20 security experts discuss the best practices for enterprise cyber hygiene.
Cyber hygiene means routinely following sound security practices that improve an organization's overall security posture. It covers everything from password creation and phishing awareness to the work of IT staff, such as updating software and patching vulnerabilities to reduce risk. Cyber hygiene is a preventive approach to security, and there are many best practices organizations can adopt to strengthen security and protect sensitive data.
To gain some insight into the most effective cyber hygiene practices enterprises should employ, we reached out to a panel of cybersecurity pros and asked them to answer this question:
"What are the best practices around enterprise cyber hygiene?"
Meet Our Panel of Security Professionals:
Read on to learn what enterprise cyber hygiene best practices our experts recommend.
Matt Middleton-Leal is a Certified Information Systems Security Professional (CISSP) and the EMEA General Manager at Netwrix, the company that introduced the first visibility platform for user behavior analysis and risk mitigation in hybrid IT environments.
"Organizations often neglect cyber hygiene because of..."
Insufficient budget compared to the growing complexity of the IT environment and the threat landscape. While the main goal for any organization is profitability, respect towards customer and employee data is crucial for success. The recent Equifax breach shows that simple ignorance towards basic cyber hygiene can disrupt the entire business. Here are four basic steps that would help you to improve your security:
1. Determine your baseline.
The first thing you should do is evaluate your current business risks. It is important to rely on evidence rather than assumptions. For example, you should know exactly what sensitive data you store and who has access to it. Most organizations have a very lax attitude to granting excessive permissions. You should be able to get a report with all access rights of each employee and data they touch on a regular basis.
2. Do a spring-clean based on risk.
Once you know your baseline, start to fix everything according to your priorities. I strongly recommend involving your co-workers in the process, since they may have a very different perception of where the high-value assets reside. This is probably going to be where the process gets hard. The automatic response is likely to be, “Of course Jim needs unfettered access to that folder.” This is where evidence-based reporting comes in. It is able to show how Jim was given access to the data, when he last accessed it, and what he did with it. Without extensive forensics, it can be hard to explain why particular access rights need to be removed.
3. Start all over again.
This sounds obvious, but too many organizations think of risk reduction as a one-off activity. It is actually a sustainable process that needs to be performed regularly, on schedule, and automated as much as possible. The IT environment changes all the time, and you need to stay on top of each small change to minimize the risk. If you are not sure what I mean, Google how many patches Microsoft issues on an annual basis!
4. Speak the same language with management.
CIOs and CISOs need to communicate about risk in a way that the business will understand. Speak in the categories they can understand, and highlight corporate risks if something is not done. When discussing the IT budget, show ROI or estimate costs that may follow. This is an area where most of us can improve a lot.
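The "evidence-based reporting" in steps 1 and 2 above boils down to three questions per user: what can they reach, how was the right granted, and when did they last use it. The script below is an added example, not Netwrix code; the group memberships, ACL entries and last-access dates are constructed stand-ins for a directory, file-server ACL and audit-log export.

```python
"""Evidence-based access review: what each user can reach, how the right was
granted, and whether it has been used recently.

Added example, not Netwrix code. All records below are constructed samples
standing in for a real directory/ACL/audit export."""
from datetime import date, timedelta

AS_OF = date(2018, 3, 5)           # constructed review date

# Constructed group membership: user -> groups.
MEMBERSHIP = {
    "jim":   {"finance", "all-staff"},
    "alice": {"finance", "finance-admins", "all-staff"},
    "bob":   {"engineering", "all-staff"},
}

# Constructed ACL entries: (principal, resource, right). A principal may be a user or a group.
ACL = [
    ("finance",        "//fs01/payroll", "read"),
    ("finance-admins", "//fs01/payroll", "write"),
    ("jim",            "//fs01/payroll", "write"),   # direct grant, outside any group
    ("all-staff",      "//fs01/public",  "read"),
    ("engineering",    "//fs01/source",  "write"),
]

# Constructed last-access dates per (user, resource), as an audit log would give them.
LAST_ACCESS = {
    ("alice", "//fs01/payroll"): date(2018, 3, 1),
    ("bob",   "//fs01/source"):  date(2018, 3, 2),
    ("jim",   "//fs01/public"):  date(2018, 2, 20),
    # no entry for ("jim", "//fs01/payroll"): he has never opened it
}


def effective_access(user):
    """Map resource -> right -> list of grant paths for one user.

    The grant path ("direct" or "via group X") is the evidence that answers
    "how did Jim get access to that folder?" without a forensic exercise."""
    principals = {user} | MEMBERSHIP.get(user, set())
    access = {}
    for principal, resource, right in ACL:
        if principal in principals:
            path = "direct" if principal == user else f"via group {principal}"
            access.setdefault(resource, {}).setdefault(right, []).append(path)
    return access


def stale_grants(user, as_of=AS_OF, max_idle_days=90):
    """Rights the user holds but has not exercised within max_idle_days.

    Returns a list of (resource, right, grant_paths, last_access_or_None);
    these are the candidates for the risk-based spring-clean."""
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = []
    for resource, rights in effective_access(user).items():
        last = LAST_ACCESS.get((user, resource))
        if last is None or last < cutoff:
            for right, paths in rights.items():
                findings.append((resource, right, paths, last))
    return findings


def review_report(as_of=AS_OF, max_idle_days=90):
    """Stale grants for every known user, keyed by user name."""
    return {user: stale_grants(user, as_of, max_idle_days) for user in MEMBERSHIP}


if __name__ == "__main__":
    for user, findings in review_report().items():
        for resource, right, paths, last in findings:
            print(f"{user}: {right} on {resource} ({'; '.join(paths)}), "
                  f"last used {last.isoformat() if last else 'never'}")
```

Run as-is, the report shows that Jim's write right on the payroll share was granted directly rather than through a group and has never been exercised, which is exactly the evidence needed to push back on "of course Jim needs unfettered access to that folder". Feeding the same three structures from real exports (group membership, ACLs, last-access) is the only change needed to use it on a live environment.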
"The best practices I’d recommend any enterprise enact to ensure appropriate cyber-hygiene are..."
1. Data retention policies which ensure both appropriate and compliant retention of necessary data, and the secure destruction of data which is no longer needed. Many organizations fail to set appropriate retention policies, which serve to identify data categories, and the duration of time for which those categories should be respectively maintained. Beyond establishing those policies, however, an organization must ensure that data is not retained in excess of regulatory or functional necessity. An excess of data at rest is a liability and can represent poor cyber-hygiene.
2. Organizations must prune servers and services which are no longer in use, or which are redundant to others more fit-for-purpose. Often, an organization will permit its portfolio of services and products to stagnate, failing to recognize or act on opportunities to consolidate services and products coherently. This stagnation represents a lost opportunity to realize cost savings through increased utilization of extant services as well as an increased surface area for vulnerability, along with attendant increased management load to secure that surface area, or worse, increased risk of successful compromise. Sprawl in the age of software-defined infrastructure is a real threat, and its mitigation a necessary cyber-hygiene practice.
3. Build redundancy necessary to facilitate patches and updates. Many organizations fail to patch or update software and firmware in their infrastructure owing to the risk of outage or downtime. Though this concern is reasonable, this risk should be mitigated, rather than permitted to cascade into another form of risk: unapplied security patches and updates. Architects and product managers should ensure that their designs allow the rapid deployment of patches and updates, a task substantially facilitated by modern public and private cloud automation technologies and infrastructure.
Kathie has 25 years of experience in the information technology and security field and is currently serving as the Chief Operating Officer at Cybrary, Inc., the world's first crowdsourced platform for cyber security and IT learning. Kathie has held a variety of leadership roles in the information security and cyber industry, including positions at Invincea, RiskAnalytics, Predictive Systems' Global Integrity division, NetSec, MCI, and Verizon's Enterprise Solutions, CyberTrust, and Terremark divisions.
"Hackers won’t wait for another bill to pass, and neither should we..."
All sizes of enterprises need policies and processes to manage physical, technical, and administrative controls when dealing with anything touching cyber. Don’t consider just traditional networking, servers, and endpoints, but expand your thinking into everything touching the internet, a.k.a. IoT. This could be an EKG machine, a lightbulb or thermostat in the office, you name it! If it is on your network, you must assess and test the effectiveness of those controls, fix where needed, and have ongoing monitoring and preventive measures in place for unknown and impending threats.
Aviram Jenik is the CEO of Beyond Security.
"An important practice for enterprise cyber hygiene is to establish a clear way for employees to know if..."
Emails are coming from inside or outside the organization. An email from the CEO saying please change the account number for transfer to: ___ should obviously be treated differently if it came from OUTSIDE the organization. These attacks are quite common, and surprisingly successful. Know where you're vulnerable and have at least a general plan for fixing those vulnerabilities.
An effective Vulnerability Management program will significantly reduce your risk for a relatively small cost. Figure out who your threat is. Don't run after the latest and greatest security technologies or you'll end up spending a fortune and achieving very little. Some attacks are universal and affect all organizations, but many attacks have specific 'attack vectors' that may not be relevant to you. Who is your potential attacker? What kind of attack will cause you the most damage? Answer those questions first and only then go to find solutions that address them. Just because something is in the news does not mean it affects your organization.
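The inside/outside distinction above is usually enforced at the mail gateway: tag anything from outside the organization's domains, and look harder at external messages whose display name matches an executive or that steer replies elsewhere. The code below is an added example, not Beyond Security code; the domains, the protected name, the keyword list and both raw messages are constructed. It assumes the gateway has already run SPF/DKIM/DMARC and recorded the result in an Authentication-Results header.

```python
"""Tell employees whether a message came from inside or outside, and flag
look-alike executive senders.

Added example, not Beyond Security code. The domains, names and raw messages
are constructed; a real deployment would run this at the mail gateway after
SPF/DKIM/DMARC evaluation."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}                    # assumption: our own domains
PROTECTED_NAMES = {"pat smith"}                       # assumption: executives' display names
MONEY_WORDS = ("account number", "wire", "transfer", "urgent")


def classify(raw):
    """Return origin ('internal'/'external'), a suspicious flag, the reasons,
    and the subject with an [EXTERNAL] tag prepended where it applies."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    origin = "internal" if domain in INTERNAL_DOMAINS else "external"

    # An internal From address only counts as internal if the gateway's
    # authentication results back it up; otherwise it is a spoof and is
    # treated as external.
    auth = msg.get("Authentication-Results", "").lower()
    if origin == "internal" and ("dmarc=fail" in auth or "spf=fail" in auth):
        origin = "external"
        reasons.append("From claims an internal domain but failed DMARC/SPF")

    # Executive display name on an external address (the 'CEO' wire-fraud pattern).
    if origin == "external" and name.strip().lower() in PROTECTED_NAMES:
        reasons.append(f"display name '{name}' matches an executive, address is {addr}")

    # Reply-To steering answers to a different mailbox than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    # Payment language from outside deserves a second look regardless of name.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    hits = [w for w in MONEY_WORDS if w in body]
    if origin == "external" and hits:
        reasons.append("external message mentions " + ", ".join(hits))

    tag = "[EXTERNAL] " if origin == "external" else ""
    return {"origin": origin, "suspicious": bool(reasons), "reasons": reasons,
            "subject": tag + msg.get("Subject", "")}


# Constructed messages.
SPOOF = """\
From: Pat Smith <pat.smith@example-payments.net>
Reply-To: Pat Smith <ceo.office@mail-example.net>
To: accounts@example.com
Subject: Urgent: supplier bank details
Content-Type: text/plain; charset=utf-8

Please change the account number for the transfer to: ___ before noon.
"""

GENUINE = """\
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
From: Pat Smith <pat.smith@example.com>
To: accounts@example.com
Subject: Board pack
Content-Type: text/plain; charset=utf-8

Attached is the board pack for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("genuine", GENUINE)):
        print(label, classify(raw))
```

The subject tag is what gives employees the "clear way to know"; the reasons list is what the security team sees. Note that the tag alone is not enough: an attacker can register a look-alike domain and still land in the external bucket, which is why the display-name and Reply-To checks sit alongside it.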
Isaac Kohen is the founder and CEO of Teramind, an employee monitoring and insider threat prevention platform that detects, records, and prevents malicious user behavior.
"We’ve long been focused on the traditional aspects of good enterprise cyber hygiene..."
Firewalls, secure authentication, virus scans, software patching, awareness education, and backups. These are obviously important pieces of good hygiene, but in our desire to blanket the enterprise with disinfectant, we're missing an opportunity to target protection of our most vulnerable asset: our critical data. I believe organizations should place a priority on data hygiene to ensure the health of the 'crown jewels.' This means identifying where critical data lives, both on-premises and in the cloud, and who has access to the data. Having this information enables you to make informed decisions and investments around least privilege, segmentation, encryption, multi-factor authentication, and user monitoring. When it comes to hygiene best practices, it's time for organizations to elevate the priority of data hygiene.
Margaret Valtierra is the Technical Marketing Specialist at Cohesive Networks, where she creates technical documentation, guides, and video demos. Margaret has a BSM from Tulane University and is an AWS Certified Solutions Architect and Cloud Security Alliance (CSA) CCSK.
"There are plenty of lists of security tools and articles on security hygiene best practices..."
The biggest hurdle is to emphasize the importance of security for your employees without creating perverse incentives.
The greatest security threats are not viruses or botnets, but human error. We all know strong passwords are important, but forcing employees to include long strings of special characters and rotate passwords frequently will only lead to less-secure practices like writing passwords on sticky notes. Plus, social engineering can take advantage of our inability to remember passwords, or trick us into valuing social hierarchy over security.
Instead, what enterprises should do is focus on enabling good security practices. It all starts with solid education. Tips like how to spot phishing emails, what data is considered personally identifiable information (PII), and tips for “security checkups” on existing accounts.
Everyone can benefit from some quick wins with built-in security. Update iOS, macOS, and Windows applications, and any other tools that might have a security patch. Use built-in disk encryption on Mac (FileVault) and Windows (BitLocker).
Finally, help employees meet the security standards you set. Each role and industry will have different security thresholds based on the "threat model," that is, what your security priorities are and who/what you're protecting against. If your company requires 10-15 character passwords that rotate every quarter, consider subsidizing a password manager tool. Encourage 2FA or multi-factor authentication wherever possible. Create a secure, universal virtual private network (VPN) for employees to access their information securely, even on public WiFi.
Mihai Corbuleac is the Senior IT Consultant at ComputerSupport.com.
"Keeping your IT system safe is tougher than ever..."
However, there are several cyber hygiene practices that every organization needs to follow in order to keep the number of security threats to a minimum. First, let your cybersecurity experts find out your vulnerabilities, and based on that create an incident response plan to include security protocols for any discovered threat.
Second, keep your staff educated and make sure everyone knows at least the basics of how to prevent a data breach or any other security incident. Let's take email security for instance – email security is largely a mental game, so make sure you recognize the sender. Otherwise, opening or clicking the links within received emails may expose your data to serious threats. Also, it's vital to have procedures in place to limit the consequences of a potential security incident, so basically you need to turn your staff into a human firewall and always find new ways to prevent human error, because human error can be the biggest cybersecurity vulnerability.
Mike Meikle is a Highly Experienced Consultant and Corporate Consigliere at SecureHIM.
"Best practices for enterprise cyber hygiene do not begin with the procurement of expensive security appliances or services..."
They start with the basics:
- Keep your infrastructure up to date (software patches, hardware refreshes) and ensure physical security (locks, monitored access) around critical components and infrastructure. Quite a few of the latest cybersecurity breaches got their start with systems that were unpatched.
- Train users. Most security breaches gain a toe-hold due to an error by the user or malicious user intent. Having an effective employee Training, Education and Awareness (TEA) program will help employees understand the risks when opening email attachments or clicking on links, for these can lead to malware or virus infections. For example, the Equifax breach was propagated by phishing emails and malvertisements. One of the most effective things an enterprise can do is to be cautious when responding to emails and browsing the web.
- A “penetration” test, by a reputable outside firm, on your infrastructure and systems to uncover vulnerabilities can be very valuable. These firms will provide you with the information you need to close the gaps in your defenses.
- Have an incident response plan that has been tested. Knowing what to do, who to call, and how to recover is one of the most critical components for responding to a cybersecurity incident. The key word here is tested. An enterprise needs to know if their plan will actually function in reality and not just on paper.
Jack Plaxe is a security, crisis, and risk management professional based in Louisville, KY. He is the Founder & Managing Director of the Security Consulting Alliance LLC, a professional services firm offering both physical and cyber security consulting.
"Cyber hygiene refers to those things an organization must do to maintain and protect IT systems and devices and implement computer security best practices. Cyber hygiene tips include the following..."
- Only visit websites you know and trust.
- Do not download or open unknown attachments.
- Shut down your router when not in use.
- Encrypt sensitive files on your hard drive.
- Encrypt sensitive files before sending.
- Update Windows OS software and web browsers on a regular basis.
- Update anti-malware (virus, spyware, etc.) software on a regular basis.
- Run anti-malware software at least on a weekly basis.
- Run a registry cleaner in Windows on a weekly basis.
- Back up files at least on a weekly basis. Practice recovering them.
- Develop and practice an incident response plan.
- Perform a vulnerability scan monthly and promptly fix any problems identified.
Alexandra Kovaleva is a Technical Writer of DDI Development, a company that provides web and mobile digital solutions.
"Best practices around enterprise cyber hygiene include implementing a formal information security governance approach that..."
- Provides the ability to employ a risk-based approach and enables your teams to detect incidents, investigate effectively, and respond quickly.
- Stops data loss by controlling access and monitoring vendors, contractors, and employees to know what your users are doing with company data.
- Detects insider threats by monitoring user activity that allows you to detect unauthorized behavior and verify that user actions are not violating security policy.
- Includes a full working backup of all data, not only from a basic security hygiene perspective, but also to combat emerging attacks. Social engineering tactics have been used successfully for decades to gain login information and access to encrypted files.
- Provides regular user education and training on cyber security best practices.
- Outlines clear use policies for new employees and intermediaries and makes sure employment contracts and SLAs have sections that clearly define these security requirements.
- Updates software and systems.
- Maintains compliance with a set of guidelines that are useful for keeping your business safe. Regulations like HIPAA, PCI-DSS, and ISO offer standards for how your business should conduct its security.
Ajit Sancheti is co-founder and CEO at Preempt, a San Francisco, California behavior-based authentication security company.
"A key to enterprise cyber hygiene is to monitor employee behavior for anomalies..."
Unusual changes to behavior are your first indication that something may be amiss. When behavioral analytics can be combined with adaptive response and enforcement to verify a user's identity in real-time, organizations can improve their ability to proactively defend against credential compromise. This can provide a significant reduction of time spent on incident response, allowing the teams to be more efficient and effective.
People behaving badly on the network is a given; adversaries know this and they are targeting your organization by taking advantage of your users, looking for weak links, patterns of carelessness, and virtual doors left ajar. Turn the tables by monitoring for risky activities and slamming those open doors right in the menacing face of cybercrime.
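The "unusual changes to behavior" above are detectable with a per-user baseline and a few rules over authentication logs. The script below is an added example, not Preempt's product or code; the log format, the field names (user, src, geo, result) and every log line are constructed. It learns each user's normal countries and login hours from one day of events, then flags later logins from a new country, at an unseen hour, or immediately after a burst of failures from the same source.

```python
"""Baseline each user's normal logins and flag departures from it.

Added example, not Preempt code. The log format and every line below are
constructed; the field names (user, src, geo, result) are assumptions."""
from collections import defaultdict
from datetime import datetime

LOGS = """\
2018-03-05T08:02:11Z user=jim src=10.1.4.22 geo=GB result=success
2018-03-05T08:15:40Z user=alice src=10.1.7.9 geo=GB result=success
2018-03-05T09:10:02Z user=jim src=10.1.4.22 geo=GB result=success
2018-03-05T17:45:13Z user=alice src=10.1.7.9 geo=GB result=success
2018-03-06T08:05:30Z user=jim src=10.1.4.22 geo=GB result=success
2018-03-06T03:14:09Z user=jim src=203.0.113.4 geo=RO result=failure
2018-03-06T03:14:31Z user=jim src=203.0.113.4 geo=RO result=failure
2018-03-06T03:15:05Z user=jim src=203.0.113.4 geo=RO result=success
"""


def parse(line):
    """One 'ts key=value ...' line -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def baseline(events):
    """Per-user set of countries and login hours seen during the learning window."""
    profile = defaultdict(lambda: {"geos": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            profile[e["user"]]["geos"].add(e["geo"])
            profile[e["user"]]["hours"].add(e["ts"].hour)
    return profile


def detect(events, profile, fail_window_s=300, fail_threshold=2):
    """Return (ts, user, reasons) for every event that breaks the user's baseline.

    Reasons: new_geo (country never seen), off_hours (hour never seen),
    brute_force (a success preceded by >= fail_threshold failures from the
    same source within fail_window_s), unknown_user (no baseline at all)."""
    failures = defaultdict(list)          # (user, src) -> failure timestamps
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        reasons = []
        known = profile.get(e["user"])
        if known is None:
            reasons.append("unknown_user")
        else:
            if e["geo"] not in known["geos"]:
                reasons.append("new_geo")
            if e["ts"].hour not in known["hours"]:
                reasons.append("off_hours")
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key].append(e["ts"])
        else:
            recent = [t for t in failures[key]
                      if 0 <= (e["ts"] - t).total_seconds() <= fail_window_s]
            if len(recent) >= fail_threshold:
                reasons.append("brute_force")
            failures[key].clear()
        if reasons:
            findings.append((e["ts"], e["user"], reasons))
    return findings


def run(raw=LOGS, learn_until="2018-03-06"):
    """Learn from events before learn_until, then score the rest."""
    events = [parse(line) for line in raw.splitlines() if line.strip()]
    cutoff = datetime.strptime(learn_until, "%Y-%m-%d")
    profile = baseline([e for e in events if e["ts"] < cutoff])
    return detect([e for e in events if e["ts"] >= cutoff], profile)


if __name__ == "__main__":
    for ts, user, reasons in run():
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user}: {', '.join(reasons)}")
```

On the constructed data the 08:05 login from the usual office address passes silently, while the three 03:14-03:15 events from Romania each fire, and the final success additionally carries brute_force. In practice the baseline would be learned over weeks rather than a day, and the "adaptive response" the passage mentions would hook in where this script merely records a finding, for instance by demanding a second factor before the session is allowed to proceed.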
Robert Wood is currently the Chief Security Officer at SourceClear, where he is responsible for the strategic vision and technical direction of SourceClear's security, privacy, and compliance program as well as the research team.
"Establishing cyber hygiene is more important today than it's ever been given how pervasive technology has become across our lives today..."
With the explosion of devices, software, and services, one of the most important things that organizations can do today is to wrap their arms around what is actually operating within their environments. This covers everything from creating accurate application and service inventories, generating network inventories, performing software composition analyses to determine what actually makes up the software you're building, and taking part in vendor reviews to clarify who your partners are and what their own risk posture looks like. It's incredibly difficult for any chess player to create a strategy when they can't see most of the board; the same paradigm exists for cybersecurity leaders.
The rest of any cybersecurity hygiene strategy will be entirely dependent on the organization's goals, business risks, compliance needs, and what the security leader finds within their environment. Focus on the biggest fires first and on incremental improvement that steadily builds upon itself.
Mike Childs is the Business Development Director at Matrix Integration.
"There are three best practices that contribute to cyber hygiene..."
The first is to adopt the CIS 20 Critical Security Controls, especially the first five. Those are:
- Inventory of all authorized and unauthorized devices
- Inventory of all authorized and unauthorized software
- Secure configurations for hardware and software
- Continuous vulnerability assessment and remediation
- Controlled use of administrative privilege
Organizations that implement these five controls eliminate a large bulk of all known threats.
The second is to assess the cybersecurity posture of the organization against an established framework such as the NIST CSF. This should be risk-based and evaluated on a maturity curve. The assessment results are then used to improve.
Finally, every organization must have a cybersecurity incident response plan that is regularly tested and updated. The plan must include team members from across the organization (IT, HR, Legal, PR, Finance) and external parties such as vendors, law enforcement, and government.
Gregory Morawietz is the VP of Operations at Single Point of Contact. He is a cloud and IT Security Specialist with over twenty years of network and security experience. He has worked with hundreds of firms on improving IT environments, architecting cloud environments, consulting, and integrating technology for the enterprise network.
"Start by having a frequent security audit..."
Make sure you pen test and internally scan your network. Check to make sure that your endpoint security is constantly maintained. Have a SIEM software and keep it well maintained. Get a machine learning software that checks your security infrastructure and make sure it is also highly maintained. Keep your staff well trained and able to respond to alerts.
Pradeep Aswani is the CEO of Cloud Harmonics.
"Cyber hygiene lays the foundation for good cybersecurity..."
IT admins must inventory and manage everything that goes into the network, back up everything, ensure only best-practice implementations/configurations are in place, immediately apply all patches so everything is up to date, and upgrade or dispose of end-of-life equipment.
Users shouldn't download anything that hasn't been approved, must use strong passwords, must change those passwords frequently, and must never click on links that aren't completely trusted or engage with people they don't know.
Beware of Shadow IT, which bypasses IT controls and accounts. It is easy for cyber hygiene to be left by the wayside. Human nature can also pose issues for cyber hygiene.
Amit Bareket is the Co-Founder and CEO of Perimeter 81 (powered by SaferVPN). He is an entrepreneur and cybersecurity expert with extensive experience in system architecture and software development. He graduated Cum Laude with a B.Sc. in Computer Science and Economics from Tel Aviv University.
Not being able to address simple questions like, will my firewall block this attack, will my IPS detect malicious behavior, will my DLP protect my data, and will my SIEM collect and correlate attack information means that organizations are managing security based on assumptions. Most security leaders can't measure security effectiveness, they can't communicate the value to the executive team and board, and they can't demonstrate if their security effectiveness is getting better when they invest in new technology and people. There is no room in 2018 and beyond for managing security based on assumptions and treating security like a black box that can’t be measured, managed, and improved. Organizations need to demand evidence-based information that illustrates empirically what's working and what's not so that decisions predicated on factual data can be made more rapidly.
Jacob Dayan is the CEO and Co-founder of Community Tax and Finance Pal, both finance and accounting firms based in Chicago. Jacob is a digital expert, and Community Tax works with a lot of sensitive data for clients all over the country.
"Host an organized hackathon..."
A great practice around cyber hygiene that companies can leverage is setting up an organized hackathon. Providing budding tech and IT enthusiasts with access to a mock website, software, or service (obviously with fake information) and seeing what hacks, mods, or other weaknesses can be found is a great way to obtain another slightly different perspective on your cyber hygiene. This practice is especially useful before the launch of a new IT platform of any kind. In addition, a hackathon is a great hiring technique as it provides management with a first-hand view of potential employees and their IT skillsets.
Doug is a cyber security expert and blog manager for the Digital Addicts Blog. He's always up to date on the latest data breaches, botnets, and any other infosec news.
"One of the most important practices to include in any cyber hygiene routine is strong password management..."
While creating unique, strong passwords should be a common practice, it turns out more than half of all computer users still use one of 25 passwords. In some cases, these passwords could be the only thing standing between a cyber threat and your sensitive information. To better protect yourself, consider using long phrases instead of random letters and numbers when creating new passwords. This will allow you to easily memorize the password while making it more difficult to crack. Remember to never use the same password on more than one account. That way, if one of your accounts becomes compromised, you can be sure that the rest are still safe.
Rodrigo Montagner is an Italian and Brazilian IT Executive with 20 years of experience managing multicultural IT departments, projects, and challenges in general. He is the CEO and Founder of OM2 Tech Consulting Solutions.
"There are a core of best practices and behaviors enterprises can implement to create a neat and more balanced cyber security environment..."
A few tips include:
- Keep a strong and enforced enterprise software update pace throughout the entire hierarchy of the organization.
- Don’t forget the basics: IPS, penetration tests, critical patch monitoring, an intelligent AV policy, and a strong or very strong password policy.
- It is better to do less and do it well than to invest a lot of time, resources, and energy to do more at a mediocre level. Excel with the essential hardware, software, and general cybersecurity tools before moving on to more complicated solutions.
- Get upper management support. It is important in implementing general cyber safety and cyber awareness policies and procedures.