Earlier this year, the Internet Security Alliance (ISA) released a report that ties the management of cyber risk back to basic cyber hygiene. It has long been held as conventional wisdom that 80% of security breaches could be prevented by the most basic security measures.
Citing studies done by Verizon and the US Secret Service, the ISA report estimates that 97% of breaches (far higher than the widely accepted, conservative 80% estimate) could have been prevented or at least significantly mitigated by common best practices.
For the full list of these best practices recommended by ISA, you can view the report here. Essentially, the elements of good cyber hygiene are found in technical precautions, procedural mandates, and awareness training.
Technical Cyber Hygiene
Those responsible for the technical security of your company’s network and data need a system in place to consistently assess and monitor events and changes occurring within that system. They also must be afforded the time and resources to keep software and tools updated, practice good patch management, and have the right tools to control and limit access, especially remote access to the network.
Procedural Cyber Hygiene
Once a solid technical foundation is in place, comprehensive procedures must be established to maintain those systems and to ensure responsible, consistent use of the network and company data across the organization. Creating clear procedures for the basic elements of cyber hygiene will ensure that best practices are applied consistently and routinely. The goal should be to keep the data contained within the network manageable, to grant employees access only as their job function requires, and to be prepared for any potential incident with a detailed, tested incident response plan in place well in advance of an incident or breach.
Awareness Training for Good Cyber Hygiene
A 2012 survey by PricewaterhouseCoopers (PWC) indicated that 82% of data breaches are actually caused by errors made by employees. Despite this risk, the majority of companies allow employees to access corporate systems from personal smartphones and tablets with minimal controls in place and little, if any, effective security training for employees. Even with the best technical systems and procedures in place, a well-intentioned employee who has not been trained to access the system properly, in a way that keeps the company’s data (as well as their own) secure, is a major source of unnecessary risk. Employees should be trained and retrained on a regular basis so that they are aware of potential threats and of the company’s requirements and expectations for their use of technology.
Sophisticated security technology, awareness of the latest developments in cybercrime, and even extensive, routine risk analysis (whether required for compliance or simply for security) are all valuable and necessary steps in your efforts to maintain the security of your data and your network. But focusing on the high-level security steps while neglecting basic cyber hygiene may only give you a false sense of security.