Cybersecurity hygiene is a critical component of any infosec program. Just as washing your hands and brushing your teeth are important to personal hygiene, password updates and software patches are important to cybersecurity hygiene -- and critical to preventing data loss, breaches or identity theft.
It is important to note that cybersecurity hygiene is a shared responsibility -- it is not an activity solely for employees. Organizations and security teams, among other departments, must all play their part to prevent the spread of disease.
Standard cybersecurity hygiene checklist
The following practices should be woven into any cybersecurity hygiene checklist:
- Patch, patch, patch. Keep company-owned devices patched and up to date with the latest software versions.
- Have a strong identity and access management program that does the following:
- Don't share credentials.
- Don't use public Wi-Fi.
- Segment networks.
- Manage and secure endpoints.
- Install antimalware and firewalls.
- Encrypt drives and devices by default.
- Perform regular backups.
- Conduct security awareness training.
- Avoid social engineering scams.
- Perform asset discovery, inventory and management.
- Create, implement and maintain enterprise security policies.
Special considerations: Bring your own home cybersecurity hygiene
The COVID-19 pandemic created dramatic shifts in volumes of remote workers and thrust the need for bringing cybersecurity hygiene into the 21st century into sharp focus. Keeping corporate assets safe amid the enterprise's widely expanded boundary into every employee's home proved difficult for security teams to say the least.
As employees returned to the office, a new challenge was introduced: the hybrid workplace. Employees were now working at home, in the office or a mix of the two. Ensuring employees at home had the same tools, experiences and security measures as their in-office counterparts heightened the need to accommodate constantly changing employee work routines. Adaptability became a necessity for security teams.
- Home network segregation. Security teams need to teach users -- in simple terms -- how to carve subnets with security rules. This is an undertaking for security admins as there is a wide variety of routers and firewalls in employees' homes that must be considered. Advise employees to stay diligent and maintain home network security best practices. They should limit what smart home devices can access and use a home firewall that default denies new devices from connecting to the network.
- VPNs everywhere. Most enterprises have a VPN enabled by default for access to the corporate network. But, even in the absence of that, employees would do well to install a VPN client that enables encrypted connections to strengthen public Wi-Fi or poorly secured home connections. Companies should also be aware of VPNs that don't work in certain geographies. TunnelBear, for example, is no longer available in India because the company refused to comply with government requirements. Companies should have a backup VPN to accommodate different countries. Alternately, companies should look into adopting zero trust.
- Patch, patch, patch. Patching and updating company-owned devices have already been mentioned, but it's also critical end users understand the importance of patching their own devices -- especially as more and more workers use their own devices for work purposes. The patching of hidden devices, such as a smart microwave or thermostat, should also be periodically reviewed as smart home devices could be the source of lateral compromise on an enterprise.
Special considerations: Cloud cybersecurity hygiene
Along with an increase in the number of remote workers amid the pandemic came increased cloud use. While the cloud helps improve productivity, accessibility and scalability, risks from a security perspective inevitably follow.
To keep employees and employers safe in the cloud, follow these key cloud cybersecurity hygiene best practices:
- Create a cloud usage and security policy. Spell out the dos and don'ts of what is accepted cloud use and what is not. For instance, an enterprise might use OneDrive for document sharing, but given the widespread use of BYOD and device sharing that Google Drive and Box offer, it is likely these services might be preferred by employees. Admins should acknowledge that user preference is key but take a stance on cloud app use from a security perspective. They should also provide short, engaging training on how to use the cloud for secure data sharing.
- Be mindful when giving document and shared folder access rights to co-workers, partners, etc.
- Revoke and delete permissions where appropriate and when disengagement happens -- for example, at project conclusion or employee resignation.
- Be mindful of account cross-pollination. Consider how many Google accounts employees have. Making sure they use the correct Google Drive account -- one for work purposes -- is critical. Likewise, using a work Dropbox account to share family photos versus going through the extra step of creating a personal account to do so is also important.
- Exercise privacy and confidentiality rights. While not top of mind for most individuals, these are top priorities for corporations. Newer legislation, such as GDPR and CCPA, call out specific privacy rights. For example, ensuring digital trails are obliterated when SaaS applications are no longer in use or conducting periodic reviews of data collected by enterprise SaaS applications is critical. These tasks require training and innovative incentives, such as gamification, to raise awareness among the employees.
- Include cloud security in enterprise security awareness trainings. If a public data store breach occurs, use it as an example to drive home the message of how it could have been avoided.
Special consideration: Metaverse security
While still in early stages, companies and employees should be aware of security in the metaverse. As more users get into virtual and augmented reality, having a basic understanding of dos and don'ts is important. Be aware of the following:
- Data security. Beware of sharing sensitive information in virtual worlds with fellow metaverse inhabitants.
- Identity. Be vigilant and careful when sharing information. Proactively reach out to property owners for verification in any case of doubt.
- Data rights. Unlike the real world with its privacy acts, such as GDPR and CCPA, the metaverse requires users to question platform providers and property owners. They should ask what data is being collected, how long it is stored and what rights exist to purge the data.