Cybersecurity hygiene is a critical component of any infosec program. Just as washing your hands and brushing your teeth are important to personal hygiene, password updates and software patches are important to cybersecurity hygiene -- and critical to preventing data loss, breaches or identity theft.
It is important to note that cybersecurity hygiene is a shared responsibility -- it is not an activity solely for employees. Organizations and security teams, among other departments, must all play their part to prevent the spread of disease.
Standard cybersecurity hygiene checklist
The following practices should be woven into any cybersecurity hygiene checklist:
- Patch, patch, patch. Keep company-owned devices patched and up to date with the latest software versions.
- Have a strong identity and access management program that requires strong passwords and multifactor authentication. Consider using biometrics.
- Employ the principle of least privilege.
- Don't share credentials.
- Install antimalware and firewalls.
- Encrypt drives and devices by default.
- Perform regular backups.
- Conduct security awareness training.
- Perform asset discovery, inventory and management.
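Patching and asset management only work together: a device that is not in the inventory is never patched, and an inventory entry that never shows up on the network is often a lost or unmanaged device. The following is an added example, not code from the original article, of reconciling a discovery scan against the inventory and a patch baseline. All hostnames, MAC addresses, OS names, build strings, dates and baseline versions are constructed assumptions.

```python
"""Reconcile discovered hosts against the asset inventory and flag hygiene gaps.

Added example for this article, not code from the original page. All data is
constructed for illustration; hostnames, MAC addresses, OS names, build strings
and the baseline versions are assumptions, not real assets.
"""
from datetime import date, timedelta

# Constructed inventory: the devices the organisation believes it manages, keyed by MAC.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"host": "fin-laptop-07", "os": "Windows 11"},
    "aa:bb:cc:00:00:02": {"host": "dev-box-12", "os": "Ubuntu 22.04"},
    "aa:bb:cc:00:00:03": {"host": "hr-laptop-02", "os": "macOS 14"},
}

# Constructed patch baseline: the minimum build each OS should be running (assumed values).
BASELINE = {
    "Windows 11": "22631.3447",
    "Ubuntu 22.04": "5.15.0-105",
    "macOS 14": "14.4.1",
}

# Constructed discovery results, e.g. merged from DHCP leases and an endpoint agent check-in.
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.10.1.21", "os": "Windows 11",
     "os_build": "22621.2715", "last_seen": date(2024, 5, 1)},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.10.1.22", "os": "Ubuntu 22.04",
     "os_build": "5.15.0-105", "last_seen": date(2024, 4, 10)},
    {"mac": "aa:bb:cc:00:00:99", "ip": "10.10.1.77", "os": "unknown",
     "os_build": "", "last_seen": date(2024, 5, 2)},
]

TODAY = date(2024, 5, 3)          # fixed so the example is reproducible
MAX_CHECKIN_AGE = timedelta(days=7)


def version_tuple(build):
    """Turn '22631.3447' or '5.15.0-105' into a tuple of ints for ordering."""
    parts = build.replace("-", ".").split(".")
    return tuple(int(p) for p in parts if p.isdigit())


def reconcile(inventory, discovered, baseline, today, max_age=MAX_CHECKIN_AGE):
    """Return a list of (kind, identifier, detail) findings."""
    findings = []
    seen = set()
    for rec in discovered:
        mac = rec["mac"]
        asset = inventory.get(mac)
        if asset is None:
            # A device on the network that nobody owns cannot be patched or managed.
            findings.append(("unknown_device", mac, f"{rec['ip']} is not in the inventory"))
            continue
        seen.add(mac)
        host = asset["host"]
        expected = baseline.get(asset["os"])
        if expected and version_tuple(rec["os_build"]) < version_tuple(expected):
            findings.append(("outdated", host, f"{asset['os']} {rec['os_build']} < baseline {expected}"))
        if today - rec["last_seen"] > max_age:
            # An agent that stops reporting is often an unpatched or lost device.
            findings.append(("stale_checkin", host, f"last seen {rec['last_seen']}"))
    for mac, asset in inventory.items():
        if mac not in seen:
            findings.append(("not_seen", asset["host"], "no discovery record"))
    return findings


def run_example():
    return reconcile(INVENTORY, DISCOVERED, BASELINE, TODAY)


if __name__ == "__main__":
    for kind, ident, detail in run_example():
        print(f"{kind:14} {ident:20} {detail}")
```

Each finding maps to a checklist item: `unknown_device` is an asset-discovery gap, `outdated` is a patching gap, and `stale_checkin` or `not_seen` means the inventory and reality have drifted apart and someone needs to find the device. In practice the three input feeds would come from the DHCP server, the endpoint agent and the CMDB rather than from literals.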
Special considerations: Bring your own home cybersecurity hygiene
The COVID-19 pandemic caused a dramatic increase in the number of remote workers and brought the need to modernize cybersecurity hygiene into sharp focus. Keeping corporate assets safe now that the enterprise boundary extends into every employee's home has proven difficult for security teams, to say the least.
Some remote worker security best practices are the following:
- Home network segregation. Security teams need to teach users, in simple terms, how to keep work devices separate from the rest of the household, for example by placing work equipment on its own network segment (a guest network or VLAN) with its own firewall rules, away from personal laptops, smart TVs and other IoT devices. This is a real undertaking for security admins because of the wide variety of routers and firewalls found in employees' homes.
- VPNs everywhere. Most enterprises require a VPN for access to the corporate network. Even where that is not the case, employees would do well to use a VPN client that encrypts their traffic when on public Wi-Fi or a poorly secured home connection. Keep in mind that a VPN protects traffic in transit, not the device itself, so it complements rather than replaces patching and endpoint controls.
- Patch, patch, patch. Patching and updating company-owned devices have already been mentioned, but it's also critical end users understand the importance of patching their own devices -- especially as more and more workers use their own devices for work purposes.
Special considerations: Cloud cybersecurity hygiene
Along with an increase in the number of remote workers amid the pandemic came increased cloud use. While the cloud helps improve productivity, accessibility and scalability, its risks from a security perspective inevitably follow.
To keep employees and employers safe in the cloud, there are some key cybersecurity hygiene best practices to follow:
- Create a cloud usage and security policy. Spell out the dos and don'ts of what is accepted cloud use and what is not. For instance, an enterprise might standardize on OneDrive for document sharing, but because many employees already use Google Drive or Box on their own devices, they may well prefer those services. Admins should acknowledge that user preference matters but take a security-driven stance on which cloud apps are sanctioned, and provide short, engaging training on how to share data securely in the cloud.
- Be mindful when giving document and shared folder access rights to co-workers, partners, etc.
- Revoke and delete permissions where appropriate and when disengagement happens -- for example, at project conclusion or employee resignation.
- Be mindful of account cross-pollination. Consider how many Google accounts an employee has. Making sure they use the correct Google Drive account, the one designated for work, is critical. Likewise, employees should not use a work Dropbox account to share family photos; the extra step of creating a personal account for personal content is worth taking.
- Exercise privacy and confidentiality rights. While not top of mind for most individuals, these are top priorities for corporations. Newer legislation, such as GDPR and CCPA, calls out specific privacy rights. For example, it is critical to ensure data is deleted when SaaS applications are no longer in use and to conduct periodic reviews of the data enterprise SaaS applications collect. These tasks require training and innovative incentives, such as gamification, to raise awareness among employees.
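The access-rights, revocation and account cross-pollination points above are easiest to enforce as a recurring audit of the sharing permissions a cloud service exports. The following is an added example, not code from the original article or from any vendor's API, that runs such an audit over a constructed permission export. The corporate and personal domain lists, the departed-user list, the project end dates and the export records are all assumptions made for illustration.

```python
"""Audit a cloud file-sharing permission export against a sharing policy.

Added example for this article, not code from the original page or any
vendor's API. The export records, domain lists, departed-user list and project
end dates are constructed assumptions.
"""
from datetime import date

CORPORATE_DOMAINS = {"example.com"}                           # assumed corporate domain
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # consumer mail providers
DEPARTED_USERS = {"jdoe@example.com"}                         # assumed HR offboarding feed
PROJECT_END = {"Project Falcon": date(2024, 3, 31)}           # assumed project close dates
TODAY = date(2024, 5, 3)                                      # fixed for reproducibility

# Constructed permission export: one row per (item, grantee) pair.
SHARES = [
    {"item": "Q2 Board Deck.pptx", "owner": "cfo@example.com",
     "grantee": "asmith@example.com", "role": "viewer", "project": None},
    {"item": "Project Falcon/", "owner": "pm@example.com",
     "grantee": "contractor@partner.io", "role": "editor", "project": "Project Falcon"},
    {"item": "Payroll 2024.xlsx", "owner": "hr@example.com",
     "grantee": "jdoe@example.com", "role": "editor", "project": None},
    {"item": "Family photos/", "owner": "bob@example.com",
     "grantee": "bob.personal@gmail.com", "role": "editor", "project": None},
    {"item": "Customer list.csv", "owner": "sales@example.com",
     "grantee": "anyone_with_link", "role": "viewer", "project": None},
]


def domain_of(address):
    """Mail domain of a grantee, lower-cased; empty for non-address grantees."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def audit(shares, today=TODAY):
    """Return (kind, item, grantee) findings; one share can trigger several rules."""
    findings = []
    for s in shares:
        item, grantee, dom = s["item"], s["grantee"], domain_of(s["grantee"])
        # Link sharing bypasses identity entirely: anyone holding the URL can read it.
        if grantee == "anyone_with_link":
            findings.append(("public_link", item, grantee))
            continue
        if grantee in DEPARTED_USERS:
            findings.append(("departed_user", item, grantee))
        if dom in PERSONAL_DOMAINS:
            # Account cross-pollination: corporate data granted to a consumer account.
            findings.append(("personal_account", item, grantee))
        elif dom not in CORPORATE_DOMAINS:
            # Partners may be legitimate, so this is a review item rather than a revocation.
            findings.append(("external_grantee", item, grantee))
        end = PROJECT_END.get(s["project"])
        if end is not None and today > end:
            findings.append(("expired_project", item, grantee))
    return findings


def revocations(findings):
    """Grants the policy says should be removed outright, as (item, grantee) pairs."""
    revoke = {"public_link", "departed_user", "personal_account", "expired_project"}
    return sorted({(item, g) for kind, item, g in findings if kind in revoke})


def run_example():
    return audit(SHARES)


if __name__ == "__main__":
    found = run_example()
    for kind, item, grantee in found:
        print(f"{kind:17} {item:22} {grantee}")
    print("revoke:", revocations(found))
```

The split between `audit` and `revocations` is deliberate: a grant to a partner domain needs a human to confirm the relationship, whereas a grant to a departed user, a consumer account, a closed project or an open link can be revoked automatically. Run it on a schedule and the "revoke on disengagement" step stops depending on someone remembering to do it.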