We’re taking the next few weeks to address some important questions we receive at Cyber Risk Opportunities. If you have questions that you would like answered, please leave them in the comments below.
Question: I’ve heard you talk about practicing “good cyber hygiene.” Do you have a list of those practices?
There are many collections of “good cyber hygiene” practices, such as The Center for Internet Security (CIS) Top 20 Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls), which has been popular for a long time. You can look it up here: https://www.cisecurity.org/controls/
But I like the “Essential Eight” the best because they focus on stopping cyberattacks on the user endpoints (usually Windows computers), which is where the primary cyber battles are being fought today.
You can access a complete list and lots of supporting details from the Australian Cyber Security Centre: https://acsc.gov.au/publications/protect/essential-eight-explained.htm
Having said that, the UK has a good offering in their Cyber Essentials scheme: https://www.cyberessentials.ncsc.gov.uk/
From an executive perspective, the Federal Trade Commission requires organizations to practice “reasonable cybersecurity”. We find the NIST Cybersecurity Framework very useful, and it complements the “Essential Eight”: https://www.nist.gov/cyberframework
By the way, two of the most powerful endpoint cyber hygiene practices are:
- Not using local admin accounts for routine computing tasks (e.g., web browsing and email) and
- Turning on application whitelisting
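As an added example that is not part of the original post, the following PowerShell script audits both of those practices on a single Windows endpoint, read-only. It assumes Windows 10 / Server 2016 or later with the built-in LocalAccounts and AppLocker modules available; the function names are my own.

```powershell
# Added example, not from the original post: read-only audit of the two
# endpoint practices above on a Windows 10 / Server 2016+ machine. Assumes the
# built-in LocalAccounts and AppLocker PowerShell modules are present.
# Run it in the everyday (non-elevated) session of the user being checked.

function Test-CurrentUserIsLocalAdmin {
    # Direct membership of BUILTIN\Administrators, compared by SID so that a
    # renamed account is still caught. Limitation: membership inherited only
    # through a nested domain group is not resolved here.
    $mySid   = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.SID.Value -eq $mySid })
}

function Get-LocalAdminReport {
    # Everyone holding standing local admin rights; review anything unexpected.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-AppLockerEnforcing {
    # AppLocker only blocks when the Application Identity service is running
    # and at least one rule collection is in 'Enabled' (not AuditOnly) mode.
    # Covers AppLocker only; a WDAC-based allowlist needs a separate check.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { return $false }
    try {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
    } catch {
        return $false   # module missing or policy unreadable: treat as not enforced
    }
    $enforced = @($policy.AppLockerPolicy.RuleCollection |
        Where-Object { $_.EnforcementMode -eq 'Enabled' })
    return $enforced.Count -gt 0
}

# Summary for this endpoint
$adminUse = Test-CurrentUserIsLocalAdmin
$wl       = Test-AppLockerEnforcing
"Routine account is a local admin : $adminUse  (want: False)"
"Application whitelisting enforced: $wl  (want: True)"
if ($adminUse) { Get-LocalAdminReport | Format-Table -AutoSize }
```

Either check reporting the wrong value is a finding to fix before relying on the other controls on the page; the script changes nothing on the machine.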
Next week we’ll answer a related question regarding the first powerful endpoint cyber hygiene practice above.