Becoming an unprofitable target by practicing great cyber hygiene is one of the four major goals of a Cyber Risk Management Program.
The other three are:
- Achieving your customers’ expectations (covered three weeks ago)
- Being resilient to cyber-attacks and cyber failures (covered two weeks ago)
- Being compliant with applicable laws and regulations (covered last week)
What is Great Cyber Hygiene?
There are many aspects to maintaining proper cyber hygiene. They will change as circumstances change and as cyber attackers innovate their techniques.
Let’s take a look at the most useful things you should do and that you can get started on quickly.
Cyber Hygiene at Home
In 2015, Google released a report based on their research on the top online safety practices. They compared the recommendations of non-experts with experts.
Perhaps unsurprisingly, the lists were mostly different, as you can see in the graphic below:
So, here are the top five best practices, along with a little commentary from me:
- Install software updates (i.e., the latest security patches)
- Use unique passwords (i.e., a different one for each login account)
- Use two-factor authentication (see <https://twofactorauth.org/> for a list of websites that support it)
- Use strong passwords (i.e., make them long and complex)
- Use a password manager (so you only have to remember one; I suggest either LastPass or 1Password and not your browser’s built-in password keeper)
Cyber Hygiene at Work
Everything above applies to both your home and business computing.
But because your work situation is more complicated, additional cyber hygiene practices are required. These are worthy of executive attention in all industries:
- Know your top cyber risks and manage each of them at the executive level. Make a list of them, and review and update that list every quarter.
- Stay up to date with the latest cyber risks to your industry; here are the three best reports to read each year for executive audiences:
- Have a response plan for major cyber incidents and practice that plan two or three times each year.
- Buy an appropriate cyber insurance policy.
- Have strong indemnity language in your contracts.
- Conduct anti-phishing training across your entire workforce.
Recommended Management Reports
To practice great cyber hygiene, there are regular actions your management team needs to take. Running regular reports can help you determine if you’re taking those actions consistently.
Here are three reports you should put into place. Looking at cyber risk reports may seem like a silly, “big company” thing to do, but it’s not.
There’s real value here!
Daily Data Breach Risk Report
This report takes 15-minutes to review, and it provides you with indicators of compromise. You want to stop cyber-attacks before they get too far and this report will help uncover some early signs of a breach.
For example, if someone makes themselves an administrator on your system without permission, you need to know that quickly! It’s an enormous risk for an attacker to be an administrator.
Administrators can do anything with your data, so this report should show all changes to the administrator group membership since the previous report.
Disabling all accounts of former employees within 24 hours of termination of employment or contract is also crucial for cyber risk management. Add the list of recently departed people, along with their account status, to this daily report.
Monthly Hygiene Report
Similarly, this report tells you how well your company is practicing good cybersecurity hygiene based on habits that need monitoring over the long-haul. Here are some good starter items:
- Percentage of your staff who have completed cybersecurity training;
- And, the percentage of staff actively using a password manager;
- And, the number of new customer contractual requirements that have been incorporated into your Standard Operating Procedures (SOPs);
- And, the percentage of your computers using ad blockers in their web browsers.
Weekly Patch Velocity Report
As the Google report above showed, you need to patch your systems quickly, as soon as updates become available. Otherwise, you begin appearing on the radar of multiple attackers who are constantly scanning for unpatched systems.
This report will take less than 15 minutes of your time to review.
Great Cyber Hygiene
Again, these are some of the most useful practices you can put into place at home and at work to greatly reduce the risk of cyber-attacks from inside and outside. And you can get these things started quickly.
Cyber Risk Opportunities helps middle market companies practice great cyber hygiene by prioritizing and reducing your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.
Get in touch today to learn more and take advantage of a free 30-minute Q&A session with one of our cyber risk experts. Call 253-332-7867, or email us at firstname.lastname@example.org.