5 Tips to Improve Your Cyber Hygiene

Many of us have heard of cyber hygiene. But what does it really mean? It is a catch-all phrase referring to a list of best practices that both you and your employees can take to safeguard the digital assets and intellectual property that you own. It’s often compared to personal hygiene, in which you take specific steps to protect yourself from getting sick.

Why is this important? Based on our own experience, we can see that the frequency and sophistication of cyber-attacks on organizations of all sizes are increasing exponentially. Research shows this as well: a study from HP found that there was a 238% increase in cyber-attacks over the pandemic. Even if you think "I will never fall for this, I won't click, they won't get me," it's likely that someone in your organization will if they haven't already. It's not a matter of IF but WHEN it will happen. Perpetrators have become very crafty, not only with how but also when to attack, reaching employees at their most vulnerable time, like on a Friday right before going home, or when someone is right about to leave on vacation, or at the end of a very long day.

To keep your employees and businesses safe, the following list of basic practices is recommended:

1) Make sure your passwords are robust
Passwords have always been a nemesis for people. Since we must create so many, our goal often becomes making sure they are easy to remember. However, that is a huge security risk because this is the one thing the cyber attacker will go after. You want passwords that are long and complex. True, these are very difficult to remember, but there is a solution. You can make use of what is known as a Password Manager. The key advantage of this software application is that it can create those complex passwords for you, remember them, and even reset them on a prescribed schedule set forth by a security policy. An example of an often-recommended Password Manager to use is LastPass. Bonus: turning on MFA will also go a long way toward improving your security and is strongly recommended. We are seeing many IT departments turn on MFA as a stepping stone towards phishing-resistant passwordless setups, but that is a topic for another day.

2) Making use of antivirus software
Although this may seem basic, many organizations still don't use antivirus software on their workstations and wireless devices. It is imperative that you have it and that it's deployed companywide. You can choose from several vendors, such as Norton, Microsoft, Bitdefender, McAfee, Webroot, and more. You must consider which one will work best for your security requirements. But the key thing to remember here is that you must update your antivirus package as soon as those updates become available. These updates often carry the definitions for the latest threat variants, which your device needs in order to recognize and thwart any malicious payloads.

3) The need for training
With a sizable percentage of the American workforce now remote or in some hybrid combination, the need for security awareness training is more critical than ever before. The fallacy in thinking here is often that training is a one-time deal. But it is not. Staying top of mind is critical. Your employees need to be constantly trained and updated on what is happening. Thus, it’s highly recommended you conduct such training once a quarter, at the minimum, and ideally, monthly. Equally important is that you want your employees to practice what they were taught. So, you want to keep these training sessions to a maximum of 30 minutes, and they need to be engaging through options such as using gamification, videos, and real-time quizzes. After this, you can even conduct a mock attack scenario to see how much your employees have learned. For example, you can launch a simulated phishing attack and see how many employees fall prey to it. Some recommended and well-liked vendors are KnowBe4 and Terranova.

4) Protection against device loss
Wireless devices are not only becoming more advanced, but they are getting smaller as well. Thus, the chances of your employee losing or even having one stolen are higher than before. To make sure that information and data do not fall into the wrong hands, it is imperative that you have a remote wipe functionality. Once this is activated, all content on that device will immediately be deleted.

5) Create backups
Creating backups is one of the oldest mantras repeated in the security world, but it is also one of the least practiced. You must keep a regular backup of all the datasets and digital assets vital to your company, such as client data, financial data, and health records. So, for example, if you were hit with ransomware, all you must do is restore everything from the backups you have created. The schedule for doing this is all dependent upon your security requirements. An essential tip here is to use a major cloud provider (such as AWS, Azure, or Google Cloud) for your backup needs.

Practice Makes Perfect
Just like keeping a regular patching schedule, maintaining cyber hygiene is not a one-time deal. You must practice it regularly as it will take time for everybody in your organization to develop a proactive mindset. But keep in mind, if you expect strong levels of cyber hygiene from your employees, it comes from the top down. So, if the CISO, for example, is practicing it, then your employees will follow suit.

Every company, large and small, must be proactive and diligent in their efforts to protect their clients’ data as well as their own. If you are less than 100% confident in your cybersecurity program, I would love to have a conversation with you. Please contact us at sales@sprucetech.com to learn more.