Often, conversations about cybersecurity tend to veer to the extremely technical. In fact, most of your employees probably don’t understand the actual mechanics behind keeping your company network safe from viruses, hackers, and other threats. They just know that IT “takes care of that stuff,” so they can focus on their own jobs.
And while most IT departments do an admirable job of mitigating threats to corporate networks, the simple fact that so many companies experience breaches, and that malware and viruses still make it through the defenses, indicates that something is going wrong when it comes to cybersecurity. In many cases, the issue is surprisingly simple: network users just aren’t practicing good cyber hygiene.
Cyber Hygiene Defined
What exactly is cyber hygiene? Industry organizations define cyber hygiene as a comprehensive way to protect and maintain IT systems and devices. In other words, it’s the simple things a company can do to keep its networks and data safe, such as password management, limiting the number of users with administrator privileges, and performing regular backups.
Much like you practice good hygiene by doing little things like brushing your teeth and washing your hands after using the bathroom to prevent illness (and spreading illness to others), practicing good cyber hygiene can keep your network healthy and prevent problems from spreading.
You might be thinking that stressing the importance of cyber hygiene is a no-brainer, and that reminding IT to do things like change passwords isn’t necessary. But consider the fact that many of the largest security breaches and virus epidemics in recent memory were caused by hackers taking advantage of vulnerabilities that could have been easily mitigated.
For instance, the recent WannaCry ransomware outbreak that infected hundreds of thousands of machines around the world was traced back to unpatched Windows operating systems. Machines that had been updated with recent security patches were unaffected by the ransomware; those that hadn’t been patched were locked down. The WannaCry incident is just one of many clear-cut cases in which good cyber hygiene could have prevented a serious incident.
Why These Things Don’t Happen — and What’s Being Done
The next obvious question is: if cyber hygiene is so simple, why isn’t it happening more often? The answer is varied and complex.
For starters, in many organizations, employees simply don’t have the security awareness necessary to fully protect themselves and their company’s assets against viruses and hackers. Regular, repetitive cybersecurity education is a key part of an effective security program, but research indicates that most companies don’t provide education and training to employees beyond initial onboarding.
Very few companies offer ongoing, or even annual, training related to cybersecurity and the role that individual employees play in keeping their company safe. The result is that many employees operate under the assumption that their corporate IT department has a handle on security, and that they don’t have to worry about it.
Another common reason for a lack of cyber hygiene is that many IT departments are focused on higher priorities and on thwarting more sophisticated threats. However, industry experts have noted that good cyber hygiene could prevent about 80 percent of security incidents, which would free up the time and resources your IT team needs to focus on those other priorities.
Finally, another factor in poor cyber hygiene is poor user experience. Users don’t want to jump through hoops to access the tools they need or the data they are looking for. They want to get things done quickly, without having to remember dozens of logins. When IT can’t find a balance between security and user experience, that’s when things begin to fall apart.
Users will find a way around security protocols or engage in risky behaviors, while IT develops ever more complex methods of securing vulnerable networks. A better approach is to develop a streamlined, user-friendly system that meets everyone’s needs; for example, a single login protected by multi-factor authentication is likely to be more secure, and used more consistently, than many different passwords.
Developing good cyber hygiene means outlining a set of standards, educating users on those standards, and providing the training and tools that make it easier to comply. (Even the government has gotten in on the act, with the proposed Promoting Good Cyber Hygiene Act, which would establish a baseline set of best practices to prevent security breaches.) When that happens, the likelihood of a breach goes down, and your network becomes safer and more secure.