When is it time for a cyber hygiene audit?
Cyber hygiene is crucial for keeping your organization safe by limiting security breaches, threats against your IT infrastructure, and more. Read on to learn more about what makes up cyber hygiene, and how to audit its effectiveness.
Effective cyber hygiene practises limit threats against your systems, devices, and users, preventing breaches that could compromise sensitive business logic, database information, and personal data. But cyber hygiene isn’t a static or one-off process. It requires routine execution and, occasionally, a full audit.
Cyber hygiene is an ongoing process. Think of it like defensive driving: actively adopting strategies to ensure safety on the roadways every time a driver gets behind the wheel. But a complete audit of an organisation’s cyber hygiene is something that should be undertaken only occasionally. The concept is similar to preventative maintenance for machinery, like changing the oil in your car every 3,000 miles.
This article will first examine some standard cyber hygiene concepts, technologies, and best practises. Then you’ll learn about the optimal approach for integrating cyber hygiene audits into your IT routine.
Putting cyber hygiene to the test
Cyber hygiene isn’t just one concept; it’s a collection of methods and technologies that protect different aspects of your systems and users.
While encryption uses a substantial amount of advanced mathematics, it’s conceptually very simple. Encryption involves running data through multiple algorithms to encode or scramble it. Since these algorithmic transformations tend to be complicated, it’s almost impossible to derive the key—which details the encryption method—without knowing the specific transformations. Conversely, if you know the algorithms used, you can derive a key that allows you to decrypt the data and return it to its original state.
Sensitive information like credit card numbers or health records can be encrypted before transmission. And in this case, the key can be sent to the receiver separately.
- Data stores can be encrypted so only users with a key can get meaningful access.
- Personal computers can be configured to encrypt anything the user saves and provide keys automatically to authorised viewers.
Another benefit of encryption is that it protects data both in transmission and at rest.
Processes for encryption are sometimes left to the individual, adapting the policy to fit unique situations. They can also be automated, taking individual initiative and human error out of the equation. Regardless of the path, encryption is a crucial part of cyber hygiene.
Your employees may not know (or always remember) your cyber hygiene policies, so documentation is necessary.
And beyond just writing it, documentation needs to be easily accessible and relevant to authorised employees when they need it. Curating documentation to support job-specific tasks, using natural language search, and training programmes are keys to making documentation usable.
Creating and supporting strong authentication and access methods is another key. Strong passwords are a mixture of alphabetical, numeric, and special characters using both upper and lower case. The key is to make passwords difficult to crack by a bad actor.
Additionally, users should be discouraged from using the same password multiple times. Because strong passwords are difficult to remember, applications such as password generators and vaults avoid non-compliance issues. They keep the users from writing down their access codes which, if the written passwords are not stored appropriately, can create a vulnerability.
Another authentication method is using multifactor authentication (MFA), such as sending a unique token to a physical device in possession of the user. This creates yet another layer of security.
Read more: Cybersecurity Basics: Authentication and Authorization
Bad actors are constantly looking for software vulnerabilities. Fortunately, software vendors are also reacting to discovered vulnerabilities and issuing revisions to their software. These revisions are called patches. And as the name implies, these patches “patch up” security flaws in the software.
It should be noted that within a complex IT environment with different versions of software in a multi-cloud or on-premise environment, tracking patches and ensuring that they are applied can become very complex. Fortunately, there are third-party solutions that can help you manage your patches with automation and validation.
Read more: Security 101: Cloud-Native Virtual Patching
Anti-malware, software, firewalls, and other protections are critical lines of defence.
A virus is a type of malware that, when introduced into the system, can replicate itself and replace code in the programme that disrupts the normal code. Ransomware and denial of service attacks are just two of many types of malwares.
Anti-malware software vendors are continually looking for new viruses and other malware as well as ways to prevent them from infecting the system. Having up-to-date anti-malware software and automatic scanning of incoming files is a critical cyber hygiene method.
Another form of security are firewalls. Firewalls are part of network security that monitors and scans incoming and outgoing traffic. It implements a rule set that either allows or blocks traffic. A firewall creates a filter between your private network and the public internet, providing another layer of cyber security.
Cyber hygiene must focus on developing, communicating, and maintaining correct cybersecurity habits. The IT environment is dynamic and threats to digital health evolve. Hygiene measures considered sufficient a few years ago are no longer enough, as bad actors evolve to out-manoeuvre security protocols. Therefore, cyber hygiene must also evolve to keep pace.
Moreover, cyber hygiene is the responsibility of all team members. Everyone from front-line customer service representatives to your CEO must pay attention to current policies, emerging threats, and evolving best practises.
Auditing your cyber hygiene
A major purpose of a cyber hygiene audit is to take an objective look at your organisation and determine where it needs improvement. The audit is designed to document both strengths and weaknesses in your cyber security processes and procedures. Maintaining awareness of your strengths helps ensure that they’ve remained optimal, while documenting your opportunities for improvement will enable you to monitor progress from one audit to the next.
Furthermore, your organisation’s employees should experience as little disruption as possible during an audit. When audits interfere with workflow, workers feel too inundated to pay them proper attention. As a result, they rush through the audit to return to their standard work. Therefore, when possible, audits should become part of an ongoing data collection process.
There are several ways to administer and measure encryption. How you do it depends on your policies.
Assume that you have a requirement that all data sources with Personal Confidential Information (PCI) need to be encrypted. This situation might lead you to automate the encryption of data on input. But what about when it’s transmitted? Are employees responsible for implementing PCI encryption for transit? Do you want to establish policies that scan and provide a trail for handling all PCI? You could periodically sample emails and other transmissions to document the proportion sent without proper handling. If warranted by the amount of PCI, you can implement end-to-end encryption software.
The effectiveness of documentation can be checked and reinforced by regular training and testing. Since many organisations require periodic online training and testing of security processes, monitoring the results of those tests can ensure adequate understanding of the documentation.
For example, training programmes can be designed with a pretest feature that lets the employees who are familiar with the material to test out some of the course materials. If your documentation is done well, this test will go smoothly. If not, your employees will let you know.
As documentation ages, programmes for reviewing its validity should also be part of the maintenance process.
Auditing passwords involves having a company-wide policy of strong passwords and a tool to audit passwords that cheques their adherence to the policy. Even more effective might be using a tool that automates the assignment of strong passwords and rotates these passwords periodically, taking the responsibility out of the hands of the team members.
With the increased use of multi-cloud, cloud, and hybrid environments, keeping track of where a particular software is running has become more difficult. Instances may be running in multiple versions in multiple environments. Finding the instances can be a considerable task, as can patch checking.
Fortunately, there are tools that automate the discovery of all software in an IT infrastructure. These tools evaluate, patch applications, and remediate them. The use and effectiveness of anti-malware and firewalls can be audited by scanning the installed software and ensuring that each instance is up to date. This scan should include all devices on the network.
If you haven’t done a hygiene audit (ever or in recent memory), it’s highly recommended to conduct one as soon as possible. When it comes to IT security, what you don’t know can indeed hurt you. Cyber hygiene audits should become part of your normal security processes. For example, you should have metrics that evaluate your firewall effectiveness and standards by which to review these metrics. If you find that you don’t have metrics or understanding of any of the areas mentioned in this article, that would be a good place to begin. If you have metrics but don’t have processes for their regular review, that is another place to start.
Cyber hygiene is everyone’s concern and responsibility. Security gaps are dangerous to the organisation in financial and reputation terms. TrendMicro provides a cyber security risk index that can help you assess your current risk level. A quick check on some of the metrics suggested above can also help you understand the warning signs. Making cyber hygiene and associated audits a continuous part of your organisational processes is key to discovering hot spots.
ConclusionCyber hygiene is a necessary part of maintaining IT security. Setting up processes and procedures within your organisation’s regular operating procedures is a good way to maintain cyber hygiene. Although the responsibilities may differ by position, everyone in the organisation plays a role.
An audit provides important information on where and where you need to improve. It also provides a baseline for measuring improvement and effectiveness. The key to success is using automation to integrate hygiene into routine processes, offloading the additional work where possible.
For information on cyber hygiene and areas where software can assist you, visit Trend Micro.