According to the 2016 Verizon Data Breach Incident Report, the vast majority of cyberattacks were successful due to individual error. For example, 63 percent of breaches leveraged weak, default, or stolen passwords, and 12 percent of breaches involved clicking on a malicious link or attachment.
Left uninhibited, employees will behave how they choose when they are online: interacting with corrupted links and downloads, dispensing sensitive usernames and passwords, and connecting with strange people and networks with abandon. Often, because employees are not using their own devices and networks, they are less concerned about such risky practices. Unfortunately, this behavior seriously undermines any cybersecurity efforts, placing the entire organization at risk. IT departments typically remain at a loss for how to thwart such bad online habits and ensure security for the organizations and individuals, both. Yet, there is a simple answer that could save IT professionals time and heartache: cyber hygiene education.
What Is Cyber Hygiene?
Most small businesses have overarching cybersecurity plans that establish antivirus programs, firewalls, and other defenses to thwart cyberattacks. However, rarely do these plans consider individual behavior, which is why more than half of all cyberattacks aim for American small businesses. In addition to these cybersecurity measures, businesses need to consider cyber hygiene.
Cyber hygiene, also called security hygiene, is general behavior that keeps individuals (and businesses) safe from cyberattack. Unlike cybersecurity, which pertains to an organization’s largescale efforts, hygiene consists of an individual’s responsibilities and actions. For example, an IT department might build and monitor firewalls and intrusion detection systems, but if individual employees fail to generate strong passwords, install software updates, or run regular malware scans, then a business remains insecure.
Because an organization is comprised of individuals, hygiene should be considered the foundation of a business’s security strategy. Unfortunately, many small businesses fail to consider individual behavior and thus leave their networks and devices susceptible. IT and InfoSec professionals must bring awareness of cyber hygiene to all employees — and an awareness program is how.
Creating an Effective Awareness Program
Not every cyber hygiene training program works for every organization. Businesses tend to boast vastly different demographics of employees, which means IT and InfoSec professionals must consider their audience before developing an effective program. Some questions to research include:
- Who is the user population? Are they computer literate?
- What data does the user population need to access? For example, is the data classified, sensitive, or confidential?
- What systems does the user population use? For example, are the systems company-issued or BYOD? Are they managed or unmanaged?
- What is the user population’s risk profile? Are they already relatively secure?
- How does the user population prefer to learn? For example, should the program consist of casual meetings, at-home readings, or mandatory, rigid classes?
IT departments might consider communicating with their user populations for feedback while developing the program to ensure the information and methods are perfectly tailored to the organization’s needs and wants. Still, IT professionals should avoid excluding any vital security hygiene lessons, even if they seem elementary. Often, it is the most basic secure behaviors that individuals overlook for the sake of convenience. At the very least, cyber hygiene programs should include thorough education on:
- Passwords. Employees should know the elements of strong passwords including length, diversity, and privacy. There should be reminders in place to ensure employees change their passwords at regular intervals.
- Encryption. The best encryption services don’t hinder activity, but if an organization relies on employees to encrypt their data, employees must understand why it is necessary and how to make the process hassle-free.
- Updates and patches. Medium and large businesses typically have IT departments manage software updates, but smaller organizations and those with BYOD policies might rely on employees to do this work. Hygiene programs will explain why updates are absolutely necessary.
- Back-ups. As with updates and patches, not all organizations need employees to remember to back up data. However, those that don’t have IT professionals managing back-ups must include this important issue in their hygiene lessons.
- Administrative accounts. Even in startups and small businesses, it is wise to enact tiered access. Hygiene programs should explain why some employees have access to different data or programs and why it is vital to maintain those divisions.
Cyber hygiene isn’t a one-and-done action; like cybersecurity, it is an effort that never ends. IT professionals should continue to remind employees about their cyber hygiene responsibilities at regular intervals after the initial training, and there should be penalties for individuals who fail to adhere to standards and established policies.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.