Rooted in Security Basics: The Four Pillars of Cyber Hygiene

The term “cyber hygiene” pops up frequently in articles, blogs and discussions about cybersecurity. But what does it really mean? Some say it is an ill-defined set of practices for individuals to follow (or ignore). Others say it is a measure of an organization’s overall commitment to security. Still others – and I am among them – think of “cyber hygiene” as simple, readily available technologies and practices for cybersecurity.

Sponsorships Available

In reality, cyber hygiene is an overall approach to security within an organization. It includes people, tools, processes, procedures and reporting. Baselines, compliance, vulnerability management and log collection are four areas that are very important to cyber hygiene. Knowing what assets there are, how they are configured, what’s vulnerable, what’s changing, what’s failing, who’s doing what and having a log footprint to back it all up are some determining factors of having good cyber hygiene in place.

That being said, there’s good news and bad news. The good news is that organizations can use frameworks like the Center for Internet Security’s Critical Security Controls to fulfill these foundations of cyber hygiene. The bad news is that many organizations are currently not implementing these or other standards.

Indeed, in its survey of 306 IT security professionals for its State of Cyber Hygiene report, Tripwire found that nearly two-thirds of organizations didn’t use hardening benchmarks to establish a secure baseline. This neglect, in turn, negatively affects the quality of companies’ cyber hygiene in several respects:

• More than half (57%) of respondents to Tripwire’s report said it takes hours, weeks, months or longer to detect new devices connecting to the corporate network.
• 40% of organizations admitted that they don’t conduct vulnerability scans weekly or on a more frequent basis, and just half run more comprehensive scans.
• The majority (54%) of survey participants (Read more...)