When we speak of cyber hygiene, we mean the set of habits adopted by organizations and individuals to protect their information systems from cyber attacks. While these best practices need to be adapted to each company's specific situation, there are several broad categories of actions that every company should take into account to reduce the risk of a successful cyber attack.
Create an inventory of all connected properties
The first point of cyber hygiene is to know what you own so you can protect it. Creating this inventory makes it easy to differentiate between devices that are part of our business and those, unknown to us, that are potential threats.
On the one hand, this inventory will consist of every device owned by the company, including computers, phones, servers, routers and connected objects. On the other hand, it will also need to inventory online hosted properties, cloud solutions, websites and online applications.
To be aware of incoming threats in this way, the inventory will need to be continually updated. This makes it much easier to monitor network activity.
Control access to said properties
Once you know what you own, you need to make sure that only the right people have access to it. Assigning appropriate rights to property (software, websites, servers, etc.) can prevent many types of attack. It's also good practice to have a system in place to revoke these rights and accesses when a position is changed or deleted.
Finally, controlling access also means keeping logs of connections and activities on company accounts. This helps identify suspicious activity and, in the event of an attack, locate the user accounts concerned.
Have a plan in case of attack
All measures cannot prevent an attack, and when one does occur, having planned the actions to be taken in advance can make the difference between thirty minutes of service paralysis and a ransom payment of half a million euros on pain of losing all your data.
The attack response plan tells all employees what to do when an attack is suspected, who to contact and through which channel. The better integrated it is, the faster your teams will be able to react.
Protect your data
One of the main targets of cyber attacks is your company's data. There are many ways of encrypting data, controlling access and regulating intrusions. Another important point is to regularly make a copy of this data and keep it offline.
Continuous monitoring of vulnerabilities
Vulnerabilities can appear in your information system on a daily basis. Software or machines that are out of date, or updates that introduce new vulnerabilities. Their degree of severity varies, and continuous monitoring is necessary to ensure their follow-up and mitigation.
Perform penetration tests regularly
Another way of ensuring that defenses are up to scratch is to use the services of pentesters, cyber actors who play the role of cyber attackers by identifying and exploiting weaknesses in a company's information system. In this way, they can provide critical information to improve the company's overall defenses. Similarly, setting up a Bug Bounty program can be an interesting alternative, with rewards based on results.
Make cyber hygiene part of your corporate culture
Cybersecurity is everyone's business. Cyber attackers rarely attack the machine of a company's top executive; they operate at a lower, less secure level and move in little by little, sometimes for months on end. Daniel Kelley, a former cybercriminal responsible for over £70 million of damage, has shared many thoughts on this subject on online forums. One of them is that if people all followed basic computer security precautions, he would never have been able to cause so much damage.
It is therefore vital to establish an awareness plan and ensure that employees are all aware of the risks and the need to maintain good cyber hygiene practices at all levels.
