Podcast 🎧: What is cyber hygiene?
In times of COVID-19, cyber hygiene has become particularly important. Being more cyber aware and practising healthy cyber hygiene is what will ultimately help you maintain business or administrative continuity when you need it. In this blog post and podcast, our senior cybersecurity expert Merle Maigre shares cyber hygiene best practices from France, Estonia and the UK that are useful for every Internet user and organization.
Cyber security can be provided at three levels – national, organizational and individual. The National Cyber Security Index can be helpful as a comprehensive tool for developing and measuring cyber security for a country as a whole. Several international standards and guidelines exist for developing the cyber security of a single organization. However, we also need some technological literacy at the individual level. Indeed, we all need it if we want not only to function in a digitized society but also to make sure we do not create risks to it by our behavior. At the e-Governance Academy, we call that cyber hygiene.
Cyber hygiene focuses on people and their personal practices of maintaining and improving their online security. These practices are often part of a routine to ensure the safety of identity and other details that can be stolen or corrupted. But naturally, if all individuals of a given organization practice responsible cyber hygiene behavior, the health of the whole organization improves, too. Thus, individual and organizational cyber security are interlinked.
By adopting cyber hygiene best practices, organizations are better able to take ownership of their systems’ cybersecurity, giving every individual a part to play in protecting their network from hackers. Yaacob Ibrahim, Singapore’s former Minister of Communication and Information, said, “We need individuals to practice good cyber hygiene and safe surfing habits at work and at home, and we need all organizations to take ownership of your systems’ cyber security and play your part.” Being more cyber aware and practicing healthy cyber hygiene is what will ultimately help you maintain business or administrative continuity when you need it.
COVID-19 emphasizes the need for cyber hygiene
Cyber hygiene can be compared to personal hygiene. Much like an individual engages in certain personal hygiene practices to maintain good health and well-being, cyber hygiene practices can keep your data and devices safe and well-protected. In turn, this aids in maintaining properly functioning devices by protecting them from outside attack.
In times of COVID-19, personal cyber hygiene becomes particularly important. The recent ENISA Threat Landscape Report outlined how the years 2019 and 2020 brought significant changes in the cyber threat landscape. Above all, this is about the unique set of forces released by the coronavirus. The COVID-19 pandemic has forced large-scale adoption of technology for purposes such as the coordination of health services, the international response to the spread of pandemics, teleworking, teleconferencing, distance learning, interpersonal communication, control of lockdown measures, and many others. Working from home has given rise to new threat vectors, such as employees’ remote access through the public Internet, cloud services, unsecured video streaming services and mobile devices and apps.
What are the best practices for cyber hygiene?
Enforcing comprehensive cyber hygiene procedures is a must for today’s organizations. Thus, organizations should make sure that their employees know the basic rules of cyber hygiene well at the individual level. To support private enterprises in this task, some governments have published comprehensive guidelines for them. For example, the French Agence nationale de la sécurité des systèmes d’information (ANSSI) produced 40 Essential Measures for a Healthy Network, and many of these measures may be referred to as “basic rules of cyber hygiene”.
In Estonia, the National Information Systems Authority (RIA) has cooperated with the private sector and launched a digital learning platform for improving the cyber hygiene of Estonian public officials. The digital cyber hygiene test provides risk profiles at the user, organization and state level. This allows more precise risk management, with attention devoted to specific weaknesses. After the outbreak of COVID-19, CybExer Technologies decided to contribute to making life online safer and opened its online cyber hygiene course to a wider public. In this online course, everybody can test and improve their cyber hygiene skills. At the end of each individual session, users receive a profile indicating the level of risk in different areas of cyber hygiene.
The UK National Cyber Security Centre (NCSC) developed the UK Small Business Cyber Guide to identify the basic technical controls required to defeat the vast majority (estimated to be around 80%) of cyberattacks detected by the national security agencies. As a way to start cyber hygiene for an organisation, it recommends creating a cyber hygiene policy to be followed by all who have access to the network and the company’s information systems. Here are typical items that should be included in it:
- Password Changes: Complex passwords changed regularly can prevent many malicious activities and protect cyber security.
- Software Updates: Updating the software you use, or perhaps getting better versions, should be a part of your regular hygiene review.
- Hardware Updates: Older computers and smartphones may need to be updated to maintain performance and prevent issues.
- Manage New Installs: Every new install should be done properly and documented to keep an updated inventory of all hardware and software.
- Limit Users: Only those who need admin-level access to programs should have access. Other users should have limited capabilities.
- Back Up Data: All data should be backed up to a secondary source (e.g. hard drive, cloud storage). This will ensure its safety in the event of a breach or malfunction.
Once the policy is created, the routine for each item should be set to appropriate timeframes. For instance, changing passwords every 30 days or checking for updates at least once per week could be put in place.
People as the “weakest” or “most important” link?
Cyber hygiene places focus on the human dimension of cyber security. Both public and private organizations have to ensure staff are educated in good computing practices and know how to spot threats and real-life cyber security problems.
When educating employees, it is useful to keep in mind some things that help people acquire better cyber hygiene:
- When raising awareness, don’t tick boxes, but try to understand what makes people tick.
- Optimism makes people try harder. Engage with positivity.
- Don’t scare them into safer behavior. We need to overcome our habit of trying to scare people into action. Spread empowerment, not fear.
- Highlight the rewards that come with reaching our goals.
Cyber hygiene in schools
When we talk about cyber security, the focus is usually on technological and institutional aspects, and on the laws and regulations prioritizing the critical infrastructure of government and businesses. At the same time, there are vulnerable groups in society, including children and teachers, who often lack the necessary support.
Specific risks that should be taught at school include:
- Online safety
- Cyberbullying prevention
- Sexual violence prevention
- Prevention of internet and gaming addiction
- Encouragement of help seeking
It is important to educate young citizens who cannot be manipulated, who can detect when someone attempts it, and who can deal with digital crime or difficulties. At the same time, they should preserve good attitudes towards technology, be enthusiastic about present and future developments and maintain trust in authorities.