IT teams are taking a variety steps to make sure they are secure — investing in technology, training users to recognize phishing attacks and other social engineering incidents, and monitoring activity on their networks or networks of their clients.
But one of the biggest problems, one that cybersecurity experts are starting to see hands on, is a lack of cyber hygiene throughout IT teams and organizations as a whole.
Cyber hygiene is a relatively new idea encompassing the wholistic vulnerabilities of a user’s digital world. Depending on what the user does (how involved they are in technology and netted within the network infrastructure of their networks), he or she may need to be more vigilant on how they are using their computer and cleaning up breadcrumbs left by projects or changes within the network environment.
Think of your IT team like an expert surgical team. They are scrubbing every last inch of any exposed body part, making sure that most contacted parts are completely covered with sterile material. They’re making sure that the patient (whatever work they have) is also covered, cleaned and monitored. Anyone coming in and out of the surgical room follows a list of memorized steps to ensure hygiene levels are maintained. Nothing is left to chance.
If you were scheduled for a surgery, isn’t that your expectation?
Shouldn’t this be your expectation with your network and the vulnerabilities lurking on it?
Less than a week ago, a major managed IT services provider — Cognizant — announced that their network had been ransomed by the Maze ransomware. An IT company with hundreds of clients had exposed vulnerabilities leading to an attack on their network. Now the entire world knows about it — the story has whipped through dozens of headlines.
Last month, a hospital announced that its website was hacked, resulting in the release of almost five thousand records. Nearly 15,000 records of HIV-positive patients were released nearly 6 months ago. Even blood donors — a list of 180,000 was found on the Dark Web after a major data breach, compromise lives of people that had made a conscious effort to do something for good.
For as long as It professionals have sought to protect data — and their users or clients — they have invested time, money, energy and materials into making work safer. Yet no matter how impenetrable such a fortress they’ve built seems from the outside (perhaps after having one expensive penetration test), motivated attackers are inevitably finding ways to bypass those systems. If you build a 50-foot fence, your enemy will build a 50-foot ladder.
And with technology and the assets you are storing, hackers are finding new ways in daily. They are smart, motivated and driven to meet their business objectives (making money at your expense).
Perimeter security is part of cyber hygiene, but it’s really inadequate as a primary defense.
How can you conceive of a wall that will actually protect all of your data assets? When security experts mull this problem in their head, most often they have a hard time answering concretely. And even if they come up with solutions, most of the time every solution is different.
Cybersecurity is NOT a one-size-fits-all problem.
The reason for so many organizations are throwing money at cybersecurity tools and audits and still fall victim to ransomware attacks is they are treating their cybersecurity problem with tools that they purchase out of the box.
When I designed software in another lifetime, I always said to use an out of the box solution only if you have at least 80% of the functionality you need. The problem with cybersecurity is most of the time you don’t even know what you’re going to need until you really sit down and think about your environment, your clients, your team and your culture.
How can you simply slap a solution in place that will guarantee keeping you safe if you haven’t really defined you?
That’s where cyber hygiene becomes key.
Cyber hygiene — understanding your behaviors, your data, your technology and you culture — is the most comprehensive way of evaluating your network and making sure that your team and your tools are working in harmony towards a common goal of keeping your organization and your clients secure.
As I’ve begun my mission to secure a Million People this year, I have come across a lot of ways technicians, users and organization-wide practices open the door to vulnerabilities getting exploited by hackers.
Here are the top 5 reasons why vulnerabilities persist:
1. No visibility — as the number of devices, applications and data explodes, your ability to track and monitor everything and keep track of issues or vulnerabilities across your network becomes insurmountable. Rather than do anything about it, most IT teams and leadership teams ignore or fail to recognize their true risks.
Many of these organizations even take risk assessments, audits and evaluations or penetration tests of their network — all of which come back clean. Their visibility is point-in-time rather than on-going continuous alerting and deep diving. Their people may prepare for the annual assessment, but after a month or two, what’s the likelihood that policy, procedure or behavior revert back to bad habits or quick fixes?
IT teams are visibly tracked on the number of tickets closed or handled; not how secure they leave your network. Their jobs are not meant to be tied to security-related metrics.
2. Cloud Data VooDoo — do you know how your cloud vendors are storing your data? Is it really all secure? Where is it stored? Are they being held accountable to standards you enforce and monitor within your organization? As you rely more on vendors, trusting them to secure your client data, how can you be sure that they aren’t leaving honeypots — stores of information wide open for hackers to exploit? We’ve seen dozens of major data breaches result simply because cloud data wasn’t stored properly (even though owners of that data expected it to be).
3. Company devices for personal use — you might not think how often a user might get distracted and go somewhere on their laptop that might not be for company business. Maybe they only do this when they’re not on the clock. Whenever they are visiting personal email, social media, or other sites, they may be putting your organization and its data at risk.
But how easy is it for you to know where they go? And how often have you identified problems before they became bad habits? How many credentials are stored in browsers? How much personal data are your team members sharing on social media? There are huge areas of their digital life that you really have no control over or visibility into. How can you make sure your teams are adhering — willingly so — to cyber hygiene standards?
4. No knowledge of targeted attacks — all organizations today, large or small, are being attacked. Through phishing, through technology loopholes, through websites. There are too many possible holes to count. But how many of these attacks actually get back to your teams? Who shares the stories of what specific actions actually do to real live organizations?
Most of the time, these stories are digested by maybe one person on your team. No one takes the time to communicate in ways that others might understand. Very few learn what really needs to be done. So how can we incorporate stories into hygiene? As you get alerts to cyber hygiene behaviors that are risking your data and network security, wouldn’t you want to understand why? The ‘why’ is what’s missing in most training videos, most policies, procedures and practices today.
5. Weak password hygiene — I know that passwords have been a problem for decades. But upon evaluating most users — whether they are technically savvy or not — it seems like we’ve mostly stuck to bad habits when it comes to passwords.
You might say, “But we’ve got 2 Factor Authentication (2FA), but this isn’t good enough. When passwords are weak, you are limiting your 2FA back to one factor again!
When I assessed hundreds of networks and countless computers, you know what I see? 2FA working some of the time or 2FA not working at all — even when I was told that it was.
Bottom Line: all of our networks are more vulnerable than they should be. Even if we’re investing in technologies to keep our data and networks secure, we’re leaving holes large enough for hackers to come in.
Cyber hygiene is one of the easiest methodologies to implement, in that it fits every culture and is a practice that every skill level can understand. Instead of giving people overconfidence that technology is working, pointing fingers that the tech guy should be covering security in its entirety, wouldn’t it be easier to communicate and assess an organization based on cyber hygiene?
If your technicians were to move from computer to computer, touching every keyboard, wouldn’t you expect them to wash their hands? At the end of the day, think of all the germs they’ve picked up from touching a hundred machines! Wouldn’t you expect some sort of hygiene when workers used their computers?
On average, an organization builds up 2 vulnerabilities a week on their network. Can you imagine how many holes your organization may have to fill if it does nothing for an entire year?
And then when someone evaluates that network just once, what’s the likelihood that those vulnerabilities get missed? What if a penetration tester wasn’t even thinking about those vulnerabilities that day (what if a hacker is)?
One solution?
Cyber hygiene assessment- because my goal is to protect a million people, I’ve created a simple way to assess your computer — and computers of high value targets in your organization — to make sure you’re safe. For more information, visit our cyber hygiene assessment.
