Don’t let the ads fool you – there is no such thing as a quick fix. Say we want to lose 20 pounds. Can we pop a magic diet pill, drop the weight and keep it off long term? Unfortunately not. It takes constant effort. The same goes for cyber security. We can’t simply buy a shiny new service to permanently protect against online threats. Protecting our systems requires constant and systematic effort. That’s where cyber hygiene comes in.
Think of cyber hygiene as a set of small, repeatable actions and processes. The goal is to reduce the risk of a successful breach or attack. These basic security measures vary according to the organization and the industry. Before we begin, we should ask ourselves, “What dangers are there in our field?” A thorough risk assessment allows us to focus on the issues that matter and address those with a credible operational impact.
Once we have a clear understanding of our risks, the National Institute of Standards and Technology (NIST) recommends incorporating these practices into a voluntary cybersecurity framework. This list of best practices has three main components: the “Core,” a set of cybersecurity and risk management functions that complement existing processes; “Implementation Tiers,” which reflect our risk appetite, priorities and budget; and “Profiles,” an alignment of the previous two that points to opportunities for improvement. Together, these components are designed to help us identify, protect against, detect, respond to, and recover from attacks.
To be clear, implementing cyber hygiene is not an easy task, nor should it be. Integrating these practices into our work requires an up-front investment of money and time. However, it is important to remember that the NIST framework is a guideline. We don’t have to go it alone or do it all at once. If we don’t have strict compliance requirements, we can pick and choose the controls that work best for our needs. The goal is to build up our security measures and ultimately a stronger defense against future attacks. With a well-crafted strategy, managing and mitigating risks becomes second nature.
That does not mean we can be complacent about cyber hygiene. We must review and update our processes at least annually or whenever significant changes occur, such as new lines of business or product expansion. Whether we rely on internal staff or third-party help, we must be careful to balance usability and security. In other words, we need to take cyber hygiene measures without overloading our operations.
There’s no denying that technology marketing works. But we should ignore the ridiculous, buzz-worthy ads that try to convince us to buy yet another cybersecurity tool. As much as we want a one-size-fits-all solution to protecting ourselves from breaches or attacks, there simply isn’t one. Before we hit that buy button, we need to remember that cyber hygiene is the best strategy to mitigate our risks and manage our systems.
Editor’s Note: Christopher Wright is the founder and partner at Sullivan Wright Technologies, a firm that provides customized cybersecurity, IT and security compliance services. The opinions expressed are those of the author.