Cyber hygiene – or boosting cyber resilience – by ensuring an organisation’s security fundamentals are in order, is a modern take on the old adage that prevention is better than cure.
A spate of recent high-profile Australian cyber breaches has forced every organisation to re-evaluate its cyber posture. For example, the Australian Cyber Security Centre received 447 ransomware reports in 2021/22, down slightly from the highs of the pandemic, but the ACSC still assesses ransomware as the “most destructive cybercrime threat”.
Ransomware incidents cost the Australian economy as much as $2.59 billion annually, with organisations reportedly paying on average $250,000 per incident, according to a parliamentary report. Added to this is the cost of the significant long-term reputational damage that comes from making headlines for all the wrong reasons, yet another reason for Australian organisations to boost their cyber resilience.
When it comes to mitigating the risk of such attacks, cyber hygiene refers to the practices adopted to maintain the safety and security of systems in an online environment. Such preventative methods are an essential aspect of any cyber security strategy, says Fabio Fratucello, Field CTO International at cyber security provider CrowdStrike.
While cyber hygiene and cyber security are similar concepts, their scope and focus differ, according to CrowdStrike. Cyber hygiene focuses on preventative methods for system health and security, whereas cyber security encompasses a holistic strategy for preventing, detecting and recovering from cyber-attacks.
“Cyber hygiene has become an essential part of the cyber security practice to protect against the constantly evolving spectrum of cyber threats,” Fratucello says.
“It is a critical component of a well-thought-out cybersecurity strategy, as it can reduce risks, promote customer trust, reduce cost and downtime, inhibit unwanted access to systems and reduce the likelihood of data breaches.”
Key elements of a robust cyber hygiene regime include password management, email security, software updates, and antivirus and firewall protection, according to CrowdStrike. They involve a combination of best practices, technological countermeasures and cyber security awareness training to ensure employees are not the weak link in the chain.
Many organisations underestimate the importance of fundamental cyber hygiene, even though it can thwart more than half of the cyber threats they face each day, says Fred Thiele, group CISO of Australian IT services provider Interactive.
As the partner of choice for regulated industries, Interactive’s hyper-specialised cyber expertise – delivered by the recently acquired Slipstream Cyber – includes Active Defence, Digital Forensics and Incident Response, Consulting and Assurance services.
One of the key misconceptions is that cyber hygiene is a one-off, siloed project rather than an ongoing, business-wide effort, Thiele says.
“The fundamental nature of any hygiene initiative, whether it’s washing your hands or ensuring that you don’t click on malicious links, is that in order to be effective it must become a deeply ingrained habit,” says Thiele. “Sometimes this is misunderstood at the board level.”
“Cyber hygiene isn’t a project to be completed or an item to tick off your list; it needs to be woven into the fabric of your organisation, so it becomes second nature for everyone. It’s not hard, but it is complex with a lot of moving parts, so you need to approach it strategically to ensure you don’t spread yourself too thin.”
While protecting the organisation from a wide range of threats, effective cyber hygiene also ensures that IT and security teams spend less time putting out fires, giving them more time to focus on higher-value tasks.
One challenge of cyber hygiene is that organisations can struggle to take a step back and fully assess their exposure when it comes to vulnerability management and asset management. Another is that organisations often lack the embedded expertise to manage and maintain ongoing cyber hygiene efforts. This is where partnering with a cyber security specialist becomes key, says Thiele.
“It’s not just about deploying technology; it’s about fundamentally changing the way your business operates,” Thiele says. “Successfully managing that kind of change takes far more than technical skills, which is where many organisations can find themselves in need of help from a trusted partner like Interactive.”
Technological defences are not a silver bullet when it comes to cyber security. Instead, strengthening an organisation’s security posture requires a combination of technology, people and process, he says.
Organisations often underestimate the human element of cyber hygiene, Thiele says, such as awareness training to ensure that staff don’t click on malicious links, hand over sensitive information or fall for social engineering tricks like bogus password reset requests.
“A key part of cyber hygiene is ensuring that your frontline staff, whatever their role, understand that they are also the organisation’s first line of defence and their actions have significant consequences,” he says.
“You can invest in a wide range of technical controls, but threats can still slip past your defences if your people aren’t properly trained and fully aware that everyone needs to do their part when it comes to cyber security.”