How improving ‘hygiene’ can reduce the risk of cyber attacks

Reducing the likelihood that attackers can successfully access networks, applications, and data requires ongoing vigilance and the use of sophisticated monitoring tools that can alert teams of potential intrusions.

Of course, the responsibility for achieving effective IT security extends well beyond the IT department and involves all staff within an organisation. However, The State of Cyber Resilience in Australia 2022 revealed that 33 per cent of respondents admit to bending the rules to get a job done. This includes using a non-approved browser (31 per cent), running traffic through a private VPN (29 per cent), and using unauthorised third-party software (22 per cent).

Each person needs to follow effective cyber security hygiene behaviours as part of their day-to-day activity.

Being ‘cyber hygienic’

The concept of good cyber hygiene relates to a range of behaviours that should be undertaken on a regular basis to reduce the chances of a successful cyber attack. It also covers an organisation’s cultural disposition to maintaining good security practices.

For individual staff members, there are a range of recommended steps that can help to achieve good cyber hygiene practices. These steps include setting up multi-factor authentication (MFA) for all online accounts and only using secure payment methods when shopping online.

Other steps include not opening attachments from unknown sources or clicking on suspicious links in emails. Individuals should also ensure that all their digital devices are password protected and software patches are installed as soon as they are released.

By following these basic guidelines consistently and making them a habit that comes naturally whenever operating online, individuals can significantly reduce their risk of suffering identity theft.

VIEW ALL

How IT teams can improve cyber hygiene

There are a range of steps that can also be undertaken by an organisation’s IT security team to improve their level of cyber hygiene. They include:

• Enforce use of complex passwords and MFA: multi-factor authentication and complex passwords make it significantly harder for criminals to use brute-force attacks to an organisation’s IT infrastructure. This is especially important at a time when many staff are continuing to work from home.
  
  
• Compile a list of all digital assets: if the security team does not have complete visibility into all your devices and all the elements on the network, it’s easy for vulnerabilities to occur without their knowledge. Maintain an up-to-date list of all components in use.
  
  
• Apply software patches: poor patch management is surprisingly common and can be extremely costly. All too often, organisations experience a successful attack which leverages a vulnerability that has been known for a long time, and for which a patch has been made available. Apply patches regularly.
  
  
• Control admin rights: It is vital to strictly limit who has admin-level privileges to critical systems. Privileges should be reviewed frequently and adjusted as people change roles or leave the organisation.
  
  
• Remove end-of-life systems: When hardware or software reaches end-of-life, it will no longer receive ongoing security patches or updates. This means these components should be required from the infrastructure and replaced as quickly as possible.
  
  
• Undertake regular data backups: Backing up data is one of the most important steps a security team can take. Create a schedule and follow it at all times.

Develop a hygiene culture

Even when all these steps are taken, there is still considerable responsibility resting on individual staff members to do the right thing. To achieve this, it’s important to create an organisational culture that recognises the importance of cyber hygiene and celebrates good habits and practices.

It requires a combination of leading by example, communicating expectations clearly, and maintaining a steady cadence of reminders that can drive universal buy-in.

Regular training sessions should be conducted to ensure all staff are aware of the risks that exist and the steps they can take to reduce their likelihood of falling victim. Understanding the important role they play when it comes to security is a vital part of the overall culture.

Indeed, The State of Cyber Resilience in Australia 2022 found that 61 per cent of those surveyed received three hours or less a year of training, and 14 per cent received no security awareness training at all in the last year.

To effectively educate users on cyber security hygiene, organisations should ideally provide around 30 minutes of security awareness training per month. This regular approach helps to build and maintain a cyber security culture in the workplace and turn employees into a line of defense.

Achieving strong security hygiene will deliver significant benefits for all organisations. Consider how your organisation can begin developing one today.