Cyber Hygiene

by Black Hat Middle East and Africa

CYBER HYGIENE - HOW TO DO IT RIGHT

Cyber hygiene is like personal hygiene: it only works if you do it regularly, and it determines your organisation's overall IT security health. Cybersecurity hygiene is the set of routine procedures that keep sensitive data secure and protect it from theft or cyberattack. According to Cybersecurity Ventures, the cost of cybercrime is expected to reach $10.5 trillion annually by 2025. With this in mind, preventing data breaches and cyberattacks is more critical than ever, and the way to do it properly is to follow cyber hygiene best practices and widely recognised frameworks.

CYBER HYGIENE BEST PRACTICES

Is your business doing everything it can to ward off cyberattacks? If not, adopt the common cyber hygiene best practices below to limit your exposure. Each one is a recurring activity, not a one-off project:

  1. Audit your company's security technology regularly to check that the malware protections and spam filters you rely on are present, current, and actually enforced.
  2. Give new employees thorough security awareness training, and keep all employees up to date on relevant topics (phishing, password handling, reporting suspicious activity) to safeguard the human factor.
  3. Engage an ethical hacker or IT security expert to find weak points, for example through internal and external penetration testing.
  4. Perform internal risk audits and have the results reviewed by an independent third party.
  5. Invest in cyber risk insurance covering both first-party losses (your own downtime and recovery) and third-party liability (claims from customers and partners).
  6. Patch and update your systems regularly to close known vulnerabilities. This includes servers, workstations, network equipment, and IoT devices, which are often forgotten.
  7. Maintain and rehearse an incident response plan so that you can recover from a breach or ransomware attack with minimal business disruption.

CYBERSECURITY FRAMEWORKS TO CONSIDER

While cyber hygiene best practices are separate procedures that you can adopt one at a time, a cybersecurity framework gives you the full package and helps you establish credibility with customers, auditors, and regulators. The most widely used are the NIST Cybersecurity Framework, the ISO 27000 series, and the CIS Controls. Whether you want to assess your existing cyber hygiene practices or improve them, mapping your security practices to one of these frameworks will point you in the right direction.

NIST CYBERSECURITY FRAMEWORK

You can test the robustness of your cybersecurity hygiene against the NIST Cybersecurity Framework, which has become the de facto standard for assessing cybersecurity maturity. The National Institute of Standards and Technology (NIST) developed the framework (CSF) to protect critical infrastructure from cybersecurity threats that affect governments and businesses alike. CSF version 1.1 consists of five functions: Identify, Protect, Detect, Respond, and Recover. These are broken down into 23 categories and 108 subcategories, also known as desired outcomes, each with an identifier. For example: Protect (Function, PR) -> Identity Management, Authentication and Access Control (Category, PR.AC) -> Remote access is managed (Subcategory, PR.AC-3). Each subcategory is mapped to informative references in existing standards such as ISO/IEC 27001:2013, so a control you already operate for ISO 27001 can be credited against the CSF outcome it supports. Note that CSF 2.0, published in 2024, adds a sixth function, Govern, and renumbers some categories; the structure described here is that of version 1.1.

The NIST CSF also uses current and target profiles to help you reach your cybersecurity objectives. Your organisation first builds a current profile that records which subcategories it already achieves at an adequate level. IT leaders then build a target profile that describes the desired end state of the security programme. For most organisations the target profile need not cover the whole CSF; it should reflect the organisation's view of which outcomes are most crucial and impactful for achieving its business objectives. The difference between the two profiles is the gap analysis that drives the improvement roadmap.
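The following script, added here as an example and not part of the original article or any NIST tooling, shows the Function -> Category -> Subcategory hierarchy and the current-versus-target profile comparison in working code. Subcategory identifiers such as PR.AC-3 are the real CSF 1.1 identifiers, but the maturity scores (a 0 to 4 scale, where 0 means not implemented and 4 means fully implemented and measured) and the sample current and target profiles are constructed for illustration; the scale itself is an assumption, since the CSF does not prescribe one.

```python
"""Gap analysis between a NIST CSF current profile and a target profile.

Example code, not from the original article. Subcategory IDs follow
CSF 1.1 (e.g. PR.AC-3 = "Remote access is managed"); the 0-4 maturity
scale and the profile contents below are constructed sample data.
"""
from collections import defaultdict

# CSF 1.1 functions keyed by the prefix used in every subcategory ID.
FUNCTIONS = {
    "ID": "Identify",
    "PR": "Protect",
    "DE": "Detect",
    "RS": "Respond",
    "RC": "Recover",
}

MIN_SCORE, MAX_SCORE = 0, 4  # assumed maturity scale, not defined by NIST

# Constructed current profile: subcategory -> assessed maturity today.
CURRENT_PROFILE = {
    "ID.AM-1": 3,  # physical devices inventoried
    "ID.AM-2": 2,  # software platforms inventoried
    "PR.AC-1": 3,  # identities and credentials managed
    "PR.AC-3": 1,  # remote access managed
    "PR.AC-4": 2,  # least privilege enforced
    "DE.CM-1": 1,  # network monitored for anomalies
    "RS.RP-1": 0,  # response plan executed during an incident
    "RC.RP-1": 1,  # recovery plan executed during an incident
}

# Constructed target profile: the outcomes the business actually needs,
# deliberately not the whole CSF.
TARGET_PROFILE = {
    "ID.AM-1": 3, "ID.AM-2": 3,
    "PR.AC-1": 3, "PR.AC-3": 3, "PR.AC-4": 3,
    "DE.CM-1": 3,
    "RS.RP-1": 2,
    "RC.RP-1": 2,
}


def parse_subcategory(sub_id):
    """Split 'PR.AC-3' into (function, category, index) and validate it.

    Returns ("PR", "PR.AC", 3). Raises ValueError for malformed IDs so that
    typos in a profile spreadsheet are caught rather than silently scored.
    """
    category, sep, index = sub_id.partition("-")
    func, dot, cat_code = category.partition(".")
    if not (sep and dot and cat_code.isalpha() and index.isdigit()):
        raise ValueError(f"malformed subcategory id: {sub_id!r}")
    if func not in FUNCTIONS:
        raise ValueError(f"unknown function prefix in {sub_id!r}")
    return func, category, int(index)


def _check_score(sub_id, score):
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"{sub_id}: score {score} outside {MIN_SCORE}-{MAX_SCORE}")


def gap_report(current, target):
    """List every target subcategory not yet met, largest gap first.

    A subcategory present in the target but never assessed counts as 0:
    an unassessed outcome is an unmet one. Subcategories assessed but
    absent from the target are ignored, because the target profile, not
    the full CSF, defines scope.
    """
    gaps = []
    for sub_id, want in target.items():
        parse_subcategory(sub_id)
        have = current.get(sub_id, MIN_SCORE)
        _check_score(sub_id, want)
        _check_score(sub_id, have)
        if want > have:
            gaps.append((sub_id, have, want, want - have))
    # Biggest shortfall first; ties broken by ID for a stable report.
    gaps.sort(key=lambda g: (-g[3], g[0]))
    return gaps


def function_coverage(current, target):
    """Percentage of the target achieved, rolled up per CSF function.

    Scores above the target are capped at the target, so over-investment in
    one outcome cannot mask a shortfall in another within the same function.
    """
    totals = defaultdict(lambda: [0, 0])  # func -> [achieved, required]
    for sub_id, want in target.items():
        func, _, _ = parse_subcategory(sub_id)
        have = min(current.get(sub_id, MIN_SCORE), want)
        totals[func][0] += have
        totals[func][1] += want
    return {FUNCTIONS[f]: round(100 * a / r) for f, (a, r) in totals.items() if r}


if __name__ == "__main__":
    for name, pct in function_coverage(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{name:<8} {pct:>3}% of target")
    print("Priority gaps:")
    for sub_id, have, want, gap in gap_report(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"  {sub_id:<8} {have} -> {want}  (gap {gap})")
```

With the sample profiles the report shows Respond at 0% of target and PR.AC-3 (remote access), DE.CM-1 (network monitoring) and RS.RP-1 (response planning) as the three largest gaps, which is the prioritised list the profile comparison is meant to produce. In practice the two dictionaries would be loaded from the assessment spreadsheet rather than hard-coded.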

A CLOSER LOOK AT THE NIST CYBERSECURITY FRAMEWORK (CSF) FUNCTIONS:

Identify: Develop an organisational understanding of how to manage cybersecurity risk to systems, people, assets, data, and capabilities.

An organisation can concentrate and prioritise its efforts in line with its risk management strategy and business requirements by thoroughly understanding the business context, the resources supporting essential functions, and the associated cybersecurity risks.

The categories of this function are asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management.

Protect: Develop and implement the essential protective measures to guarantee the delivery of critical services.

This function of the NIST Cybersecurity Framework limits or contains the impact of a potential cybersecurity event. Its categories are identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.

Detect: Develop and implement the activities needed to identify the occurrence of a cybersecurity event.

The Detect function is what lets you discover an incident in time to act on it. Its categories are anomalies and events, security continuous monitoring, and detection processes.

Respond: Develop and implement the activities needed to take action regarding a detected cybersecurity incident.

The Respond function is what contains the impact of an incident. Its categories are response planning, communications, analysis, mitigation, and improvements.

Recover: Develop and implement the activities needed to maintain resilience plans and restore any capabilities or services that were impaired by a cybersecurity incident.

The Recover function helps organisations return to normal operations promptly and reduce the lasting impact of an attack. Its categories are recovery planning, improvements, and communications.

ISO 27000 SERIES

The ISO 27000 series is a flexible family of information security standards that can be applied in organisations of any size and industry. The central standards are ISO/IEC 27001 and 27002, which together describe how to build an information security management system (ISMS). ISO/IEC 27001 specifies the requirements for an ISMS and is the standard organisations are certified against; ISO/IEC 27002 is the companion code of practice that describes the security controls an ISMS can select. (ISO/IEC 27000 itself provides the overview and vocabulary for the series.) Holding an ISO 27001 certification shows that your company follows an internationally recognised standard and has mature, audited procedures in place.

Around 60 standards make up the ISO 27000 series, addressing a range of specific information security topics, for instance:

  • ISO/IEC 27018 covers protection of personal data (PII) in public cloud services
  • ISO/IEC 27031 covers ICT readiness for business continuity, including IT disaster recovery
  • ISO/IEC 27037 covers the identification, collection, acquisition, and preservation of digital evidence
  • ISO/IEC 27040 covers storage security

CIS CONTROLS

The Center for Internet Security (CIS) Critical Security Controls reduce cyber risk and increase the resilience of technical infrastructure by listing prioritised security and operational controls that can be implemented in any environment. The CIS Controls are published with mappings to other risk management frameworks (including the NIST CSF), so they can be used to address risks identified under those frameworks. They are a particularly valuable resource for IT departments without deep technical information security experience, because each control comes with concrete safeguards grouped into Implementation Groups by organisational size and capability.

The 18 controls in CIS Controls v8 include, for example:

  • Data protection
  • Inventory and control of enterprise assets
  • Malware defences
  • Audit log management
  • Penetration testing

THE WRAP-UP

The importance of cyber hygiene cannot be overstated. Robust cybersecurity practices protect your data, defend your business against ransomware and malware, reduce the cost of incidents, and keep operations running smoothly. Maintaining them is challenging in a constantly changing threat environment, but the right frameworks and standards give you a structure for doing so.

BLACKHAT & SAUDI VISION

Get ahead of threat actors at Black Hat MEA, where you’ll learn the ins and outs of the latest ethical hacking and penetration testing techniques. Join CISOs from front-page tech companies, elite ethical hackers, and 30,000+ visitors all under one roof at the global-scale cybersecurity event. Black Hat MEA supports Saudi Arabia’s 2030 Vision in creating a tech-enabled future by training people in cybersecurity to secure the Kingdom’s new projects from cyber threats.
