Stop spending, use cyber hygiene…
Gartner reports that average annual cybersecurity spend per employee has doubled, from $584 in 2012 to $1,178 in 2018. With increased spend you might infer that companies have newer more effective cybersecurity tools and are therefore safer, but we aren’t seeing that increased spend necessarily equals increased safety. Large scale data beaches are still happening, and the stakes are high with fines for these breaches costing some over half a billion. Simply throwing money (i.e. more cyber security tools) at the problem won’t solve it. Companies have created a fog of too many tools and a challenge of how they manage those tools to ensure they are configured and running properly. That’s where Cyber Hygiene can help.
The term Cyber Hygiene was first used by Vint Cerf in 2000, he referenced it as the “steps we know can be taken to improve security and resilience.” More recently the Center for Internet Security (CIS) and Council on CyberSecurity (CCS) launched a Cyber Hygiene Campaignand broke down those steps into the “5 top priorities.”
Count, Configure, Control, Patch, Repeat
- Count: Know what’s on your systems and what you need to protect
- Configure: Continuously manage systems using “known good” configurations
- Control: Know and limit who has administrative privileges of security settings
- Patch: Keep software and hardware up-to-date to protect against known vulnerabilities
- Repeat: Cybersecurity is an iterative process with no finality
A great place to get started is prioritizing what you are trying to protect and deciding how you will measure your success. Aligning to an industry recognized framework (such as NISTor CIS Critical Security Controls) will help guide you during both implementation and assessment. Once critical security controls have been implemented, which is no small task, adherence to your chosen framework(s) through Cyber Hygiene will ensure the health and effectiveness of your cybersecurity ecosystem. If you’re looking for ways to measure your success doing an audit assessment or penetration test will be helpful in showing the state of your environment at that given time. If you’re interested in continuous metrics and measuring, implementing a Cyber Hygiene monitoring tool, like Cyber Observer, will enable you to track your improvement and score cybersecurity in near real time.