
Help Me With HIPAA Ep 301 “What is Basic Cyber Hygiene”

 April 23, 2021

By  Anton Kiorolgo

[04:19] Personal hygiene is how you care for your body. If you take a bath, wash your hands, brush your teeth, wear deodorant, etc., your body is usually healthier, you feel better, and the rest of the world sees that you take care of yourself. On the other hand, poor personal hygiene often leads to assumptions that you have some issues because of an inability or unwillingness to care for yourself. There must be a reason for not taking care of yourself.

Just as personal hygiene matters, so does cyber hygiene. If you don’t take care of your network and devices – if they look like there are no doors on them, the windows are open and hanging off the hinges, the paint is dull and peeling, and everything is covered in thick dust – cyber criminals take notice and see you as an easy target.

What do we consider the basic requirements of solid cyber hygiene?

[13:54] The body your cyber hygiene cares for is your information systems and network. Different parts of the cyber body are cared for by different people in the organization. But at some level, each individual is still responsible for some of the hygiene of the cyber body.

For managers

[14:35] First, you need to know what you have to protect. Define your valuable information assets. Even if, at first, you don’t think it is valuable, ask these three questions:

  1. What if everyone sees it?
  2. What if I can never trust that this information is correct?
  3. What if it is lost and you can never get to it again?

Next, know where those things you need to protect live and breathe. Create an inventory of all of your equipment and software that supports access to your valuable assets. Understand the impact of attacks against your valuable systems and data. And put plans in place to prevent things from going wrong with your ability to protect what matters.

Does this all sound familiar? Maybe, like a risk analysis?

Now, you need to train the workforce to understand what is valuable to the organization and when and how to report a potential problem they may discover. You need to plan to address things when there is a report of potential problems or violations. And, have a plan of action when things go wrong.

Protections

[21:50] So now that we’ve identified what needs to be protected, what are some of the ways we can protect the things we’ve identified? Well, how about:

  • Use advanced anti-virus applications
  • Patch your operating systems and applications
  • Monitor the systems and application logs
  • Remove unused devices and software
  • Have a password management system and use it effectively
  • Test your data restoration ability
  • Implement a framework (like HICP, NIST, etc.)
  • Limit administrative accounts to systems and applications
  • Documented, scheduled review processes – if you don’t document it, it didn’t happen; you can’t prove it. If you don’t schedule it, it won’t get done.

For individuals – and home networks

[39:30] Whether you are connecting to the office to work from home or even if you are not connecting to an office at your home, you still need to worry about cybersecurity. It’s everybody’s responsibility to actually take the time and interest to learn these things because it does impact all of us.

Get educated about cybersecurity at the Stop. Think. Connect. Toolkit. CISA has lots of good information for individuals on how to protect your information and home networks. They break it down by audience too, so there is information for children, teachers, parents, older Americans, young professionals, etc. They have information on online gaming systems, mobile banking, protecting yourself online, social media tips, phishing scams and much more. Oh, and understand that scams are more likely to look real than you think – doubt everything.
