VIEWPOINT: Good cyber hygiene is essential to your personal and business information

Early in the COVID-19 pandemic, sanitation and hygiene took center stage. We saw long and detailed news articles on proper handwashing techniques, accompanied by soap shortages across the country. With this still in our collective consciousness, it may feel strange to think about cyber hygiene, but it’s a vitally important concept for both businesses and individuals.

Cyber hygiene, also known as cybersecurity hygiene, is defined as a set of practices performed regularly to maintain the health of computer systems, devices, networks, and data. Like proper handwashing, cyber hygiene works best when it is practiced all the time.

Cyberthreats are increasing at a dizzying pace, and bad actors find ways to circumvent security protocols almost as fast as they can be developed. This can seem discouraging, but we all need to keep in mind that many tried and true steps are our best line of defense.

If I were forced to pick just one cyber-hygiene item to highlight, it would be multifactor authentication, or MFA for short. Every individual and business should enable MFA everywhere it is an option — as soon as possible. MFA is exactly what it sounds like — in order to access a system, program, or account, users must provide multiple authentication factors. An example of MFA is a login to an account that requires you to sign on using your username and password, but before you can access the data, you must provide a code that is sent to your mobile phone — a code that should never be shared with anyone, as that would allow for unauthorized access to any of your accounts.

In other words, cybercriminals would have to not only know your username and password, but they would also need to be in possession of your cell phone in order to get into your account. Although that scenario isn’t impossible, it is unlikely. This is why MFA is considered the gold standard in basic account security. The first thing you do after reading this article should be to investigate where across your digital profile you are able to activate MFA — and then do it.

For businesses, one of the biggest cybersecurity lapses we see is the sharing of usernames and passwords. This lapse is frequently paired with either a publicly displayed (post-it note on a monitor) or easily discovered (post-it note poorly hidden) disclosure of a username/password combination. This is horrible cyber hygiene and very risky behavior. 

Businesses large and small engage in these sorts of risky practices in the name of speed and efficiency. Small businesses, where employees are asked to wear many hats, are particularly vulnerable. Criminals are aware of this and will exploit it when and where they can. 

Every business should adopt what is known as “the principle of least privilege.” This is a formal way of saying that only those who need access to certain programs and systems should have that access. Do not spread access rights around to all employees. Assign specific roles to the people who need access — and enable MFA to ensure they can’t share that information with others.

It might seem time-consuming to assign separate usernames and passwords and require all employees to use MFA, but it is essential to shoring up your defenses. And it is increasingly required by business-insurance policies. Put another way, if you think setting up MFA is time-consuming, compare that to the headache of repairing a cyber breach — notifying customers, the potential for having your company’s data held hostage via a ransomware attack, the loss of public trust, and the need to overhaul your entire data network following an attack. If MFA can prevent any of that, it’s worth the additional few seconds it takes to activate and use.

Just like handwashing, taking the time to set up practices that keep your data safe is a good idea, and can protect the health of your systems. Once you are in the habit of using these best practices, they’ll feel routine rather than invasive — and they’ll help to keep your personal and business information out of the hands of cybercriminals.


Terra Carnrike-Granata is senior VP and senior director of information security at NBT Bank, where she designs and implements sophisticated controls to prevent loss and mitigate risk, while also developing innovative ways to educate consumers and businesses on cyberthreats.
