When I was little my mom would force me to wash my hands before dinner after coming in from playing with the chickens in the coop (yes, I grew up on a farm way up in Northern Michigan and was very prone to getting dirty).
I’d run to the sink, splash a little water on my dirty fingers and then head on into the kitchen for whatever mom was whipping up.
I put little effort in really getting clean, kind of negating the true reasons why Mom really wanted my hands washed before I joined my parents at the table for dinner.
As I grew up, I saw why hand washing was important, but really didn’t know how much washing was enough. It was not until I was told specifically that 20 seconds of hand washing was the magic number (I believe this is equivalent to two rounds of “Happy Birthday To You”) that I started forming a habit of 20-second hand washing before eating.
Why in the heck am I bringing up hand washing today?
I feel like simple habits are formed by making it easy to follow through with them. Just like hygienic habits such as hand washing, cybersecurity hygiene is something many of us have not matured in our habit-forming. We don’t have quantitative targets, and we have little understanding of even the behaviors involved in forming good habits.
While we might have our teams engaged in processes and continuous quality improvements involving a “plan, do, check, adjust” formula (I make my team do this quite often when evaluating and improving their processes in IT), we fail to do similar work to improve experiences with cybersecurity.
In cybersecurity, we come at security risks without a baseline to measure against. One of our nastiest little persistent problems is that many of us have a ton of data, but little understanding of it, or time to even digest it.
If we were to look at this data, much of it underscores our need to revert to the basics when it comes to security, principally hygienic routines.
Just as medicine had to learn to implement basic checklists and routines, like hand washing (to ensure patient safety), we as organizations need to have a diligent repetitive drum beat when it comes to making sure our team members are keeping data secure.
I completely understand that this is MUCH easier said than done, but as attacks grow exponentially, as they have over the past few years, reacting to alerts and potential breaches or incidents will become even less feasible than it is today.
We need to start evaluating what is important to us from a security standpoint and start tackling our security to-do list now rather than waiting for the aftermath of a breach.
What are some basics we can start implementing sooner than later?
Beware of common hacks: many exploits have been out in cyberspace for years at this point. BUT what many of us fail to realize is that most of the attacks hitting CPA firms, lawyers, healthcare organizations and credit unions rely on those same long-known vulnerabilities and exploits. Identifying your vulnerabilities when it comes to the ‘known’ and prioritizing ways to address those issues will make your organization tens of times more resilient to attacks.
Make Basic Hygiene A Weekly Thing: every week, spend just one hour on basic hygiene. By basic hygiene, you could focus on passwords, websites or phishing emails. Whatever seems to be the big risk that week, get your teams involved in understanding that their work hygiene and personal security hygiene go hand in hand. As they build critical foundational security practices that become ingrained in their habitual behavior, they will keep your organization and their families more secure from those trying to get in.
Make time for security: establish a routine for reviewing your vulnerabilities, identifying current attacks and making sure that patches are applied in your environment.
Budget for security—give your team the time and necessary resources needed to confront those vulnerabilities. One of the easiest ways to cost-effectively budget for cybersecurity is by relying on security experts that are focused on providing information about vulnerabilities and exploits—and evaluating the state of your network and team’s comprehension on how criminals are breaking in.
Celebrate wins: I’m sure several of your employees understand how to recognize a phish today. But will they still be able to tomorrow? Make a habit of keeping devices updated and security software running as it should, and the same goes for operating systems, applications, VPNs; the list goes on.
Document it all: your IT team might occasionally research and communicate threats to you. But most, if not all, IT teams are too busy to understand and chase down the security vulnerabilities that are popping up (some of which may be critical to your network security). Make sure your team has an audit trail that holds your IT group accountable for having done their due diligence in addressing those vulnerabilities. Establish a starting point and an end-point goal on a regular basis with that team to ensure that your security risks are being managed appropriately.
Build from those basics: as you mature in your habits and have everyone washing their hands (or pursuing the equivalent in cybersecurity, password security for instance), make sure to get your team interested in finding deeper ways to protect themselves and your sensitive data. Following through with a plan, do, check, adjust mentality is normally the best way to make your processes and technology more secure and to keep cyber hygiene a habit among your teams.