No matter which compliance framework your organization follows (e.g., NIST, ISO SOC, HIPPA, PCI DSS, HITRUST CSF, COBIT), cybersecurity compliance seems more like a child learning to clean their room. The child (organization) knows what their parent (framework) wants and sprints to get the job done (compliance), and rest, until the next time their parent demands the job be done. The issue is what happens between each time the child is forced to clean their room. Dr. Vinton G. Cerf coined the term "cyber hygiene" in a statement to the United States Congress Joint Economic Committee on February 23rd, 2000. Dr. Cerf explained that for good personal hygiene to keep a person healthy, they must start and continue healthy practices to maintain it. If a person doesn't regularly maintain or implement healthy practices, they will develop poor hygiene. Poor hygiene can lead to becoming unhealthy or sick—or in the case of cybersecurity, falling victim to an attack.
Customer demands or technical issues may force software developers to incur technical debt or expedite delivery over zero-bug code; poor cyber hygiene often is incurred the same way, over time. It is not common for a child's clean room to become an unruly disaster in a day, and the same is true of cybersecurity. Poor cyber hygiene is the lack of routine or regimented good cybersecurity practices. Examples differ between organizations and businesses/missions, but common examples are poor documentation, inefficient patch management, inefficient vulnerability management, and lack of improvement to security configurations, all of which lead to increases in system risk. Often, poor documentation is the first sign of poor cyber hygiene. All poor hygiene with prolonged neglect leads to exponential growth in consequences.
As the child continues to neglect their laundry, the pile continues to grow, and the growth could exceed current solution capabilities. That is to say, the household washer and dryer are not up to the task of properly cleaning the backlog of laundry growing in the child's room in one cycle, and improper use of the washer and dryer by putting too many items in one cycle leads to poor results. The clothing may still be dirty, requiring rework and more resources (i.e., more water, more detergent, rewashing time). When neglected, cybersecurity often falls into a similar cycle and the solution to fix the backlog of issues becomes more expensive. Expenses extend to one or all three project management resources: schedule, money, and quality. This could also result in forced acceptance of cybersecurity related technical debt, which often leads to compliance findings at best and system compromise at worst. Compliance findings must be documented, tracked, reported, and audited from a compliance point of view. Technical implementation, testing, and deployment each have their own resource cost and combined are more expensive in the long run. A compromised system could lead to loss of a customer, removal of authorization to operate, or organizational changes.
Good cyber hygiene is having the proper policies and procedures. To be clear on terms, "policies" are the documents that mandate who, what, when, and why a specific task must be accomplished. This helps define expectations as well as document compliance. "Procedures" are the "Read a step, do a step" documents, which ensures a level of quality and predicted outcome. An organization's policy must define certain key elements: Who are the stakeholders? What needs to be accomplished? What is the frequency of execution? And finally, why is the task done? For example, take vulnerability management, a critical element of an organization's cybersecurity and risk posture. Organizations often conduct vulnerability management in a reactive method, meaning they use scanning or other identification methods to dictate when a patch needs to be incorporated into a product. By creating a policy clearly outlining the stakeholders (e.g., system owner, cybersecurity, administrators, developers, and users/endpoints) and what is patchable (e.g., firmware, operating systems, installed software, and software dependencies), which results in a risk-based cadence that balances operations with security, an organization may move from reactive vulnerability management to proactive vulnerability management. The "why" is required to get stakeholder buy-in and allow for competing needs to be addressed in a holistic approach.
In our metaphor, the child can practice good hygiene by establishing a cadence for doing their laundry by creating an internal or informal policy. The child would identify the stakeholders (themselves and their care providers), the "what" in required resources (laundry machines, laundry basket, and laundry detergent), and the "why" (avoiding negative consequences; e.g., running out of clean clothing, getting grounded). Once the child builds a laundry policy, the focus shifts to execution via procedures. This will ensure they follow the process and achieve the predicted outcome. This could be as simple as "Put dirty laundry in the laundry basket by Saturday morning," or as complex as how to operate the washer, dryer, and fold and put away clean clothing.
Good cyber hygiene differs from organization to organization. The key is to identify what your organization needs and create the policies and procedures to execute, ensuring accountability and completeness are maintained. Specific tasks will change as the operating environment changes and new technologies and automation are incorporated, but the continued focus on maintaining good cyber hygiene is a practice that should continuously evolve with the organization.
Organizations all have some level of cyber hygiene; you just might not call it that. Your policies and procedures are your cyber hygiene implementations. Gone are the days of using global and inaccurate reasons to not focus on cybersecurity, like "We are air-gapped," "We have custom environments," or "We’re too small to be attacked." Now, every organization is responsible for actively planning, implementing, and evaluating cybersecurity practices to meet constantly evolving and increasingly sophisticated threats.
The steps needed to achieve strong cyber hygiene are:
Returning to our analogy of a child cleaning their room and developing good hygiene, the process remains the same (but more informal). The child would identify the requirements for having a clean room and identify gaps in process or execution. They would start with the low-hanging fruit and focus on building a regimen of habits to continuously improve the state of their room.
VMD has a history of providing customers with holistic cyber hygiene programs in both direct support and through Government customers. Our team can quickly identify the status of an organization's cyber hygiene and report on gaps and provide proven, vetted, and authorized policies and procedures. We leverage existing tools and products to maximize return on investment. For example, for one of our Government customers, VMD implemented a Microsoft Teams workflow leveraging Power Automate to manage the request for Privileged Account Access. This reduced the organization's Personal Identifiable Information (PII) and Sensitive/Classified data spills to 0% (and replaced the previous solution of e-mailing sensitive documents), all while providing a more efficient process for account requests and automating the creation of records, documentation, and artifacts as code for both reporting and compliance use. Contact VMD at vmdsolutions@vmdcorp.com to learn how we can help your organization achieve good cyber hygiene.
John Pfister, VMD's Director of Cybersecurity Solutions, helps explain compliance concepts with a focus on fortified protections. John subscribes to Malcolm Gladwell's 10,000 hour rule for expertise, bringing more than 10,000 hours of practice in the fields of System Administration, Security Engineering, and System Architecture, providing a unique multi-perspective of cybersecurity problems and solutions.