The IT Security Superhero's Guide to Good Cyber Hygiene

By Eric Henderson

“Move along folks, nothing to see here!” is what I imagine stressed-out IT security crusaders worldwide murmur every night in their sleep, especially after spending yet another day protecting their organizations from the hundreds of thousands of cyber criminals and villains who use their arsenals of malware and attack techniques to wreak havoc on core systems and hold hostage sensitive information like intellectual property, personally identifiable information, protected health information, financial data and trade secrets.

Mix in some job fatigue and it would be difficult to blame these hardworking superheroes for becoming distracted from maintaining good cyber hygiene: the fundamental principles and practices that provide a solid foundation of security for any organization. While it alone does not guarantee any organization Luke Cage-like bulletproof protection, cyber hygiene remains effective at warding off risks from even some of the most common and sophisticated internal and external adversaries.

Schneider Downs believes basic cyber hygiene is so critical that its absence could undermine existing security programs and even sophisticated cyber defense technologies. While there is no magic spell available to banish cyber threats into a dark dimension forever, the following Schneider Downs “Security Superhero” checklist features kryptonite-like quality tips for weakening cyber criminals’ attack strategies and keeping your organization safe in the ongoing cyberspace battle between good and evil:

#1: Deploy robust endpoint security like antivirus software, encryption, data loss prevention tools, application whitelisting and other security safeguards on all computer systems.

#2: Conduct cybersecurity education and awareness activities (e.g., phishing simulations) that promote proper employee behavior.

#3: Limit the number of users with administrative privileges, and maintain appropriate system access that’s commensurate with job duties.

#4: Enforce use of multifactor authentication, complex passwords and/or passphrases, especially on corporate email and key systems.

#5: Maintain a regular patching schedule for applications and infrastructure assets, such as servers and databases, to maintain functionality and safeguard against malware attacks.

#6: Implement and test procedures that regularly back up and routinely recover data.

#7: Test periodically for exploitable vulnerabilities and unauthorized software installed on your network.

#8: Identify and manage risks associated with third-party suppliers and external dependencies.

#9: Build and maintain an inventory of key assets like hardware and software.

#10: Establish an incident response plan to detect and react to security incidents such that damage to the organization and time to recover business operations are limited.

#11: Secure personal mobile devices by enabling a passcode or fingerprint lock, engaging encryption, and/or keeping operating system and mobile app versions current.


© 2018 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
