IT Operations

What Is Cyber Hygiene and Why Does It Matter?

Cyber hygiene is a set of habitual practices for ensuring the safe handling of critical data and for securing networks. It’s like personal hygiene, where you develop a routine of small, distinct activities to prevent or mitigate health problems. Cyber hygiene practices include the inventory of all endpoints connected to a network, vulnerabilities management, and the patching of software and applications.

As cyberattacks have increased around the world—interrupting businesses and government operations, and often leading to massive ransomware payouts and damaged corporate reputations—cyber hygiene has become a key method for creating operational resilience.

Consider the disruption caused by the COVID-19 pandemic, which created opportunities for criminal hackers through email phishing, supply chain attacks, and password and malware attacks that preyed on millions of remote workers’ devices. Already in the first half of 2021, the global ransomware attacks have hit 304.7 million, surpassing last year’s total of 304.6 million.

Tanium’s Cyber Hygiene Assessment: An actionable path to better endpoint management and security

In response, the White House has urged government and business leaders to protect themselves by implementing foundational cyber hygiene best practices, noting that it is their critical responsibility to protect against threats with a strengthening of our nation’s resilience against cyberattacks. That’s because cyber hygiene is one of the surest ways to improve any organization’s overall security posture and defend against threats now and in the future.

Why is cyber hygiene important?

Cyber hygiene helps prevent cybercriminals from breaching an organization’s network—or at least raises the opportunity cost, making it so hard that the criminal gives up and goes looking for another victim. It’s true that many of today’s attacks are increasingly sophisticated, relying on social engineering to get a victim to divulge sensitive information, targeting “whales” (high-level executives), or deploying malware in a supply chain that can then infect hundreds of others.


The fact is, most successful attacks are the result of routine lapses—failing to know what endpoints are connecting to your network, to consistently and rapidly monitor and deploy patch updates, to make the correct security configurations, and to rapidly identify and resolve breaches before they can harm core business operations. Cyberattackers take advantage of these missteps.

You can’t blame complacent or uninformed IT managers, administrators and security engineers. Rather, the failures are a product of the complexity and dynamism of modern IT environments.

The typical business network includes an array of computers, servers, databases, virtual machines, mobile devices, operating systems, applications, and tools, each of which is a potential attack vector. If these aren’t regularly and properly maintained, it can result in lost or misplaced data, unpatched software, outdated user privileges, and other issues. In this way, an environment grows more vulnerable over time and leaves you with multiple points of exposure.

[Read also: Cyber insurance isn’t your best protection against cyberattacks]

Cyber hygiene helps reduce those vulnerabilities by identifying risks and deploying mechanisms and strategies to reduce or resolve them. By practicing cyber hygiene, organizations strengthen their security posture and can more effectively defend themselves against devastating breaches.

How do you assess your cyber hygiene?

Cyber hygiene is assessed using a performance monitoring solution that scans your IT environment to discover your various assets and to identify vulnerabilities. The results are presented as a scorecard that quantifies the health of your IT estate. Vulnerabilities are given a severity level of “critical,” “high,” “medium,” or “low” based on the Common Vulnerability Scoring System (CVSS), an open industry standard for rating a computer system’s security vulnerability. 

These vulnerabilities can be sorted by asset criticality, so you can see which will have the most significant business impact. For example, an unpatched vulnerability on the CEO’s laptop would warrant more immediate attention than one on the intern’s.

Cyber hygiene helps prevent breaching a network—or makes it so hard that the criminal gives up and goes looking for other victims.

Cyber hygiene assessments help overcome two of the biggest obstacles to effective security: incomplete visibility into the IT environment and inadequate resources to respond to issues. 

Risk scoring surfaces the most critical vulnerabilities and prioritizes them. This allows IT teams to allocate their resources toward closing the most critical security gaps first before moving on to lower priority issues.

[Read also: Measuring what matters: aligning risk measurement with corporate goals and objectives]

Cyber hygiene assessments provide a roadmap for improving your cyber hygiene and to better manage and protect your IT environment. Performed continuously, cyber hygiene assessments help you understand your current security exposure and whether it’s getting better or worse.

What are the benefits of cyber hygiene?

Good cyber hygiene offers several benefits that ultimately put your organization in a better position to defend against cyberattacks. Specifically, it helps you:

  • Locate unmanaged assets: You can’t protect what you can’t see. That’s why an accurate inventory of all your assets is the foundation for strong cybersecurity. Good cyber hygiene practices allow you to maintain an up-to-date asset inventory, identify vulnerabilities associated with any particular asset, and quickly resolve security gaps.
  • Protect customer data: Cyber hygiene supports a range of proven security practices, such as patch management, password discipline, appropriate administrator privileges, and other measures that improve data protection.
  • Find outdated administrator privileges: It’s easy to lose track of administrative rights as people move from one role or department to another or leave the company. But high-level administrative controls pose a significant security risk, so it’s important to regularly audit who has administrative privileges and how often they’re used. Outdated or long-forgotten privileges need to be immediately updated or revoked.
  • Identify rogue software: Remote work has led many workers to install unsanctioned software on the devices and endpoints they use to connect to your network. That’s a problem. Chances are, that software hasn’t been properly configured, patched, updated, or secured, making it an attractive target for attackers. Cyber hygiene helps IT administrators gain visibility into all the software installed and used on their network so they can manage it or remove it.
  • Meet compliance requirements: By identifying and prioritizing security risks and empowering IT teams to quickly remediate them, cyber hygiene makes it easier to track and report your organization’s security status and ensures it’s always aligned with regulatory and compliance requirements.

What are the risks of poor cyber hygiene?

The results of poor cyber hygiene can cascade through your IT environment, resulting in multiple security vulnerabilities and potential attack vectors. Some of these include:

  • Data loss: If local hard drives and online storage aren’t regularly backed up and maintained, important data can be lost through hardware failure, data corruption, improper handling, or ransomware and theft. The last carries a particularly dire cost: According to the Ponemon Institute’s most recent Cost of a Data Breach Report, for 2020, the overall average cost of a ransomware breach is $4.44 million. And that was before the massive hacks on SolarWinds, Colonial Pipeline, and many other businesses.
  • Misplaced data: Data that aren’t organized in a proper file system are vulnerable to being misplaced, and the problem increases exponentially as the organization grows.
  • Software vulnerabilities: Poor patch management and old or out-of-date software are a common cause of breaches at organizations of all sizes. Software developers regularly release patches and updates to fix known vulnerabilities in their products, but if an organization doesn’t have a process for applying them on a timely basis, hackers can potentially exploit these applications to gain access to the network.
  • Malicious software: More than 350,000 new malicious programs are registered every day. If antivirus and other security products aren’t regularly updated to keep pace with this constantly changing landscape, hackers can use a range of malicious software to get inside the company network and set up more targeted attacks.
  • Inadequate vendor risk management: With today’s hybrid IT environments, focusing on your own security posture is not enough. You have to consider the potential security risks posed by third-party vendors and service providers that have access to your network and process your sensitive data. Failing to understand and manage the level of risk your vendors introduce can leave you further exposed to service disruptions and breaches.
  • Lack of compliance: The issues resulting from poor cyber hygiene can be compounded, leaving gaps in your compliance with PCI, DSS, HIPAA, or other regulatory frameworks.
  • Security breach: The worst outcome of poor cyber hygiene is a successful cyberbreach. Improper configuration management, poor vulnerabilities management, and weak security policies and threat response procedures can leave your organization exposed to data theft, business disruption, and massively expensive ransomware payouts. Ultimately, these can result in huge financial costs, a damaged reputation, and a loss of customer loyalty.

What are cyber hygiene best practices?

To protect and maintain your IT systems and devices, it’s important to implement cyber hygiene best practices. The following list isn’t exhaustive but provides a solid foundation to build upon.

  • Maintain an IT asset inventory: When a criminal attacker gets inside your network, they will look for your organization’s most valuable assets the same way a home burglar looks for cash and jewelry. It’s essential then to maintain an asset inventory to know what you have of value in order to know what to protect. For most organizations, anything considered “business critical” is a likely asset. Depending on the business, these may include corporate financial data, customer data and payment information, patents and copyrights, and proprietary source code. Locate and classify all the assets your organization has on-premises or in the cloud, where they’re kept, and who has access
    to them.
  • Maintain complex passwords: Complex passwords that are changed regularly are a strong first line of defense against an array of security threats. Regular users should have passwords of at least 10 characters (upper- and lower-case letters, numbers, and special characters) while administrative passwords should use a minimum of 15 characters and should be checked against existing dictionaries of commonly used passwords. Multifactor authentication, which requires the user to identify themselves with a second form of verification, such as a thumbprint or numerical code, adds an extra layer of security.
  • Regularly update software: Poor patch management is essentially an open-door policy for cybercriminals. Operating system and application patches must be applied regularly and promptly to mitigate the risk of malware breaching your network. A strong patch management system is one of the best defenses against data breaches and other security incidents.
  • Control admin privileges: As high-level administrative privileges pose one of the biggest security risks in any organization, it’s important to give admin-level access to programs and systems only to those who need it. Standard users should have more limited capabilities. They shouldn’t be allowed to install applications on their computers or mobile devices without administrative permission, for example.
  • Regularly back up data: Backup procedures should be performed on a regular schedule and verified to confirm their integrity. It’s also important to regularly test the restoration process to make sure it works correctly.
  • Manage end-of-life systems: End-of-life systems are computer hardware and software that are no longer supported with security patches and updates from their manufacturers or developers. These introduce great risk to the organization and should be promptly removed from use.
  • Implement an incident response plan: Businesses of all sizes should have an incident response plan in place to mitigate the damage and minimize the downtime from an attack. An attacker can compromise a machine and begin moving laterally through a network in just a few hours, so it’s essential to develop a rapid response protocol that reduces hacker dwell time and minimizes the exfiltration of data. Teams should test the effectiveness of the plan by periodically responding to simulated data breach incidents and evaluating how effectively and quickly they achieve their response goals.

What are some examples of good cyber hygiene?

One common example of good cyber hygiene would be practicing vigilance when sending or receiving emails. Because of its ubiquitous use in every organization, email has become a popular way for cybercriminals to disseminate malware to unsuspecting users. A typical tactic is to pose as a person or business the recipient knows and trick them into clicking on a malicious link that steals their credentials or downloads malware onto their computer.

Performed continuously, cyber hygiene assessments help you understand your current exposure and whether it’s getting better or worse.

An organization that practices good cyber hygiene would be scanning all incoming emails for viruses and requiring two-factor authentication for all logins so that any stolen credentials would be useless to the attacker. It also would have educated all its employees to be wary of suspicious emails with links and attachments, training them not to click on these and to report the email to an IT administrator.

Creating user passwords is another opportunity to practice good cyber hygiene. Rather than using something that could be easily guessed like a child’s birth date, an employee would create a “healthy” password by ensuring it was 10 to 15 characters long; used a combination of letters, numbers, and special characters; and didn’t include the name of a person, fictional character, product, or a word used in a dictionary or one that can be found on their social media feeds (like Yankees).

How does business cyber hygiene differ from individual cyber hygiene?

Individual or personal cyber hygiene is concerned with protecting an individual from security threats while business cyber hygiene mitigates risk for an organization. Some practices are common to both, such as using complex passwords, running antivirus software, being vigilant when responding to emails, and backing up data. Business cyber hygiene, however, is practiced on a much larger scale and addresses a broader range of business concerns, such as securing IT infrastructure, meeting regulatory compliance requirements, and managing vendor risk.

Despite these differences, the goal of both personal and business cyber hygiene is to protect computer systems and the integrity of data.

How do you create a good cyber hygiene policy?

Every organization will have unique IT environments and business needs, but a basic cyber hygiene policy should outline the specific responsibilities of the organization and individual employees. At the organizational level, there should be standard procedures in place to govern areas such as IT asset inventory and management, network and physical security, threat and vulnerability management, regulatory compliance, incident response, and user education.

[Read also: How enhanced cyber hygiene can help your organization wake-up from a PrintNightmare]

The organization, in turn, should ensure that employees understand and follow its prescribed cyber hygiene best practices. This means preparing and communicating policies around software updates, data backups, password security, secure network usage, and the handling of sensitive data. It’s also important that the organization provide phishing training and awareness to reduce the risk of social engineering threats.

What is an ideal cyber hygiene checklist?

An ideal cyber hygiene checklist is informed by the best practices outlined earlier and includes the following tasks:

  • Create and maintain an inventory of all hardware and software on the organization’s network.
  • Identify your “crown jewel” data, where it’s located, and who has access to it.
  • Set and enforce strong password policies.
  • Limit administrative-level privileges to those who need them.
  • Regulate how end users install software, either by limiting their access to only trusted programs or requiring IT approval for any installation.
  • Keep operating systems and software applications up-to-date and apply patches promptly.
  • Implement a process for regularly performing, verifying, and testing data backups. Keep multiple copies and back up both on-premises and in the cloud.
  • Track end-of-life systems and remove them from use.
  • Create a vendor risk-management plan outlining agreed-upon behaviors, access, and service levels.
  • Educate employees on good cyber hygiene practices, including password management, email vigilance, and how to use the organization’s network securely.

What are the challenges of implementing good cyber hygiene?

One of the biggest challenges of implementing good cyber hygiene is simply knowing what you need to protect. Today’s dynamic hybrid environments often provide limited visibility, and you can’t protect the parts you’re not aware of.

It’s imperative to know what hardware and software is on your network and where it is, as well as where your most important data is located and who can access it. A cyber hygiene assessment can help map every corner of your network and identify its most critical vulnerabilities so you can fix them.


Another significant challenge is simply maintaining good cyber hygiene over the long term. Cyberattacks are unrelenting for many organizations, so it’s no longer adequate to scan the network now and then. Performance monitoring must be continuous to detect and remediate threats, and that requires resources many businesses don’t have. Cyber hygiene assessment solutions, however, can continuously monitor for vulnerabilities in your environment so you can understand your security exposure in real-time.

What are the top priorities in implementing cyber hygiene today?

With ransomware incidents on the rise and pervasive across industries, the top priority of implementing cyber hygiene today involves reducing the chances that an organization will fall victim to this type of attack. On average, a ransomware attack leads to 23 days of downtime, and it’s expected that ransomware will costs businesses $20 billion in 2021. Good cyber hygiene can help improve your organization’s resilience to ransomware attacks, increase your visibility and control of your environment, and accelerate incident response.

More resources

Ransomware 101: What Is It and How Do I Prevent an Attack?

Healthcare Ransomware: What to Do Before, During and After an Attack

What Is Asset Discovery and Inventory? 

What Is Data Privacy Management?

What Is Performance Monitoring?

Tool Sprawl Threatens Post-Pandemic Security 

What Is Security Configuration Management? 

 

Christopher Null
Christopher Null is a veteran technology and business journalist with more than 25 years of experience writing for Yahoo, Wired, Forbes, and more. He was a top editor at PC Computing¸ Smart Business, and New Architect and was the founding editor of Mobile magazine.