Cybersecurity Committee Newsletter

What is Good Cyber Hygiene? 

As children, we were taught good hygiene habits like brushing our teeth or washing our hands. Why? Because they prevent disease, infection, and illness. Cybersecurity has likewise adopted the concept and language of hygiene to describe everyday behaviors and practices for maintaining healthy data security and preventing compromise. If adopted and practiced regularly, they will contribute to better security and privacy at work and at home.

Consider a recent public service announcement from CISA and FBI about cyber threats and the best ways to protect yourself. They list four things all of us should adopt for good cyber hygiene: 

1. Keep software up to date, 

2. Think before you click, 

3. Use strong passwords, and 

4. Turn on multi-factor authentication. 

You can watch the two-minute video here (https://www.youtube.com/watch?v=S0dn87l907Q). 

HIPAA Versus Hygiene 

While people in the healthcare field should be familiar with HIPAA, such compliance is only a minimum bar for effective security and privacy. Hygiene is certainly related to compliance but broader in scope. For instance, HIPAA does not require multi-factor authentication (sometimes called two-factor authentication), but experts strongly recommend it. Multi-factor authentication (MFA) can block over 99.9% of account compromise attacks, according to Microsoft.

The amount of security should always be appropriate for the actual risks and vulnerabilities. HIPAA and cyber best practices agree on this approach. High-value and high-risk accounts – often including those holding protected health information, bank accounts, and email – warrant high security, including strong, unique passwords and multi-factor authentication. These steps can be made easier than managing traditional passwords alone by using a password manager (such as LastPass) and an authentication app (such as Google Authenticator).

Our Hygiene Affects Others, Too 

Imagine you have two colleagues, Cameron and Drew. They incorrectly believe that they can pick weak passwords and that the risk is theirs alone to bear. Unfortunately, attackers could break those weak passwords and use the compromised accounts to victimize Cameron and Drew’s friends and colleagues by sending phishing emails from their accounts. By misjudging what the risks really are, Cameron and Drew are adding risk for other people.

Our social and digital connectedness and interdependence make us as connected online as we are in the physical world. Hungarian physician Ignaz Semmelweis discovered the same in 1847 when he showed that hand washing lowered the mortality of women during childbirth. Good hygiene helps protect others, and poor hygiene poses a risk to others.

Keep in mind that simple precautions prevent simple risks. Washing our hands likely does not prevent cancer or heart disease. Similarly, strong passwords are unlikely to stop a sophisticated attacker who works for a foreign government. Good hygiene, in health or in cyber, is a start, but more is needed to stay “healthy”. After we adopt cyber hygiene, we should address more sophisticated cyber risks. If our systems are connected to the Internet and data could be corrupted, lost, or stolen, we should prioritize backing up data, installing antivirus software, and enabling encryption.

Intermediate Cyber Hygiene 

Once basic hygiene is in place, users and organizations have the foundation for increasingly mature cybersecurity practices. A best practice for organizational hygiene AND HIPAA compliance is effective training tailored to an individual’s role and responsibilities. History shows one-size-fits-all training is ineffective and expensive. Instead, a mature organization understands that training doesn’t eliminate risk and asks itself “How many phishing clicks are we willing to accept compared with the cost of training?” 

A highly effective and under-valued habit is incident response planning and practice. Too often, plans are developed on paper without input from, or exercises with, real-world participants. This can result in stale and ineffective plans, much like an untested plan for managing a fire. In modern environments, both IT and people are dynamic, which necessitates periodic testing and evaluation to prepare for physical-world disruptions (fire, pandemic, etc.) as well as malicious threats, including ransomware.

Conclusion 

We all play a role in protecting personal, business, and healthcare data. Good cyber hygiene plays a critical role in preventing cyber incidents before they occur. Take an opportunity today to adopt these simple and effective steps and teach them to your coworkers, family, and children! 

N.B. Not all cybersecurity concepts can be explained with biological analogies. For instance, we use the language of digital viruses and infections but there are shortcomings to those comparisons. For more on considerations for cyber analogies, see the forthcoming book Cybersecurity Myths and Misconceptions (Spafford, Metcalf, and Dykstra; Addison-Wesley, 2023).