Cyber hygiene connects reliable security principles to a person’s individual and unique habits.
Nearly everyone is concerned about their security and privacy, both online and offline. Ever since personal computing became a thing, people have become increasingly better at using PCs to be more productive, better informed, or entertained.
Staying secure while doing all of this on laptops and smartphones isn’t easy. The process of understanding threats to one’s security and privacy often takes a certain technical understanding of computers and networks, and this level of understanding is often not accessible to the average person.
It’s this very lack of technical understanding that is often what attackers exploit. For a long time, cybercriminals have identified people as the weakest link in cybersecurity and target their personal devices. Individuals become victims by not following best practices or revealing too much personal information.
How can we help people be more secure without asking them to become tech experts?
In order to empower people to make better decisions and improve their personal security posture, there are guiding principles that serve as a common means to convey conventional wisdom and empower people. Everyone can apply these principles.
In fact, a few fundamental security principles have evolved in the security field. One simple example principle is known as “least privilege”; in other words, anyone who doesn’t need to have access to an account shouldn’t have access to it. For example, no one other than yourself should be able to access your email account because your emails are private. (That’s why sharing the password to your email account is never a good security practice.)
The role of cyber hygiene
Cyber hygiene describes the practices and steps that people take to maintain a strong security posture. These recommendations can be connected to the guiding security principles that have emerged, and applying the practices and steps supports the growth of good cyber hygiene.
The European Union Agency for Network and Information Security (ENISA) stated that “cyber hygiene should be viewed in the same manner as personal hygiene and, once properly integrated into an organization will be simple daily routines, good behaviors and occasional checkups to make sure the organization’s online health is in optimum condition.”
By transforming practices and steps into simple daily routines, good behaviors, and occasional checkups, people can unlock the ultimate goal of cyber hygiene, which is to form habits that fortify their security posture.
Cyber hygiene connects reliable security principles to a person’s individual and unique habits. It’s through this connection that the average person can up their security game without becoming a technical expert.
Good cyber hygiene is going beyond what security products actually can do. A security product can automate finding infections, or block incoming, known threats. A good security product is able to counter the most recent and more sophisticated threats. It can mitigate the risk of a threat.
Even the best software, however, can’t reduce the actual risk of being targeted. That’s because this risk is determined by a person’s behavior. If someone keeps downloading files from untrustworthy websites and clicks on every link on the web, they will maximize the chance of becoming a target.
This scenario is further demonstrated by the following analogy: Wearing a seat belt when driving doesn’t mean that you’re safe when driving faster. Instead, it means that the crash impact at regular speeds is reduced. The same is valid for a security product: It reduces the impact, not the risk. Reducing this risk is connected to having good behavior, or in other words, good cyber hygiene.
Dimensions of cyber hygiene
At Avast, we look at cyber hygiene across different risk dimensions that we call cyber hygiene vectors. Assessing each individual and each device across these vectors leads us to a risk score that determines how much risk a person incurs regarding each of these aspects. This score we call the Online Safety Score. There’s a score for each dimension that we assess as well as a combined score across all dimensions that provide an overall picture of where an individual is at.
- OS hygiene determines if someone is maintaining their device with up-to-date OS versions. Current OS versions are considered more secure and often include security patches that reduce the security risk.
- Application hygiene refers to the risk coming from applications installed on the device that may include vulnerabilities that are exploited if not maintained or upgraded.
- Web hygiene assesses the risk when being online and browsing the web. It includes a multitude of factors with respect to security and privacy of web sites visited.
- Admin hygiene checks if individuals are maintaining their system in a manner that ensures that non-privileged users can’t easily take over the computer.
- Password hygiene helps to ensure that the individual’s password management is healthy.
- Hardware hygiene works with the device’s hardware settings to ensure that the physical device cannot be exploited if exposed by vulnerabilities.
- Security settings hygiene ensures that the protection possible by software measures is maximized.
- Backup hygiene determines if the individual is maintaining backups of their data either in the cloud or using local offline storage.
- Network hygiene measures how often someone connects to networks that are inherently risky such as an open Wi-Fi network.
How to mitigate risks to improve security
The way that people can benefit from Avast’s cyber hygiene assessments in the Online Safety Score is by taking measures to reduce those risk scores and thereby improve their security posture. Risk is typically defined as “hazard times exposure”. In this context, hazard corresponds to shortcomings in the cyber hygiene dimensions.
For instance, if someone runs an old operating system for which updates are no longer released or frequently visits insecure websites, an attack might not immediately occur. However, the longer that the device remains vulnerable, the higher the risk for an attack becomes.
The simple reasoning here is that attackers have more time to target the device. Thus, hazard is the potential for an attack to happen, and exposure describes the time that a hazard exists. Together, they define the overall risk.
When removing a hazardous condition (for example, by updating one’s operating system), we’re effectively reducing the risk. This is how cyber hygiene can be helpful: It raises one’s awareness on the security and privacy risks that they knowingly or unknowingly have and provides the best security practices to mitigate those risks.