


How to clean up security vulnerabilities with better cyber hygiene

Apr 06, 2017 | 5 mins
Cyberattacks | Internet Security | IT Skills

Better security training for employees may be the best defense against cyber attacks

In the last installment of this column, we looked at how technology and the procurement process (for government and enterprise) need to change to ensure IT infrastructure is better protected from cyber attacks. This time, let's look at one of the more neglected aspects of network security: people.

Nearly everyone, both within and outside the IT department, has some level of network access. Unfortunately, outside the IT department (and to some extent within), these users do not fully understand the risks and vulnerabilities to which a network can fall victim. That has prompted a move within security circles to emphasize what's increasingly known as "cyber hygiene."

Just like our parents instilled good hygiene practices as we grew up, we are now obliged to instill similar practices among the users of our networks - to make sure, as it were, that we clean up after ourselves when we access networks and sensitive data.

Cyber hygiene outlines the steps we need to follow to improve cybersecurity and protect ourselves and others in the online environment. For many organizations, this can mean organizing hardware and devices; monitoring the network; adding or removing software, and creating a formal framework for how we handle information security today.

That's tougher than it sounds. Users will almost always take the path of least resistance - for example, sharing passwords. For this reason, cyber attacks are shifting, with identity becoming the primary attack vector for bad actors.

As far back as 2013, Verizon's Data Breach Investigations Report found that 76 percent of network intrusions exploited weak or stolen credentials. Unfortunately, that statistic hasn't improved much since then, especially in government.

Dominic Cussatt, acting chief information security officer for the Department of Veterans Affairs, has said that government "can't seem to drive cyber hygiene over the goal line because we are distracted by the crises of the day and distracted by new or innovative technologies." According to Cussatt, we need to "focus on the basics."

With that said, let's look at some of those basics, to get a better handle on how to actually make cyber hygiene work.

Education and practice, practice, practice

If you're not aware of potential risks to your IT system, its architecture and its vulnerabilities, how can you be expected to do your job and accomplish mission objectives?

People need to understand how important cybersecurity is to the organization. We must have agreement across all functional areas on security best practices, and awareness of the common ways attackers get in.

One of those best practices is to set up role-based access from day one. No one should hold standing root-level access. Go back quarterly to assess whether the same individuals are still needed in the same roles, and whether the roles they hold still match the work they do.
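What that quarterly review looks like in practice, as an added example (not code from the original column): a small access-review script that walks a list of role assignments and flags the three things the paragraph above asks for. Anyone holding a standing root-level role, anyone whose assignment has not been re-attested within 90 days, and anyone holding a role that does not belong to their current team. The role names, team names and the assignment records are all constructed for the example; in a real review they would come from the directory or identity provider.

```python
"""Quarterly access review: flag standing privileged access, stale
attestations and role/team mismatches.  Added example with constructed
data; not the column's own code or any particular vendor's tooling."""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)          # "go back quarterly"
PRIVILEGED_ROLES = {"root", "domain-admin"}   # assumption: our own role names

# Constructed sample: who holds which role, on which team, last attested when.
ASSIGNMENTS = [
    {"user": "alice", "role": "root",         "team": "platform", "reviewed": date(2017, 1, 15)},
    {"user": "bob",   "role": "helpdesk",     "team": "support",  "reviewed": date(2016, 9, 1)},
    {"user": "carol", "role": "db-operator",  "team": "finance",  "reviewed": date(2017, 3, 1)},
    {"user": "dave",  "role": "payroll-edit", "team": "finance",  "reviewed": date(2017, 3, 20)},
]

# Constructed: which teams each role is meant for.  A role held outside
# these teams is a sign the person moved and the access did not.
ROLE_OWNER_TEAMS = {
    "root":         {"platform"},
    "domain-admin": {"platform"},
    "helpdesk":     {"support"},
    "db-operator":  {"platform", "dba"},
    "payroll-edit": {"finance"},
}


def review_access(assignments, role_owner_teams, today,
                  interval=REVIEW_INTERVAL, privileged=PRIVILEGED_ROLES):
    """Return (user, finding, detail) tuples for every assignment that
    needs a human decision.  One assignment can produce several findings."""
    findings = []
    for a in assignments:
        # 1. Standing root-level access is a finding regardless of age.
        if a["role"] in privileged:
            findings.append((a["user"], "standing privileged role", a["role"]))

        # 2. Attestation older than the review interval is overdue.
        age = today - a["reviewed"]
        if age > interval:
            findings.append((a["user"], "review overdue", f"{age.days} days since attestation"))

        # 3. Role held by someone outside the teams that own it.
        allowed = role_owner_teams.get(a["role"], set())
        if a["team"] not in allowed:
            findings.append((a["user"], "role/team mismatch",
                             f"{a['role']} held by team {a['team']}"))
    return findings


def run_sample():
    """Run the review against the constructed data as of the column's date."""
    return review_access(ASSIGNMENTS, ROLE_OWNER_TEAMS, date(2017, 4, 6))


if __name__ == "__main__":
    for user, finding, detail in run_sample():
        print(f"{user:<8} {finding:<26} {detail}")
```

Against the constructed data the script produces three findings: alice holds standing root, bob's helpdesk role has gone more than 200 days without re-attestation, and carol still holds a database-operator role after moving to finance. Dave, whose role matches his team and was attested in the last quarter, produces nothing, which is the point: the review should surface only what needs a decision.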

We need to be constantly refreshing practices, training harder and more frequently, and increasing the number of exercises we run. And senior leaders need to be involved, because (to be blunt) an organization with bad cyber hygiene often stinks from the head.

Harden the workforce

Our people have to have a sense of ownership in the security process - which includes understanding that their actions have consequences.

Too often, we push risk away from people. As a result, the dangers in poor cyber hygiene are not real to them.

Make it real to make them tougher. For example, agency or corporate credit cards should be taken from employees who don't follow protocols carefully. Right now, that kind of downside risk to poor practices is not as clear as it should be.

Hold people accountable if they are not executing. Good order and discipline is important in the military; we should apply that same rigor to private-sector and government security practices.

Improve the user experience

When we improve the user experience, we improve adoption, which in turn improves security. Consequently, network access needs to feel easier if we want people to buy in faster.

One obvious way to do that is multi-factor authentication combined with single sign-on. Because users no longer manage a different password for every application, access is faster and easier, and there are fewer passwords to reuse or share. The security is baked into the user experience: with a second factor in place, a phished or shared password alone no longer gets an attacker in. We've taken away one avenue of attack, and we're one step closer to sound cyber hygiene.

Down the road, we should even consider non-credential-based identities. Both the Department of Defense on the government side and Aetna in the private sector are looking into this.

But the overall push here should be to constantly review practices, educate our people on those practices, and work constantly to update practices and roles as necessary.

Our adversaries are betting on an unchanging, stagnant security environment. We fight that stagnation with better cyber hygiene.

Lloyd McCoy is a DOD manager with immixGroup’s Market Intelligence team. He is responsible for providing subject matter expertise on Department of Defense agencies, identifying business opportunities, and providing timely, relevant, and actionable intelligence to clients.

Prior to immixGroup, Lloyd worked for the Defense Department for eight years, serving in a variety of senior analytic and project management positions both in the U.S. and abroad. In this capacity, Lloyd worked extensively with the acquisition and procurement offices within the Office of Secretary of Defense.

Lloyd earned an M.S. in Strategic Intelligence from the National Intelligence University in 2011, as well as an M.A. in Public Policy in 2004 and a B.A. in Political Science in 2002, both from the University of Maryland.

The opinions expressed in this blog are those of Lloyd McCoy Jr. and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.