What’s the big deal about cyber hygiene?

by Christopher Wright

Don’t let the ads fool you—there’s no such thing as a quick fix. Say we want to lose 20 pounds. Can we pop a magic diet pill, drop the weight and keep it off long-term? Unfortunately not. It requires continuous effort. The same goes for cybersecurity. We can’t simply buy a flashy new service to stave off online threats permanently. Protecting our systems requires steady and strategic efforts. That’s where cyber hygiene comes in.

Think of cyber hygiene as a collection of small, repeated actions and processes. The aim is to decrease the risk of a successful breach or attack. These fundamental security tactics will differ depending on the organization and the industry. Before starting, we may ask ourselves, “What threats exist in our field?” A thorough risk assessment will allow us to focus on concrete areas of concern and address issues with a credible operational impact.

Once we have a clear idea of our risks, the National Institute of Standards and Technology (NIST) recommends incorporating these actions into its voluntary Cybersecurity Framework. This outline of best practices includes three primary components: the “Core,” cybersecurity and risk management activities that complement existing processes; “Implementation Tiers,” which reflect our risk appetite, priorities and budget; and “Profiles,” an alignment of the former two that informs potential opportunities for improvement. Together, these components are designed to help us identify risks, protect against attacks, and detect, respond to and recover from them.

To be clear, implementing cyber hygiene isn’t an easy task, nor should it be. Integrating these practices into our operations requires upfront dollars and time. However, it’s critical to remember that NIST’s framework is a guide. We don’t have to go it alone or do everything at once. Unless we have strict compliance requirements, we can source and select the controls that work best for our needs. The goal is to build up layers of security measures and, ultimately, stronger immunity against future attacks. With a well-executed strategy, overseeing and reducing risks becomes second nature.

That’s not to say we can be complacent about cyber hygiene. We must evaluate and update our processes, at least annually, or when significant changes, such as new lines of business or product expansions, occur. Whether deployed internally or with the help of a third-party partner, we must be careful to balance usability and security. In other words, we must enact cyber hygiene measures without overburdening our operations.

There’s no denying that tech marketing works. But we should ignore the humorous and buzz-worthy commercials trying to convince us to buy another cybersecurity tool. As much as we’d like a one-size-fits-all solution to protect ourselves from breaches or attacks, it just doesn’t exist. Before we hit that purchase button, we should remember that cyber hygiene is the best strategy to mitigate our risks and maintain control of our systems.

Editor’s note: Christopher Wright is co-founder and partner at Sullivan Wright Technologies, a firm providing tailored cybersecurity, IT and security compliance services. The opinions expressed are those of the author.