Understanding the 7 pillars of cyber hygiene

Every year the number of cyber attacks against the private and public sectors rises, and their increasing intensity has governments and industries alike concerned. It is more important now than ever for businesses to understand the reality and ramifications of these attacks and to make cyber hygiene an integral part of business success.

Cyber hygiene refers to the policies, procedures and systems — or pillars — that users and organizations employ to keep their systems healthy and secure.

I’ve spoken with a number of our region’s IT experts to help articulate the merits of cyber hygiene. The digital era requires we instill proactive, reactive, strategic and tactical practices in our daily logistics around data security and privacy.

David Lazor, founder and CEO of LazorPoint in Cleveland, warns about the impact of cybersecurity attacks on businesses of all sizes, from small family-owned companies to large corporations with their own IT departments: an attack could cripple an organization financially, ruin its reputation and create legal liability.

“Think of cyber threats as no different from threats in the physical world — to protect against them you must identify where you can be exploited and put solutions in place to minimize your exposure to those threats,” he said. “Organizational exposure to threats is only increasing as systems move to the cloud, systems are more connected, and business-critical applications in use continue to increase.”

So how do you address these threats? Lazor recommends a layered security approach. “Medieval castles had layers of security, all of which provided overlapping yet unique protections against the threats of their day. They had a moat, concentric castle walls and knights for protection,” he said. “Organizations today need multiple layers of security to address the complex cyber threat landscape.”

With that in mind, here are seven pillars of cyber hygiene — and comments from area experts — as a guide to the latest thinking around cybersecurity layering.

Patching and monitoring

Roger Mitan, chief technology officer of BlueBridge Networks, said, “Many cybersecurity breaches occur due to unpatched systems. Additionally, many systems failures are a result of a mismatch of patches, where systems patches and software patches aren’t on matching levels, leading to software and systems failures. For these reasons, patching is a vital part of this pillar. The other part of this pillar is properly monitoring systems and their associated patches. A good monitoring suite of tools will provide information on patch levels so systems administrators can stay up to date and avoid the aforementioned issue.

“It is important to utilize a monitoring suite which can quickly alert administrators to systems failures and security breaches. Too often, systems and security issues can go unnoticed until they become much larger and cause global outages or massive private data leaks. The monitoring suite of software which IT organizations utilize can prevent these issues from spreading by immediately notifying and even automatically intervening to stop these issues from spreading.”

Backups

Just as important as having a backup is having more than one level of them to rely on. When it comes to most things in IT, I follow the rule of threes, which, in this case, means having at least three layers of backups.

Mitan advises, “The first level is going to have the quickest recovery time and will usually be used the most often. An example of this would be having Windows Volume Shadow Copies for file servers or log file backups for SQL servers frequently scheduled to run throughout the day. These can be used to recover data quickly in the case of an accidental individual file or data deletion or corruption scenario.

“The second level is a backup that occurs less frequently and is generally used as a recovery point in a larger system failure or issue. An example of this would be using SAN snapshots on underlying enterprise storage. These snapshots would generally be scheduled only a few times per day, less frequently than the first level. If an entire system or server becomes corrupted from something like a bad software update, a snapshot can be quickly mounted or reverted to, bringing the entire system back online quickly.

“The third level is the more traditional daily backup. This can be maintained by many technologies, but will most often be a dedicated backup software such as Veeam or CommVault. These backups will usually be used as a last resort as they will often take the most time to restore from. However, they will also traditionally be the backups that are stored the longest, stored offsite and used as a part of the bigger picture disaster recovery plan for an organization.”

These three levels combine to provide a backup system that supplies the confidence that your organization can recover data no matter the cause or scale of data corruption or loss.

Multi-factor authentication

MFA is a form of security that requires a user to provide more than one form of verification to gain access and is becoming a standard specifically when accessing sensitive data or private networks. Examples of authentication methods can be hard/soft tokens, mobile authentication, and biometric authentication, such as retina and fingerprint scanning.

Jeremy Dodge, manager of operations at BlueBridge Networks, said, “This additional layer of security atop a strong password can significantly mitigate the chances of a breach or compromise of your data. You are seeing its implementation all across the internet, from social media sites, to banking institutions, to personal email. It is good practice wherever your personal data may reside, to check if the option is available and if so, to enable it.”

Micro-segmentation

This is by no means a new concept, but micro-segmentation has been revolutionizing the data center more and more rapidly within the last two years. According to Michael Hudak, account executive at BlueBridge Networks, “By utilizing NSX Micro-Segmentation, you can create security rules that apply directly to each Virtual Machine, which allows you to not only put a specific firewall on each VM, you can put a firewall in-between each VM. You can even put in global policies to encompass your entire environment. These new applied modalities to virtual network securities allow the user more flexibility and options on how they protect their data.”

Training

Your employees’ security awareness and training will inevitably be tested in the near future. Tim M. Opsitnick, executive vice president and general counsel of TCDI, said, “Whether your employees recognize and stymie the threat or become the next victim is directly correlated with the level of training that they receive. It takes just one mistake, such as clicking on a phishing email, being careless with sensitive data or failing to spot suspicious activity, for a serious data breach to occur. Attackers know that employees are the weakest link, and are targeting them accordingly.

“Security awareness training tools and programs are widely available and quite affordable,” he said. “Organizations should be leveraging these tools to establish formal programs to help them spot cybersecurity threats and red flags so as to not become the next victim to today’s sophisticated attacks.”

Encryption

“Encryption refers to the use of a specific algorithm to secure electronic data in a manner that prevents the data from being accessed and/or utilized by an unauthorized person,” said Michael Stovsky, partner and chair of the innovations, information technology and intellectual property group at Benesch. “The algorithms used to encrypt data are varied as is the strength of encryption employed. And the bar with respect to what is considered a reasonable method and strength for encrypting data at rest and in transit increases frequently. What was considered reasonable a year ago may not be reasonable today as technological advances and the ease of implementing encryption increase.

“Encryption in some cases is required by law or regulation, but has mainly taken on the status of a best practice in most cases where data protection laws, rules and regulations mandate that appropriate methods be used to protect data,” Stovsky noted. “Also, in some cases the use of encryption to protect personal data can be helpful in reducing legal requirements such as the notice requirement under some data breach notification laws. Whatever your company does, and wherever your company operates, a consideration of whether and to what extent encryption can play a role in effective cyber hygiene should be undertaken.”

Least privilege

Adopting a policy of least privilege — only allowing a user access to the information and programs necessary for their job — minimizes cyber exposure.

Tom Aumiller, director of information technology for Maloney + Novotny, explained, “For a ‘standard’ user account this means granting the minimum rights needed for that user to perform their job duties. Here are two common issues we see during our audits. First, all users have local administrator rights to their desktop/laptop computer. These rights allow them to install software, including malware or virus strains delivered through spam or fake web links. If you remove their local administrator rights, they cannot unknowingly install a dangerous executable file onto the computer. The second common issue involves users who periodically need ‘superuser’ or administrator privileges to perform their duties. These are often IT support positions. During their normal workday they may not always need these privileges. In these instances, we recommend having two accounts, an ‘a-’ account used only for administrator functions and a ‘standard’ user account with the least privileges policy applied. That way, the administrator account is only used when required, thus lowering cyber risk through least privilege. It is easier to ‘open a window’ when someone needs it, than to run around closing windows and doors once an intruder gains access.”
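The two audit findings above (everyone holding local administrator rights, and admins not using a separate "a-" account) can be checked on a Windows workstation with a short script. The following is an added example, not code from the article or from Maloney + Novotny; it assumes Windows PowerShell 5.1 or later with the LocalAccounts module, and the allow-list in $ApprovedAdmins holds placeholder values you would replace with your own approved admin principals.

```powershell
# Added example: audit the local Administrators group against the
# "a-" dedicated-admin-account convention described in the article.
# $ApprovedAdmins holds placeholder principals; adjust for your environment.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (placeholder)
    'CONTOSO\Domain Admins'              # placeholder domain group
)

function Get-LocalAdminFindings {
    param(
        [string[]]$Approved = $ApprovedAdmins,
        [string]$AdminPrefix = 'a-'      # naming convention for dedicated admin accounts
    )
    # Get-LocalGroupMember returns Name (DOMAIN\name), ObjectClass and PrincipalSource.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        $shortName         = ($m.Name -split '\\')[-1]
        $isApproved        = $Approved -contains $m.Name
        $followsConvention = $shortName.StartsWith($AdminPrefix, [System.StringComparison]::OrdinalIgnoreCase)
        # A user that is neither allow-listed nor a dedicated "a-" account is the
        # "all users have local administrator rights" finding from the audits above.
        $finding = if ($isApproved) { 'Approved' }
                   elseif ($m.ObjectClass -eq 'User' -and -not $followsConvention) { 'StandardUserWithAdminRights' }
                   elseif ($m.ObjectClass -eq 'Group') { 'UnapprovedGroup' }
                   else { 'DedicatedAdminAccount' }
        [pscustomobject]@{
            Member          = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            Finding         = $finding
        }
    }
}

# Print the report and exit non-zero when a standard user holds admin rights,
# so the check can be run from a scheduled task or picked up by a monitoring suite.
$findings = Get-LocalAdminFindings
$findings | Format-Table -AutoSize
$violations = @($findings | Where-Object Finding -eq 'StandardUserWithAdminRights')
if ($violations.Count -gt 0) {
    Write-Warning "$($violations.Count) standard user account(s) hold local administrator rights."
    exit 1
}
```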

We live in a data-centric world where as soon as we gather information, we are disseminating it. We find ourselves in the midst of a proliferation of data. It offers tremendous advantages as far as timeliness and efficiency, yet the flip side is security and corporate responsibility. There are 1,001 ways to rob the bank. You only have to come up with 1,002 ways to prevent it. You can explore more on this important topic here, which is one of my favorite resource links.

Article originally published on Crain’s Cleveland