Enterprise cybersecurity hygiene checklist for 2024
Enterprise cybersecurity hygiene must be a shared responsibility between employees and employers. Learn how both can get the job done with this checklist.
Cybersecurity hygiene is a critical component of any infosec program. Just as washing your hands and brushing your teeth are important to personal hygiene, password updates and software patches are important to cybersecurity hygiene -- and critical to preventing data loss, breaches and identity theft.
It is important to note that cybersecurity hygiene is a shared responsibility -- it is not an activity solely for employees. Organizations and security teams, among other departments, must all play their part to prevent the spread of disease.
Standard cybersecurity hygiene checklist
The following practices should be woven into any cybersecurity hygiene checklist:
- Patch, patch, patch. Keep company-owned devices patched and up to date with the latest software versions.
- Have a strong identity and access management program that does the following:
- Requires strong passwords.
- Uses multifactor authentication.
- Prohibits credential reuse.
- Offers biometrics use.
- Employs the principle of least privilege.
- Don't share credentials.
- Don't use public Wi-Fi.
- Segment networks.
- Manage and secure endpoints.
- Install antimalware and firewalls.
- Encrypt drives and devices by default.
- Perform regular data backups.
- Conduct and participate in security awareness training.
- Avoid social engineering scams.
- Perform asset discovery, inventory and management.
- Create, implement and maintain enterprise security policies.
Special considerations: Bring your own home cybersecurity hygiene
Since the COVID-19 pandemic ushered in a new era of remote and hybrid work, organizations have had to grapple with how to keep corporate assets safe -- whether employees are working in the office or from home.
To avoid common remote and hybrid employee security issues, follow these security best practices:
- Home network segregation. Security teams need to teach users -- in simple terms -- how to carve subnets with security rules. This is an undertaking for security admins, as there is a wide variety of routers and firewalls in employees' homes they must consider. Advise employees to stay diligent and maintain home network security best practices. They should limit what smart home devices can access and use a home firewall that default denies new devices from connecting to the network.
- VPNs everywhere. Most enterprises have a VPN enabled by default for access to the corporate network. But, even in the absence of that, employees would do well to install a VPN client that enables encrypted connections to strengthen public Wi-Fi or poorly secured home connections. Companies should also be aware of VPNs that don't work in certain geographies. TunnelBear, for example, is no longer available in India because the company refused to comply with government requirements. Companies should have a backup VPN to accommodate different countries. Alternately, companies should look into adopting zero trust.
- Patch, patch, patch. Patching and updating company-owned devices have already been mentioned, but it's also critical end users understand the importance of patching their own devices -- especially as more and more workers use their own devices for work purposes. The patching of hidden devices, such as a smart microwave or thermostat, should also be periodically reviewed as smart home devices could be the source of lateral compromise on an enterprise.
Special considerations: Cloud cybersecurity hygiene
While the cloud helps improve productivity, accessibility and scalability, risks from a security perspective inevitably follow.
To keep employees and employers safe in the cloud, follow these key cloud cybersecurity hygiene best practices:
- Create a cloud usage and security policy. Spell out the dos and don'ts of what is accepted cloud use and what is not. For instance, an enterprise might use OneDrive for document sharing. Given the widespread use of BYOD and device sharing that Google Drive and Box offer, however, it is likely employees might prefer these services. Admins should acknowledge the importance of user preference but take a stance on cloud app use that aligns with the organization's risk-based security strategy. They should also provide short, engaging training on how to use the cloud for secure data sharing.
- Be mindful when giving document and shared folder access rights to co-workers, partners, etc.
- Revoke and delete permissions where appropriate and when disengagement happens -- for example, at project conclusion or employee resignation.
- Be mindful of account cross-pollination. Consider, for example, how many Google accounts many employees likely have. Making sure each uses the correct Google Drive account -- one for work purposes -- is critical to data security. Likewise, don't use a work Dropbox account to share family photos. Rather, it's important to take the extra step of creating a personal account for personal data.
- Exercise privacy and confidentiality rights. While not top of mind for most individuals, these are top priorities for corporations. Newer legislation, such as GDPR and CCPA, call out specific privacy rights. For example, ensuring digital trails are obliterated when SaaS applications are no longer in use or conducting periodic reviews of data collected by enterprise SaaS applications is critical. These tasks require training and innovative incentives, such as security gamification, to raise awareness among employees.
- Include cloud security in enterprise security awareness trainings. If a public data store breach occurs, use it as an example to drive home the message of how it could have been avoided.