
What Is Cyber Hygiene and Who Is Responsible for It?


Despite a constant stream of prominent cyberattacks, many businesses have never experienced a significant one (or are unaware that they have: many breaches go undetected for years). Like a gambler on a winning streak, it's all too easy to downplay risks when we've never been burned. It's human nature.

Someone may have a habit of texting while driving without ever having an incident. That does not change the fact that each time they text, they substantially increase their risk of causing an accident.


Cybersecurity is no different. A poor security posture exposes your organization to a level of risk that any business owner would find unacceptable on reflection, and burying your head in the sand won't change that. Every business should determine its risk appetite, assess its actual exposure, and then implement cybersecurity strategies that bring the two into line.

Granted, cybersecurity can seem overwhelming. But even small steps, such as adopting cybersecurity (or cyber) hygiene best practices, can materially improve an organization's security posture.

What Is Cyber Hygiene and Who Is Responsible for It?

Cyber hygiene is a set of practices organizations and individuals perform regularly to maintain the health and security of users, devices, networks and data. By maintaining good cyber hygiene, an organization minimizes the risk of operational interruptions, data compromise and data loss by improving its overall security posture.

Organizations typically have many elements in need of cyber hygiene. All hardware (computers, phones, connected devices), commercial software and online applications in use should be covered by a regular, ongoing maintenance program, because each can carry its own vulnerabilities that lead to different problems. Cyber hygiene isn't about achieving 100% security; that's impossible. It's about raising the bar as high as you can to deter adversaries and reduce your attack surface.

Responsibility for cyber hygiene does not rest solely with IT/Operations managers, administrators or engineers. It is a shared responsibility that every user and department must prioritize. Almost every employee can contribute by following current security best practices, such as avoiding public Wi-Fi unless a VPN is in use, and by staying alert to the indicators of a phishing attack.

With technology at the core of every business, keeping systems running without interruption is imperative. You cannot afford to be complacent about software updates, another aspect of cyber hygiene, because they are how bugs and vulnerabilities actually get fixed. That's why software updates are one of the themes of this year's Cybersecurity Awareness Month.

Out of Date Software Is More Vulnerable to Attack

Patch management is the flossing of cyber hygiene: everyone knows they should do it, but not everyone does. And just as failing to floss is associated with higher rates of cardiovascular disease, failing to patch increases the risk of serious security incidents. A Ponemon Institute survey found that 60% of breach victims said their breach was caused by unpatched software with a known vulnerability.

The good news is that once a vulnerability is publicly known, vendors routinely release a patch quickly, though not always before attackers start exploiting it. The U.S. National Institute of Standards and Technology (NIST) catalogs and scores Common Vulnerabilities and Exposures (CVE) records in its National Vulnerability Database (NVD), and software vendors often proactively notify users of available fixes. In addition, insurers are becoming part of the solution by providing vulnerability notifications as a risk management service alongside their cyber insurance policies.

In November 2021, the Cybersecurity and Infrastructure Security Agency (CISA) began compiling a priority list of known exploited vulnerabilities (KEV) that are under active attack. Updated continuously, the list had grown to more than 500 entries across many software vendors at the time of writing. Each entry has an assigned CVE ID, reliable evidence of active exploitation, and a clear remediation available, such as a vendor-provided update. CISA also provides Cyber Hygiene Services to help organizations reduce their exposure to threats.

Keeping Software up to Date Is Good Cyber Hygiene

Software applications should be updated regularly, ensuring that the latest security patches and most current versions are in use across the enterprise – for all applications and operating systems.


Patching known critical vulnerabilities as soon as a patch is available is ideal, but it is understood that properly testing updates and resolving compatibility or logistical issues takes time. In my experience, under most policies the grace period for a software vulnerability begins as soon as it is published in the NVD and a patch or fix is available. Vulnerability management policies usually allow 30-45 days to find, test and deploy a patch, even in a complex IT environment, and critical vulnerabilities may require a tighter turnaround. Operational risk from applying an update can be reduced with orchestrated pre- and post-update health checks that confirm nothing broke (see the ITOM blog, "7 Things ITOps Can Do for Enterprise Security Right Now", for more).
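The two preceding ideas, the CISA KEV catalog as a priority list and a policy grace period that starts once a vulnerability is public and a fix exists, are easy to operationalize in a small triage script. The example below is added here and is not code from the original post or from CISA. It assumes a policy of 45 days (the upper end of the 30-45 day range described above) for ordinary findings, a 15-day window and a CVSS 9.0 threshold for critical ones (both assumptions chosen for illustration), and that KEV entries carry CISA's own due date. The KEV excerpt, the scanner findings and the CVE-0000-* identifiers are constructed placeholders, not real vulnerabilities; only the JSON field names mirror CISA's known_exploited_vulnerabilities.json feed.

```python
"""Assign patch deadlines to scanner findings under a simple policy."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import json

# Constructed KEV-style catalog excerpt. CVE-0000-* are placeholders, not
# real CVE IDs; field names mirror CISA's known_exploited_vulnerabilities.json.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Widget Server",
   "dateAdded": "2022-09-01", "dueDate": "2022-09-22",
   "requiredAction": "Apply updates per vendor instructions."}
]}"""

# Policy windows (assumptions for illustration; 45 days is the upper end of
# the 30-45 day range quoted in the text).
STANDARD_DAYS = 45
CRITICAL_DAYS = 15
CRITICAL_CVSS = 9.0


def load_kev_due_dates(kev_json: str) -> dict:
    """Map cveID -> CISA remediation dueDate from a KEV catalog document."""
    catalog = json.loads(kev_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in catalog["vulnerabilities"]}


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float                      # base score from the NVD record
    nvd_published: date              # date the CVE appeared in the NVD
    patch_available: Optional[date]  # None = vendor has not shipped a fix


def deadline(f: Finding, kev_due: dict):
    """Return (due_date or None, reason) for one finding under the policy."""
    if f.cve in kev_due:
        # Actively exploited: CISA's own due date wins regardless of CVSS.
        return kev_due[f.cve], "CISA KEV"
    if f.patch_available is None:
        # No fix yet, so the grace period has not started; mitigate instead.
        return None, "no fix available: track vendor, apply mitigations"
    # The clock starts only when the CVE is public AND a fix exists.
    start = max(f.nvd_published, f.patch_available)
    if f.cvss >= CRITICAL_CVSS:
        return start + timedelta(days=CRITICAL_DAYS), "critical"
    return start + timedelta(days=STANDARD_DAYS), "standard"


def triage(findings, kev_due: dict, today: date):
    """Classify findings and order them so the most overdue come first."""
    rows = []
    for f in findings:
        due, reason = deadline(f, kev_due)
        if due is None:
            status, late = "no-deadline", 0
        elif today > due:
            status, late = "OVERDUE", (today - due).days
        else:
            status, late = "open", 0
        rows.append({"host": f.host, "cve": f.cve, "due": due, "reason": reason,
                     "status": status, "days_overdue": late})
    rank = {"OVERDUE": 0, "open": 1, "no-deadline": 2}
    rows.sort(key=lambda r: (rank[r["status"]], r["due"] or date.max))
    return rows


def sample_findings():
    """Constructed scanner output for four hosts (placeholder CVE IDs)."""
    return [
        Finding("web-01", "CVE-0000-0001", 9.8, date(2022, 8, 15), date(2022, 8, 20)),
        Finding("db-01",  "CVE-0000-0002", 9.1, date(2022, 9, 10), date(2022, 9, 25)),
        Finding("app-02", "CVE-0000-0003", 6.5, date(2022, 7, 1),  date(2022, 7, 5)),
        Finding("app-03", "CVE-0000-0004", 7.2, date(2022, 9, 28), None),
    ]


def run(today: date = date(2022, 10, 3)):
    """Triage the constructed findings against the constructed KEV excerpt."""
    return triage(sample_findings(), load_kev_due_dates(KEV_JSON), today)


if __name__ == "__main__":
    for r in run():
        print(f"{r['status']:12} {r['host']:8} {r['cve']}  due={r['due']}  "
              f"({r['reason']}, {r['days_overdue']} days overdue)")
```

Two design points carry over to a real deployment: a KEV match overrides the CVSS-based window because exploitation in the wild, not score, is the best predictor of harm, and a finding with no vendor fix gets no deadline rather than a silently wrong one, so it surfaces for compensating controls instead of disappearing into the backlog.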

Software updates are a straightforward way to keep systems running smoothly and safely. Make sure you and your teams install updates when prompted rather than deferring them for extended periods, and maintain a regular update schedule so that the latest security patches are deployed frequently.

In sum, don't forget to floss!

