Enhance security hygiene

Creating a culture of security hygiene in an unsafe world

Poor security hygiene: The dirty little secret


Organizations will spend billions of dollars this year on security solutions to lock up their data and business systems … and then promptly leave the proverbial keys under the mat through poor security hygiene practices. It’s true. Most cybercrime isn’t the result of big brute-force attacks, but of organizations not paying enough attention to the “little” things like strong passwords and frequent software patches.

The frustrating part is that everyone knows poor security hygiene is a problem. Chief security officers know it. Compliance officers know it. Cybercriminals know it too. And they count on the fact that organizations will practice less-than-perfect hygiene, due to a lack of individual vigilance or organizational visibility. As the headlines of big data breaches can attest, poor security hygiene is still a problem.

For some companies, a well-publicized wake-up call may be what’s needed to make security hygiene a priority again. But you don’t want to go that route. A better approach is to recognize that poor security hygiene is everyone’s dirty little secret, expose the security risks in your organization right now and implement sound security hygiene at every level of your business through automation and consistent policy enforcement.

How can you clean up your security hygiene?

Investigate

Discover where your security vulnerabilities are hiding through better data visibility, analytics and expert-led assessments.

Educate

Ensure that employees and partners understand and adhere to security best practices for proper hygiene, from choosing strong passwords to spotting (and avoiding) phishy emails.

Automate

Embed good security habits into your processes and workflows and minimize the risk of human error compromising your security posture.

What is your biggest challenge to locking down security hygiene?

Finding and cataloging processes, endpoints and applications across the entire organization

Getting colleagues and partners to adopt and maintain security hygiene policies

Setting aside the time and resources to implement our security hygiene strategy

Practice good security eight days a week?


When it comes to security hygiene, it’s easy to fall into bad habits: reusing the same password for multiple applications, assuming that data stored in the cloud aligns with your own security standards, and so on. But it’s also easy to make good security practices a habit. Patch Tuesday is a popular example, in that many organizations are now in the habit of installing new software patches for their business applications every Tuesday of the week.

But what about the rest of the week? Imagine how much stronger your security posture would be if you had a Wi-Fi Wednesday to promote weekly mobile device security or instituted Malware Mornings to make sure your antivirus definitions were up to date. While we’re not actually suggesting you have to give every security initiative a memorable name, we are recommending that you automate the process of good security hygiene as much as possible.

Adopt security best practices

Patch Tuesdays

Malware Mornings

Wi-Fi Wednesdays

Do you really need to stay on top of security every day? Yes, because cyberattacks don’t take a day off. Organizations need to practice good security hygiene eight days a week to stay ahead of the constant stream of new cyberthreats and globally based cyberattacks that can strike anywhere, at any time.

10 Essential Security Practices: Building a Risk-Aware Culture

Building risk awareness into your organizational culture is the key to a balanced and effective security hygiene program. Watch this video to see how education leads to better protection.

Cybercriminals look for the spots you miss


It’s not that organizations don’t see the value of security hygiene. Rather, they don’t see where the lack of security hygiene is causing problems: in their networks, applications, endpoints, etc. Limited visibility into risk exposure is the primary reason that poor security hygiene persists.

What you can’t see, you won’t clean. The most damaging cyberattacks are often the result of security holes that might have been easily patched or closed, but were overlooked or undetected: an old legacy application, an unsecured partner portal, etc. The statement that an ounce of prevention is worth a pound of cure holds true here, but what happens when you’re prevented from seeing the problem in the first place?

If you want to improve your security hygiene, start by improving visibility into your organization’s threat surface. Real-time, reliable data that reports across all your different systems, locations, applications, operating systems, endpoints, etc. is one of the most important weapons you have in the fight against cyberattacks. By enhancing that data with contextual insights and advanced analytics, organizations can quickly pinpoint where and how to focus their security hygiene efforts for maximum effectiveness.

If good hygiene is sound policy, which policies provide the best hygiene?


Your security is only as strong as the policies behind it. Just as security technology evolves to catch new cyberthreats, security policies also need to change and adapt to those threats. Implementing new software to stop ransomware attacks, for example, won’t be nearly as effective if you don’t also educate users on how to detect and avoid the spear-phishing attacks that carry ransomware.

Best security policies

Educate users

Strategic security partner

Seamless security

Fortunately, organizations aren’t alone in their fight against cybercrime. New virus definitions, threat intelligence and security best practices are constantly being developed by security vendors and industry watchdog groups. Working with a strategic security partner can also bring additional and much-needed insight into where your security policies are weak and where they’re strong.

Simplicity is central to security. Organizations cannot expect employees to shoulder the responsibility of policing their own security. It’s critical, therefore, that security be as seamless as possible from the user’s perspective, whether that means embedding security safeguards directly into your business applications and workflows or simplifying password management by combining a single sign-on with multifactor authentication.

Progressive Insurance: Proactively Protecting Data by Creating Appropriate Controls

Managing, monitoring and securing data is critical to creating strong security hygiene policies, tracking security issues and providing rapid remediation. Watch how Progressive Insurance uses an IBM Security solution to ensure their own safety against cyberthreats.

Don’t delegate security, automate it


Had he been born a few hundred years later, the poet Alexander Pope might have ended his observation “To err is human” with the thought, “to automate is divine.” Expecting users to scrupulously follow your security policies is simply wishful thinking. In fact, you can count on them not to follow those policies by keeping the same passwords for too long, using public Wi-Fi networks and opening suspicious emails.

No, if they want to protect their organization, security teams must adopt a proactive stance. And here they’ll find another obstacle: Funding for security tends to be reactive. It often takes a major industry event — or one that hits closer to home — to shake loose funding for additional security measures.

To err is human.
To automate is divine.

– Alexander Pope

To avoid this proactive/reactive cycle, organizations need to embrace security automation. Automation drives down the cost of maintaining good security hygiene by building security safeguards such as vulnerability detection and mitigation directly into business processes. It frees not only users from the responsibility of maintaining their own security, but IT teams as well. Handing off the critical but lower-function security tasks to automation means that security professionals now have more time to perform higher-level tasks such as threat hunting.

Good hygiene also helps with compliance

Healthy security habits protect your day-to-day operations and improve your ongoing efforts toward compliance. In fact, compliance rules often mandate good security habits such as encrypted communications, frequent password changes and regular data backups. As a result, good security hygiene ensures that organizations are less likely to incur high penalties from regulators due to non-compliance.

Compliance, after all, is essentially a set of security best practices, and consistent hygiene is the best security practice of them all. Good hygiene takes a proactive stance to security that can anticipate new compliance measures before they’re mandated, rather than reacting to them. Automation and consistent policy enforcement further support compliance efforts by enabling organizations to easily update security policies as compliance measures are added and enhanced over time.

Remember the importance of visibility into real-time security data that we mentioned earlier? It also plays a critical role in helping internal and external auditors confirm compliance. Each organization tends to have its own compliance calendar for updates and audits, but there is always the possibility of an unexpected audit. Having reliable, real-time security data to generate compliance reports on demand makes this process far less disruptive and far more effective.

The 123s of hygiene

Consistent hygiene — the best practice of all


Automation and consistent policy enforcement — enable organizations to update security policies


Visibility — help internal and external auditors confirm compliance

What is the primary driver for your security hygiene strategy?

Meeting compliance requirements

Fear of (or response to) a breach

Strong support or expectations from the C-suite

Make a clean break from poor hygiene habits today


Supporting a culture of good security hygiene is the single most important thing you can do to protect your brand and your customers. It is the foundation upon which all your other security activities rest and, without it, even your best security efforts will unravel. To set the responsibility for security hygiene on the shoulders of users, however, is to set them too high a bar. Instead, organizations that are serious about security hygiene will integrate it into their applications and processes and automate it to ensure its widespread adoption.

The source of poor security hygiene isn’t simply laziness or a lack of awareness, but also a lack of the proper tools and insights. This is where the right security partner can play an invaluable role, by helping your organization identify healthy security habits and maintain a high state of hygiene at all times through automation and managed services. If you’re ready to make a clean break from the poor hygiene habits of the past, IBM Security is ready to help.

Enhance security hygiene with IBM products and services:


Next steps

Enhance security hygiene Solution Brief

Explore IBM Security products and services.

Start your transformation

Learn how security hygiene can be simpler so you can be more secure.

Download the ebook

Save and share this document with colleagues.
