Security of users, data, devices and networks is orchestrated via a set of precautionary cyber measures called cyber hygiene. Enterprises today deal with a sheer volume of users, data and devices, often distributed across complex cloud/hybrid environments – making cyber hygiene monitoring a challenging task. In this session, leading cyber experts shed light on the importance of implementing effective cyber hygiene amidst an uncertain threat landscape and share best practices on how to do so.
So my name's Christoff Kupa, I'm from Aons and I'm running the business here in the central European region.
My name is Boris Boster, I'm from Ian and I'm heading the governance Risk Compliance Department in cybersecurity.
And hi, my name is Norm Green, I'm from CLO Security. I run product and strategy of the company.
And we, we already have met Manuel Garrett, but all of you already put at following instructions. The question was introduce yourselves and make your opening statement, which none of you did. So could I please have your opening statements?
Okay, I will go with an opening statement. My opening statement is, cybersecurity is about making sure that your assets and your processes are in the best possible state and in the best possible hygiene, so to say, because only if you have all of your processes and all of your assets under one control and under one view, you have as least as possible cracks in your system. And that helps to repel potential attacks. That's an opening statement from my side.
Well, opening statement, your cyber hygiene is like your fridge. You don't want any rotten vegetables in your fridge. So put out all your end of life systems or your unused users, everything you don't use anymore, anything that is not up for consumption, put it out and then you're healthy.
So when we talk about cyber hygiene, I think that the basic comes to users and at the end of the day, users are identities. So if you want to make sure that you know who's actually connecting to your network, identities is the new key. Make sure you have the right identity based connectivity. Make sure that you have that level of hygiene so when you start with the users, everything else will also fall into place.
From my point of view, I would say cyber hygiene is very parallel to personal hygiene. So yes, it's repetitive, it's something you have to do every day. It's, it's easy to, to be tempted to let it go for one day, for one. But the reality is we cannot expect to, to, for the doctor to fix everything when there is an incident, when there is a problem, right? We have to do our part day by day and that will basically mean less incidents and when they come, they are less severe.
Okay, great. Thanks. Settlement. So considering that most incidents do result from poor cyber hygiene, why are we still getting it wrong? Or why are we so poor at this? Why is it just not part of business as usual? So, you know, who wants to take that one?
Yeah, I, I, I would try to answer because the business comes in the way. So our day to day drops and, and everybody is, is looking for patch windows and well, the business wants to run. So, so if you ask the business, Hey, can I have a patch window for, for, for regular patching? They probably say, yes, come back next month. And then just when you come around the corner and say, Hey, your patch window is now due, I want to install some patches. No, it, it doesn't work right now. Can you come back later, maybe tomorrow? And so I think a lot of things is that the business really comes into the way and there is so much to do that it's postponed and postponed and then like your fridge, it's getting dirty and dirtier and dirtier and dirtier until you have something rotten in there. You have end of life systems. You have an unhygienic system.
Yesterday we were stuck in car analogies and today we're on fridges. It is great. Does everyone else on the panel agree that that kind of the business is one of the things that, that they're bumping into the most? And as, as a kind of a follow up to that, I mean, do you also get pushback from them, from end users in any way? I mean, are you getting it from both sides, so to speak? Manuel?
Yeah. I, so my take would be not so much a limitation by the business, but the, for me it's, it requires a lot of discipline. So we, it's, it's actually quite easy to define cyber, cyber hygiene controls and have them work for the first month. The problem is, doing that consistently over time requires, requires a lot of discipline and, and people need to be constantly aware, especially people with, with where their job is not cyber security, but still have to, to run some controls. It's for them very hard to keep the focus because it requires discipline of, of doing something, which to be blunt, it's not always, it's, it's sometimes boring, right? So you have to, to, to make sure to, to brush your teeth three times per day every day. And sometimes people go like, Yeah, okay, fine, but every day, Well, yeah, every day. So for me it's, it's rather than, rather than a limitation by the business, for me it's instilling that awareness and that discipline in the, in the workforce. That's where I see the challenge.
Okay, great. I I, I don't wanna spend too much time in on the problem area. Cause I think we kind of all understand that I'd rather look trying spend more of the time. We've got not, not much time to look at the solutions. So could you guys maybe just run through again from, maybe starting from this end this time, how are your organizations ensuring that you've, you've got a, a reasonable or good level of, of cyber hygiene? What are the programs that you've put in or that your organizations put in that you, you could recommend to saying these really work well?
Yeah, so I, I think it all, as I mentioned, you started with the users, it started with the people. So it's making sure for example, that when you connect to the system, you, you have MFA and you have SSO so that you are able to, you know, fully control and know exactly who's actually connecting. Backups. So I've heard something that, that I found was very interesting. The, the, the sentence goes like this: I have never seen a backup system that failed. The restore on the other hand is where the problem is, and that is a lot of the challenges that we have in these types of implementation. But, but for us, it comes around implementing the zero trust capabilities, which will enable to solve a lot of the problems that, you know, lack of cyber hygiene can actually take control of.
Yeah. For, for Ian, well, I must say one thing is of course the governance. We, we put in rules to make people aware. So people are, are key to it and I, I like your statement that it's a continuous awareness that needs to be raised. So what we do to ensure that we have a more or less cyber hygiene system or environment is of course that we know our assets. So we want to have our assets classified so that we also can look after the more critical assets, maybe much stricter than after less critical assets like a contain system or something like this. Not saying contain systems are not important, but hey, and also for users, so privileged user access must be restricted and if people don't use or need the access any longer, they must be removed. So also this is implemented, I think there can be done much more in an automatic way, but in future hopefully. But as it is, there are some routines living to, to eliminate and also patch management and end of life management. So we work, we are working on this, we are working on this with our partners, with the, with the business partners, with the, with the external partners to make sure that we have, yeah, a high standard in cyber hygiene in general.
Yeah, I can only add to this users, identities, assets, those are things we have to look at. Those are things where this kind of hygiene we talked about is really necessary. I want to add to this that also SaaS applications, which now are proliferating all across the planet, all across the place, will be and are already a point where we need to look at. Now if you ask me what my company does to put proper measures in place here to make this all better, I can, I'm in the positive and lucky position to say that my company invented a system that I'm actually representing here that does exactly that in an automated way. But let's not go there. This is not a sales show, I'm just saying this is what my company does to make this better.
Yeah. So I want to make the distinction between, between the actual security controls and the cyber hygiene, right? So once the security controls are there, the cyber hygiene, what, what my company does to ensure cyber hygiene is basically three things. It's bit first, having, having the policies, the standards in place. Second is running awareness raising campaigns, so, and continuous awareness raising, so yearly refreshers and so on. And third running maturity controls. So running, sorry, maturity campaigns. So maturity to, to make sure that we identify year after year whether the, the controls continue to be effective or actually cyber hygiene is disappearing because people are, even though the, the technology is there, if the controls are there, we are not running it effectively anymore. We are not, again, sorry for the, for repeating the analogy. We are not brushing our teeth every day. Right?
Okay. So from your experience though, if, if you were to, to recommend one, one thing above all else, you know, sort of, if a peer of yours would come and say, look, you know, I, I need to do one thing, I can do one thing. I've got resources to do one thing about cyber hygiene, what would it be? Let's start the other way around. Let's start with Manuel this time.
So again, I, I would not recommend any specific practice. I wouldn't, I wouldn't talk about reification campaigns, I wouldn't talk about SSO, I would talk about those three things. You, you need to have a clear plan, something in writing that defines what you mean by cyber hygiene, what controls you want to have in place and so on. Second, you need to make sure you raise awareness at least, well, let's say once a year. But, but it depends. And third, you need to assess, you need to assess whether it's being effective. Beyond that you, you can start introducing specific controls, but if you don't have that, you don't have a plan, you don't have a north star, a map to get there.
Okay. If I would only have one resource to do one thing, I would actually encourage this resource to invest their time in identifying what are those basic things to do, how to do those basic things and then automate them so that the next day they can look for something else. So they automate the asset problem in the first phase, they automate the user problem in the next phase, they automate the identity problem, and I'm calling it problem, let's say the playground, yeah, in the third day. And then, then you go to SaaS and then you reiterate, and by doing so, you can also use limited resources to make progress and to get ahead and finally to define your hygiene state in a certain, in a certain way and make a KPI out of it. And then see where you are on a scale from one to 10. That's what I would recommend. If I had limited, also, I would recommend to talk to the management and say, this is a problem, this is cracks in our shield, this is where we are going for, we should have more than only one resource. But that's another story.
For, for one, one recommendation is make aware that cyber hygiene matters. Because if you raise this awareness throughout the company, then the people probably in charge in the operations departments, they will take care of it if they understand the risk. So if you raise the awareness of it all and why it matters, why it matters for each and every person on both the business level, but also on the private level, then I think you, you already want and can go then in this direction because I like it.
Yeah. So I think, I mean, everything that you said is true, but I think that awareness is definitely very, very important because if training etc. is, is put into place, people understand why they should not click a phishing email asking them to give money to an, you know, the latest phish scam. But as a very famous sentence that basically says, hackers don't break in, they log in, right? Everything that has to do, if you are able to protect your assets in a way that only the, you know exactly who's connecting to them, there's multifactor authentication, you are, you are very, very sure that they can only connect to what they need. The chances of anything happening that will propagate is significantly reduced. The, the rest of it can definitely follow.
Okay. I did warn you we're gonna be really short on time. So kind of, we are looking at closing statements already, but I'd also like to fold in a, a suggestion from them was how did, how did things change during covid 19? What did you learn? What worked better? What worked less well? How, how have you rejigged things? So kind of roll that into a closing statement as well. If you, if you could please we'll start.
So, you know, when we speak to a lot of CISOs and IT managers, they actually look at COVID time almost with nostalgia because they say, I knew everybody who's connecting, everybody was home. I had full control of who's connecting. I give them the right access. Now that they came back in the office or they're moving around, I, I lost that level of control. I want the same level of control I had in Covid without Covid. And, and that is an aspect that, that I think we need to, to try to aspire to.
That's very interesting.
Well, I don't know if so much did change during Covid actually, because I think it shifted the work and if, if at all, I think more permissions for some rights have been granted because where you first, where you went to your colleague and said, Can you do this for me? And on an eye to eye level, they probably agreed, this, this now went through more regular channels, digital channels could be, could be, could be stated. So I think they're changed a bit in, in the ramp up of rights on, on single persons and yeah, my recommendation and my closing statement would be, look at it really like your fridge, get out all the rotten stuff, look on the due dates and then make it clear that you have a clear fridge with fresh food.
Okay. On the end
I was thinking what to say about Covid that had not been said in the last two years in terms of cybersecurity. Because we talked about all the aspects of different working scenarios and everything, and I'm with you, but I want to add, I'm with you in terms of the additional access we had been granting to people and I want to add that within Covid or within the time spent since Covid kicked in and happened also the way changed, we use IT by the way it is catered and delivered. And this is again something about SaaS, so I'm with you. We have more access, but also we have all of a sudden more systems that out of creative needs had been needed, you know, to be used. And then there, this is something I would say Covid has been initiating, but that has not stopped. This is gonna continue. That would be my closing statement.
And Manuel. The last word maybe goes to you.
Yeah, thank you. So I think during Covid what we saw is cyber hygiene is at the center of cybersecurity. Cybersecurity is at the center of zero trust. And when, when we didn't have that, that in person component during Covid, we realized zero trust is, is a real thing and it's achievable. The technology is there, but again, the cyber hygiene practices are not so much related with technology but related with practices. Right. And what my, my, my closing statement would be, organizations are complex and complexity is going to continue to, to be there and therefore anything you do at one point in time is going to tend to degrade and devolve and, and you need to, to be very aware to, to make sure you keep those practices up to speed, up to standard and maintain cyber hygiene.
Great, thank you. That brings us very, very nicely to time and I think I'm gonna call time and there gentlemen, thank you so much for your contribution. Please show your appreciation.