Phil Robinson, Principal Consultant at Prism Infosec
Poor cyber hygiene remains a major cause of security breaches. The National Cyber Security Centre (NCSC) Annual Review 2023 revealed that the highest proportion of incidents it had dealt with this year were the result of the exploitation of unpatched common vulnerabilities and exposures (CVEs) affecting public-facing applications which could have been prevented through better cyber hygiene.
But what is cyber hygiene? There’s no strict definition, although the general consensus is that it’s a number of simple routine measures adopted to secure sensitive data and minimise risk from cyber threats. As most cyber threats are relatively unsophisticated, adopting these measures can prove highly effective. In the case of the CVEs mentioned above, effective patch management (an integral part of ensuring good cyber hygiene) would have seen critical updates prioritised and applied, potentially reducing the risk of compromise.
The most common measures adopted, according to the Cyber Security Breaches Survey 2023 government report, are keeping malware protection updated (ie anti-virus), backing up to the cloud, password management, restricting administrative access rights, and using network firewalls, with two thirds of businesses having these in place, although staff training should also be included here to mitigate the insider threat.
Is cyber hygiene getting worse?
However, the report notes that there has been a consistent decline in some areas of cyber hygiene across the last three waves of the survey. The use of password policies fell from 79% in 2021 to 70% in 2023, deployment of network firewalls from 78% to 66% (although this in practice could be due to an increased prevalence of cloud computing and deployment of Zero Trust Network Architecture), restricting administrative rights from 75% to 67%, and policies to apply software security updates within 14 days fell from an already low 43% to 31% (this was even more marked among the retail and wholesale sector where the rate fell from 41% to 29%). In addition, only 18% of businesses had instructed staff in the form of security awareness training over the course of the year.
The shift has occurred in the micro and SME sectors, although among medium businesses the number placing security controls on their devices dropped sharply (from 91% to 79%) as did agreed processes for phishing emails (from 86% to 78%). When adding to this the economic pressures which have seen these businesses cut back resources, it is clear that the downward spiral may well be set to continue, leaving these smaller businesses particularly vulnerable to attack. So, what can they do to improve security practices and reduce the likelihood of compromise?
One of the easiest ways to improve cyber hygiene is to implement an approach based on compiance with an existingbaseline cyber security standard. There are a number of particular standards and guidance that can be used, such as: Cyber Essentials (CE and CE+), ISO 27001 (and more wider the ISO27000 series) as well as the NIST Cybersecurity Framework (CSF).
Awareness of these standards is still relatively low, with only 14% saying they had heard of CE, 9% adhering to ISO27001 and 3% to working with the NIST standard but uptake is increasing. The NCSC report found 30% of micro and SME businesses became compliant with CE for the first time this year, with 4% of micro organisations signing up to CE and 17% to CE+.
The Cyber Security Longitudinal Survey Wave 2, which only covers medium, large and very large companies, reports a higher uptake, with 25% adhering to CE, 11% to CE+ and 17% to ISO 27001. It did find that organisations were more likely to adhere to one of the standards if they had experienced a cyber incident in the last twelve months and this is worrying as it suggests even those companies with access to more resources are not acting until after they’ve been breached.
Why standards are the perfect way to increase cyber hygiene
The tide is turning, however, with 35% of businesses being motivated to get CE compliant to generally improve security, compared to 22% pursuing compliance to bid on government contracts and 15% for commercial contracts. Several initiatives have also sought to spread the word and in January 2023 the NCSC launched its Funded CE Programme offering financial assistance for those seeking accreditation.
From a cyber hygiene perspective, CE provides a comprehensive basis with five technical controls covering boundary firewalls and internet gateways, secure configurations, user access controls, malware protection and patch management. Today, however, only a fifth of businesses currently comply with all five, according to the Breaches Survey. Of those that do fully comply, 66% had experienced an incident according to the Longitudinal Survey, which meant they only went ‘all in’ after the event, at which point they realised the value of the controls in enabling them to identify and manage incidents.
In contrast to CE, which is driven by the UK Government, ISO 27001 is an international standard and demonstrates an organisational commitment to managing information security. Last year it was consolidated down from 14 to four areas: Organisational, People, Physical and Technological. The list of controls was cut from 114 to 93, with 11 new ones added, while 57 have been merged and some removed, and five new attributes have been introduced to align with digital security. All changes which make it much more relevant to SMEs.
ISO27001 can take some time to achieve but is valid for three years while CE and CE+ are renewed annually. CE is a self-assessment while CE+, an extension of CE, requires third party involvement with an assessor carrying out a technical audit and vulnerability scans.
What is clear is that poor cyber hygiene can leave the business open to attack but that putting in place a minimum level of security can significantly reduce the chance of being compromised. These baseline standards all provide a route for organisations that are short on time and resources to improve their cyber hygiene. In fact, the NCSC states that 80% fewer cyber insurance claims are made with CE in place, revealing just how effective making these small changes can be when it comes to mitigating attacks. So rather than viewing such compliance as an outlay, organisations need to view these standards as a vital investment in protecting their processes and assets.
