Cyber security hygiene best practices for your organization - ITSAP.10.102

Cyber security Cyber securityThe protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability. hygiene refers to the best practices your organization can take to maintain the overall health and security of your IT environment. Your cyber security hygiene helps you better defend your networks, systems and data from threat actors.

Threat actors, even in more sophisticated attacks, leverage common vulnerabilities and weaknesses to attack systems and gain initial access. By building a solid cyber security foundation, your organization is better positioned to protect, defend and recover from cyber incidents.

On this page

Cyber security hygiene checklist

The following checklist provides actions your organization can take to strengthen your cyber security.

While not all actions may be feasible, you should prioritize implementing those that are most impactful and sustainable for your organization. Doing so will enhance your cyber security posture.

Network and endpoint protection

  • Protect your network and endpoints with the following tools
    • anti-virus and anti-malware software
    • network protocol inspection tools
    • endpoint detection and response
    • firewalls
    • wireless intrusion detection and prevention systems
    • mobile endpoint threat management solutions and mobile threat defence products
  • Segment your networks to stop traffic from flowing to sensitive or restricted zones
  • Implement a security information and event management system to enable real-time, continuous monitoring to identify anomalies in your
    • network traffic
    • wireless access points
    • mobile device gateways
  • Monitor your security critical components, including the
    • Domain Name System (DNS) server
    • authentication server
    • public key infrastructure
  • Implement protective DNS to prevent users from inadvertently visiting potentially malicious domains on the Internet
  • Regularly renew cryptographic keys to maintain secure communications
  • Document secure baseline configurations for all your IT, operational technology components and cloud infrastructure
  • Establish and maintain a configuration management database
  • Conduct and maintain an inventory of your IT assets
  • Manage and detect unauthorized assets by developing and maintaining IT asset management procedures that ensure proper tagging and labelling of hardware and software assets

Read more

Top of page
 

System protection

  • Enable automatic updates and patches for your firmware, hardware, software and operating systems, especially for Internet-exposed services and systems
  • Patch operating systems and applications promptly after assessing organizational risk and confirming compatibility with your environment
  • Enforce phishing-resistant multi-factor authentication (MFA) for all accounts and systems, especially those with administrative privileges
  • Encourage the use of strong, unique, and confidential passphrases or passwords where MFA is not technically feasible
  • Ensure administrators use dedicated workstations that do not allow web browsing or email access
  • Regularly review and update user privileges, such as
    • remove users no longer in your organization
    • edit user privileges if users no longer require access to certain data or systems
    • limit administrative privileges to a small number of users
    • require two-person integrity for administrative privileges
    • conduct administrative functions from a dedicated administrative workstation
  • Apply the principle of least privilege, ensuring users only have the set of privileges that are essential to performing authorized tasks
  • Consider role-based access control
  • Manage mobile devices with unified endpoint management software
  • Implement application allow lists to control what applications and components are allowed on your networks and systems
  • Assess third-party applications to identify and disable unnecessary components or functions or require human intervention before activation (for example, macros)
  • Disable autorun or autoplay on all your operating systems and web browsers to avoid automatic installations of unauthorized software
  • Establish an incident response plan and conduct annual tests to ensure timely restoration of critical functions and effective recovery
  • Categorize your assets to identify those that are most critical to your organization's operations
  • Regularly backup critical data and systems to offline storage, ensuring backups are isolated from network connections
  • Test your backups periodically to ensure data and systems can be recovered quickly and successfully
  • Proactively manage device lifecycles to address vulnerabilities in end-of-life or end-of-service-life devices, which often remain unpatched and increase security risks

Read more 

Top of page
 

User education and additional protective measures

  • Provide ongoing, tailored cyber security training to ensure your employees know how to respond to suspicious links or emails
  • Provide privacy awareness training to your employees to reduce the risk of privacy breaches
  • Identify and subscribe to relevant security information sources or alert services to stay informed about threats that could impact your organization
  • Develop an internal and external contact list of key stakeholders to alert during cyber threat events

Read more

Top of page
 
Date modified: