What is cyber hygiene?

After a cursory Google search, there is no clear answer or prevailing precedent for what defines cyber hygiene. Below is a quick infographic that summarizes the most common tips and recommendations returned when one googles "cyber hygiene".

Most of these cyber hygiene best practices share common characteristics. They are the relatively low-effort and/or low-cost investments an organization can make to greatly improve its cyber security posture. Most are self-directed and do not require cyber expertise to implement. They are largely proactive, with few reactive measures. All of the recommendations can be found in industry security frameworks such as NIST, CIS, ISO, FedRAMP, CMMC, or SOC.

Cyber hygiene activities provide a strong foundation for initiating a security program. Unfortunately, many small and medium-sized businesses are not practicing cyber hygiene.

Why is there such a large disconnect between these common recommendations for cyber hygiene and the reality of practice?

The common reasons for a hygiene gap include:

  1. Most SMBs cannot afford an in-house cyber expert, so they lack the education and knowledge base needed to prioritize cyber hygiene efforts.
  2. The well-known products and services in the market rarely cover more than one of the circles in the graphic. There are no silver-bullet cybersecurity solutions that span the full range of recommendations. Further, SMBs typically do not have the budget or risk profile to economically deploy a full suite of products, since most of those products were built to meet the needs of the Fortune 500.
  3. A security audit will identify an organization's gaps to date, but it is unlikely to plan and execute the steps necessary to fill those gaps. We frequently see small businesses assessing and identifying gaps but failing to follow through to remediation.
  4. Much of the money in the cyber market is flowing to reactive rather than proactive solutions. An urgent event (breach, data loss, etc.) provides an immediate impetus for solutions such as forensics and data recovery. Detection and response (D&R) solutions are a poor substitute for cyber hygiene. Industry frameworks prioritize cyber hygiene recommendations ahead of D&R, and the return on dollars spent on risk removal is very compelling as well.

Filling this knowledge and practice gap in cyber hygiene will continue to be a challenge. There is a market disconnect between risk reduction practices, actual cyber losses, and the tools being deployed to close the gap. Changing human behavior, cyber education, executive leadership awareness, and corporate governance represent a massive market opportunity for new products and services, one that to date is largely unaddressed in the SMB market.

FortMesa Product Feature

FortMesa aims to orchestrate cyber hygiene for SMBs and the service providers that serve them. By laying the foundation for a security program; planning and scheduling step-by-step improvements; and measuring, monitoring, and reporting progress, the platform fills the security expertise gap for SMBs.

About Tim Schnurr

Tim recently left his role as VP in the Deloitte Cyber Product Team to join FortMesa founder Matt Fisch. Tim is passionate about building SaaS solutions for cyber risk reduction.