Cyber hygiene sounds like a newfangled IT term at first, but it’s actually about something that everyone knows from everyday life: cleanliness and regular maintenance. Just as we want to keep our homes free of dust, companies also need to regularly “dust off” their IT infrastructure in order to avoid security gaps and contain and minimize attacks at an early stage.

Our Managing Director and Security Architect, Fabian Böhm, was recently on the Stegmann and Company podcast “Bits and Bytes” with Alexa Dippold and talked about this often neglected topic. And the core message is surprisingly simple: it’s not difficult, everyone actually knows what to do.

Why cyber hygiene is so important

IT in general is becoming increasingly confusing. More networking, cloud services and new technologies are also creating more and more opportunities for attacks. The truth is, and we’ll be honest: there are countless tools and software products that promise to protect companies from cyberattacks. But the essentials are often forgotten > the basic maintenance of systems. Only those who continuously clean up systems can prevent security gaps and outdated systems from accumulating. This is less a question of budget than of prioritization. IT teams are often overloaded, and while companies invest in expensive security solutions, simple but effective maintenance is neglected.

The often underestimated basics of IT security

Where do we start? For example, password hygiene is often shockingly poor and comparable to a front door key that has been lying under the doormat for years. This applies to both personal and business accounts, where passwords often NEVER expire. Outdated operating systems are like ticking time bombs, and patching software becomes a matter of luck, where often only hours can decide the success or failure of an attack.

A particularly critical point is the testing of backups. A backup strategy without regular recovery tests is like an untested emergency kit… worthless in an emergency. Imagine a fire breaks out and no one has ever been through the fire drill. The consequences of a cyber-attack can be similarly devastating and the recovery of the systems fails.

Another important aspect that is often underestimated: System hardening, the secure configuration of applications. Many applications and operating systems are delivered with standard configurations that almost always activate unnecessary functions and services. It is therefore important to take preventative measures at an early stage rather than having to react later under pressure.

Identity protection is just as important, especially in the Microsoft environment with Active Directory and its cloud counterpart Entra ID. Basic cyber hygiene is essential here in order to make effective use of the numerous expensive security products that companies purchase and to actually rectify the identified vulnerabilities.

But why this neglect? It is often due to IT teams being overloaded and a lack of prioritization on the part of management. Infrastructures are becoming increasingly complex, not only due to the cloud, but also due to topics such as AI, while resources often remain limited. “Security is a matter for the boss” is not just a saying, but a necessity. After all, investments in basic cyber hygiene pay off many times over in an emergency and are often more effective than blindly buying expensive but unused software. Cleaning up legacy issues also plays an important role here, even if this initially incurs costs.

The good news is that cyber hygiene is not rocket science. It’s about mastering the basics and applying them consistently.

The pillars of cyber hygiene summarized at a glance:

• • Use strong passwords and check and change them regularly
  • Update your systems regularly
  • Harden your systems, e.g. according to the CIS recommendations
  • Back up your data and test the recovery
  • Process messages in your (X)DR systems and recommendations from the last pentest
  • Sensitize your employees and above all create TIME to process them

Continuity is the key. Take small steps on a regular basis, for example by giving IT administrators dedicated time each month for cyber hygiene measures, instead of initiating large projects that come to nothing. The use of inexpensive or even open source tools to analyze the environment can also be helpful here.

Our expert summed it up aptly in the podcast: “Most of the time, there isn’t enough time, and this is exactly where managers should start. For example, giving your administrators just eight hours a month to focus exclusively on internal IT security hygiene would be a big step forward. This topic should be given more priority.”

Conclusion: Cyber hygiene as an investment in the future

In many cases, it can make sense to bring external service providers on board to take on specialized tasks. Be it patch management, the analysis of system gaps or the implementation of backup solutions. This collaboration takes the pressure off internal teams and brings additional expert knowledge into the company.

Cyber hygiene may not be glamorous, but it is the foundation of any robust IT security strategy. So before you purchase the next “promising” security tool, make sure you get the basics right. At the end of the day, it’s like dusting: It may not always be fun, but the result is a much safer and more pleasant environment for everyone in the company 😉.

Curious to find out more? The Bits and podcast takes another look at cyber hygiene from a different angle! >> To the podcast episode <<