Cyber Hygiene, Cyber Health and Cybersecurity: What’s the Difference?
Cyber hygiene, cyber health, cybersecurity. They all seem like interchangeable phrases. But you wouldn’t interchange “doctor”, “nutritionist”, and “surgeon.” While a lot can slip through the cracks, it’s important to draw a distinction between the three disciplines in order to properly identify areas of pain and correctly prescribe improvements.
Cyber Hygiene
Cyber hygiene deals with network security related to the general upkeep of the network. You can compare this to your yearly check-ups. How is your blood pressure? What is your Body Mass Index? How’s your diet, and are you getting enough sleep? It is intended to ensure everything is working as it should. This is nowhere near the operating table, but it’s also more involved than a self-diagnosis. And good cyber hygiene can keep you off of the proverbial operating table.
Similarly, cyber hygiene involves vectors that aren’t necessarily cybersecurity related, at least not at first glance: switches, Active Directory servers, endpoint access, the principle of least privilege – all the tools of IT. Are they configured properly? Do we know where everything is on the network, and is that where it is supposed to be? Is there full visibility over these assets, or are there blind spots? In other words – if you take every peripheral threat out of the picture, does your network itself run as it needs to in order to operate smoothly?
One easy way to cover the bases of cyber hygiene is to stay current with the CIS Controls. Implementation Group 1 (IG1) in particular emphasizes the need for the basics: knowing what’s on the network, configuring it properly, securing access, and patching where needed. This is IT’s job, as it involves the well-being of the network and all things on it. It requires expertise and is particularly involved during development, deployment, and regular audits.
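The first IG1 basic above, knowing what is on the network and whether each asset is where it is supposed to be, is the kind of check that can be automated. The following is an added example, not code from the original post or from Nomic: it reconciles a constructed "authorized inventory" (what a CMDB says should exist) against a constructed list of hosts a discovery scan observed, keyed on MAC address, and sorts the results into unknown devices (a blind spot), authorized devices that were not seen (a stale record or an offline asset), and devices that answered from a subnet other than the one they are assigned to. The field names and sample hosts are assumptions for illustration.

```python
"""Asset-inventory reconciliation in the spirit of CIS Control 1 (IG1).

Added example: compares what should be on the network (authorized inventory)
with what a discovery scan actually saw, so gaps in visibility show up as
concrete findings rather than a vague sense that "something is off".
"""
import ipaddress

# Constructed sample inventory, e.g. an export from a CMDB or asset spreadsheet.
AUTHORIZED = [
    {"hostname": "fs01",       "mac": "00:11:22:33:44:01", "subnet": "10.0.10.0/24", "owner": "IT"},
    {"hostname": "ws-alice",   "mac": "00-11-22-33-44-02", "subnet": "10.0.20.0/24", "owner": "Finance"},
    {"hostname": "printer-2f", "mac": "00:11:22:33:44:03", "subnet": "10.0.30.0/24", "owner": "Facilities"},
]

# Constructed sample discovery results, e.g. from an ARP sweep or DHCP lease table.
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.10.5",   "hostname": "fs01"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.10.77",  "hostname": "ws-alice"},       # wrong subnet
    {"mac": "00:11:22:33:44:99", "ip": "10.0.20.200", "hostname": "unknown-device"},  # not in inventory
]


def normalize_mac(mac: str) -> str:
    """Canonical form so '00-11-22-33-44-AA' and '00:11:22:33:44:aa' match."""
    return mac.strip().lower().replace("-", ":")


def reconcile(authorized: list, observed: list) -> dict:
    """Classify every observed and authorized host.

    Returns a dict with four lists:
      unknown   - observed hosts with no inventory record (a visibility blind spot)
      misplaced - authorized hosts seen outside their assigned subnet
      missing   - authorized hosts the scan never saw (offline, or a stale record)
      ok        - authorized hosts seen where expected
    """
    auth_by_mac = {normalize_mac(a["mac"]): a for a in authorized}
    seen = set()
    report = {"unknown": [], "misplaced": [], "missing": [], "ok": []}

    for obs in observed:
        mac = normalize_mac(obs["mac"])
        seen.add(mac)
        record = auth_by_mac.get(mac)
        if record is None:
            report["unknown"].append(obs)
            continue
        # The record exists; now check that the device is where the inventory says it belongs.
        ip = ipaddress.ip_address(obs["ip"])
        if ip in ipaddress.ip_network(record["subnet"]):
            report["ok"].append(obs)
        else:
            report["misplaced"].append({**obs, "expected_subnet": record["subnet"], "owner": record["owner"]})

    for mac, record in auth_by_mac.items():
        if mac not in seen:
            report["missing"].append(record)

    return report


def format_report(report: dict) -> list:
    """Human-readable lines, one per finding, for a ticket or a daily hygiene check."""
    lines = []
    for obs in report["unknown"]:
        lines.append(f"UNKNOWN   {obs['ip']:<15} mac={obs['mac']} name={obs.get('hostname', '?')}")
    for obs in report["misplaced"]:
        lines.append(f"MISPLACED {obs['ip']:<15} {obs['hostname']} expected in {obs['expected_subnet']} (owner {obs['owner']})")
    for rec in report["missing"]:
        lines.append(f"MISSING   {rec['hostname']} ({rec['mac']}) not seen; owner {rec['owner']}")
    lines.append(f"OK        {len(report['ok'])} host(s) where expected")
    return lines


if __name__ == "__main__":
    for line in format_report(reconcile(AUTHORIZED, OBSERVED)):
        print(line)
```

Keying on MAC rather than hostname or IP is deliberate: hostnames are self-reported and IPs change with DHCP, so an attacker-controlled or misconfigured box can claim either, while the inventory's job is to tie a physical interface to an owner and a location. In practice the two input lists would come from your CMDB export and your discovery tooling; the "unknown" and "missing" lists are the ones worth routing to IT for follow-up on a regular cadence.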
Cyber Health
Cyber health is largely the responsibility of the user. This would be you taking charge of your health by hiring a nutritionist, for example. They teach you what to eat, where to shop, and what to avoid.
Cyber health practices operate the same way. Users can be taught cyber awareness principles, how to spot a phishing attack, the virtues of avoiding public Wi-Fi, and how to protect their BYOD devices. Additionally, they learn to use MFA, are educated on which sites to avoid, and are trained in strong password creation and VPN use. While many of those initiatives come from the top down, they are ultimately in the user’s jurisdiction, and compliance depends largely upon policy, usability, and buy-in.
Cybersecurity
Cyber hygiene and cyber health are critical components of an organization’s cybersecurity posture, of course. But separate from these basics, cybersecurity-specific tools and services are necessary to monitor and maintain a healthy security posture. And when someone gets “sick” – perhaps a user clicks a bad link, or there’s evidence of an exploit or ransomware – you may need trained professionals to step in and help. It’s like when a patient is admitted to the Emergency Room, and a team of doctors and nurses lean on best-in-class technology to treat them. Highly skilled practitioners, state-of-the-art solutions, and high-pressure environments all combine to help their patient recover.
In the digital world, cybersecurity experts are on the front lines of attack. They deal with everything from zero-days to commodity exploits and are on call 24/7/365, guarding against mundane scans and nation-state attacks alike. If a DDoS attack occurs at 2 AM, these are the SOC analysts who won’t get any sleep. While staying vigilant amid a constant environment of cyber warfare, cybersecurity experts often lack the time to keep up with the chores of daily maintenance, and security “check-ups” may seem like a luxury when they’re drowning in alerts. Consequently, many are forced to triage and take care of the most life-threatening situations first.
A Unified Approach
To maintain optimal health, a person needs all three: regular trips to the doctor, good everyday health and nutrition, and access to top medical care in critical situations. Working together, cyber hygiene, cyber health, and cybersecurity solutions combine to form a fully balanced security strategy and the most complete approach to digital defense. One team of surgeons can’t do it all – the demands for consistent maintenance are too high, and it’s the individual’s responsibility to take care of their choices on a daily basis. Similarly, the task would be too great for a family practitioner alone, and a nutritionist never removed a kidney stone.
To have a fully functioning IT department, cybersecurity measures have to be baked in, and IT needs to perform the basic, everyday maintenance tasks. Users need to be educated on how to make prudent cyber choices, and buy-in needs to come from the top. By investing in all three disciplines, an organization can avoid creating problems for itself down the road.
Organizations today need a unified approach to security. With the onslaught of exploits continuing to proliferate, evolve, and become ever more elusive, a tactician’s attention to strategy is needed. Defense-in-depth requires reliance on all three levels. Balancing cyber hygiene, cyber health, and cybersecurity will allow even the smallest SMBs to create a network designed to not only fend off attacks but stay healthy and heal itself.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.