CISA has a Secure Our World campaign as part of October being Cybersecurity Awareness Month. The tag line is “simple ways to protect yourself, your family and your business from online threats.” There’s a 1-minute video aimed at every “digital citizen from K to gray”, and CISA Director Jen Easterly has been doing interviews.

One of the things I like about this campaign is that it’s finally an appropriate use of the term cyber hygiene. Here’s a pull quote from an interview that Jen Easterly did with CBS News.

We call it cyber hygiene. We want to make cyber hygiene as easy as buckling your seatbelt or brushing your teeth. … It’s strong passwords in a password manager, it’s keeping your software constantly updated, it’s turning on multi-factor authentication, … and it’s thinking before you click.

Four items. Hygiene is a small list of items. Hygiene is something that all should do. Patients and doctors. Users and security professionals.

In the security community the term cyber hygiene has become synonymous with good security practice and has turned into a long and growing list. A lot of what is being called cyber hygiene only applies to security professionals or other specialized roles. Monitoring and detection. Incident response. Role-based access control.

Even worse, the term cyber hygiene implies that if you don’t do everything on this long and growing list you are foolhardy and negligent. Even if the security control or practice on the list will cost significant resources and have negligible impact on risk. Even if implementing cyber hygiene will take resources away from other actions that would have a much greater impact on risk reduction.

The danger with “cyber hygiene” is that it moves the OT security community, at a time when budgets are ramping up to make progress, toward a checklist approach as opposed to a risk-based approach.

I’m afraid that the term cyber hygiene has taken hold in the OT / ICS security world. I fought it. I even did a podcast on it back in 2018 before it took hold. I have grudgingly accepted that it has caught on. I never use it, but I almost never tell someone who does use it that it is the wrong term. At a certain point fighting a popular term isn’t helping create the future. I’d still prefer we stop using it as a substitute for good security practices that should be considered by a security team.

Maybe this campaign will help. Wait a minute, CISA says cyber hygiene is these four things.