
Tenable Blog


Cyber Hygiene Essentials: What You Need to Know

In part one of our series on cyber hygiene, we explore the fundamentals that can help businesses understand where they're vulnerable and how to protect their networks from cyberattacks and breaches.

No doubt you've got a lot on your plate running a business: keeping productivity and output on track, monitoring expenses and sales, managing employees, maintaining customer service and so on. As such, you may not be as aware of cybersecurity fundamentals – what those in the industry often call "cyber hygiene" – as you should be. Leaders of small businesses might even be wondering, "Why would my business be hacked? It's not big enough to attract hackers' attention." 

Fear not; the Tenable team has you covered. In part one of our series, we'll explore why cyber hygiene is so important and dig into essential practices for establishing it.

Understanding your vulnerability risk

For starters, it's important to define vulnerabilities. The term "vulnerability" isn't synonymous with "malware" or "virus": It simply means any weakness within your network that can be exploited. Vulnerabilities can be errors in application coding, unpatched flaws in the operating systems of hosts on the network, devices on the network with insufficient security measures or other complications. (Malware and other cyberthreats often enter networks because of vulnerabilities; they are not vulnerabilities in and of themselves.) Recognizing what these weaknesses are is the first step toward establishing cyber hygiene.

Another principle to keep in mind is that business size or level of renown doesn't necessarily matter: Research from the Ponemon Institute found that 66% of small- or medium-sized businesses (SMBs) experienced at least one cyberattack in FY 2019, while 63% underwent a data breach.[1] This illustrates an important distinction: Even if you aren't specifically targeted by ransomware or a banking trojan, a data breach can still occur as the result of an underlying vulnerability somewhere on your network. Even if the vulnerability is not exploited, the fact that it can be is dangerous enough. You might even bear the brunt of a cyberattack without being its main target: This happens with self-propagating botnet attacks that seize onto every accessible network in their path and wreak havoc indiscriminately, as well as hacks that use your business as a springboard to a bigger target (if, say, you supply materials to an enterprise-scale company).

Additionally, it's been found that cyberattackers go after SMBs because they consider them easier targets. An April 2020 study by Infrascale reported that 46% of small businesses were specifically hit with ransomware, and 73% of these organizations paid the money demanded of them.[2] While a large-scale ransomware attack on a major corporation could certainly net hackers a big payday, it's simpler to pursue many smaller targets: From an attacker's point of view, they're more likely to get paid and less likely to be caught or stopped with the latter approach.

Defining "shadow IT" and your attack surface

Once you understand the need for constant vigilance, the next step toward cyber hygiene is to develop full awareness of your network. Begin by inventorying all hosts and devices connected to your network.[3] Pay specific attention to devices that aren't company-issued: Personal computers, smartphones and tablets may not include the same protections as their organization-provided counterparts, and thus represent a significant risk – they're often called "rogue IT" or "shadow IT." Prioritize network assets according to greatest risk, paying closest attention to those with personal information of customers, employees or suppliers as well as any that contain PCI-protected credit card data, health information under the umbrella of HIPAA and any other data covered by regulations relevant to your business.

Similarly, you must make yourself aware of all applications running on the network. Unauthorized, unknown applications are always a major red flag, but so are apps that haven't been updated in a while: The latter can be just as dangerous as the former, due to their higher likelihood of featuring unpatched vulnerabilities. Once you catalog all vulnerable elements of the network, you will have a fuller understanding of your attack surface.


Implementing fundamental cybersecurity protections

Now that you know what can be vulnerable, it's time to look at what is vulnerable, starting with the use of vulnerability scanning solutions. Such tools will pinpoint specific vulnerabilities, wherever in your network they may be. Many of them can be easily addressed by downloading and installing the latest patches from manufacturers. (Leaving known vulnerabilities within your network unpatched for any length of time opens your organization to serious risk, which only increases as time passes. A significant number of organizations do nothing upon learning of unpatched vulnerabilities – not a habit you want to mimic.)

Other vulnerabilities may require you to delete excessively compromised applications and replace them with similar, non-vulnerable programs. Alternatively, you might need to get rid of host computers or devices with unsupported software or operating systems that are too outdated to be worth the trouble of patching. While these application or device removals might not be simple processes, you can't ignore their necessity if your scan determines that they're the sources of critical vulnerabilities. 
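As an added illustration (example code, not from the Tenable post), the inventory-and-prioritize step described earlier and the "replace rather than patch" decision in this paragraph can be expressed as a small ranking over a constructed asset list. The four risk signals are the ones the post names (shadow IT, regulated data, unsupported OS, stale patching); the weights and the sample hosts are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date

# Weights are illustrative assumptions, not a Tenable or CISA scoring scheme.
WEIGHT_SHADOW_IT = 3       # personal / non-company-issued device
WEIGHT_REGULATED = 2       # per class of regulated data held (PCI, HIPAA, PII, ...)
WEIGHT_UNSUPPORTED_OS = 4  # vendor no longer ships patches at all
WEIGHT_STALE_PATCH = 3     # no patching in more than 90 days
STALE_AFTER_DAYS = 90

@dataclass
class Asset:
    name: str
    company_issued: bool
    regulated_data: frozenset  # e.g. frozenset({"PCI", "PII"})
    os_supported: bool
    last_patched: date

def risk_score(asset: Asset, today: date) -> tuple[int, list[str]]:
    """Return (score, reasons) for one inventory entry."""
    score, reasons = 0, []
    if not asset.company_issued:
        score += WEIGHT_SHADOW_IT
        reasons.append("shadow IT device")
    for tag in sorted(asset.regulated_data):
        score += WEIGHT_REGULATED
        reasons.append(f"holds {tag} data")
    if not asset.os_supported:
        score += WEIGHT_UNSUPPORTED_OS
        reasons.append("unsupported OS: replace rather than patch")
    stale_days = (today - asset.last_patched).days
    if stale_days > STALE_AFTER_DAYS:
        score += WEIGHT_STALE_PATCH
        reasons.append(f"not patched for {stale_days} days")
    return score, reasons

def prioritize(assets: list[Asset], today: date) -> list[tuple[str, int, list[str]]]:
    """Rank the inventory highest risk first; ties broken by name for stable output."""
    scored = [(a.name, *risk_score(a, today)) for a in assets]
    return sorted(scored, key=lambda row: (-row[1], row[0]))

# Constructed sample inventory and reference date (not real hosts).
AS_OF = date(2020, 8, 20)
INVENTORY = [
    Asset("pos-terminal-1", True, frozenset({"PCI"}), True, date(2020, 8, 1)),
    Asset("ceo-personal-laptop", False, frozenset({"PII"}), True, date(2020, 3, 1)),
    Asset("legacy-hr-server", True, frozenset({"HIPAA", "PII"}), False, date(2019, 11, 1)),
    Asset("print-server", True, frozenset(), True, date(2020, 7, 15)),
]

if __name__ == "__main__":
    for name, score, reasons in prioritize(INVENTORY, AS_OF):
        print(f"{score:2d} {name}: {', '.join(reasons) or 'no flags'}")
```

Run as-is it lists the unsupported HR server first and the personal laptop second, which is the order in which the post's advice (replace, then bring under management and patch) would be applied.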

Eliminating definite or potential threats is only half of the battle, of course – you also have to reduce your chances of future exposure. If you're not already using anti-malware tools and firewalls, implement them immediately[4] (ideally in the most up-to-date iterations you can find, like next-gen virtual or hardware-based firewalls). Beyond that, you'll want to encourage better cyber hygiene throughout your organization by training your employees and establishing a cybersecurity policy that all employees must follow, detailing not only what solutions should be used but also best practices like creating smart passwords (with random character combinations) and spotting phishing emails (noticing suspicious-looking requests to click links or open attachments, and so on).

If you're unsure how to create this policy on your own, the FCC's Cyberplanner tool is a great place to start. Also, if handling all of these issues on your own is untenable, you can turn to cybersecurity consultants or managed services providers, but be sure to check the service-level agreement you sign with either of those parties to know exactly what they'll offer you and what you're expected to cover yourself. 

Next steps

All of the practices noted above are very valuable for protecting your business from cyberattacks and breaches, but they're ultimately the basics. True minimization of your attack surface may require more precise actions, which we'll examine closely in part two of this series.

1. Ponemon Institute, "2019 Global State of Cybersecurity in Small and Medium-Sized Businesses," October 2019
2. Infrascale, "Infrascale Survey Reveals Close to Half of SMBs Have Been Ransomware Attack Targets," April 21, 2020
3. CISA, "Cyber Essentials," Aug. 17, 2020
4. Carnegie Mellon University, "Cyber Hygiene: A Baseline Set of Practices"
