Cyber hygiene is very topical at the moment. As the Microsoft Digital Defense Report 2022 highlights, basic cyber security hygiene can protect against 98 percent of attacks.

Maintaining systems in a good state is essential to the health of and security of users, devices and data. There’s lots of debate on what cyber hygiene is and a quick internet search will reveal myriad articles on it.

When studying for my Masters in Classical Studies I decided to write a dissertation on how hygienic Roman sanitation really was. That led me to studying a lot about how sanitation, health, and hygiene work. Just because we can see all these remains of Roman sanitation, from aqueducts to toilets to drains doesn’t mean that Roman cities actually were hygienic or safe to live in.

This got me thinking about the parallels with cyber hygiene. Just because organisations have made the investment in infrastructure, are they using it in a way that maintains their health?

Cyber leaders must focus on the entire system
In public health, hygiene and sanitation, the discussion is around the need to focus on the entire system not each part, a useful parallel for cyber hygiene.

When considering community health and sanitation a common framework that is used is:

Health = Clean Water + Sanitation + Hygiene Education 

We can draw a similar analogy for cyber systems:

Cyber Health = Clean Feed + Cyber Sanitation + Cyber Education

So, for the rest of this article, I’m going to consider each of these areas of health considering both the real world and cyber analogies in order to think about how we build healthy systems.

Clean cyber feed
Clean water is essential to health but is not always easy to provide. Without treatment, water can represent a serious risk to the health of the individual. Similarly, an unpatched system on the internet will be infected within two to three hours. Even having infrastructure in place does not guarantee clean and safe drinking water.

Many look at the impressive aqueducts, sewers and drains in the Roman period and assume a high level of hygiene but intestinal parasites have been found from across the Empire. Similarly, we can often see organisations that have invested in expensive infrastructure such as firewalls, network security monitoring or anti-malware but are still exposed to attack by lack of identity protection or approaches to ensure that only clean systems can access data.

For example, Microsoft estimates that only 26% of monthly active users and 33% of administrative accounts in Azure AD have Multi-Factor Authentication enabled despite this being able to stop up to 80% of all attacks that are seen, and the list of top 10 passwords make for a scary read.

Just as the treatment of water is damaging modern sewers, so the way we clean the feed can affect cybersecurity. For example, network security controls may define architectures that can actually bring more vulnerability to micro-service and cloud-based systems or our supply chain may be a cause of pollution.

Cyber sanitation
Sanitation and the cleaning up and maintenance of a system to prevent pollution are essential to good health. Ever since John Snow made the link between cholera transmission and contaminated water in London in 1854 the understanding of these diseases has moved beyond seeing it as a ‘miasma’ to understanding the link between bacilli, pollution, and disease.

Without understanding that, steps may not be taken to clear the environment.

Even when the causes of disease are understood, stresses on the infrastructure can cause health risks. During floods there is a real risk of illnesses caused by the pollution of the water, and the interruption of access to clean water during war and conflict is also a major problem.

For example, there are also real concerns that the polio in UK sewage samples could cause an outbreak if it were to get into rivers due to the overflow of sewage allowed during stresses on ageing infrastructure.

Cyber also faces similar challenges. Many organisations have invested in security systems to manage their “pollution” and to help them implement cyber hygiene but struggle to implement and use them well.

Systems can only be patched if their location and status is known, something that is often difficult in today’s complex and hybrid infrastructures. Maintaining systems and gaining alerts from them is also costly and the budget not always there for ongoing operations and protection.

Invisible 'pollutants'
Focus is often on the visible ‘effluents’ of high-profile attacks covered in the news, such as ransomware, and not on the essentials of building a secure, resilient and clean environment that can respond to stresses well.

There are also two major pollutants that we are struggling to manage well. Most organisations have poor data governance. The access to cheap data storage has allowed us to pollute our infrastructure with old data, making it hard to manage and understand the clean data we use.

We also have ageing and legacy infrastructure that cannot be kept update and reduce the hygiene of the system. We often need to run legacy protocols and operating systems in order to support critical applications or infrastructure. This is where we get a direct connection between hygiene and cyber hygiene.

The critical infrastructure used to run water treatment systems is increasingly becoming a focus of cyberattack, so if we don’t invest in good cyber sanitation we could cause poor human sanitation.

Cyber education
As Smui Krishna puts it when considering how sanitary water pumps would be, the water pumped from a well is only as clean as the cupped hand of the person who drinks it.

Similarly in an online behaviour, an identity or device is only as secure as the behaviour of the user who deals with it, and how hygienic their online behaviour is.

Without understanding the impact of bacteria and contaminants on water, decisions on water quality are often made based upon colour, taste, and smell. There have been problems with getting people to use improved water facilities because the chemicals used in treatment made the taste unpleasant. Frontinus graded the quality of aqueducts feeding Rome based upon how clean they were.

 Similarly, the security systems that we provide to individuals often create an unpleasant user experience so that individuals don’t use them and follow less secure processes.

Multi-Factor authentication systems make users more secure but many find the use unnatural and so do not voluntarily engage with them. We need to help people to understand the cyber contaminants and threats but in a way with which it is easy to engage so they can understand in their own context.

Cyber sanitary engineering
Sanitary engineering has been defined as ‘the art and science of applying the forces of nature in the planning and construction of works pertaining to public or individual health’.

Cyber security could similarly be the art and science of applying technology and process in the planning and construction of systems relating to organisational or an individual’s online health.

Frontinus in his book on aqueducts discussed how urban sanitation was important to the salubritas, or health, of a city. Cyber hygiene and sanitation are essential to the salubritas of our online world.