
Illustration by Security Management

Cyber Hygiene Needs Improvement, Too

When the U.S. Government Accountability Office (GAO) drummed up seven recommendations that could improve hygiene for the Department of Defense (DOD), they were not talking about proper hand-washing protocols. While everyone is singing "Happy Birthday" twice while soaping up at the sink (or one round of the chorus to Lizzo's "Truth Hurts"), the GAO was looking at the DOD's cyber hygiene and published its findings in its April report, CYBERSECURITY: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene.

The GAO defines cyber hygiene as "a set of practices for managing the most common and pervasive cybersecurity risks." For the DOD, these practices are essential to dealing with the growing threats to its information and networks as the department relies ever more heavily on information technology. According to the DOD's Principal Cyber Advisor, industry experts estimate that approximately 90 percent of cyberattacks could be prevented through basic cyber hygiene and the sharing of best practices.

Although the DOD is currently working on three department-wide cyber hygiene initiatives, the work is "incomplete—or their status is unknown because no one is in charge of reporting on progress," the GAO said. 

One campaign, the Culture and Compliance Initiative, was slated to be completed during the 2016 fiscal year. Out of its 11 overall tasks that aimed to foster education, training, integration of cyber into operational exercises, and more, only four of the tasks have been fully implemented.

Within a second campaign, the Cyber Discipline plan, which comprises 17 tasks intended to remove preventable weaknesses from the department's networks, at least four of the tasks have not been completed and the status of another seven remains unknown.

The last initiative, Cyber Awareness training, aims to help the department's employees maintain awareness of cyber threats and support best practices to keep systems and data secure. "However, selected components in the department do not know the extent to which users of its systems have completed this required training," the GAO said. 

In an effort to address these issues and help the DOD fully implement cyber hygiene practices, the GAO made seven recommendations, calling on the Secretary of Defense to spearhead action. The recommendations include: that the DOD's chief information officer (CIO) take appropriate steps to ensure the full implementation of the three cyber hygiene initiatives; that the Secretary work with the CIO and the Deputy Secretary of Defense to oversee completion, against scheduled deadlines, of the remaining tasks; that implementation and training be accurately monitored and reported on; that all DOD components, including DARPA, require their users to take the Cyber Awareness Challenge training; and that the CIO assess which senior leaders need more complete information to make risk-based decisions, revising existing reports or creating new ones as updates are provided.

You can read more about how U.S. government agencies are working to strengthen their cybersecurity in Security Management's April article, "Prioritizing a Patch."

And if you're bored with singing "Happy Birthday" while washing your hands, here are a couple of other options: