Good Cyber Hygiene: The Everyday Hero of Cybersecurity
- David
- Jun 11
- 3 min read
Updated: Jun 12
Cyber hygiene starts with the basics: long, unique passwords, timely software updates, and the principle of least privilege. These core concepts serve as the foundation that supports more advanced business requirements like CI/CD Pipelines, Identity & Access Management and Zero Trust.
The easiest way to ace your cybersecurity requirements is to consider them as a natural part of your business rather than a compliance requirement, and build a culture of cybersecurity with your employees.
To help understand where you might want to focus next, our consultants have compiled a handy checklist.

1. People First
Good cyber hygiene begins with your teams being aware and enabled across the board (not just in the DevOps team). It's how your business protects your people, who will in turn help protect your data, and the trust your customers place in you.
Security Awareness Training rolled out and refreshed regularly (at least annually).
Phishing simulations are used to build awareness and measure progress.
Developers are trained in secure coding practices relevant to your tech stack.
Executives model secure behaviours (e.g., using a password manager, MFA, and regular updates).
Clear security responsibilities defined across roles (e.g., patching, IAM, incident response).
Implementing security awareness training is one of the simplest ways to reduce risk, especially in environments where developers move fast and wear multiple hats. Make it practical, make it routine, and make sure everyone understands why it matters.
2. Patch Early, Patch Often
We understand that it is hard to balance the day-to-day of product delivery with security updates; however, automatic updates have come a long way. It is estimated that a significant portion of enterprise software, especially cloud-based solutions, utilizes automatic updates or allows for their easy implementation.
Automation is used to apply updates wherever possible (e.g., for containers, plugins, libraries).
A responsible person or team is assigned to oversee vulnerability management.
All operating systems, applications, and firmware are patched according to an accepted schedule.
Automated vulnerability scanners, including FOSS tooling, can be combined with configuration management and auditing capabilities to highlight the risks that need to be actioned.
3. Access Only What You Need
This principle is simple: no one—human or machine—should have access to more than they need to do their job. It’s common to find "temporary" admin accounts that never got removed, test users with production access, or CI/CD pipelines with excessive permissions. Some of the most effective cybersecurity measures are also the simplest!
Multi-Factor Authentication (MFA) is enabled for all office accounts, SaaS platforms and admin access, and these accounts are attributed to individuals (no use of shared accounts).
User access reviews are conducted at least quarterly.
Old/unused accounts as well as test accounts are automatically flagged or removed.
Cloud backups are enabled and automated, and occasionally tested for restoration.
Endpoint protection is installed for end-user and server assets.
BYOD is enrolled into company policies so lost/stolen device procedures (e.g., remote wipe) can be initiated.
Use role-based access control (RBAC), or similar mechanisms for sensitive systems, and audit your identity and access management (IAM) policies. This reduces the blast radius of any security incident.
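The access-review items above (MFA everywhere, named owners instead of shared accounts, stale and test accounts flagged, scoped-down service identities) can be turned into a repeatable check. This is an added example, not code from the original post; the account export is constructed inline and its field names (user, roles, mfa, last_login, owner, service) are assumptions, not any vendor's real schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed IAM export standing in for an IdP or cloud-provider user listing.
NOW = datetime(2025, 6, 11, tzinfo=timezone.utc)
ACCOUNTS = [
    {"user": "alice", "roles": ["developer"], "mfa": True, "last_login": "2025-06-10", "owner": "alice"},
    {"user": "tmp-admin", "roles": ["admin"], "mfa": False, "last_login": "2024-11-02", "owner": None},
    {"user": "test-user3", "roles": ["developer", "prod-read"], "mfa": True, "last_login": "2025-01-15", "owner": None},
    {"user": "shared-ops", "roles": ["admin"], "mfa": True, "last_login": "2025-06-09", "owner": None},
    {"user": "ci-deploy", "roles": ["admin"], "mfa": False, "last_login": "2025-06-11",
     "owner": "platform-team", "service": True},
]

STALE_DAYS = 90                                   # quarterly review cadence
TEST_PREFIXES = ("test", "tmp", "temp", "demo")   # naming heuristic for throwaway accounts

def review_accounts(accounts, now=NOW, stale_days=STALE_DAYS):
    """Return {user: [findings]} for every account that fails a checklist item."""
    findings = {}
    for acct in accounts:
        issues = []
        last = datetime.strptime(acct["last_login"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        # Old/unused accounts: no sign-in within the review window.
        if now - last > timedelta(days=stale_days):
            issues.append(f"no login in {(now - last).days} days")
        # MFA is mandatory for every human identity.
        if not acct["mfa"] and not acct.get("service"):
            issues.append("MFA not enabled")
        # Every account must be attributable to a named person or team.
        if acct["owner"] is None:
            issues.append("no named owner (shared or orphaned account)")
        # Test/temporary accounts must never hold production or admin rights.
        if acct["user"].lower().startswith(TEST_PREFIXES) and any(
                "prod" in r or r == "admin" for r in acct["roles"]):
            issues.append("test/temporary account holding production or admin rights")
        # Pipelines and service identities get a scoped role, not blanket admin.
        if "admin" in acct["roles"] and acct.get("service"):
            issues.append("service identity with blanket admin role; scope it down")
        if issues:
            findings[acct["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in review_accounts(ACCOUNTS).items():
        print(user, "->", "; ".join(issues))
```

Feed it the real export from your IdP and run it on the quarterly review schedule; anything it prints is an access-review action item.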
4. Secure Your Code
If you’re building software or smart devices, the development lifecycle is your front line. Use secure defaults, lean into the advancements in secure code review through AI, and make threat modelling an integral part of sprint planning.
Static code analysis tools are integrated into CI/CD pipelines.
Third-party dependencies are scanned using Software Composition Analysis (SCA).
Secrets (e.g., API keys, tokens) are never hardcoded or stored in source control.
Threat modelling exercises are part of the design process for new features.
The earlier you catch a security issue, the cheaper and easier it is to fix.
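The "secrets are never hardcoded or stored in source control" item is the one most easily enforced by the pipeline itself. Below is an added example of a minimal CI secrets gate, not code from the original post or any particular product: it combines two documented credential formats (the AWS access key id prefix AKIA followed by 16 uppercase alphanumerics, and PEM private-key headers) with an entropy-filtered heuristic for generic key/token/password assignments. The sample source file is constructed; the key id in it is AWS's published example value.

```python
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # Heuristic: <name> = "<16+ chars>" where name looks like a credential.
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, placeholders low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_source(path: str, text: str, entropy_threshold: float = 3.5):
    """Return (path, line_no, rule) for each line that looks like an embedded secret."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # Generic matches must also be high-entropy so that obvious
            # placeholders such as "changeme-changeme" do not block merges.
            if rule == "generic_assignment" and shannon_entropy(m.group(2)) < entropy_threshold:
                continue
            hits.append((path, line_no, rule))
    return hits

# Constructed sample file (not from any real project) mixing good and bad practice.
SAMPLE = """\
import os
API_KEY = os.environ["API_KEY"]          # good: read from the environment at runtime
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"         # bad: hardcoded access key id
password = "changeme-changeme-changeme"  # placeholder: low entropy, ignored
token = "gX9q2ZbL7vR4pT1mWk8nHs3Yd6Fj0Ae5"  # bad: high-entropy literal
"""

def ci_gate(files):
    """Return False (fail the pipeline) when any file contains a likely secret."""
    findings = [h for path, text in files.items() for h in scan_source(path, text)]
    for path, line_no, rule in findings:
        print(f"{path}:{line_no}: possible secret ({rule})")
    return not findings

if __name__ == "__main__":
    raise SystemExit(0 if ci_gate({"app.py": SAMPLE}) else 1)
```

Run it as a pre-commit hook or an early CI stage so a leaked credential is rejected before it ever reaches the repository history, where removing it later is far more expensive.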
Bonus. Validate Your Efforts!
Think of penetration testing as your routine check-up. It doesn’t replace housekeeping, but helps confirm whether your security practices are working in the real world.
Penetration testing is scheduled at least annually—or after major product changes.
Findings from the last pentest have been addressed and verified.
Testing includes business logic and real-world threat scenarios, not just automated scans.
Internal and external testing is considered (e.g., insider threat simulations, supply chain risks).
Test results are used to inform budgeting and future security investments.
Because pentesting translates technical findings into business risk, it helps you prioritise improvements and make informed investment decisions.
Talk to us if you would like a tailored version of this list - we are happy to share our experience on a pragmatic approach to getting your security sorted!