Techie Tonic: Why daily cyber hygiene matters more than you think

That was an interesting afternoon discussion, two CXOs, a prominent CISO – Jeevan Badigari of ARADA and a well-known CIO - Aditya Kaushik, ZMI Holding cut through the noise of modern cybersecurity and landed on a surprisingly simple truth “most breaches are not the result of sophisticated attacks, but of overlooked basics”.

Both leaders emphasized that cyber hygiene, while unglamorous, forms the foundation of any effective security posture. It is not a one-time initiative but an ongoing practice of maintaining secure configurations, managing access, and ensuring visibility across digital assets.

Jeevan continued “There’s strong data behind this, the CIS Community Defense Model shows that if you implement the full set of CIS Controls, you can defend against roughly 86 percent of known attack techniques. Even more telling, the baseline ‘essential hygiene’ controls alone mitigate around 77 percent of the most common attack patterns. That’s a huge impact from getting the basics right.”

A key theme in their discussion was the importance of secure configuration.  Aditya added, like I keep insisting my team members “If there’s one control that stands out, it’s configuration management. If your systems drift from secure baselines, everything else starts to wobble. It’s the linchpin.”

So, what does effective cyber hygiene actually look like in practice? The two CXOs broke it down into three core habits “know it, lock it, and prove it”.

“First, know it,” explained Jeevan. “You need a living inventory of everything, namely devices, applications, cloud resources, identities, and data. And each asset must have an owner. If something doesn’t have clear ownership, it shouldn’t go live. Without that foundation, you can’t enforce any meaningful control.”

“Then, lock it,” added Aditya with is age old information management practices. Follow the elementary steps mantra “Default to secure settings. Remove default passwords, disable unnecessary services, enforce least privilege, and require multi-factor authentication, especially for administrators. Treat configurations as code, like define baselines, monitor for drift, and fix issues automatically. In the cloud, don’t rely on memory but use policies to block risky configurations.”

The final step, they agreed, is often the most overlooked. “Prove it,” said Jeevan. “Assume things will drift or break. Then verify continuously. Patch vulnerabilities based on exposure, critical, internet-facing issues should be resolved in days, not months. Centralize logging and protect it from tampering. Run exercises that simulate real attack paths, and track remediation with clear ownership and deadlines. That’s how you move from assumption to assurance.”

Beyond reducing breach risk, both CXOs highlighted another benefit of compliance. Aditya with his age-old Information Management experience shared the common consensus “Cyber hygiene and compliance are really two sides of the same coin, frameworks like ISO 27001, GDPR, and PCI DSS all require the same fundamentals like asset management, access control, patching, and secure configurations. If you’re doing hygiene well, you’re already halfway to meeting those requirements.”

Jeevan agreed, adding that poor hygiene is often the root cause of audit failures. “Unpatched systems, weak passwords, missing inventories and these are the findings that come up again and again. They’re not exotic issues; they’re basic gaps.”

Let’s conclude

As their conversation drew to a close, both leaders returned to a shared conclusion “cyber hygiene must be embedded into daily operations, not treated as a periodic project”.

“Start with the essentials, like multi-factor authentication, rapid patching, secure configurations, and clear asset ownership,” said Jeevan. “Then build from there by reducing unnecessary privileges, reviewing access regularly, and integrating these practices into your development and change processes.”

Aditya summed it up succinctly: “Security doesn’t fail because we lack advanced tools. It fails because we don’t consistently apply the fundamentals.”

Their collective message was clear. While the threat landscape continues to evolve, the most effective defense remains rooted in discipline. Cyber hygiene may not make headlines, but it is the quiet force that prevents them.

Stay tuned for more interviews and discussions…