Establishing and embedding good cyber hygiene practices is essential to manage organizational cyber risk. Routinely ensuring the security of systems and data can significantly reduce organizations' exposure to cyber attacks. In its latest Digital Defense Report from October 2023, Microsoft stated that good cyber hygiene can protect against 99% of cyber attacks.
What's Happening
Only a few fundamental cyber hygiene practices could have prevented most successful cyber attacks. High-profile examples of successful cyber attacks that leveraged unpatched vulnerabilities include the WannaCry and Equifax attacks in 2017 and the Rackspace attack in 2022. In a survey from April 2024 by network intelligence company Extrahop, 51% of respondents reported that more than 50% of cyber attacks on their organizations were related to poor cyber hygiene. According to the survey, about 50% of organizations use at least one unsecured, and thus vulnerable, network protocol.
Why It Matters
Inadequate cyber hygiene practices make digital assets more vulnerable to attacks.
Cyber hygiene is a component of cyber risk management, which S&P Global Ratings views as critical to limiting the potential negative ratings impacts following a successful cyber attack. For sector-specific details on the effects from insufficient cyber risk management on ratings, see "Cyber Risk Insights: Navigating Digital Disruption," published July 9, 2024.
In an increasingly digital world, effective cyber security matters. This is because:
- Organizations with poor cyber security are more vulnerable to cyber attacks and demonstrate weak cyber risk management, which could weigh negatively on our rating assessments.
- Poor cyber hygiene suggests insufficient response and recovery planning, which can exacerbate the financial and reputational effects of a successful cyber attack.
- Companies with poor cyber hygiene practices could struggle to get cyber insurance coverage, which could increase financial pressure in the case of a cyber attack.
What Comes Next
Insurers are homing in on cyber hygiene. Insurance coverage and exclusions will depend on an organization's ability to demonstrate effective cyber hygiene. Companies' cyber preparedness is already a consideration in our ratings analyses.
Cyber resilience, which relies on effective cyber hygiene, is coming to the fore. It is becoming increasingly embedded in the wider concept of operational resilience and covers different types of operational disruption. As a result, regulatory risk increases for organizations that are unable to demonstrate good cyber hygiene and face increased cyber security risks.
Related Research
- Cyber Risk Insights: Navigating Digital Disruption, July 9, 2024
- Cyber Risk Insights: IT Asset Management Is Central To Cyber Security, Aug. 15, 2023
- Cyber Risk Insights: Detection Is Key To Defense, May 10, 2023
- Cyber Brief: Multifactor Authentication Remains Effective But Not Impenetrable, Oct. 18, 2022
This report does not constitute a rating action.
Primary Credit Analyst: Martin J Whitworth, London +44 2071766745; martin.whitworth@spglobal.com
Secondary Contact: Tiffany Tribbitt, New York +1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.