Cyber security hygiene best practices for your organisation – ITSAP.10.102 – Canadian Centre for Cyber Security
Summary
This guidance from the Canadian Centre for Cyber Security provides a practical checklist of cyber security hygiene actions organisations should take to reduce risk. It stresses that many attacks—however sophisticated—start by exploiting common weaknesses, so a strong hygiene baseline improves protection, defence and recovery.
The checklist is organised into three main areas: network and endpoint protection, system protection, and user education and additional measures. It recommends tools, processes and governance practices that are prioritised for impact and sustainability rather than exhaustive perfection.
Key Points
- Use layered network and endpoint defences: anti-virus/anti-malware, endpoint detection and response (EDR), firewalls, network protocol inspection and mobile threat-defence tools.
- Segment networks to prevent lateral movement and protect sensitive or restricted zones.
- Deploy a Security Information and Event Management (SIEM) system for continuous, real-time monitoring of network traffic, wireless access points and mobile gateways.
- Monitor security-critical components such as DNS servers, authentication servers and public key infrastructure (PKI).
- Use Protective DNS to block access to malicious domains and regularly renew cryptographic keys to preserve secure communications.
- Document secure baseline configurations, maintain a configuration management database and keep an up-to-date IT asset inventory with proper tagging and labelling.
- Enable automatic updates and patch firmware, hardware, operating systems and applications—prioritise Internet-exposed services and test compatibility.
- Enforce phishing-resistant multi-factor authentication (MFA) for all accounts, use strong unique passphrases where MFA is not possible, and restrict administrative privileges.
- Require dedicated administrative workstations that are not used for web browsing or email, apply least privilege, and consider role-based access control and two-person integrity for high-risk administrative actions.
- Control applications with allow lists, assess and harden third-party apps (disable unnecessary components), and disable autorun/autoplay.
- Establish an incident response plan and test it annually; categorise critical assets, maintain offline, isolated backups and regularly test recovery from them.
- Provide ongoing, tailored cyber security and privacy training, subscribe to threat alerts and maintain internal/external contact lists for incident notification.
Why should I read this?
Short version: this is the no-nonsense checklist that blocks most common attack paths. If you want fewer incidents, less frantic firefighting and a clearer route to compliance—read the checklist, pick the top items you can sustain, and get them done. We’ve bundled the essentials so you don’t have to trawl the whole manual.
Context and relevance
Threat actors routinely exploit basic misconfigurations and unpatched systems. Following these hygiene measures aligns your organisation with current best practice and national readiness goals, reduces attack surface, and supports regulatory and supply-chain expectations. The guidance is relevant to small and medium organisations as well as larger enterprises—prioritise the items that yield the greatest risk reduction for your environment.