The technical controls of strong cyber hygiene matter, but so does the culture behind them.
Most organizations aren’t breached because someone pulled off something sophisticated. They’re breached because something known and preventable was left unaddressed. It could have been an unpatched system, a weak password, or a simple email that looked slightly off that nobody questioned.
That’s not a technology problem. It’s a people and process problem and solving it requires looking at both.
In this post, we’re covering both sides of what keeps organizations vulnerable and what actually moves the needle:
- The real cost of neglecting vulnerability management (and what the data shows)
- The five technical areas that come up most consistently in incident response
- Why security culture matters as much as the tools you invest in
- How to practice before the bad day comes
- Where to start — for individuals and organizations alike
The Threat Landscape Is Not Waiting on You
When a breach happens, the clock starts immediately. Three to five days of hard downtime is a realistic expectation — and that’s assuming you have a good backup and smooth recovery process. Then, the full timeline to get things somewhat back to normal is about three to six weeks, with hundreds of hours of internal and external resources involved.
What’s driving these incidents? In a recent episode of the Get to the Point podcast, Shawn Mendel, Director of Professional Services at High Point Networks, broke down what he sees consistently across incident response cases:
- Weak authentication, such as poor password practices and no multifactor authentication: ~39% of cases.
- Known, unpatched vulnerabilities, meaning systems with documented security gaps that weren’t addressed in time: ~24% of cases.
- Unknown origin: ~37% of the time, even with forensics teams involved, the entry point can’t be determined.
And that last number is worth sitting with. More than a third of the time, organizations go through a full incident response and still don’t know exactly how it happened. That’s what makes the preventable 63% all the more important to address.
Five Areas Worth Your Attention
Across the incident response cases we’ve been part of, there’s a consistent pattern: the organizations hit hardest are almost never victims of something exotic or unforeseeable. Rather, they’re dealing with the same five areas that keep coming up — and that, with the right focus, could have reduced the impact significantly or prevented the incident entirely.
- Patch known vulnerabilities: Vendors identify and release patches regularly. The gap isn’t awareness of those patches; it’s the lack of follow-through. Patching doesn’t happen automatically in most environments, and threat actors actively look for vulnerabilities that haven’t been addressed.
- Review your configurations: Firewalls, endpoint protection, security tools, all of them. Best practices evolve. A configuration that was set up correctly a year ago may no longer meet current standards. Periodic reviews can catch the changes before an attacker does.
- Account management: This is the area we flag most consistently, and the one most organizations find hardest to enforce because it has a direct human element. Password policies, multifactor authentication, privileged access management, service accounts. People push back. Enforce it anyway.
- Network segmentation: If a threat actor gets in, segmentation limits how far they can move. Isolating critical systems, management interfaces, and sensitive resources means a compromised user account doesn’t automatically become a compromised environment.
- Zero trust strategy: As we’ve covered before, the shift toward Zero Trust is a philosophy. If a user doesn’t need access to something, they don’t get it. Everything requires authentication, and nothing is implicitly trusted. It may be more administrative work upfront but significantly decreases risky exposure over time.
Cyber Hygiene is a Culture, not a Product
Here’s where the conversation shifts — and it’s one worth having separately from the technical controls.
Lynn Soeth, Service Manager of Security Services and Sales Engineering at High Point Networks, joined us on a recent episode of the Get to the Point podcast (Episode 4: Cyber Hygiene Without Fear) to talk about exactly this. Her framing gets to the heart of why so many organizations stay vulnerable even after investing in the right technology: “In the end, it’s the people.”
And the way you reach people around security matters as much as what you’re trying to teach them.
Lynn points to a counterintuitive problem with fear-based security training: it uses the same tactics cybercriminals use. Urgency, panic, and worst-case scenarios. The effect is the same: it shuts down rational thinking through fear rather than building good habits.
“Statistics show that if you know about a scam, you are 80% less likely to fall into that scam. So we need education — but how we deliver it is just as important.”
— Lynn Soeth
Lynn’s approach to building a security culture that actually works comes down to five things, and none of them require a lofty budget:
- Everyone owns a piece of it. Security isn’t the IT department’s job. It belongs to every person in the organization — and people need to hear that explicitly and repeatedly.
- Policies exist and people know them. You can’t expect people to do the right thing if they don’t know what the right thing is. Written policies, shared and communicated, are the foundation.
- Reporting feels safe. If someone clicks a link they shouldn’t have, they need to feel comfortable telling someone immediately rather than hiding it out of fear of punishment. That window of time between the mistake and the report matters enormously.
- Recognition goes further than consequences. Catching something, reporting something, doing the right thing — those moments deserve acknowledgment. At High Point Networks, Lynn’s team uses competitions, gift cards, and gamified phishing campaigns during Cybersecurity Awareness Month in October. The goal is engagement.
- It has to be ongoing. “Cultures don’t shift day one. Cultures shift over a period of time.” A once-a-year training video doesn’t build a security culture. Consistent, varied, human communication, though? That does.

Practice Before the Bad Day Comes
If there’s one investment we’d recommend before anything else — before the next tool, before the next policy update — it’s a tabletop exercise. Not because it’s glamorous, but because it works.
A tabletop exercise is a structured walk-through of a breach scenario with the people who would actually be in the room when something goes wrong. No live systems, no real pressure — just your team, a realistic scenario, and an honest look at what happens next.
In almost every incident we’ve been part of, the organizations that recovered fastest had practiced. The ones that struggled were figuring out their roles in real time (like at 2:00 AM, with systems down, and a forensics team waiting on a decision).
The framework matters. Before you run a scenario, you need to know who’s filling each role:
- Incident commander: The person leading the overall response and making calls
- Operations: The people doing the actual work of containment and recovery
- Finance and insurance decisions: Who decides whether to engage the insurance company, whether to pay a ransom, what financial commitments to make
- Logistics: The person making sure everyone else has what they need to keep working, whether that’s access to systems, a conference room, or dinner at 9pm when recovery is still underway
Each person in each role writes their own section of the playbook. So when a real incident happens, nobody is picking up that document for the first time.
What you’ll almost always find in a tabletop exercise:
- Gaps you didn’t know existed
- Communication channels that assume email is working
- Decision-makers who don’t know who has authority to do what
- Insurance assumptions that haven’t been verified
“It helps identify gaps… we weren’t prepared for that, we don’t know who takes care of that.”
— Shawn Mendel
Finding those gaps in a conference room is infinitely better than finding them during an actual breach.
Where to Start
Security culture doesn’t have to be built all at once. Here’s what we’d prioritize:
For individuals:
- Switch to pass phrases. Four random words get you to 16 characters, and length matters more than complexity.
- Use a different pass phrase for every account.
- Get a password manager — one strong master pass phrase protects everything else.
- Freeze your credit when you’re not actively using it.
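As an added illustration of the pass phrase advice above (example code written for this post, not from High Point Networks), here is a small generator that draws four words with a cryptographic random source, enforces the 16-character floor, reports how much entropy the draw carries, and flags pass phrases reused across accounts. The wordlist is a constructed 32-word sample so the block runs offline; a real generator would load a published list such as the EFF long wordlist, whose 7,776 entries give roughly 12.9 bits per word.

```python
import math
import secrets

# Constructed demo wordlist (32 entries) so the example runs offline.
# Real use: load a published list (e.g. the EFF long wordlist, 7,776 words).
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
    "quiver", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "bridge", "copper", "desert", "engine", "forest", "glacier", "hammer",
]


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words drawn uniformly and independently from list_size."""
    if word_count < 1 or list_size < 2:
        raise ValueError("need at least one word and a list of at least two entries")
    return word_count * math.log2(list_size)


def generate_passphrase(words=WORDLIST, word_count=4, min_length=16, separator="-") -> str:
    """Draw words with the secrets module (CSPRNG) and retry until min_length is met."""
    if not words:
        raise ValueError("empty wordlist")
    # Refuse up front if even the longest possible phrase could not reach min_length,
    # so the retry loop below is guaranteed to terminate.
    longest = word_count * max(len(w) for w in words) + (word_count - 1) * len(separator)
    if longest < min_length:
        raise ValueError("wordlist cannot reach min_length with this many words")
    while True:
        phrase = separator.join(secrets.choice(words) for _ in range(word_count))
        if len(phrase) >= min_length:
            return phrase


def meets_guidance(phrase: str, min_length=16, word_count=4, separator="-", words=WORDLIST) -> bool:
    """Check the post's guidance: the expected number of words, at least min_length characters,
    and every word taken from the list (so it was a random draw, not a memorable sentence)."""
    parts = phrase.split(separator)
    return (
        len(parts) == word_count
        and len(phrase) >= min_length
        and all(p in words for p in parts)
    )


def reused_passphrases(accounts: dict) -> dict:
    """Map each pass phrase used for more than one account to the accounts sharing it.
    This is the check a password manager performs; the input here is a constructed sample."""
    seen = {}
    for account, phrase in accounts.items():
        seen.setdefault(phrase, []).append(account)
    return {phrase: accts for phrase, accts in seen.items() if len(accts) > 1}


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, "meets guidance:", meets_guidance(phrase))
    print("bits from 4 words of a 32-word demo list:", passphrase_entropy_bits(4, len(WORDLIST)))
    print("bits from 4 words of a 7,776-word list:", round(passphrase_entropy_bits(4, 7776), 2))
    sample = {"mail": "a-b-c-d", "bank": "e-f-g-h", "shop": "a-b-c-d"}  # constructed
    print("reused:", reused_passphrases(sample))
```

The entropy figure is the point worth keeping in view: four words from the 32-word demo list give only 20 bits, whereas four words from a 7,776-word list give about 51.7 bits, so the strength comes from the size of the list and the randomness of the draw, not from the characters themselves.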
For organizations:
- Visit cisa.gov — free resources, weekly themes, and a full Cybersecurity Awareness Month toolkit you can adapt for your team.
- Run a tabletop exercise. Even a simple one will surface gaps you didn’t know existed.
- Build the reporting culture before you need it. People need to feel safe saying something before an incident, not after.
Want to explore what this looks like for your organization? We’re here — fill out the form below or explore our cybersecurity solutions.
Cyber Hygiene: The Bottom Line
Security culture doesn’t shift in a day, but it does shift, if you’re consistent, if leadership participates, and if people feel safe enough to say something when something looks wrong.
The organizations that recover well from incidents aren’t just the ones with the best tools. They’re the ones where people know their role, trust the culture, and feel empowered to say something when something looks wrong. That combination, strong technical controls and a people-first security culture, is what actually moves the needle. Not one without the other.
If you’re not sure where your organization stands, that’s a great place to start the conversation.