Why Cyber Hygiene Defense Works Against Ransomware Attacks
I just returned from DefCon and the hardware hacking village is still vibrating through my mind—not to mention everything I learned there only confirmed all my existing beliefs.
The basics matter. Sure, you can get the best firewall, the latest AI-powered detection (don’t get me started on that), and costly endpoint security tools. But what if your employees are using the same passwords as their personal emails? Using Password123? Opening that suspicious invoice attachment from Finance_Dpt@DefinitelyABadDomain.ru? You’re toast.
Ransomware isn’t some strange, unstoppable force. It feeds off of bad habits — slack security practices, unpatched systems, trusting emails that might look legitimate but absolutely shouldn’t be trusted. And the good news? You can block most attacks with cyber hygiene.
What is Cyber Hygiene?
Cyber hygiene is like basic personal hygiene — daily habits that keep you clean (and in this case, secure). If you don’t brush your teeth, you get cavities. If you skip the cyber equivalent, you get ransomware. Simple.
I started in this field back in the early 2000s (well, even before that, I was a network admin in ’93, dealing with multiplexers for voice/data over PSTN). Then the Slammer worm blasted through networks in less than 10 minutes because no one believed in simple patching. Different malware, same story today.
Cyber hygiene consists of doing small things repeatedly to prevent a big mess later. The habits it replaces are the ones that get companies hit:
- Not patching software (old vulnerabilities remain unpatched, waiting to be exploited.)
- Using weak or reused passwords (credential stuffing is a thing, people.)
- Clicking bad links (phishing is still king.)
- Giving users excessive permissions (if someone does get breached, limited access limits the damage.)
These are mistakes I see time and again when I’m called in to clean up after ransomware attacks. But guess what? You do not need to become the next victim.
Best Practices for Businesses
If you’re in charge of a company—any company, from a mom-and-pop to a branch bank (about a month ago, I just finished upgrading three banks to zero-trust)—you want to make sure these habits get pounded into your team:
1. Patch Everything
Updates may be annoying, but they prevent breaches. Set up automatic updates for:
- Operating systems
- Browsers
- VPN software
- Firewalls, switches and routers
- Apps not made by the OS developer (e.g., that random PDF reader from 2015 you installed)
2. Multi-Factor Authentication (MFA) Is Not Optional
At some point, your password will be stolen. MFA stops that attack dead in its tracks even after the password is gone.
Best practices:
- Use an authentication app, not SMS (SIM swapping is a thing).
- Enable MFA on email, VPNs, admin accounts and cloud services.
3. Zero Trust Is More Than a Buzzword
Two things:
- Assume every user and device could already be compromised, and let that assumption guide every access decision.
- Limit access accordingly.
Your receptionist should not be accessing financial databases. Your marketing intern should not have access to critical admin-level systems. Have segregated users—need-to-know basis only.
4. Train, Test, Repeat: Phishing Awareness
This is the cheapest and one of the most effective defenses: user education. Humans are the weak link — the best firewall won’t prevent an employee from clicking Invoice_XYZ.zip from CEO@DefinitelyNotFake.com.
At PJ Networks, we conduct real-world phishing simulations. Employees who fail? More training. Once is never enough.
5. Backups: TEST Them BEFORE You Need Them
This one makes me cry: lots of companies think they have backups; however, they:
- Have not tested recovery in months (or years).
- Keep backups on the same network (If ransomware strikes, guess what? Those backups become encrypted as well).
Use offline or immutable backups (i.e., backups that cannot be modified by malware).
Make sure to follow the 3-2-1 rule with your backup strategy:
- 3 copies of data
- 2 different storage types
- 1 backup offsite (air-gapped preferred)
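A restore test for the backup advice above and for the to-do item "restore a file, does this really work?", added here as an example and not code from this post or from PJ Networks: it builds a constructed tar.gz backup, restores each expected file to a scratch directory, compares SHA-256 hashes against the source, and flags an archive older than an assumed one-day limit. File names, contents and the 30-day stale case are all constructed.

```python
import hashlib, io, os, tarfile, tempfile, time

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def make_sample_backup(archive_path, files, mtime=None):
    """Constructed sample: write a tar.gz 'backup' holding {name: bytes}."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    if mtime is not None:  # backdate the archive to simulate a stale backup
        os.utime(archive_path, (mtime, mtime))

def verify_backup(archive_path, expected_hashes, max_age_days=1):
    """Return (ok, problems): the backup passes only if it is fresh AND a real
    restore reproduces every expected file byte for byte."""
    problems = []
    age_days = (time.time() - os.path.getmtime(archive_path)) / 86400
    if age_days > max_age_days:
        problems.append(f"archive is {age_days:.0f} days old (limit {max_age_days})")
    with tempfile.TemporaryDirectory() as rdir, tarfile.open(archive_path, "r:gz") as tar:
        for name, expected in expected_hashes.items():
            try:
                member = tar.extractfile(tar.getmember(name))
            except KeyError:
                problems.append(f"{name}: missing from archive")
                continue
            restored = os.path.join(rdir, os.path.basename(name))
            with open(restored, "wb") as out:  # write it out, like a real restore
                out.write(member.read())
            with open(restored, "rb") as back:
                if sha256_bytes(back.read()) != expected:
                    problems.append(f"{name}: restored content differs from source")
    return not problems, problems

def run_demo():
    """Exercise the check on a good, a corrupted and a stale constructed backup."""
    files = {"ledger.csv": b"acct,amount\n1001,250.00\n", "notes.txt": b"restore me\n"}
    expected = {name: sha256_bytes(data) for name, data in files.items()}
    results = {}
    with tempfile.TemporaryDirectory() as work:
        good, bad, stale = (os.path.join(work, n) for n in ("good.tgz", "bad.tgz", "stale.tgz"))
        make_sample_backup(good, files)
        make_sample_backup(bad, {**files, "ledger.csv": b"acct,amount\n1001,0.00\n"})
        make_sample_backup(stale, files, mtime=time.time() - 30 * 86400)
        for label, path in (("good", good), ("corrupted", bad), ("stale", stale)):
            results[label] = verify_backup(path, expected)
    return results
```

Point `verify_backup` at a real archive and a hash list recorded at backup time, and schedule it; a backup that has never been restored is a hope, not a backup.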
Mistakes That Often Result in Attacks
I’ve lost count of the companies I’ve had to rescue from ransomware — almost every single time, the way in was something stupid. Avoid these pitfalls:
- Shared Admin Accounts – If more than one person is using the same login, there’s no way to know who did what. Give out separate logins.
- RDP Exposed on the Internet – You should never have Remote Desktop Protocol open on the outside. If you must have remote access, use a VPN with MFA.
- No DNS Filtering – Users often enter credentials into bad domains. Use DNS filtering to block access to known malicious domains.
- We’ll Fix It Later – Later becomes never. You get hit with ransomware asking for $400,000 in Bitcoin.
Trust me — you do not want to be making a call to someone like me to negotiate with hackers. Prevention is cheaper.
Security Awareness Training by PJ Networks
We’re not the kind of shop that installs a firewall and leaves. Our Security Awareness Training has been designed to:
- Educate employees—Real-world attack simulations, not just PowerPoint slides.
- Cultivate better security habits—Password hygiene, detecting phishing attempts, and safe browsing.
- Reduce human error—Educate people to have critical thinking skills before they click on anything.
We partner with banks, financial houses and enterprises that can’t afford breaches — because, quite frankly, no one can.
Quick Take: Your To-Do List
If you’re short on time but high on paranoia (good), this is what you should do today:
- Update all software (yes, even that ancient Java install)
- Enforce MFA for everything
- Verify your backups (restore a file and confirm it actually works)
- Conduct a phishing test for your team
- Restrict admin access; not everyone needs full access
Conclusion
Cyber hygiene is not a one-and-done: it is daily habits that you build over time. Miss an update, click the wrong link, or recycle passwords across accounts? All it takes is one mistake for ransomware.
Years of cleaning up the mess created when companies ignored security fundamentals have taught me one thing. Preventing ransomware is very doable.
So be proactive. Secure your network. Oh, and for the love of infosec, stop using Password123.
Sanjay Seth
Cyber Security Consultant, PJ Networks Pvt Ltd