
Stop calling it "personal cyber hygiene". It's either collective or it's nothing.

Personal cyber hygiene isn't private; it's carried out by individuals but owned and demonstrated by the organisation. When security isn't the default, a "click mistake" becomes a system failure. In my article, I argue for collective hygiene: secure defaults, three weekly metrics showing real risk reduction, and a "hygiene pass" for suppliers. Stop preaching; start building environments where doing the right thing is the easy thing.
Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

Remember how we had to start socialising again after Covid? It wasn't because everyone "felt" how long to wash their hands. It only worked when clear, shared rules applied to everyone: uniform routines, monitoring, and a kind of "hygiene pass" showing responsibility taken. Not for oneself, but for everyone. Cyber hygiene works the same way. It is performed by individuals, yes. But it is owned and governed by the organisation. Period.

Clarifying responsibility: we want personal cyber hygiene, but it is not private. The individual carries out the actions (logs in with multi-factor authentication, updates, reports anomalies); the organisation decides, enables and is accountable (makes multi-factor authentication mandatory, pushes updates, simplifies reporting, monitors impact). Personal behaviour without shared rules becomes random; shared rules without tool support become theatre. Expert advice aimed at individuals about personal cyber hygiene doesn't change this; on its own, it does more harm than good. The individual = execution at best. The organisation = responsibility. Collective cyber hygiene emerges only when standards, tools and monitoring make the right thing easy for everyone, on a practical and verifiable basis. Responsibility then flows upwards.

Today, we still hear things like "don't click", "be suspicious", "update more often", as if cybersecurity were a matter of conscience rather than a system. But the data is clear: social engineering, leaked data and supplier pathways continue to drive breaches (Verizon, 2024; ENISA, 2021). In other words, you can't "train the user" out of a poorly designed environment and expect individual cyber hygiene efforts to save the day. What's needed are collective rules, secure default choices and measurable impact.

The uncomfortable truth

We often talk about people as the "weak link" (I'm definitely one of them) but rarely about the organisation as a hostile environment. Bonuses and KPIs reward speed while security is rewarded by the absence of incidents (i.e., invisible success). Those who slow things down become "the problem". This isn't behaviour, it's governance and incentives.

And we moralise: "you clicked", packaging it as personal cyber hygiene responsibility, which is nothing but finger-pointing that individualises system failures. The result is a culture of silence, shadow IT, delayed alerts and greater damage. Research shows that psychological safety (being able to raise the alarm without shame) leads to earlier warnings and faster detection; fear works in the short term but undermines compliance in the long run (Edmondson, 1999). Those familiar with my previous writing might pause here, noting that I have advocated cyber psychology and training. That is absolutely right. But what I'm writing about now is poor psychology and an even worse training strategy.

Hygiene, for real: from personal habits to collective rules

Let's take a clear and undeniable example. When society needed to reopen after Covid, it wasn't enough that "some were good". Everyone's behaviour had to be predictable through clear, shared rules. Translated to cyber, this means: secure default settings, uniform procedures, and proof that it actually works, not more posters in the break room (Verizon, 2024).

This is also why suppliers are not a footnote. It only takes one party to slip up for everyone else to suffer. ENISA shows how attacks via the supply chain have become more frequent and sophisticated (ENISA, 2021). In the hygiene analogy: you don't invite people to a shared buffet unless the catering follows the same rules.

Two analogies that are compelling and hard to argue against

  • Handwashing only helps if there's water running. An individual's habit is worthless if the system (the tap) isn't on: secure default settings must be enabled, not just "available". It's the organisation's duty to ensure this.

  • A hygiene pass for socialising. Access to the room required shared rules and proof of compliance. In the cyber world, it's the same: without demonstrated hygiene (updates, login protection, recovery capability), you shouldn't be allowed into others' environments. It's not punishment, it's care for the collective.

Why the individual focus is appealing but also misleading

Training campaigns and "phishing tests" sound good and feel empowering. But the research is mixed: effects often exist but are short-lived and uncertain over time (Bada & Sasse, 2020; Falling & failing…, 2024). This doesn't mean training is useless; it means no training can compensate for poor design.

Moreover, rules are sometimes used to discipline rather than protect: monitoring, control, and shifting responsibility downwards. Speaking this openly exposes power imbalances, but organisations that depoliticise security achieve more honest reporting and build genuine resilience.

Three simple "wash your hands" tips for collective cyber hygiene

  1. Make the secure choice automatic. Enable multi-factor authentication for all, standardise secure configurations, and patch critical vulnerabilities quickly (measured in days, not quarters). This targets the real attack surfaces reflected in the data (Verizon, 2024).

  2. Measure three figures every week: a) median time to update, b) multi-factor authentication coverage, c) time from alert to action (detection/recovery). Report these to management, since hygiene is collective (Verizon, 2024).

  3. Make the chain infection-proof. Require a "hygiene pass" from suppliers: demonstrated routines for updates and vulnerability management, clear contact channels, and the ability to cut access quickly and to test that it works (ENISA, 2021).
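As an added illustration (not from the article or its author), here is how the three weekly figures from tip 2 could be computed from the kind of records a hygiene owner pulls from patch management, the identity provider and the SOC queue. The sample data, field layout and the targets used for the pass/fail check are constructed assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed sample records for one reporting week (not real data).
PATCHES = [  # (asset, severity, advisory published, patch applied)
    ("web-01", "critical", "2024-05-01", "2024-05-04"),
    ("web-02", "critical", "2024-05-01", "2024-05-13"),
    ("db-01",  "critical", "2024-05-02", "2024-05-05"),
    ("hr-01",  "high",     "2024-04-20", "2024-05-20"),
]
ACCOUNTS = [  # (user, multi-factor authentication enforced?)
    ("alice", True), ("bob", True), ("carol", False), ("dave", True),
]
ALERTS = [  # (alert id, raised, first action taken)
    ("A-1", "2024-05-06T09:00", "2024-05-06T10:30"),
    ("A-2", "2024-05-07T14:00", "2024-05-08T02:00"),
    ("A-3", "2024-05-09T23:15", "2024-05-10T00:15"),
]

def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def median_patch_days(patches, severity="critical"):
    """a) Median days from advisory to applied patch for the given severity."""
    return median(_hours(pub, done) / 24 for _, sev, pub, done in patches if sev == severity)

def mfa_coverage(accounts):
    """b) Share of accounts with multi-factor authentication enforced, in percent."""
    return 100.0 * sum(1 for _, enforced in accounts if enforced) / len(accounts)

def median_alert_to_action_hours(alerts):
    """c) Median hours from alert raised to first action taken."""
    return median(_hours(raised, acted) for _, raised, acted in alerts)

def weekly_report(patches, accounts, alerts,
                  max_patch_days=7, min_mfa_pct=100.0, max_action_hours=24.0):
    """The three weekly figures plus one pass/fail against assumed targets
    ("days, not quarters"; everyone on MFA; alerts acted on within a day)."""
    figures = {
        "median_patch_days": median_patch_days(patches),
        "mfa_coverage_pct": mfa_coverage(accounts),
        "median_alert_to_action_hours": median_alert_to_action_hours(alerts),
    }
    figures["meets_targets"] = (
        figures["median_patch_days"] <= max_patch_days
        and figures["mfa_coverage_pct"] >= min_mfa_pct
        and figures["median_alert_to_action_hours"] <= max_action_hours
    )
    return figures

if __name__ == "__main__":
    for name, value in weekly_report(PATCHES, ACCOUNTS, ALERTS).items():
        print(f"{name}: {value}")
```

With the sample data the patch and alert figures meet their targets but one account without MFA fails the coverage target, which is the point: a collective figure fails on one gap, not on an average.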

This isn't more finger-pointing at individuals. It's practical leadership: building environments where the easy choice is the right one, where mistakes don't become disasters, and where everyone gains entry only when hygiene levels protect the collective. Those who shift from individual morality to collective hygiene won't just be safer; they'll also be preferred in others' ecosystems. And perhaps that's what cybersecurity and cyber hygiene really are — a matter of being preferred in an increasingly competitive digital world.

References (APA)

  • Bada, M., & Sasse, A. (2020). What (if any) behaviour change techniques do government-led cybersecurity awareness campaigns use? Journal of Cybersecurity, 6(1).

  • Edmondson, A. C. (1999). Psychological safety and learning behavior in work teams. Administrative Science Quarterly, 44(2), 350–383.

  • ENISA. (2021). Threat Landscape for Supply Chain Attacks. European Union Agency for Cybersecurity.

  • Verizon. (2024). Data Breach Investigations Report (DBIR 2024). Verizon Business.
