Security hygiene: why the basics matter more than you might think

Meanwhile, the fundamentals—the seemingly boring hygiene processes—get pushed to the back of the queue. Without these, your shiny new systems are redundant.

Organisations can reduce a massive amount of cyber risk just by deploying basic security controls. No fancy AI or big spend required—just disciplined execution of the fundamentals.

We’ll show you why something quite ordinary can in fact be your most powerful form of defence.

Good hygiene: the security conundrum 

It’s the cybersecurity equivalent of brushing your teeth. Everyone knows it’s essential, not everyone does it properly, and the consequences of neglect can be painful and expensive.

According to the 2025 Verizon Data Breach Investigations Report, stolen credentials (22%) and exploited vulnerabilities (20%) remain the primary entry points for breaches. These aren’t sophisticated zero-day hacks; they’re breaches that usually exploit basic hygiene failures.

Meanwhile, the global average cost of a data breach continues climbing, now standing at £3.65 million—a 10% increase from the previous year and the highest jump since the pandemic. For businesses in the UK and beyond, the costs go beyond financial damage to include operational disruption, regulatory scrutiny, and reputational harm.

The question becomes: why do organisations keep neglecting the basics when the stakes are so high?

Common blind spots in security fundamentals 

So what mistakes are people actually making? Let’s shed some light on the most frequently overlooked aspects of security hygiene:

Patch management gaps 

According to a recent vulnerability management report, 10% of survey respondents took anywhere from three months to a year to deploy security patches, while only 25% managed to patch within a month of the patch’s release. And the Verizon 2023 Data Breach Incident Report noted that the median time to patch was 49 days! That’s creating an extended vulnerability window that gives attackers plenty of time to exploit known weaknesses.

Even more concerning, the Verizon DBIR reveals that only slightly over 50% of known edge device vulnerabilities are ever fully patched, and those that are patched take an average of 32 days to remediate. That’s a potentially huge number of vulnerable entry points into your network.

Credential and access control weaknesses

When credentials are compromised, many organisations take far too long to notice.

Attack identification and containment time for breaches attributed to stolen credentials reached an average combined time of 292 days—nearly 10 months during which attackers can operate unchecked.

Third-party security blindness

Your security is only as strong as your weakest supplier. Third-party involvement in breaches has doubled year-over-year, jumping from 15% to 30%. This shows that extended supply chain risks are a critical (and often overlooked) component of basic hygiene.

Why we get distracted 

There are a few big reasons that firms struggle to maintain diligent security hygiene.

The shiny object syndrome

Cybersecurity teams can be tempted to chase the latest tools while neglecting fundamentals. As KPMG’s Director of Cyber cautions: “If that money is spent on the next best shiny tool but basics like cyber hygiene are not fixed, then the organisation’s level of resilience will not improve.” Tools are great, but they have to be used alongside people-centred processes.

The invisibility problem

Good hygiene is largely invisible—you notice it only when it fails. This can make it difficult to demonstrate value, especially when you’re competing for limited resources against more visible projects.

Expanding attack surfaces

Attack surfaces are constantly expanding, especially with the rise of remote work. Attacks specifically targeting VPNs and edge devices have increased dramatically—up by 8x compared to the previous year. These devices now play a role in 22% of exploit-related incidents, compared to just 3% previously.

Building a sustainable hygiene process

Creating effective security hygiene requires not just checklists, but sustainable processes that are suitable for your specific environment. Here are some strategies that can help:

Realistic patch management 

As we highlighted earlier, patching properly and on-time is massive. It has to be taken seriously. The main ways to make your patch process better involve:

• Risk-based prioritisation that addresses the most critical vulnerabilities first
• Consistent, predictable patching cadences that teams can plan around
• Streamlined testing protocols that validate patches without unnecessary delays
• Automation tools that reduce manual effort and human error in the patching process
• Clear visibility into patch status across all systems, including edge devices

Smarter resource allocation 

Cybersecurity budgets are growing, with Infosecurity’s 2025 Cybersecurity Trends Report noting an average growth of 31% over the next 12 months. That said, allocation remains a challenge.

How much of your IT budget should you allocate to cybersecurity? While it’s impossible to say an exact figure that suits all companies, you could take a rough average of the advice out there: most figures online hover around 5-20%.

But what if a serious new threat arrives tomorrow? Or if someone notices a vulnerability gap in a system that stores customer data? These things can demand fast financial thinking.

But most importantly, a good portion of your budget should be dedicated to hygiene basics rather than advanced tools that aren’t useful due to your fragile foundations.

Meaningful metrics 

You could consider shifting from compliance-focused metrics to risk-based metrics that have better meaning for your actual security posture.

For example, as well as tracking “percentage of systems patched,” you might measure “vulnerability exposure window”—the time between a vulnerability’s discovery and its remediation across your systems.

This approach isn’t a hard rule, but it’s an idea that many organisations can find valuable. Risk-based metrics give more context about your actual exposure and can help you prioritise limited resources. They can also resonate better with business leaders who need to understand security in terms of business risk rather than technical compliance. Go for whatever drives the right behaviours and highlights your most significant risk areas.

From checklist to culture 

Effective security hygiene is both a technical challenge and a cultural one.

The UK’s Cyber Security Breaches Survey 2025 notes that many organisations are instituting basic cyber hygiene but stopping there, creating a gap between technical compliance and actual security effectiveness.

So moving beyond tick-box compliance needs security teams to make hygiene visible by translating technical metrics into business risks. When the board understands that a 30-day patching cycle means a certain level of risk exposure, they can make informed decisions about acceptable risk.

This cultural shift also means recognising that security hygiene works best as a shared responsibility. Phishing remains the most persistent threat, with 18% of all UK businesses having suffered such attacks (and these are the ones that were actually discovered). This really shows the need for ongoing awareness training and user involvement in security. Technical controls alone can’t create a truly resilient organisation.

The competitive advantage of getting the basics right 

Far from being just a defensive necessity, strong security hygiene can become a genuine business enabler for your organisation. When you excel at security basics, your business benefits in multiple ways:

• Business continuity and stability – With 70% of businesses experiencing notable operational downtime from breaches, companies with strong hygiene maintain more consistent operations. This stability means better customer experiences, more reliable service delivery, and fewer emergency resource diversions.
• Stronger resilience against ransomware – On the optimistic side of things: while ransomware was present in 44% of breaches, the median ransom payment fell to £90,000, with 64% of victims refusing to pay. This suggests firms might be wising up. They’re developing improved recovery capabilities through proper backups and incident response plans, which are core elements of security hygiene.
• Significant cost avoidance – Prevention is pretty much always cheaper than a cure. We’ve already shown the massive costs involved when things go wrong. Strong hygiene practices make up a fraction of these costs while dramatically reducing the likelihood of incidents.

Let’s get the basics right together

Security hygiene isn’t that exciting. You probably won’t win any awards for innovation by following these practices. But it’s the foundation upon which all other security measures stand.

Illuminate the blind spots, run sustainable processes, and build a culture that values the basics. This way, you’ll create a security posture that can withstand a huge portion of today’s threats.

At Two Four Secure, we help organisations see the unseen gaps in their security foundations and establish practical, sustainable hygiene processes that actually work. We don’t just point out problems, we help solve them.

Need some help or advice on building strong security foundations? Contact us today.