In an ideal world, governments would lead from the front on cybersecurity. Big-name breaches across federal, state, and local governments over the years demonstrate that cybersecurity best practices aren't being driven by the public sector.

However, things now seem to be changing with the Cybersecurity and Infrastructure Security Agency's (CISA) new Binding Operational Directive (BOD), which will require federal agencies to patch hundreds of known vulnerabilities.

As best practices go, patching is fundamental to effective cybersecurity. The hope is that with this new push, the Biden administration can light a path towards cyber hygiene that will make organizations across the country more secure.

A directive for all organizations

The directive applies to all software and hardware on Internet- and non-Internet-facing IT systems, whether managed in-house or by a third party. It mandates that federal agencies patch a list of nearly 300 vulnerabilities that present a "significant risk" to networks.

Agencies have two weeks to close the vulnerabilities published in 2021 and six months for older Common Vulnerabilities and Exposures (CVEs) — some of which date back to 2014. Importantly, the BOD also establishes a CISA-managed catalog of "known exploited vulnerabilities," which will be regularly updated, with the requirement to fix extending to each entry added to it.

The move is long overdue, given that government watchdogs have highlighted deficiencies in federal patching programs for many years. It will be warmly welcomed in security circles, and less so in the cybercrime underground and the hacking units of hostile nations.

The initiative can be viewed as part of the Biden administration's rigorous approach to cyber risk management. This follows a widely praised Executive Order in May, which mandated the implementation of zero trust architecture, enhanced intelligence sharing, encryption, endpoint detection and response among agencies, and improved supplier scrutiny across government.

However, CISA director Jen Easterly has been clear: this BOD is not just a government play. She wants all organizations to adopt the directive and prioritize the vulnerabilities listed in the catalog. That's absolutely the right message to send out.

The problem with unpatched vulnerabilities

The cybersecurity industry is often guilty of overcomplicating things. However, in the case of software vulnerabilities, the message is unequivocal: patch, patch, patch.

Software vulnerabilities have been at the heart of some of the biggest data breaches in history. And this year, exploits have empowered threat actors to ramp up malicious activity to almost unprecedented levels — from the outrageous SolarWinds campaign to the widespread exploitation of Exchange server bugs earlier in the year.

Security flaws don't just arm nation-state operatives; they're also a top-three attack vector for ransomware, driving a 148% increase in attacks year-over-year and costing organizations billions in the process. The bad news is the sheer scale of the threat. In an ideal world, organizations would patch everything as soon as vendor updates become available. In practice, the size of the corporate attack surface is too great and patch volumes are already unmanageable.

There were over 18,100 CVEs released last year alone, more than in any previous year. That amounts to more than 50 per day. A majority were classed as low complexity and required no user interaction to exploit. CIOs and CISOs running legacy IT systems may be even more restricted in what they can upgrade for fear of breaking mission-critical systems and rendering key applications unusable.

Improved cyber hygiene

So how can organizations practically follow Easterly's advice to minimize cyber risk? Most breaches result from lapses we make — failing to understand which endpoints are unpatched and misconfigured, and which are connected to critical systems and data.

Given the complexity and dynamic nature of modern IT environments — especially cloud VMs and containers — keeping track of everything is increasingly challenging. Threat actors are adept at probing for and exploiting these mistakes.

This is where cyber hygiene comes in, offering a best-practice approach to identify where risks are most pronounced and then fix them. So how do you get there? Visibility is the first crucial step: you can't protect what you can't see.

Unfortunately, research shows that 94% of global CIOs have discovered endpoints in their organization that they were previously unaware of. Once you know what you have, it's time to scan for vulnerabilities and configuration issues — prioritizing them by risk to the organization. This will vary from one organization to the next.

Then you need to remediate quickly and at scale, something that has traditionally been a challenge for large organizations. Where systems can't easily be patched, endpoints can be shielded with security tools, and entry points to networks must be monitored to keep hackers at bay.

It's important to remember that this shouldn't be a one-off process. IT leaders must continually scan and fix their environment because it's in a state of constant flux, with changes potentially exposing new attack vectors every second.

Let's be clear: prompt patching isn't a panacea. Consider integrating vulnerability management into a zero-trust strategy for a more comprehensive risk management approach. Cyber hygiene isn't about reaching a state of 100% security. That's impossible. It's about raising the bar as high as you can to deter adversaries. And on that note, CISA's directive is a great step in the right direction.
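To make the hygiene steps above concrete (inventory, scan, prioritize, remediate, repeat), here is an added example that is not code from the article or from CISA. It takes a constructed list of scan findings, keeps only those that match a known-exploited-vulnerabilities catalog, attaches the deadline the directive sets as the article describes it (two weeks for CVEs published in 2021, six months for older ones), and orders the work by days remaining and by whether the host reaches critical systems, with uncatalogued findings reported separately. The catalog entries, CVE identifiers, hostnames, directive date and "today" are all constructed placeholders, and the catalog layout is a simplification rather than CISA's published schema.

```python
"""Prioritise scan findings against a known-exploited-vulnerabilities catalog.

Added example, not code from the article or from CISA. Every value below is a
constructed placeholder: the CVE ids are not real identifiers, the hosts are
invented, the directive date is assumed, and the catalog layout is a
simplification rather than CISA's published schema.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed catalog: CVE id -> affected product (placeholder ids, not real CVEs).
KNOWN_EXPLOITED = {
    "CVE-2021-11111": "MailServer",
    "CVE-2019-22222": "VPNGateway",
    "CVE-2014-33333": "LegacyERP",
}

# Assumed directive date (placeholder); deadlines are counted from it.
DIRECTIVE_DATE = date(2021, 11, 1)


@dataclass(frozen=True)
class Finding:
    """One scanner result: a host, the CVE found on it, and whether the host is
    connected to critical systems or data (the inventory step decides this)."""
    host: str
    cve: str
    critical: bool


@dataclass(frozen=True)
class Triaged:
    host: str
    cve: str
    critical: bool
    due: date
    days_left: int  # negative once the deadline has passed


# Constructed scan output, including an endpoint the inventory found late and
# a CVE that is not in the catalog at all.
SCAN_FINDINGS = [
    Finding("web-01", "CVE-2021-11111", critical=True),
    Finding("vpn-01", "CVE-2019-22222", critical=True),
    Finding("erp-legacy", "CVE-2014-33333", critical=False),
    Finding("dev-03", "CVE-2020-44444", critical=False),
    Finding("shadow-it-07", "CVE-2021-11111", critical=False),
]


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def cve_year(cve: str) -> int:
    """The year embedded in the CVE id, used here as a stand-in for its publication year."""
    return int(cve.split("-")[1])


def due_date(cve: str, directive_date: date = DIRECTIVE_DATE) -> date:
    """Directive rule as the article states it: two weeks for CVEs published in
    2021, six months for older ones. Newer ids are assumed to get the short window."""
    if cve_year(cve) >= 2021:
        return directive_date + timedelta(days=14)
    return add_months(directive_date, 6)


def triage(findings, catalog, today, directive_date=DIRECTIVE_DATE):
    """Keep findings that match the catalog, attach deadlines, and order the work:
    fewest days left first, then hosts that reach critical systems, then by name."""
    work = []
    for f in findings:
        if f.cve not in catalog:
            continue
        due = due_date(f.cve, directive_date)
        work.append(Triaged(f.host, f.cve, f.critical, due, (due - today).days))
    work.sort(key=lambda t: (t.days_left, not t.critical, t.host))
    return work


def uncatalogued(findings, catalog):
    """CVEs the scanner found that are not (yet) in the catalog; they still need
    risk-based prioritisation, just not under the directive's clock."""
    return sorted({f.cve for f in findings if f.cve not in catalog})


def demo(today: date = date(2021, 11, 10)):
    """Run the triage on the constructed data; 'today' is a placeholder too."""
    return triage(SCAN_FINDINGS, KNOWN_EXPLOITED, today)


if __name__ == "__main__":
    for t in demo():
        flag = "OVERDUE" if t.days_left < 0 else f"{t.days_left:3d} days left"
        crit = "critical" if t.critical else "non-critical"
        print(f"{t.host:<14} {t.cve}  due {t.due}  {flag}  ({crit})")
    print("Not in catalog:", uncatalogued(SCAN_FINDINGS, KNOWN_EXPLOITED))
```

Run as a script it prints the ordered work list: the two 2021 findings come first with the two-week deadline, the critical host ahead of the late-discovered one, then the older CVEs on the six-month clock. Re-running it as the catalog and the inventory change is the "continual scan and fix" loop the article describes; the `uncatalogued` list is where the organization's own risk ranking takes over.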