Digital Hygiene in the Workplace: 6 Decisions for Security


Digital Hygiene in Business: 6 Management Decisions to Reduce Reputational and Incident Cost Risks


Digital hygiene in a company is not just an IT specialist's concern. It is a discipline of management, internal control, and reliability. A company that cannot clearly state which accounts are active, where sensitive data is stored, who has access to it, and how quickly deviations become noticeable, is not actually managing significant risks. This is precisely why digital hygiene in a company is an essential component of cybersecurity in a company and data security in companies.

The issue is also relevant in Latvia. The National Cybersecurity Law has been in effect since September 1, 2024, and the NIS2 logic no longer applies only to IT teams, as organizations in scope had to identify their status, appoint a cybersecurity manager, and submit a self-assessment. In 2025, Cabinet of Ministers regulations on minimum cybersecurity requirements also entered into force. This means one thing: cybersecurity is becoming a demonstrable management capability, not a declaration of good intentions.

Market data confirms this reality. Verizon's 2025 DBIR shows that compromised credentials were the initial access path in 22% of breaches, ransomware was present in 44% of breaches, and third-party involvement in breaches doubled year-over-year from 15% to 30%. The APWG recorded over 1 million phishing attacks in Q1 2025. IBM's 2025 Cost of a Data Breach Report estimates the global average cost of a data breach at $4.4 million, while its 2024 analysis showed that in cases of high business disruption the cost rose to $5.01 million. In other words, unseen vulnerabilities are no longer cheap.

Executive Summary

  • Digital hygiene in a company means reducing the attack surface – fewer active accounts, fewer unnecessary access points, less unnecessarily stored data, and fewer unknown dependencies.
  • NIS2 and the Latvian regulatory framework require not only technical controls but also management co-responsibility, documented risk management, and a clear division of responsibilities.
  • Companies experience GDPR risks not only in the form of fines but also in the loss of customer trust, additional checks by partners, delays in transactions, and damage to reputation.
  • The question for management isn't “do we have a cybersecurity policy,” but “can we demonstrate that access, data, devices, and third-party services are controlled.”

 

Why is this a management issue?

The essence of NIS2 is simple: critical and important services in Europe must no longer rely on minimal technical protection and unclear responsibility. The logic of the directive, also incorporated into Latvian regulation, requires risk management measures, incident reporting, business continuity plans, supply chain security, and management involvement. Furthermore, NIS2 clearly stipulates that management structures must approve and oversee these measures.

This means one thing: cybersecurity in a company is becoming a demonstrable management capability, not a declaration of good intentions. Digital hygiene in a company, in this context, is one of the key tools by which an organization can demonstrate compliance with NIS2 requirements in Latvia and effective cyber risk management.

GDPR must also be evaluated in a business context today. It is not just a set of rules on personal data. It is a framework for reputation, contractual consequences, and sanctions. The European Commission reminds us that in case of violations, not only sanctions but also restrictions on processing are possible, while the EDPB also emphasizes that obvious good data management builds trust. For management, this means that a data breach affects not only lawyers but also the company directly – its revenue, relationships with partners, and market perception.

What is attack surface reduction

In business terms, reducing the attack surface is a completely pragmatic discipline. Digital hygiene within a company plays a central role here – the fewer accounts, devices, links, shared folders, and data copies there are, the smaller the potential attack surface and the more effective cybersecurity is within the company.

In practice, this doesn't mean “more technology,” but less waste: fewer orphaned accounts, less “just in case” access, fewer files without a retention deadline, fewer outdated devices, fewer ad hoc outsourcing arrangements, and less data whose business value has already been lost.

The six steps in this article are essentially six ways for management to reduce the attack surface with clear decisions.

 

1. Unique passwords and identity discipline

Thesis. If an identity is not managed, an attacker doesn't need to bypass the system – they just need to log in.

Where does the real risk lie. Compromised credentials remain one of the fastest attack paths. Verizon's 2025 DBIR shows that compromised credentials were the initial access vector in 22% of breaches. If passwords in a company are reused, stored in scattered places, or known to several people, a single incident quickly turns into a multi-system problem.

What does that cost the company. For a company, it costs account takeovers, reputational damage, longer incident containment, and a much more expensive return to normal operations. If an email or financial account is compromised, the consequences can also become monetary.

Practical action.

  • Implement a requirement that all critical accounts have unique passwords and a centrally managed password vault solution.
  • Prohibit shared user accounts where possible; each access must be traceable to a specific individual or role.
  • Consolidate identity management via SSO where possible so management can see who is truly active.
  • Regularly review elevated-privilege accounts and access to sensitive data, including API keys and service accounts without a clear owner.
  • Implement a process for leaked credential verification and rapid rotation.

A management question to ask yourself. Can management receive a clear answer today to the question: which are our critical accounts, who owns them, and how are they protected?

 

2. Two-factor authentication

Thesis. A password alone is no longer a security control – it's just the first hurdle.

Where does the real risk lie. Phishing continues to work on an industrial scale: APWG observed 1,003,924 phishing attacks in Q1 2025. At the same time, Verizon's additional 2025 study on credential stuffing shows that these attacks averaged 19% of all authentication attempts per day, and reached 25% in large enterprises. If a second layer of authentication is not implemented, a compromised password often means a compromised account as well.

What does that cost the company. The cost is disproportionate to the investment. A compromised email account can lead to payment irregularities, leakage of contractual correspondence data, and loss of customer trust. For management, it also means additional time for incident management and reputation damage control.

Practical action.

  • Prioritize the implementation of phishing-resistant MFA for email, administrative access, financial systems, VPN, and cloud services.
  • SMS should only be used as a temporary solution; authenticator apps, security keys, or passkey-type solutions are preferred.
  • Document all MFA exceptions and set deadlines for them; permanent exceptions are to be considered management risks.
  • Implement conditional access based on device, location, and risk signals.
  • Regularly review which accounts are actually logging in without two-factor authentication.

A management question to ask yourself. Which critical company account could an attacker still access today with nothing more than a password, if that password were compromised?

 

3. Account and access audit

Thesis. Unnecessary access is not a convenience – it's a risk.

Where does the real risk lie. The attack surface grows quietly: accounts of former employees, third-party access with no expiry date, shared folders with an unclear owner, and service accounts that nobody monitors any more. Verizon's 2025 DBIR notes that third-party involvement in breaches rose from 15% to 30%, which shows how expensive an unmanaged partner and supplier layer becomes.

What does that cost the company. The result is a larger incident radius, slower response, weaker auditability, and more difficult due diligence. At the time of an incident, the company loses valuable time as it first tries to understand who had access to what.

Practical action.

  • Implement quarterly access reviews for critical systems, shared applications, and financial tools.
  • Strengthen the joiner-mover-leaver process to automatically trigger access changes for employment relationship changes.
  • Apply the principle of least privilege, basing access on roles rather than individual exceptions.
  • Maintain a third-party access log with the owner, justification, deadline, and audit date.
  • Review service and integration accounts, especially those connected to email, data exports, and financial flows.
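The third-party access log, the leaver process, and the ownerless-account review above (and the ban on shared accounts from step 1) can be run as one quarterly check over an access register. The following is an added example, not the article's or any vendor's code; the register fields, names, systems and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

REVIEW_INTERVAL_DAYS = 90   # quarterly review, as recommended above

@dataclass
class AccessGrant:
    subject: str                 # person, partner or service account
    system: str
    kind: str                    # "employee", "third_party", "service" or "shared"
    owner: Optional[str]         # accountable owner; None if nobody is named
    deadline: Optional[date]     # None means open-ended access
    last_review: Optional[date]  # None means never reviewed
    status: str                  # "active" or "left" (joiner-mover-leaver state)

# Constructed sample register; names and systems are illustrative only.
SAMPLE_REGISTER = [
    AccessGrant("anna", "erp", "employee", "cfo", None, date(2025, 8, 15), "active"),
    AccessGrant("janis", "erp", "employee", "cfo", None, date(2025, 8, 15), "left"),
    AccessGrant("vendor-x", "vpn", "third_party", "it-lead", None, date(2025, 8, 15), "active"),
    AccessGrant("vendor-y", "crm", "third_party", "procurement", date(2025, 6, 30), date(2025, 5, 1), "active"),
    AccessGrant("svc-export", "m365", "service", None, None, None, "active"),
    AccessGrant("shared-finance", "bank-portal", "shared", "cfo", None, date(2025, 9, 1), "active"),
]
TODAY = date(2025, 10, 1)   # constructed review date

def review_access(grants: List[AccessGrant], today: date) -> List[Tuple[str, str, str]]:
    """Return (subject, system, finding) for every grant that breaks a hygiene rule."""
    findings = []
    for g in grants:
        if g.kind == "employee" and g.status == "left":
            findings.append((g.subject, g.system, "former employee still holds access"))
        if g.owner is None:
            findings.append((g.subject, g.system, "no accountable owner"))
        if g.kind == "shared":
            findings.append((g.subject, g.system, "shared account, not traceable to one person"))
        if g.kind == "third_party":
            if g.deadline is None:
                findings.append((g.subject, g.system, "third-party access without a deadline"))
            elif g.deadline < today:
                findings.append((g.subject, g.system, "third-party access past its deadline"))
        if g.last_review is None or (today - g.last_review).days > REVIEW_INTERVAL_DAYS:
            findings.append((g.subject, g.system, "not reviewed within the last quarter"))
    return findings

def run_sample() -> List[Tuple[str, str, str]]:
    """Run the review over the constructed register."""
    return review_access(SAMPLE_REGISTER, TODAY)

if __name__ == "__main__":
    for subject, system, finding in run_sample():
        print(f"{subject:15} {system:12} {finding}")
```

Each finding maps to a decision an owner must make (close, renew with a deadline, or assign an owner), which is what makes the review demonstrable rather than declared.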

A management question to ask yourself. Do we have more access than we have business needs?

 

4. Financial deviations and notifications control

Thesis. Some cyber incidents first appear in the financial stream, not on the security dashboard.

Where does the real risk lie. Business email compromise, fake invoices, changes to supplier bank accounts, and unusual authorization requests often start as operational trifles. APWG reports that in Q4 2025 the number of wire-transfer BEC attacks increased by 136% compared to the previous quarter. If financial controls fail to detect deviations, the incident can escalate without any technical “alarm signal.”

What does that cost the company. Direct costs are lost payments, but indirect costs are even broader: contract disputes, insurer involvement, auditor's additional claims, reputational issues, and management time consumption. The scope of an incident is often determined not by the initial amount, but by how long the deviation went unnoticed.

Practical action.

  • Implement dual confirmation for changes to supplier bank details and non-standard payments.
  • Automate notifications for account logins from unusual locations, new payees, and changes to authorization roles.
  • Determine the callback verification procedure using pre-known contacts instead of the information provided in the email.
  • Separate the rights for payment preparation, approval, and execution.
  • Monthly, reconcile signals from the finance and security teams – unusual payments, unusual logins, and notified supply chain changes.
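The five controls above can be expressed as rules over a combined stream of finance and login events, so the monthly reconciliation has something concrete to look at. This is an added example, not the article's or any product's code; the event schema, names, amounts and countries are constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# Constructed reference data: payees already verified and each user's usual login countries.
KNOWN_PAYEES = {"SIA Piegade", "Office Rent Ltd"}
USUAL_COUNTRIES = {"bob": {"LV"}, "alice": {"LV", "EE"}}

# Constructed sample events; field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"id": "E1", "type": "bank_detail_change", "supplier": "SIA Piegade",
     "requested_by": "alice", "approved_by": ["alice"], "callback_verified": False},
    {"id": "E2", "type": "payment", "payee": "SIA Piegade", "amount": 48000,
     "prepared_by": "alice", "approved_by": "bob", "executed_by": "carol"},
    {"id": "E3", "type": "payment", "payee": "New Consulting OU", "amount": 12500,
     "prepared_by": "bob", "approved_by": "bob", "executed_by": "bob"},
    {"id": "E4", "type": "login", "user": "bob", "country": "BR"},
    {"id": "E5", "type": "login", "user": "alice", "country": "EE"},
    {"id": "E6", "type": "role_change", "user": "carol", "new_role": "payment_approver"},
]

def detect_deviations(events: List[Dict], known_payees: Set[str],
                      usual_countries: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Apply the financial controls to the event stream and return (event id, reason) alerts."""
    alerts = []
    for e in events:
        t = e["type"]
        if t == "bank_detail_change":
            # Dual confirmation: two approvers, neither of whom is the requester.
            approvers = set(e["approved_by"]) - {e["requested_by"]}
            if len(approvers) < 2:
                alerts.append((e["id"], "bank details changed without dual confirmation"))
            if not e["callback_verified"]:
                alerts.append((e["id"], "bank details not verified by callback to a known contact"))
        elif t == "payment":
            if e["payee"] not in known_payees:
                alerts.append((e["id"], "payment to a new payee"))
            # Segregation of duties: preparer, approver and executor must be three people.
            if len({e["prepared_by"], e["approved_by"], e["executed_by"]}) < 3:
                alerts.append((e["id"], "preparation, approval and execution not separated"))
        elif t == "login":
            if e["country"] not in usual_countries.get(e["user"], set()):
                alerts.append((e["id"], "login from unusual location"))
        elif t == "role_change":
            # Any change to an authorization role is reported, never silently applied.
            alerts.append((e["id"], f"authorization role changed: {e['user']} -> {e['new_role']}"))
    return alerts

def run_sample() -> List[Tuple[str, str]]:
    """Run the controls over the constructed events."""
    return detect_deviations(SAMPLE_EVENTS, KNOWN_PAYEES, USUAL_COUNTRIES)

if __name__ == "__main__":
    for event_id, reason in run_sample():
        print(event_id, reason)
```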

A management question to ask yourself. Can our financial controls detect a cyber incident before the money is gone?

 

5. Email, cloud storage, and redundant information

Thesis. Disorganized information increases risk, even if the infrastructure is technically protected.

Where does the real risk lie. Companies often store too much data for too long and make it too widely accessible. Contracts, payroll files, customer data, copies of data exports, old invoices, and personal data accumulate in emails, cloud drives, and shared folders without a clear retention period. From the NIS2 perspective, this increases the attack surface; from the GDPR perspective, it also increases the potential scope of consequences if a breach occurs.

What does that cost the company. The more data is stored, the larger the leak volume, the more complex the incident analysis, the costlier the legal assessment, and the more burdensome the communication work with clients and partners. In transaction audits or investor due diligence, this type of environment signals a lack of control, not diligence.

Practical action.

  • Implement data classification and understandable retention periods for email, shares, and exports.
  • Review public and external sharing links, assigning terms and owners.
  • Separate working documents from official records and archives.
  • Delete or archive data whose operational value has been lost, especially sensitive exports and local copies.
  • Perform spot checks of management mailboxes and critical shared folders to understand the actual, not declared, situation.

A management question to ask yourself. If a data incident were to happen today, how much of the leaked information would the company no longer need at all?

 

6. Device, Updates, and App Permissions

Thesis. An unpatched device is a silent entry point with excessive trust.

Where does the real risk lie. Verizon's 2025 DBIR shows that exploitation of vulnerabilities reached 20% as an initial access vector, while ransomware was present in 44% of breaches and in 88% of SMB breaches. Uninventoried devices, delayed updates, local administrator rights, and uncontrolled applications create an environment in which a single vulnerability turns into an operational disruption.

What does that cost the company. The cost here is most often downtime. IBM 2024 showed that as business disruption increased, the average cost rose from $4.63 million to $5.01 million. In manufacturing, service delivery, or financial flows, this means not only IT recovery but also a real cessation of company operations.

Practical action.

  • Maintain a unified inventory of devices and software, showing ownership, status, and criticality.
  • Define clear critical security update SLAs and the procedure for approving exceptions.
  • Reduce local administrator rights and review application installation permissions.
  • Manage mobile and remote device security with MDM/EDR, encryption, and remote wipe.
  • Decommission old disks, USB drives, and devices without hesitation, documenting the data destruction.
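The inventory, update SLA, local-admin and MDM/EDR actions above can be checked in one pass over the device register, which also yields the share of devices that can honestly be called managed. This is an added example, not the article's or any vendor's code; the SLA values, field names, hostnames and dates are constructed assumptions, and the real SLA comes from the company's own policy.

```python
from datetime import date
from typing import Dict, List

# Assumed SLA: days allowed between release of a critical update and its installation,
# graded by device criticality (illustrative values, not a standard).
PATCH_SLA_DAYS = {"high": 7, "medium": 14, "low": 30}

# Constructed inventory rows; hostnames, owners and dates are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "fin-laptop-01", "owner": "cfo", "criticality": "high",
     "oldest_missing_critical_update": None, "local_admin": False,
     "encrypted": True, "mdm_edr": True},
    {"host": "sales-laptop-07", "owner": "sales-lead", "criticality": "medium",
     "oldest_missing_critical_update": date(2025, 9, 1), "local_admin": True,
     "encrypted": True, "mdm_edr": True},
    {"host": "warehouse-pc-02", "owner": None, "criticality": "low",
     "oldest_missing_critical_update": date(2025, 7, 15), "local_admin": True,
     "encrypted": False, "mdm_edr": False},
    {"host": "dev-vm-11", "owner": "it-lead", "criticality": "high",
     "oldest_missing_critical_update": date(2025, 9, 27), "local_admin": False,
     "encrypted": True, "mdm_edr": True},
]
TODAY = date(2025, 10, 1)   # constructed audit date

def check_device(d: Dict, today: date) -> List[str]:
    """Return the hygiene issues for one inventory row; an empty list means 'managed'."""
    issues = []
    if d["owner"] is None:
        issues.append("no owner recorded")
    if not d["mdm_edr"]:
        issues.append("not enrolled in MDM/EDR")
    if not d["encrypted"]:
        issues.append("disk not encrypted")
    if d["local_admin"]:
        issues.append("user has local administrator rights")
    released = d["oldest_missing_critical_update"]   # release date of the oldest uninstalled critical update
    if released is not None:
        allowed = PATCH_SLA_DAYS[d["criticality"]]
        overdue = (today - released).days - allowed
        if overdue > 0:
            issues.append(f"critical update {overdue} days past the {allowed}-day SLA")
    return issues

def audit_inventory(inventory: List[Dict], today: date) -> Dict[str, List[str]]:
    return {d["host"]: check_device(d, today) for d in inventory}

def managed_share(inventory: List[Dict], today: date) -> float:
    """Fraction of devices with no open issues, i.e. the share that can be considered managed."""
    results = audit_inventory(inventory, today)
    return sum(1 for issues in results.values() if not issues) / len(results)

def run_sample() -> Dict[str, List[str]]:
    return audit_inventory(SAMPLE_INVENTORY, TODAY)
```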

A management question to ask yourself. How many of our active devices and applications can actually be considered managed today?

 

Why is digital hygiene in a company an indicator of management quality?


In a company, access control almost always reflects the quality of management. If it's unclear who makes decisions about access, who reviews exceptions, who is responsible for third-party access, and who approves data retention periods, then the problem isn't in the technology. The problem is in the accountability model.

This is precisely why digital hygiene is closely linked to the internal control system. Passwords, MFA, access audits, retention periods, payment alerts, and device inventories are not separate technical minutiae. They are control points through which a company manages access, changes, exceptions, and deviations.

NIS2 merely formalizes this logic: management structures must approve cyber risk management measures and oversee their implementation. Therefore, security can no longer be considered an “IT department function.” It is a risk management function with technical execution and a shared responsibility – ensuring that critical risks are not only identified but also operationally controlled.

 

Reputation, trust, and market access

Security in the market is increasingly understood as reliability. Customers expect not only service but also assurance that their data, correspondence, and commercial information are not circulating uncontrollably. Partners are increasingly requesting explanations regarding access, outsourcing, and incident management during the procurement or contract negotiation phases.

During due diligence, digital hygiene issues become apparent very quickly. If a company cannot demonstrate how access is managed, how redundant data is deleted, how third-party rights are controlled, and how former employee accounts are closed, it signals a broader weakness in management. From an investor's perspective, this isn't an “IT deficiency”; it's a lack of corporate quality, predictability, and control.

For this reason, security is not just protection against an incident. It is also the protection of capital, transaction speed, and trust. Companies that understand this do not isolate cybersecurity. They integrate it into procurement, financial control, human resources processes, internal audit, and daily operations.

Conclusion

Digital hygiene in a company is not just an additional layer of security. It is the line between manageable risk and invisible accumulated vulnerabilities. Companies that intentionally develop digital hygiene within their organization strengthen their corporate cybersecurity, improve data security, and simultaneously build trust in the eyes of customers and partners. It becomes an essential element for both fulfilling NIS2 requirements in Latvia and for long-term cyber risk management.

However, the visible digital layer is only part of the overall risk. Sensitive information also resides in paper archives, contract folders, old hard drives, USB drives, local backups, and document flows outside central systems. It is precisely there that data often remains whose operational value is minimal, but whose potential for damage is still high.

Therefore, the next logical step is not another technical tool, but an assessment of blind spots: where information resides within the company outside of visible control, what access points still exist, and which carriers still pose a risk without business return. This will be part 2 of the topic.

 

Sources and facts used

  • Republic of Latvia National Cybersecurity Law, effective from 01.09.2024.
  • Ministry of Defence, Cybersecurity / National Cyber Security Law, information on NIS2 implementation, registration, cybersecurity manager and self-assessment deadlines.
  • Cabinet of Ministers Regulation No. 397 “Minimum cybersecurity requirements”, adopted on 25.06.2025.
  • Directive (EU) 2022/2555 (NIS2) regarding management co-responsibility and supply chain security.
  • European Commission, enforcement and sanctions under EU data protection rules; EDPB SME data protection guide.
  • ENISA Threat Landscape 2024; ENISA, A Report on the State of Cybersecurity in the Union 2024.
  • Verizon, 2025 Data Breach Investigations Report Executive Summary; Additional 2025 DBIR research on credential stuffing.
  • IBM, Cost of a Data Breach Report 2025; IBM 2024 analysis of the business impact of incident costs.
  • APWG, Phishing Activity Trends Report, Q1 2025 to Q4 2025.