Companies with a focus on cyber hygiene and security basics prevent more attacks and find intrusions faster.
In 2020, nation-state attackers compromised as many as 18,000 companies by inserting malware into an update from remote management vendor SolarWinds. Early this year, as many as 30,000 organizations suffered an attack through zero-day vulnerabilities in Microsoft Exchange.
These attacks may leave security teams feeling they must focus on preventing—or at least preparing for—the most sophisticated attacks, such as supply chain breaches or zero-day vulnerabilities. However, cyber hygiene and consistently stressing security basics remain the most important practices for companies, boosting their ability to detect attackers who get inside their networks and systems.
"I would contend that about 95 percent of the exploits that are used by nation-state actors and high-end criminal groups are not using zero days but just [exploiting victims who leave] the doors open for the attackers," says Gregory Touhill, a director on the board of the Information Systems Audit and Control Association (ISACA) and a professor of cybersecurity at Carnegie Mellon University. He argues that closing the front door to the network by patching and applying good configuration management and other measures will have the greatest long-term impact. Why would attackers use high-value attack techniques when they can just walk in the unlocked back door?
The stats bear this out. Companies with leading cybersecurity programs are four times better at stopping attacks and finding breaches, three times better at responding to breaches, and two times better at reducing the impact of a breach, according to Accenture's State of Cyber Resilience report.
Please read: Small business security requires a password manager
"You want complete visibility and consistency, developing the right operating model for network and endpoint, and, for access, understanding how to use least privilege to lock down the cloud services and network components," says Rob Boyce, North America cyberdefense lead at Accenture Security.
Sophisticated and large-scale attacks will always stand out, but boring, day-to-day security measures are key to minimizing risks. Here are the basics, broken down into three typical categories: people, process, and technology.
While many security teams think of employees as a source of vulnerability, they can be—when trained well—the first line of defense.
As employees have shifted to remote work, educating them in strong security principles has become even more important. While many security teams think of employees as a source of vulnerability, when trained well, they can be the first line of defense.
Teaching employees about best practices—use a password manager, do not reuse passwords, use multifactor authentication, and be suspicious of email—goes a long way toward keeping your company safe. Show your people concrete examples of what damage can happen by failing to put these practices to use and they'll be more likely to get on board.
How big a team do you need? The typical company dedicates two full-time employees to attain the average level of security awareness: promoting awareness and behavioral change, according to the SANS Institute's 2019 Security Awareness Report. To achieve an above-average level, the equivalent of more than three full-time employees are necessary depending on the size of the company. (The survey focused on companies with at least 1,000 employees.)
The companies most secure in their management of security measure their progress closely and track employee training and practices. A good place to start is to use the results of phishing drills. When Touhill—then Brigadier General Touhill—served as CIO of the U.S. Transportation Command, he conducted regular phishing drills and publicized the results.
"We started out with a 17 percent click rate, and then we would point out what was wrong with the message, and pretty soon we got down to less than [one] percent," he says. "We also publicized the results—anonymizing the soldiers—so it became sort of a competition."
To secure your organization, you need to know what assets are critical and how to best protect them. Maintaining an up-to-date census of assets is a critical basic security function for companies. Only when companies know all of their assets can they keep them patched and determine the appropriate controls for each category of asset.
"If you don't know what assets you have, where those assets reside, the criticality of those assets, how can you fundamentally add additional layers of control to secure those systems and data?" says Andrew Rafla, principal and lead for zero trust at Deloitte Risk & Financial Advisory.
With the rise of various forms of invoice fraud—from business email compromise (BEC) to spear-phishing attacks that target the finance department—creating a robust accounting and payment process in conjunction with a firm's bank is incredibly important. Often, business email fraud starts with the compromise of an executive's account, which is then used to forward invoices and bank transfer details.
To protect against the increasingly sophisticated BEC schemes, invoices should be verified using a variety of checks through different points of contact to minimize the potential for fraud.
Another damaging scheme is ransomware attacks, especially the more recent variant known as double extortion, in which data is stolen and then encrypted. Companies that do not pay the ransom demand not only do not get the key to unlock their data but will likely find their data published to the Internet.
The first line of protection for companies is to back up the most important data and run regular exercises to verify restoration. The restoration process has to be as painless as possible. There are cases where companies have paid ransoms even when they have backups because the act of restoring data takes too much time.
Remote work is another reason why businesses should plan to adopt a zero trust architecture. The focus of zero trust is to start with the assumption that any device may be compromised and verify that the device is clean and then keep watch for abnormal behavior.
An identity infrastructure is the first requirement for zero trust. Users and devices are discrete entities that are monitored for changes in behavior. If a device suddenly connects from a new location or someone accesses a resource for the first time, that should trigger additional security checks. Multifactor authentication helps in preventing attacks with stolen credentials.
In addition, you should adopt device management software to ensure devices are up to date and configured correctly. Endpoint detection and response lets you manage remote devices and respond to incidents from afar. The more that automation is built into the systems, the faster the security team can respond to potential breaches.
"It is important to integrate the technology stack as much as possible, and leverage automation and orchestration capabilities to be able to rapidly respond in real-time, as opposed to a reactive approach, where you are taking a manual action," says Deloitte's Rafla. Finally, a zero trust network access technology can secure access to corporate assets and protect the expanding array of cloud services. Such services allow networks and services to be segmented, establishing micro-perimeters around critical assets and services, says Rafla.
"Even if you are breached, you reduce the blast radius of a potential threat and reduce the damage from the breach," he says.
Please read: Why healthcare is such a juicy ransomware target
While many companies focus on technology first, hoping that a new product or service will solve their security problem, a clearer process or better training for employees might be smarter. Technology is just one component of the overall security basics—people and process are just as important.
For many companies, the default security approach is to focus on what the organization is legally required to do—in other words, compliance. Take that approach, and you'll likely fall short.
"Don't get locked into thinking compliance is security—compliance gives you the bare minimum, and it's the bare minimum 18 months ago," ISACA's Touhill says. "Compliance will not always bring you best practices, but best practices will always bring you into compliance."