“Assume breach” is the popular computer defense strategy based on the idea that your company is either already breached or could easily be breached by a dedicated attacker. There is a lot of validity to this approach. Most companies and organizations are super easy to hack and compromise. However, it doesn’t have to be this way.
Some senior management folks might find this strange, but you can make your organization significantly harder to breach. In fact, just a handful of defenses can do more to lower your cybersecurity risk than anything else. These include fighting social engineering and phishing better, doing far better at patching the software most likely to be attacked, and requiring multi-factor authentication (MFA) for all logons. This won’t guarantee that you won’t be attacked, but it does reduce the risk. How much?
Depending on which survey you read, up to 91 percent of all cyber attacks begin with a successful phishing attempt. Think of the benefit you would get just from an effective social engineering awareness program. Based on my experience, doing significantly better at all three things might reduce your cybersecurity risk by 99%. An assume-breach strategy will not do that. Assume breach is after the fact. You’re just trying to limit the damage by detecting the bad guys earlier and limiting their spread.
If you want to stop getting hacked, you have to concentrate on not getting hacked in the first place. You can’t completely get rid of assume-breach strategies like better security monitoring, domain isolation and intrusion detection. Sadly, most organizations are spending more money on assume-breach defenses instead of prevent-breach strategies.
Patching and programs against social engineering and phishing are most effective
Two of the three defenses I mentioned above, fighting social engineering and patching software, are not expensive. You’re already paying for them. Just do them better. You’re probably only spending 5% or less of your IT security budget on the two problems that likely make up 90% or more of your risk. In most organizations, it’s nearly 100% of the risk.
Use multi-factor authentication when and where you can
Fighting social engineering and patching will decrease your cybersecurity risk the fastest. Requiring MFA across all organizational logons is probably the third best thing you can do to lower your risk. Many passwords are compromised because of the first two issues, and most people re-use the same passwords across different sites. It’s a mess. The only way to fix it is to require MFA logons. Unfortunately, I don’t know of an MFA solution that works across all software, services, logons and devices. The best that you can do is to pick an MFA solution that works across the largest number of your sites, services and devices.
Ensure you have reliable backups for everyone
I’m amazed by how many companies with supposedly good backups pay the ransom from ransomware that has locked up their systems. They often say they have good backups, but the time and resources needed to restore those backups would cost more than paying the ransom. Well, I’ve got news for you. Many companies pay the ransom and the unlock keys don’t work or the criminal culprit just doesn’t try to help them. If you can’t trust your backup solution to help with a massive restore event, then perhaps you need a better backup system.
Use your company’s cybersecurity experience to figure out the rest
After you implement those four defenses, what you do then is up to you and your company’s cybersecurity weaknesses. Some companies, like those that develop lots of public and in-house software, should probably focus on better securing the software that they write. Other companies are traditionally under the threat of denial-of-service attacks and should strengthen their DDoS defenses. A lot of super-secure companies that don’t suffer breaches implement whitelisting application control software.
Figure out where your remaining cybersecurity gaps are and fill them, but only after putting in place the four defenses I recommend above. You can do significantly better in preventing breaches. Assume-breach defenses are OK and needed, but they can’t beat stopping breaches in the first place.