Extracted content from an article I wrote for my CompTIA series. You can check out the unabridged version here:
It’s a futuristic cybersecurity threat landscape out there – one that sometimes feels like it’s ripped from the pages of a science-fiction thriller. State actors and government-sized interests are finding more sophisticated ways of delivering targeted cyberattacks. Highly funded cyber-outlaws are delivering polymorphic malware that permeates enterprise defences, establishes a foothold and transmits data back to the criminal mothership. The security industry is working overtime to create advanced malware sandboxing and endpoint detection and response (EDR) solutions to keep pace, but the attackers always seem to be one step ahead.
This sort of thing is going on. Networks and applications are compromised this way. Sometimes.
The truth is, though, that it’s not how most – or even how many – cyberattacks take place. Most of the instances of catastrophic hacks we hear about don’t come from rogue states with limitless resources. Rather, they’re coming from average criminals with average resources. Whether they’re mere mischief-makers, low-level extortionists or affiliates of one organized crime syndicate or another, they don’t have a spare billion in bitcoin to throw at your firewall.
So why are they still getting in? The answer is simple.
Run-of-the-mill cybercriminals look for run-of-the-mill ways onto a network, system or application. They want the most bang for their buck. And while there’s a tendency for businesses to focus on the thrilling, frightening, bleeding edge of cybersecurity, most successful hacks happen because of a failure to implement the cybersecurity basics. Best practices for securing networks and applications – some of which have been standard for decades – are not followed, making it easy for a cybercriminal to get what they’re looking for without expending too much effort.
It’s no exaggeration to say that failing to manage the cybersecurity basics is leaving businesses vulnerable – understanding how and why this is the case can help both IT pros and the businesses they support take critical steps that tend to get missed.
How Cybersecurity Is Like Home Security
While there are, of course, differences between home security and cybersecurity, it can be helpful to understand the problems we’re facing by stripping out the bits and bytes and just thinking about the practical steps we take to keep our possessions from getting stolen.
If you lived in a ground-floor apartment in a city with a high rate of break-ins, you might think more seriously about a home security system or reinforced locks than you would if you lived in a rural area with few neighbours.
Then again, even if the likelihood of a random break-in was low, you might have other reasons for increasing security, such as to protect your valuable, irreplaceable possessions or give yourself peace of mind that you’re safe.
From there, you’d research which system would most effectively secure entry points to your home. You would want a comprehensive system that defended against the most likely ways people would break into a house like yours.
And you would have to use it in conjunction with the intuitive basics of home security, like remembering to lock your doors. If you had your front door outfitted with all sorts of locks and alarms but had another easily visible entry into your home that was entirely insecure, it’s a safe bet that anyone looking to break in would just saunter into the unlocked entrance rather than expending effort trying to disarm alarms and cut through bolts.
Patching to Secure All the Entrances
Some organizations will focus huge investments on solutions purporting to keep the cybersecurity equivalent of the front door reinforced enough to prevent a tank from rolling in during a full military invasion while leaving the backdoor or street-level window hanging open with a brand new television in plain view.
One of the most easily avoidable ways that enterprises leave a wide-open path for cybercriminals onto their systems is through failing to install patches as necessary. When a vendor rolls out a patch, it means they’ve discovered a hole into the cellar that they mistakenly left open while building the house, and they’re giving the user a solution that blocks it off.
Patches are the new locks on the doors when the old keys have been compromised; they’re the blackout blinds that keep your new TV out of sight from the street. That’s why identifying vulnerable systems quickly and having hard, service-level agreement (SLA)-defined rules on the timeline for deploying patches to 95 to 100 percent of systems internally is a necessity. Patching software should be seen as inseparable from using that software.
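To make the SLA idea concrete, here is an added example (not from the article) that checks a constructed host inventory against assumed patch-deadline tiers and reports whether deployment meets the 95 percent target; the severity tiers, host names and dates are all assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Host:
    name: str
    patch_released: date             # date the vendor published the fix
    patch_installed: Optional[date]  # None means the host is still unpatched

# Assumed SLA tiers: days allowed between vendor release and installation.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30}

def is_compliant(host: Host, severity: str, today: date) -> bool:
    """A host is compliant if it was patched by the deadline, or the
    deadline has not yet passed for a host that is still unpatched."""
    deadline = host.patch_released + timedelta(days=SLA_DAYS[severity])
    if host.patch_installed is not None:
        return host.patch_installed <= deadline
    return today <= deadline

def sla_report(hosts, severity: str, today: date, target: float = 0.95) -> dict:
    """Return coverage ratio, whether it meets the target, and overdue hosts."""
    overdue = sorted(h.name for h in hosts if not is_compliant(h, severity, today))
    coverage = (len(hosts) - len(overdue)) / len(hosts) if hosts else 0.0
    return {"coverage": round(coverage, 3),
            "meets_target": coverage >= target,
            "overdue": overdue}

# Constructed inventory: one patch released 2024-03-01 across ten hosts.
_REL = date(2024, 3, 1)
INVENTORY = [
    Host("web-01", _REL, date(2024, 3, 2)),
    Host("web-02", _REL, date(2024, 3, 4)),
    Host("web-03", _REL, date(2024, 3, 6)),
    Host("app-01", _REL, date(2024, 3, 3)),
    Host("app-02", _REL, date(2024, 3, 8)),   # on the critical deadline, still in SLA
    Host("db-01", _REL, date(2024, 3, 15)),   # patched, but a week late for critical
    Host("db-02", _REL, date(2024, 3, 5)),
    Host("vpn-01", _REL, None),               # never patched: the open street-level window
    Host("ws-05", _REL, date(2024, 3, 7)),
    Host("mail-01", _REL, date(2024, 3, 1)),
]

if __name__ == "__main__":
    print(sla_report(INVENTORY, "critical", date(2024, 3, 20)))
```

Running the same inventory under the 30-day "medium" tier shows every host in window, which is why the SLA must be tied to severity rather than a single blanket deadline.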
Implementing two-factor authentication (2FA) to limit remote logins from unfamiliar IP addresses and workstations and following strong password rules are similarly basic but critical ways to cut off the easiest routes a cybercriminal has into a business network. If a cybercriminal doesn’t have a whole lot of time or money, cutting off the easy route is functionally equivalent to cutting off the only route.
Looking at it from this perspective, it’s clear why so many hacks can be attributed to missing the cybersecurity basics. “Basic” in this sense doesn’t mean easy, it means foundational. Both IT and business units need to appreciate that; doing so is essential to improving the rather dismal statistics on cybersecurity events.
Driving Cybersecurity Decisions with Risk, Not Hype
Does this mean, then, that if a particularly enthusiastic business unit gets home from a trade show with news of an exciting new security solution they want to implement, that it should be rejected out of hand? Of course not.
IT focusing on the basics doesn’t preclude implementing more sophisticated solutions – if they make sense. Security solutions built around technology like AI, machine learning and behavioural analytics are critical to handling a threat landscape that’s developing and changing at a breakneck pace.
As the threats evolve, our defences have to evolve with them. But understanding how a given solution reduces risk will always be the right way to determine if and how to implement a security solution, no matter how sophisticated the technology becomes.
As with a home security system, a new advanced solution is the sort of investment that needs to be justified in terms of potential risk. There are many complex risk assessments you can go through to determine if it’s worth investing in a particular solution. Does the value of the protected assets outweigh the cost of the solution? Will it truly protect against real-world threats? There are tons of variables to consider.
When it comes to risk assessment, one calculation always makes sense – getting the basics right is one of the most sound investments a business can make. Managing cybersecurity basics correctly takes next to no additional investment and provides an unparalleled ROI in terms of potentially preventing common, costly data breaches.