
The Three Best Defenses You Can Deploy

Every computer defender is inundated with over a hundred cybersecurity controls they are supposed to deploy to reduce their environment's risk of cyber attack. But what most security defense guides do not tell you is that just three defenses will decrease the vast majority of cybersecurity risk, and all the other defenses added together will not decrease even ten percent of the risk in most environments.

What are these magical three defenses?

Well, for one, they are not magical. They are the same three defenses that would have given any organization its best protection since the beginning of computers. They are:

  • Fight social engineering
  • Patch software and firmware
  • Use strong authentication

I will break down each of them below.

Fight Social Engineering

Social engineering is involved in 70% to 90% of all successful attacks and has been since the beginning of computers. Social engineering is when someone pretends to be a person or brand you trust more than you would trust a complete stranger, and asks you to perform an action that, if malicious, will harm you or your organization's interests. Most often, social engineering comes in the form of a phishing email, but it can arrive over any communication channel, including voice calls, web pages, text messages, and social media.

Most social engineering attempts arrive unexpectedly and ask the recipient to do something they have never done before, at least for that sender. The best way to defeat social engineering is a defense-in-depth plan consisting of policies, technical defenses, and end-user education. The last of these, education, is the most important and the most neglected.

Every organization should frequently train employees on how to spot the signs of a social engineering attack, how to avoid it, and how to report it to the organization's central collection point. Ideally, reporting is as simple for the end user as clicking a button.

Employees should be given plenty of training showing many different types of social engineering attacks, especially the most common and current ones. New employees should be given 30 to 60 minutes of security awareness training when hired and then annually thereafter. At least every month, users should be given additional, shorter training, perhaps lasting three to five minutes, focusing only on the most common and recent types of attacks. Each user should also undergo at least a monthly simulated phishing test in which they are sent fake phishing attacks that mimic the real ones they might otherwise face. Do not let real phishers be the only ones trying to social engineer your end users.

How well your organization does or does not fight social engineering and phishing is likely the difference between being successfully hacked or not. It is that important. No other single computer security defense comes close.

If you are interested in everything you can do to fight phishing, read this: https://www.knowbe4.com/hubfs/Comprehensive-Phishing-Guide.pdf.

Patch Software and Firmware

The second most common reason for successful hacking is hackers or their malware exploiting unpatched software or firmware. Unpatched software is involved in about 20% to 40% of all successful hacking attacks. Even though you should patch all critical vulnerabilities, you really, really need to patch the software and firmware that hackers and malware are actually exploiting (which is only about four percent of all software).

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of the software and firmware vulnerabilities that hackers and their malware are known to exploit. It is called the Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). Each entry names the vendor and product, the date it was added, the required action, and a due date. If you do not already subscribe to the list, you can subscribe here: https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_136.

Review the current list, and any time a new announcement comes in, which usually happens once to a few times a week, check whether you run any of the listed software or firmware. If you do, get it patched as soon as possible.
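Here is what that weekly check looks like in code. This is an added example, not part of the original article and not a CISA tool. The field names follow the public KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); the catalog entries, CVE IDs, vendors, products and inventory below are constructed placeholders, not real catalog records.

```python
"""Match a software inventory against KEV entries and rank what to patch first.

Added example. The JSON shape mirrors CISA's KEV feed; every record below is
constructed sample data with placeholder CVE IDs.
"""
import json
from datetime import date

# Constructed sample in the feed's shape (placeholder IDs, not real CVEs).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2024-01-10T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor",
         "product": "Example VPN Gateway",
         "vulnerabilityName": "Placeholder authentication bypass",
         "dateAdded": "2024-01-09", "shortDescription": "Placeholder.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-01-30", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor",
         "product": "Example Office Suite",
         "vulnerabilityName": "Placeholder remote code execution",
         "dateAdded": "2023-11-02", "shortDescription": "Placeholder.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-11-23", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-1900-0003", "vendorProject": "OtherVendor",
         "product": "Other Firmware",
         "vulnerabilityName": "Placeholder privilege escalation",
         "dateAdded": "2024-01-09", "shortDescription": "Placeholder.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-01-30", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed asset inventory: vendor/product as your CMDB names them.
INVENTORY = [
    {"vendor": "examplevendor", "product": "example  vpn gateway", "hosts": ["vpn-01", "vpn-02"]},
    {"vendor": "ExampleVendor", "product": "Example Office Suite", "hosts": ["ws-0100"]},
    {"vendor": "ThirdVendor", "product": "Unrelated App", "hosts": ["app-01"]},
]


def _norm(s):
    """Case- and whitespace-insensitive key so CMDB and KEV spellings line up."""
    return " ".join(s.lower().split())


def load_kev(kev_json):
    """Parse the feed text (from the URL above in production) into its entry list."""
    return json.loads(kev_json)["vulnerabilities"]


def match_kev(kev_entries, inventory, added_since=None, today=None):
    """Return KEV entries that hit the inventory, ransomware-linked and soonest-due first.

    added_since limits the run to new announcements; today is injectable for tests.
    KEV has no version data, so a match means 'confirm patch level on these hosts'.
    """
    today = today or date.today()
    index = {}
    for item in inventory:
        index.setdefault((_norm(item["vendor"]), _norm(item["product"])), []).extend(item["hosts"])

    matches = []
    for v in kev_entries:
        key = (_norm(v["vendorProject"]), _norm(v["product"]))
        if key not in index:
            continue
        added = date.fromisoformat(v["dateAdded"])
        if added_since and added < added_since:
            continue
        due = date.fromisoformat(v["dueDate"])
        matches.append({
            "cve": v["cveID"], "product": v["product"], "hosts": sorted(set(index[key])),
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
            "due": due, "days_left": (due - today).days, "overdue": due < today,
            "action": v["requiredAction"],
        })
    matches.sort(key=lambda m: (not m["ransomware"], m["due"]))
    return matches


if __name__ == "__main__":
    for m in match_kev(load_kev(SAMPLE_KEV_JSON), INVENTORY):
        flag = "RANSOMWARE " if m["ransomware"] else ""
        state = "OVERDUE" if m["overdue"] else f"{m['days_left']} days left"
        print(f"{flag}{m['cve']} {m['product']} on {', '.join(m['hosts'])}: {state}; {m['action']}")
```

Run it against the live feed by fetching the JSON URL instead of SAMPLE_KEV_JSON, and pass added_since as the date of your last run so the weekly job only reports new entries; the "overdue" flag catches anything that slipped through earlier runs.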

These two defenses, fighting social engineering and patching, if done well, will decrease your cybersecurity risk by up to 90%. Just two things, done very well.

Use Strong Authentication

Lastly, every user should use phishing-resistant multifactor authentication (MFA) to protect valuable data and systems. Sadly, most MFA, including a majority of the most popular MFA solutions, is not phishing-resistant. You need to use a phishing-resistant form of MFA whenever possible. If you are not sure which MFA is or is not phishing-resistant, here is a list I created of phishing-resistant MFA: https://www.linkedin.com/pulse/my-list-good-strong-mfa-roger-grimes.
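What "phishing-resistant" actually buys you is easiest to see in code. The added example below, which is not from the original article and not a product's code, simulates a man-in-the-middle phishing site that relays a login in real time. A one-time code typed by the victim is forwarded unchanged and accepted, because the code says nothing about where it was typed. A FIDO2/WebAuthn-style assertion fails, because the browser (not the user) reports the origin it is really on and the authenticator signs over that origin. HMAC stands in for the authenticator's public-key signature so the script needs only the standard library; the domain names are placeholders.

```python
"""Relay phishing against one-time codes versus origin-bound assertions.

Added example. HMAC-SHA256 with a shared key is a stand-in for the
authenticator's private-key signature; the origins are placeholders.
"""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil.test"   # look-alike relay site


# --- Legacy MFA: a one-time code (SMS/TOTP/push approval code) --------------
def otp_server_verify(submitted_code, expected_code):
    """The server only sees the digits; nothing binds them to a site."""
    return hmac.compare_digest(submitted_code, expected_code)


def relay_attack_otp(expected_code):
    """Victim types the code into the phishing page; the proxy forwards it verbatim."""
    code_typed_on_phish_site = expected_code
    return otp_server_verify(code_typed_on_phish_site, expected_code)


# --- Origin-bound MFA (FIDO2/WebAuthn shape) ---------------------------------
def authenticator_sign(key, challenge, browser_origin):
    """Sign the server challenge together with the origin the browser is on.

    In WebAuthn this is the clientDataJSON; the user cannot edit the origin.
    """
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return client_data, sig


def rp_verify(key, challenge, client_data, sig, expected_origin=REAL_ORIGIN):
    """Relying-party check: right origin, right challenge, valid signature."""
    data = json.loads(client_data)
    if data.get("origin") != expected_origin:
        return False          # the phishing-resistance check
    if data.get("challenge") != challenge:
        return False          # replay / cross-session check
    expected = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def legit_login_fido(key):
    challenge = secrets.token_hex(16)
    client_data, sig = authenticator_sign(key, challenge, REAL_ORIGIN)
    return rp_verify(key, challenge, client_data, sig)


def relay_attack_fido(key):
    """Proxy forwards the real challenge, but the victim's browser is on PHISH_ORIGIN."""
    challenge = secrets.token_hex(16)
    client_data, sig = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return rp_verify(key, challenge, client_data, sig)


def relay_attack_fido_rewrite_origin(key):
    """Proxy edits the origin back to the real one; the signature no longer matches."""
    challenge = secrets.token_hex(16)
    client_data, sig = authenticator_sign(key, challenge, PHISH_ORIGIN)
    forged = json.loads(client_data)
    forged["origin"] = REAL_ORIGIN
    return rp_verify(key, challenge, json.dumps(forged, sort_keys=True), sig)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("OTP relayed through phishing site accepted:", relay_attack_otp("123456"))
    print("FIDO legit login accepted:", legit_login_fido(key))
    print("FIDO relayed through phishing site accepted:", relay_attack_fido(key))
    print("FIDO relayed with origin rewritten accepted:", relay_attack_fido_rewrite_origin(key))
```

The same logic is why push-to-approve and SMS codes appear on the "not phishing-resistant" side of the list above: whatever the user can read and retype, a relay can forward.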

Unfortunately, less than two percent of the world's sites and services work with MFA. Most sites and services use login names and passwords. When you do use a password, it must be strong (i.e., very resistant to guessing and cracking) and unique per site. Strong passwords are randomly generated and at least 12 characters long. If you create a password yourself, it must be at least 20 characters long to be considered strongly resistant to guessing and cracking attacks.

No one likes to create and use very strong passwords. Because of that, most people should be using a good, popular password manager. Password managers create very strong, truly random, long passwords that are different for every site you use. And if you cannot use a password manager (or MFA), create a password that is at least 20 characters long and unique to the site.
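To make the "12 random characters" figure concrete, here is an added example (not from the original article, and not any password manager's code) that generates per-site passwords with a cryptographically secure generator and shows the guessing resistance the length buys. The guess rate in the estimate is a constructed round number for illustration, not a measured cracking speed.

```python
"""Generate random per-site passwords and quantify their guessing resistance.

Added example. The 1e12 guesses/second rate is a constructed illustration.
"""
import math
import secrets
import string

# 94 printable ASCII characters, no whitespace.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=12, alphabet=ALPHABET):
    """Use the secrets module, never random: random.choice is predictable by design."""
    if length < 12:
        raise ValueError("randomly generated passwords should be at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e12):
    """Years to try every candidate at a constant (constructed) offline guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


class Vault:
    """Minimal stand-in for a password manager's core promise: one random
    password per site, never reused. Not a real manager (no encryption at rest)."""

    def __init__(self):
        self._store = {}

    def create(self, site, length=12):
        if site in self._store:
            raise KeyError(f"{site} already has a password; rotate it explicitly")
        self._store[site] = generate_password(length)
        return self._store[site]

    def reused(self):
        """True if any password is shared between two sites."""
        return len(set(self._store.values())) != len(self._store)


if __name__ == "__main__":
    vault = Vault()
    for site in ("bank.example", "mail.example", "shop.example"):
        vault.create(site)
    for n in (12, 20):
        bits = entropy_bits(n)
        print(f"{n} random chars: {bits:.1f} bits, "
              f"about {years_to_exhaust(bits):.1e} years at 1e12 guesses/s")
```

A human-chosen 20-character password does not reach the entropy of 20 random characters, which is why the article sets a higher minimum for passwords you make up yourself.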

Well, that is it. How well you do on these three computer security defenses likely determines whether you or your organization is successfully hacked. Yes, there are many other ways anyone can be hacked, but these three recommendations eliminate 90% to 99% of the risk. Do these three things well and you likely will not be hacked. Do them poorly, as most organizations do, and you are likely to get successfully hacked.

Now go fight the good fight!

Roger A. Grimes is a Data-Driven Defense Evangelist at KnowBe4. He is a 30-year computer security professional, author of 13 books and over 1,200 national magazine articles. He frequently consults with the world's largest and smallest companies, and militaries, and he has seen what does and doesn't work. Grimes was a weekly security columnist for InfoWorld and CSO magazines from 2005 to 2019. He regularly presents at national computer security conferences, and has been interviewed by national magazines and radio shows, including Newsweek magazine and NPR's All Things Considered. Roger is known for his often contrarian, fact-filled viewpoints.