It’s a rough number, but I’d wager that 99 percent of computer security risk in most organizations can be attributed to two root causes: social engineering and unpatched software.
I’m not talking about the sheer number of successful exploits, but about overall impact. Many CISOs and threat intelligence analysts have told me that 100 percent of the biggest events at their company involved social engineering. Certainly, bad actors enter your environment through other means, which is why we still need to secure our servers, encrypt our disks, and prevent physical intrusions. But in terms of the biggest impact, most organizations can tie those events to two root causes.
Think about what that means. If your organization is like most, 99 percent of your current risk will be resolved if you address exactly two problems. Likewise, anything you do to address other problems accounts for 1 percent of that risk. If your own data analysis supports this assessment, then take a look at your allocated resources and see whether they are aligned against the right threats in the right proportions.
Shore up unpatched software
Defeating this root cause seems simple: patch your software! But if it were that simple, it wouldn’t have remained a top root cause for two decades.
Yet everyone knows training alone can’t provide a perfect defense. Some people will click anything sent their way no matter what you teach them.
My favorite defense is to implement an enterprise-wide two-factor authentication (2FA) program and get rid of passwords across the board. This isn’t easy, but as long as employees are required to have passwords, they can be easily phished out of them. With 2FA, an attacker can’t succeed in stealing the initial logon credentials without physical compromise or a sophisticated malware attack.
Even if you defeat credential theft, you still have to stop people from running rogue programs. Education can help, but you need more. Antimalware programs help detect and stop rogue programs, of course, but we all know they have accuracy limitations. I’m a huge fan of application control software (such as whitelisting programs), which I think will become far more pervasive in corporate environments than it is today. If you can’t use strict application control, then you have to do everything else, and everything else won’t be as good.
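To make the contrast between antimalware and application control concrete, here is an added example (not code from the original article or from any product it mentions) that models both decisions on the same set of constructed program executions. The allow-list, the known-bad list and the program contents are all made up for illustration; real enforcement happens in OS features such as AppLocker, WDAC or fapolicyd, which this script does not replace.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Digest used as the program identity in both models."""
    return hashlib.sha256(data).hexdigest()


# Constructed allow-list: digests of the only binaries the organization has approved.
# Identity is the content hash, so a renamed approved binary still matches and a
# modified one (same name, different bytes) does not.
APPROVED_DIGESTS: Dict[str, str] = {
    sha256_hex(b"constructed: approved notepad build 1.0"): "notepad 1.0",
    sha256_hex(b"constructed: approved updater build 2.3"): "updater 2.3",
}

# Constructed signature database for the antimalware model: it can only name
# programs it has already seen, which is the accuracy limitation the text refers to.
KNOWN_BAD_DIGESTS: Set[str] = {
    sha256_hex(b"constructed: last month's widely reported malware sample"),
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def antimalware_verdict(content: bytes) -> Decision:
    """Default-allow: blocks only programs whose digest is on the known-bad list."""
    if sha256_hex(content) in KNOWN_BAD_DIGESTS:
        return Decision(False, "matches a known-bad signature")
    return Decision(True, "no signature match (may still be malicious)")


def application_control_verdict(name: str, content: bytes) -> Decision:
    """Default-deny: runs a program only if its digest is on the approved list."""
    label = APPROVED_DIGESTS.get(sha256_hex(content))
    if label is None:
        return Decision(False, f"{name}: digest not in allow-list (unknown or modified program)")
    return Decision(True, f"{name}: approved as {label}")


# Constructed execution events: an approved tool, a program that arrived via phishing
# and is not yet in any signature database, and an approved tool with a tampered body.
EVENTS: List[Tuple[str, bytes]] = [
    ("notepad.exe", b"constructed: approved notepad build 1.0"),
    ("invoice_viewer.exe", b"constructed: program attached to a phishing email"),
    ("updater.exe", b"constructed: approved updater build 2.3 with appended payload"),
]


def compare_models() -> List[Tuple[str, bool, bool]]:
    """Return (name, antimalware_allowed, application_control_allowed) per event."""
    return [
        (name, antimalware_verdict(body).allowed, application_control_verdict(name, body).allowed)
        for name, body in EVENTS
    ]


if __name__ == "__main__":
    for name, av_ok, ac_ok in compare_models():
        print(f"{name:20} antimalware={'ALLOW' if av_ok else 'DENY'}  "
              f"application-control={'ALLOW' if ac_ok else 'DENY'}")
```

Run as a script it prints one line per event. The signature model lets both the unseen phishing program and the tampered updater run, because neither matches a known-bad entry; the allow-list model denies both without needing to know anything about them, which is why the text rates application control above "everything else."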
Stopping social engineering could involve many possible strategies for your environment. It could mean defense in depth, increased security boundaries, assume-breach defenses, and more. But if you are able to identify the most likely causes of social engineering and fix the unpatched software, you’ll be way ahead of the game.