Five foundations to cybersecurity defense mitigating 90% of breaches

Over my 16 years in the cybersecurity industry, the numerous CISOs and cyber security experts I have discussed this with all agree that there are five basic steps any organization can take to mitigate over 90% of all cyber breaches1.

Just like cars were not initially designed for safety, the internet was not designed for security. With a growing number of fatal accidents, the car industry and governments took action to make driving a car ten times safer. Five features and controls that have proven to make the biggest difference for car safety today include seatbelts, crush zones, airbags, driver education, and mandatory motor vehicle inspections. 

Today, cyber attacks are the single biggest crime sector impacting the security of billions of people around the world. Ranging from criminal gangs to governments, attackers are becoming increasingly sophisticated, organized, and well funded, leveraging the latest technologies, including Artificial Intelligence, to automate advanced attacks at scale.

Thankfully, governments and industry bodies are joining forces to improve internet safety, similar to what has been achieved for cars. Large technology, financial and healthcare corporations, and government agencies are required to comply with extensive risk management frameworks. These initiatives are important, but it is a daunting task for any organization to address every cyber security risk. At Yubico, on our mission to make the internet safer for everyone, we want to help others mitigate the most impactful cyber threats. This can be achieved by implementing five key controls that make the biggest difference while continuing to strive for broader security and compliance goals.

1) Use multi-factor authentication (MFA) to access all IT systems and implement phishing-resistant authentication for all privileged users

Cyber security experts agree that strong MFA is the most important defense against accidental disclosure and cyber attacks that target user identities. Statistics show that more than 80% of breaches involve stolen and misused login credentials1.

Logging in to IT systems with only a username and password is, in physical-world terms, like relying on a simple lock on your front door: it is easily bypassed. Additional steps, such as one-time passcodes (OTP) from an authenticator app, add a further layer of security, similar to adding a deadbolt to that door. However, advanced phishing and social engineering attacks show that fraudsters can trick users into handing over these one-time passcodes.

Phishing-resistant authentication technologies, based on public key cryptography, provide a greater degree of account protection while reducing the likelihood of human error. The FIDO standards and smart cards both provide this increased level of protection, comparable to an iron bank vault that requires multiple factors to open. To protect the most targeted users and stop the most damaging breaches, this level of protection is recommended for all privileged or sensitive users: anyone authorized to access or perform security-relevant functions in the company, and anyone with access to IT systems and servers holding sensitive information.

The US Government has acknowledged that not all MFA is created equal, and a White House directive recommends phishing-resistant authentication as the only approved login method for all US government agencies by 2024.
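To make the "phishing-resistant" claim concrete, here is an added example in Go (written for this edit; it is not Yubico's code and not any FIDO library's API) that models a FIDO2/WebAuthn-style login in the standard library only. The authenticator signs the server's challenge together with the origin the browser is really on, the browser only lets a site request a credential scoped to its own domain, and the relying party rejects anything produced at a lookalike origin or replayed with an old challenge. The hostnames, the challenge string and the simplified authenticator data (only the rpIdHash, no flags or counter) are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// clientData mirrors WebAuthn's collectedClientData: the browser builds it and the
// authenticator signs its hash, so the origin the user is really on is part of the signature.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party (RP) gets back; real authenticator data also carries
// flags and a signature counter, this model keeps only the rpIdHash (constructed simplification).
type assertion struct {
	RPIDHash   []byte // sha256 of the rpId the credential is scoped to
	ClientJSON []byte
	Sig        []byte // ASN.1 ECDSA (ES256) signature
}

// authenticator simulates a security key with one credential per rpId.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func newAuthenticator() *authenticator { return &authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// register creates a credential scoped to rpID and returns the public key the RP stores.
// The private key never leaves the device.
func (a *authenticator) register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedDigest is what ES256 signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(rpIDHash, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	d := sha256.Sum256(append(append([]byte{}, rpIDHash...), cdHash[:]...))
	return d[:]
}

// browserGet models the client: the browser accepts an rpId only if it equals the origin's
// host or is a suffix of it, then has the authenticator sign the challenge plus the real origin.
func browserGet(a *authenticator, origin, rpID, challenge string) (*assertion, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("rpId %q is not valid for origin %q", rpID, origin)
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for rpId %q", rpID)
	}
	cj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpHash[:], cj))
	if err != nil {
		return nil, err
	}
	return &assertion{RPIDHash: rpHash[:], ClientJSON: cj, Sig: sig}, nil
}

// verifyAssertion is the RP's check: rpId, challenge, origin, then the signature.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin, challenge string, as *assertion) error {
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.RPIDHash, rpHash[:]) {
		return fmt.Errorf("rpIdHash mismatch: credential belongs to another site")
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q does not match %q: signed on another site", cd.Origin, expectedOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(rpHash[:], as.ClientJSON), as.Sig) {
		return fmt.Errorf("invalid signature")
	}
	return nil
}

func main() {
	a := newAuthenticator()
	pub, _ := a.register("bank.example")
	ch := "constructed-challenge-42" // a real RP generates this at random for every login
	as, _ := browserGet(a, "https://bank.example", "bank.example", ch)
	fmt.Println("genuine login:", verifyAssertion(pub, "bank.example", "https://bank.example", ch, as))
	_, err := browserGet(a, "https://bank-login.example", "bank.example", ch)
	fmt.Println("lookalike site:", err)
}
```

The contrast with the OTP "deadbolt" above is the origin field: a passcode a user types carries no information about where it was typed, so a relayed code is indistinguishable from a genuine one, whereas here the browser refuses to use the bank's credential on a lookalike host at all, and even an assertion whose clientData has been altered to claim the right origin fails the signature check because the origin was inside the signed data.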

2) Limit users’ access rights to the minimum required to perform their role

To reduce the attack surface and the number of people in an organization who could cause a breach, it is also critical to limit access rights on all IT systems to the people who need them to perform their job responsibilities. Statistics show that breaches caused by an organization's own staff or contractors, whether deliberately or accidentally, account for 19% of all breaches1. Some of these insider attacks may be orchestrated by outside forces, including competitors and governments, and the best way to stop employees who are planning to commit a crime, whether unwittingly or willingly, is to ensure that they do not have access to the most critical data and systems.

3) Apply software patches for all high-risk vulnerabilities within 30 days, and use only supported software versions

Attackers look for ways to exploit vulnerabilities in old and unpatched software and IT systems; unpatched software is directly or indirectly the cause of 5% of all breaches1. By moving IT systems from on-premises servers to modern cloud services, organizations benefit from the cloud vendors' continuous patching of known vulnerabilities. However, because cloud services can be accessed from anywhere, it is even more important to implement step one on this list: strong MFA for all logins.

4) Back-up all business critical data and test recovery procedures

Backups of critical information and systems may be required to restore operations to an operable and trusted state. This step will not stop breaches, but it is critical to safeguard business operations and continuity.

5) Annual employee security awareness training and continuous learning

Remind employees of their responsibilities and provide guidance on how to fulfill them – starting with the list of the previous four foundational steps. Provide continual updates as the business and cyber threats evolve, and just like all education, try to make it fun and engaging and people will learn. This is why, after stepping aside as CEO earlier this year, I am dedicating some of my free time to contributing to the script of a comedy movie series that embodies the steps outlined in this blog. While cyber fraudsters try to trick users into making mistakes that lead to breaches, entertaining education can trick users into wanting to learn how to outsmart the fraudsters.

The above five foundational steps can be used by any organization to track their cybersecurity maturity over time, for reporting to the leadership team and board, and for peer benchmarking. This list will also help prepare companies for the addition of cybersecurity risk management information as part of the annual environmental, social, and governance (ESG) reporting, and help customers and investors to assess risk and make informed decisions based on consistent and useful information.  

In upcoming blogs and webinars, Yubico will share more content and tools that will make it even easier for any organization to track and measure their own ‘five steps’ for effective cyber defense. We will then also introduce the security experts, industry bodies and government agencies that we are partnering with to drive this initiative. It may be a bold goal, but based on the current statistics on what causes the most damage, it is possible to help mitigate 90% of all breaches in 5 years. 

We are committed to our mission making the internet safer for everyone. Together, we can stop fraudsters from limiting the potential of what the internet is and can be. 

——

1The statistics cited in this blog are from Verizon's 2023 Data Breach Investigations Report.
