Over my 16 years in the cybersecurity industry, and in discussions with numerous CISOs and cyber security experts, one view keeps coming up: there are five basic steps every organization can take to mitigate over 90% of all cyber breaches[1].
Just like cars were not initially designed for safety, the internet was not designed for security. With a growing number of fatal accidents, the car industry and governments took action to make driving a car ten times safer. Five features and controls that have proven to make the biggest difference for car safety today are seatbelts, crumple zones, airbags, driver education, and mandatory motor vehicle inspections.
Today, cyber attacks are the single biggest crime sector impacting the security of billions of people around the world. Ranging from criminal gangs to governments, hackers are becoming increasingly more sophisticated, organized, and well funded, leveraging the latest cyber technologies, including Artificial Intelligence, to automate advanced attacks at scale.
Thankfully, governments and industry bodies are joining forces to improve internet safety, similar to what has been achieved for cars. Large technology, financial and healthcare corporations, and government agencies are required to comply with extensive risk management frameworks. These initiatives are important, but it is a daunting task for any organization to address every cyber security risk. At Yubico, on our mission of making the internet safer for everyone, we want to help others mitigate the most impactful cyber threats. This can be achieved by implementing five key controls that make the biggest difference, while continuing to strive for broader security and compliance goals.
1) Use multi-factor authentication (MFA) to access all IT systems and implement phishing-resistant authentication for all privileged users
Cyber security experts agree that strong MFA is the most important defense against accidental disclosure and cyber attacks that target user identities. Statistics show that more than 80% of breaches involve stolen and misused login credentials[1].
Logging in to IT systems with only a username and password is, in physical-world terms, like a simple lock on your front door: it can be easily bypassed. Additional steps, such as one-time passcodes (OTP) from an authenticator app, add a further layer of security, similar to a deadbolt on that door. However, advanced phishing and social engineering attacks have shown that fraudsters can trick users into sharing these one-time passcodes, and a look-alike site can relay a freshly typed code to the real site before it expires.
Phishing-resistant authentication technologies, based on public key cryptography, provide a greater degree of account protection while reducing the likelihood of human error: the credential is bound to the legitimate site, so a look-alike site cannot obtain a usable login from the user. The FIDO standards and PKI-based smart cards both provide this increased level of protection. The security level is similar to an iron bank vault that requires multiple factors to open. To stop the most targeted and damaging breaches, this level of protection is recommended for all privileged or sensitive users: anyone authorized to perform security-relevant functions for the company, and anyone with access to IT systems and servers holding sensitive information.
The US Government has acknowledged that not all MFA is created equal: the White House Office of Management and Budget's Federal Zero Trust Strategy (memorandum M-22-09) requires agencies to adopt phishing-resistant MFA for staff, contractors and partners by the end of fiscal year 2024.
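As an added illustration (not Yubico's code, nor any FIDO library), the following Python toy models the difference described above: a relayed one-time passcode is accepted by the real site because nothing in the code says where it was typed, whereas a FIDO-style assertion is scoped to the site's identifier and signs the browser-supplied origin together with a fresh challenge. Assumptions: `login.example.com` and the look-alike `login.examp1e.com` are placeholder hosts, the TOTP secret is the published RFC 6238 test key, and an HMAC stands in for the authenticator's private-key signature so the example runs without third-party packages; the origin and challenge binding is what the example is about, not the signature primitive.

```python
import hashlib
import hmac
import json
import os
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as an authenticator app computes it."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_relay_succeeds(unix_time: int) -> bool:
    """Adversary-in-the-middle phishing: the look-alike site asks for the code, the
    user types it, the attacker submits it to the real site within the 30 s window.
    Nothing in the code says where it was typed, so the real site accepts it."""
    secret = b"12345678901234567890"  # constructed sample secret (the RFC 6238 test key)
    code_typed_on_phishing_site = totp(secret, unix_time)
    return hmac.compare_digest(totp(secret, unix_time), code_typed_on_phishing_site)


def _sign(key: bytes, data: bytes) -> bytes:
    # ASSUMPTION: HMAC stands in for the authenticator's private-key signature
    # (real FIDO uses e.g. ECDSA P-256, so the service stores only a public key).
    return hmac.new(key, data, hashlib.sha256).digest()


class Authenticator:
    """Security key: each credential is scoped to the relying-party ID it was
    registered for, and the browser, not the user, supplies the origin."""

    def __init__(self):
        self.credentials = {}  # rp_id -> credential key

    def make_credential(self, rp_id: str) -> bytes:
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]  # stands in for the public key sent to the service

    def get_assertion(self, browser_origin: str, challenge: bytes):
        rp_id = browser_origin.split("://", 1)[1]  # "https://login.example.com" -> "login.example.com"
        key = self.credentials.get(rp_id)
        if key is None:
            return None  # no credential for this origin: nothing to sign
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        client_data = json.dumps({"challenge": challenge.hex(), "origin": browser_origin}).encode()
        return auth_data, client_data, _sign(key, auth_data + hashlib.sha256(client_data).digest())


class RelyingParty:
    """The real service. Verifies that the signed origin and challenge are its own."""

    def __init__(self, origin: str):
        self.origin, self.rp_id = origin, origin.split("://", 1)[1]
        self.registered = {}  # user -> credential key
        self.pending = {}     # user -> outstanding challenge

    def begin_login(self, user: str) -> bytes:
        self.pending[user] = os.urandom(32)
        return self.pending[user]

    def finish_login(self, user: str, assertion) -> bool:
        challenge = self.pending.pop(user, None)
        if assertion is None or challenge is None:
            return False
        auth_data, client_data, signature = assertion
        client = json.loads(client_data)
        if client["origin"] != self.origin or client["challenge"] != challenge.hex():
            return False  # signed for a different site, or not the challenge we just issued
        if auth_data != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        expected = _sign(self.registered[user], auth_data + hashlib.sha256(client_data).digest())
        return hmac.compare_digest(signature, expected)


def fido_scenarios():
    """Returns (legitimate login, phished login, replayed assertion) as booleans."""
    rp = RelyingParty("https://login.example.com")
    key = Authenticator()
    rp.registered["alice"] = key.make_credential(rp.rp_id)

    legit_assertion = key.get_assertion("https://login.example.com", rp.begin_login("alice"))
    legit = rp.finish_login("alice", legit_assertion)

    # Phishing: a proxy at login.examp1e.com relays the real challenge to the user's
    # browser, but the key holds no credential for that origin and signs nothing.
    phished = rp.finish_login("alice", key.get_assertion("https://login.examp1e.com", rp.begin_login("alice")))

    # Replay: an assertion captured earlier answers a challenge that is no longer pending.
    rp.begin_login("alice")
    replayed = rp.finish_login("alice", legit_assertion)
    return legit, phished, replayed
```

`fido_scenarios()` walks three cases: the legitimate login succeeds, the phished login fails because the key has no credential for the look-alike origin (and, had one existed, the signed origin would not match the real site's), and the replay fails because the challenge has already been consumed. A real deployment additionally checks the authenticator's signature counter and user-presence flag, which this model leaves out.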
2) Limit users’ access rights to the minimum required to perform their role
To shrink the attack surface and the number of people in an organization who can cause a breach, it is critical to also limit access rights for all IT systems to the people who need those rights to perform their job responsibilities. Statistics show that breaches caused by the organization's own staff or contractors, deliberately or accidentally, are behind 19% of all breaches[1]. Some of these insider attacks may be orchestrated by outside forces, including competitors and governments, and the best way to contain employees who are planning, willingly or under coercion, to commit a crime is to ensure that they do not have access to the most critical data and systems in the first place.
3) Apply software patches for all high-risk vulnerabilities within 30 days, and use only supported software versions
Hackers look for ways to exploit vulnerabilities in old and unpatched software and IT systems. Unpatched software is directly or indirectly the reason behind 5% of all breaches[1]. Moving IT systems from self-managed on-premises servers to modern cloud services shifts patching of the underlying platform to the cloud vendor, which continuously updates it for known vulnerabilities; the customer remains responsible for its own applications and configuration. However, as cloud services can be accessed from anywhere, it is even more important to implement step one on this list: strong MFA for all logins.
4) Back-up all business critical data and test recovery procedures
Backups of critical information and systems are needed to restore operations to an operable and trusted state after an incident, which requires that the backups are kept out of reach of the systems they protect and that recovery is actually rehearsed, not just assumed to work. This step will not stop breaches, but it is critical to safeguard business operations and continuity.
5) Annual employee security awareness training and continuous learning
Remind employees of their responsibilities and provide guidance on how to fulfil them, starting with the four foundational steps above. Provide continual updates as the business and cyber threats evolve, and, as with all education, make it fun and engaging and people will learn. This is why, after stepping aside as CEO earlier this year, I am dedicating some of my free time to contributing to the script of a comedy movie series that embodies the steps outlined in this blog. While cyber fraudsters try to trick users into making mistakes that lead to breaches, entertaining education can trick users into wanting to learn how to outsmart the fraudsters.
—
The above five foundational steps can be used by any organization to track their cybersecurity maturity over time, for reporting to the leadership team and board, and for peer benchmarking. This list will also help prepare companies for the addition of cybersecurity risk management information as part of the annual environmental, social, and governance (ESG) reporting, and help customers and investors to assess risk and make informed decisions based on consistent and useful information.
In upcoming blogs and webinars, Yubico will share more content and tools that will make it even easier for any organization to track and measure their own ‘five steps’ for effective cyber defense. We will then also introduce the security experts, industry bodies and government agencies that we are partnering with to drive this initiative. It may be a bold goal, but based on the current statistics on what causes the most damage, it is possible to help mitigate 90% of all breaches in 5 years.
We are committed to our mission of making the internet safer for everyone. Together, we can stop fraudsters from limiting the potential of what the internet is and can be.
——
[1] The statistics cited in this blog are from Verizon's 2023 Data Breach Investigations Report.