Cyber breaches or ransomware-induced shutdowns can crush a company. Financial loss. Reputation damage. Legal penalties. Nobody wants to be responsible for any of these, but attacks are on the rise. The average corporate data breach in the U.S. costs $9.44 million, plus regulatory penalties.
And attackers are always looking for better weapons. To rip a true story from the headlines, a U.K. executive was bamboozled by an AI-generated call from — he thought — his CEO. The phone voice had the precise German accent and cadence of his boss. The executive dutifully followed instructions to wire $243,000 to a "new supplier" in Eastern Europe.
That was futuristic when it happened, but most cybercrime successes come from simpler techniques applied to paths of least resistance. Basic vulnerabilities allow hackers to steal millions. Imagine what emerging threats such as attacks built on language-model AI could cost your business. The previous example pales by comparison.
Luckily, cybersecurity hygiene can greatly limit exposure and prevent most breaches.
The good, the bad and the ugly
Let me paint a picture of what we’re dealing with. The average enterprise identifies 345 new vulnerabilities rated as critical on its attack surface each month. Attack surfaces constantly fluctuate (by roughly 9% monthly), making security gaps harder to detect. Remediating every supposedly critical vulnerability would keep a security team busy full time.
To truly reduce risk, security teams need to know which vulnerabilities actually matter most, and how to mitigate them. Exposure of a customer database could cost millions and cripple a business. Obsolete warehouse maintenance logs, by comparison, have little business value and are therefore not urgent.
The lesson here? Having the visibility and context to prioritize what constitutes a high risk of consequential loss gives security leaders the great advantage of knowing what to mitigate first. And cyber hygiene enables proper prioritization. How so? An environment where firmware, passwords and user privileges are not up to date and discipline is sloppy will undoubtedly create gaps in an organization’s attack surface and point bad actors to exposed assets. The answer: take back control of security hygiene.
See the whole forest, and prioritize which unhealthy trees to cut down
The solution to this problem — contrary to what many organizations have become accustomed to — does not involve adopting more point solutions. In fact, security stacks have grown out of control, creating more admin work and alert fatigue than most security teams can handle.
A critical ingredient in prioritizing risk, however, is having full-spectrum visibility of your assets, data, users and applications. Over half of successful breaches involve undetected — and therefore unmanaged — assets. With the proper visibility, security teams can:
- Manage all assets and address their security;
- Look at their context and business purpose, if they appear in security alerts;
- Prioritize the truly “must fix now” issues and get to work remediating them;
- Identify helpful adjustments to hygiene, like eliminating weak passwords and data exposure.
Another great lesson: see the forest, but understand which few trees to cut down. Identifying the purpose, context and value of business assets helps prioritize for the “real world” and significantly lowers the number of critical alerts to remediate.
Meanwhile, robust hygiene across the organization keeps that forest smaller — making it harder for hackers to exploit vulnerabilities.
The building blocks of effective cyber hygiene
Robust hygiene includes managing password and firmware updates, doing regular backups and keeping data access privileges current. But to be fully effective, hygiene needs other building blocks of cybersecurity to be in place. Let’s review what cyber hygiene consists of and how to use it.
- Visibility. Tracking and protecting all assets requires more than basic visibility. The bar has risen, and it is now necessary to also identify which unit or subsidiary each database and server belongs to (see ownership attribution, below). Even today, up-to-date, complete views of network and data assets elude many organizations.
- Risk assessment of the entire attack surface. This should include external attack surfaces. For example, even government cloud assets can expose terabytes of emails if not assessed and protected properly.
- Automation to determine the context and business value of assets. This entails attributing assets to the right business unit within the organization, and classifying them by type. This allows security leaders to gauge their value and the consequences if they were compromised.
- Prioritization of vulnerabilities. Simply accepting a list of critical vulnerabilities that pop out of the security toolset could tie teams down, chasing false criticals. Accurate prioritization depends on knowing the context and ownership of assets, and their exploitability. For instance, could one stolen password lead to theft of private customer information?
- An enabling environment for cyber hygiene. This could include a zero-trust architecture, effective strategies for fast remediation, and employee training that is engaging and motivational.
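The prioritization the list above describes (asset ownership, business value and exploitability outweighing the raw scanner rating) can be made concrete in a few lines. The following is an added illustration, not the page's or any vendor's tooling; the weights, asset names, owners and finding ids are all constructed assumptions, and the ids are placeholders rather than real CVE numbers.

```python
"""Context-aware vulnerability prioritization (added illustration, not the page's
own tooling). Scanner severity is scaled by the asset's business value, exposure
and known exploitability; all data and weights below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

VALUE_WEIGHT = {"crown_jewel": 1.0, "standard": 0.6, "low": 0.2}
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str      # business unit the asset is attributed to
    value: str      # crown_jewel | standard | low
    exposure: str   # internet | internal | isolated
@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str    # placeholder id, not a real CVE number
    cvss: float     # raw scanner severity, 0-10
    exploit_known: bool  # public exploit or active exploitation observed

def risk_score(f: Finding) -> float:
    """0-100 priority: severity scaled by asset context, boosted if exploitable."""
    base = (f.cvss / 10) * VALUE_WEIGHT[f.asset.value] * EXPOSURE_WEIGHT[f.asset.exposure]
    base *= 1.5 if f.exploit_known else 1.0
    return round(min(base, 1.0) * 100, 1)

def prioritize(findings: List[Finding]) -> List[Tuple[str, str, float]]:
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset.name, f.vuln_id, risk_score(f)) for f in ranked]

def must_fix_now(findings: List[Finding], threshold: float = 50.0) -> Dict[str, List[str]]:
    """Route 'must fix now' items to the owning business unit."""
    queue: Dict[str, List[str]] = {}
    for f in findings:
        if risk_score(f) >= threshold:
            queue.setdefault(f.asset.owner, []).append(f"{f.asset.name}:{f.vuln_id}")
    return queue
# Constructed inventory: four assets with one scanner finding each.
CUSTOMER_DB = Asset("customer-db", "Retail", "crown_jewel", "internal")
WEB_PORTAL = Asset("web-portal", "Retail", "standard", "internet")
HR_PORTAL = Asset("hr-portal", "HR", "standard", "internal")
WAREHOUSE_LOGS = Asset("warehouse-maint-logs", "Logistics", "low", "isolated")
SAMPLE_FINDINGS = [
    Finding(WAREHOUSE_LOGS, "VULN-0001", 9.8, False),  # scanner says "critical"
    Finding(HR_PORTAL, "VULN-0002", 9.8, False),
    Finding(CUSTOMER_DB, "VULN-0003", 8.0, True),      # only "high", but a crown jewel
    Finding(WEB_PORTAL, "VULN-0004", 9.1, True),
]
```

Running `prioritize(SAMPLE_FINDINGS)` puts the 9.8 on the isolated warehouse logs last and the 8.0 on the customer database above the 9.8 on the HR portal, which is the "false critical" effect the text describes.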
Cybersecurity hygiene reinforces other foundational security measures. Acting together, they enable most companies to shut down most cyber attacks. It’s about going back to basics, while prioritizing must-fix vulnerabilities.
To drill further into automation: it has a dual role here. It handles the daunting grunt work of cyber hygiene and of the other processes mentioned above, and it is essential for applying heuristics and natural language programming to classify, attribute and assign value to IT assets.
What about exploitable vulnerabilities and attacks that actually succeed?
Cybercrime — successful attacks and their consequences — in the aggregate would be the world’s third-largest economy, after the U.S. and China. Businesses need to efficiently remediate critical risks that are exploitable. Hygiene cuts down on their exploitability by reducing unauthorized access, which is a great help.
But what happens when an attack breaks through? Fast detection and remediation within a well-practiced response plan should shorten mean time to remediate (MTTR) and contain the blast radius of a successful attack, limiting the damage.
If you understand your own attack surface, you can take a hacker’s perspective and see how — as one example — simply purchasing stolen credentials can allow break-ins to elude detection when good cyber hygiene is not practiced across an organization. Zero trust principles may provide significant protection, but something as simple as frequent password rotation can render stolen credentials useless to attackers.