The key to really good cybersecurity is to concentrate on just 4 things. Master them first before you begin to try and do the other hundreds of things that everyone else is going to tell you need to do.
Here are the four things all computer security people should do to significantly lower cybersecurity risk the best and most effectively:
- Mitigate social engineering
- Patch exploited software
- Practice good password hygiene
- Use multi-factor authentication (MFA)
There it is. Those four things, if concentrated on and done well, will make you and your organization significantly less likely to experience a negative cybersecurity event. If not done well, as is the case with most people and organizations, it will mean you are at higher risk for negative cybersecurity events. No other defense recommendations (e.g., antivirus, firewalls, least-privilege, etc.) will do as much to significantly reducing cybersecurity risk than the four things mentioned above.
I am not staking my 34-year cybersecurity career on saying that these four things will do more to decrease cybersecurity risk than anything else, because for the entirety of the computer age, these four defenses would have put down 99% of all cybersecurity attacks. It is people’s and organization’s inability to correctly focus on these four things that allows cybercriminals and their malware to be as successful as they are. I am not saying they are the only four things you should be doing or that if doing these four things very well will absolutely mean you will not get hacked. But what I am saying is the odds of you or your organization getting hacked go up significantly if you do not do these four things well; and vice-versa.
I have written white papers, books and hundreds of cybersecurity articles on this topic. If you want the basis for my recommendations, please read my magnum opus on the topic: A Data-Driven Computer Defense.
Or read any of the free articles I post on LinkedIn every week. I am a broken record about this topic. When I die, if I get this one point across to more people and help to better secure people’s computers, organizations and the Internet, I will die a happy man.
How Do I Know These Four Things Will Best Defeat Hackers and Malware?
Well, it is because for over three decades, the most popular ways hackers and malware have compromised devices and organizations have been social engineering, unpatched software and password issues. If you want to stop someone from repeatedly breaking into your house, you have to figure out how they are breaking into your house and stop it. Same with computers and networks.
Defense In Depth – Policies, Technical Defenses, Education
For each of the four mitigations, you need to create the best combination of policies, technical defenses and education that you can. You create policies, that if followed, decrease the likelihood of something bad happening. Like looking both ways before crossing a street. You try your best to implement technical defenses (e.g., content filters, antivirus, secure configurations, etc.) that decrease the likelihood of a potential harmful thing from reaching a user or exploiting a device. Lastly, you give every user the best education you can to help them recognize badness and how to treat appropriately (e.g., report, ignore, delete, etc.), because no matter how great your policies and technical defenses are, some amount of badness will get to your users, and they need to know how to evaluate and treat.
Mitigate Social Engineering
The vast majority of hacking and malware are successful because of social engineering. Depending on the vendor and study, the percentage of cybercrime that involves social engineering is between 50% to 92%. There is no other root cause that accounts for nearly as much cybercrime. Handle social engineering threats well, and you get rid of at least half the risk cybercrime. One thing. Half of your risk gone.
Social engineering usually tries to trick a potential victim into revealing confidential information (e.g., password, private information, etc.) or into downloading or executing malicious content. The single best thing any person or company can do to defeat social engineering is to get education on how to spot and treat potential social engineering threats. Getting everyone good security awareness training and doing simulated phishing tests should be done by every organization. Making everyone familiar with how to recognize the various types of social engineering scams and creating a culture of healthy skepticism should be the goal.
Let me say this again: The single best thing any organization could do to prevent cybercrime is to better mitigate social engineering. Nothing else has as much bang for the buck. Nothing.
Patch Exploited Software
After social engineering, unpatched software comes in a distant second for the most popular root cause of cybercrime. How much unpatched software is involved in cybercrime changes over time, but in general, it is involved in 20% to 40% of cybercrime incidents. Perfectly patch your software and you get rid of 20% to 40% of your risk.
You really do not even need to patch everything. You just need to perfectly patch the software that hackers exploit. Which software do hackers exploit? Glad you asked. The U.S. Cybersecurity Infrastructure Security Agency (CISA) has a list of what software is used by hackers to break into places. It is officially known as the Known Exploited Vulnerabilities Catalog. If an exploit is on this list, get it patched ASAP. You really need to patch any critical security exploit, but if it appears on this list, you really, really need to patch it ASAP. You can subscribe to a CISA announcement list to get proactively notified.
Practice Good Password Hygiene
Hackers have always loved to guess at passwords and to have their malware creations steal them. There exists tens of billions of people’s login names and passwords on the Internet where anyone can see them and try them. Even if the passwords are not the user’s current passwords, oftentimes they reveal patterns, which can be used by hackers to guess the current passwords.
The single best password defense is to make sure you use a different password on every website and service. Since the average person has over 170 websites and services they log into in a given year, using a password manager is the way to go. Use a password manager to create different long and complex passwords for every website.
Use Multi-factor Authentication
Where you can, to protect valuable data use multi-factor authentication (MFA). MFA can be hacked and bypassed (I even wrote a book on the subject, Hacking Multi-factor Authentication. But using good MFA probably eliminates at least 20% of hacking attacks.
Here is the big caveat. The whole reason you need to move to MFA is to prevent hackers from social engineering you out of your password, but perhaps 80% to 90% of MFA can be easily socially engineered around. Pick an MFA solution which cannot be easily defeated or bypassed by sending a simple phishing email. Most MFA…likely the one you like…can be easily socially engineered. But there are varieties (e.g., FIDO2-based, BeyondIdentity.com, etc.) that are harder to social engineer around. Pick a strong MFA solution. There is no need to move to MFA that is easily socially engineered. It defeats the purpose. I cover the topic here and here.
So, this is it! This is what you need to do to significantly reduce your cybersecurity risk. Everyone else will try to distract you with this and that and all sorts of solutions which will not work nearly as well as what I tell you here. If a solution you are wondering about or trying to promote is not on this page, it may help defeat hackers and malware, but not as much as these four things. This is the cold, hard truth. No one else will tell you as concisely how to best protect yourself and your organization against hackers and malware. I just did. Go fight the good fight!