Every good defense has three pillars of controls: policy, technical, and education. People are always asking what they should do under each pillar to minimize cybersecurity events the most, and what they should do first and best.
The Scope of the Problem
There are a lot of things to worry about. There were 12,174 new vulnerabilities announced last year alone and hundreds of defenses you are told you need to deploy ASAP. The MITRE Common Weakness Enumeration list provides 839 potential cybersecurity weaknesses. The original, fairly small MITRE ATT&CK framework now has 12 columns and 70 rows, and is still growing, showing you all the different ways you can be compromised.
The defense-in-depth guidelines are growing each year. The NIST Cybersecurity Framework, one of the most popular guides, is 55 pages long. The SANS Top 10 list of controls has turned into the Center for Internet Security’s Top 20 list. And let’s not forget programmers. The OWASP Top 10 list is still a great guide. This is on top of all the millions of new malware programs and hackers of every stripe (e.g., nation-state, script kiddie, financial thief, etc.) trying to break into your organization. I don’t know of any field that has so many simultaneous threats. It’s a lot to worry about.
What You Should Do First and Best
You cannot do everything you need to do first and best. You just can’t. Although you need to do it all…or at least most of it…you have to pick what to start with. The data is in.
Since social engineering and phishing account for 70% to 90% of all malicious data breaches, and unpatched software accounts for 20% to 40% of them, anything you can do to fight those root causes of exploitation is what you should be doing first and best. These are the controls you should start with under each of the control pillars.
Best Technical Controls
Any technical control you can implement to decrease successful phishing (e.g., content filters, anti-spam, anti-malware, anti-phishing) and increase your patching percentages should be done. This is where your defense-in-depth strategy needs to concentrate. I have a webinar where I discuss all the things I could think of (policies, technical controls, and education) to fight phishing. It contains a lot of useful hints and nearly 100 slides of information. If you are interested in learning more about SPF, DKIM, and DMARC, try this webinar. If you want to learn more about social engineering and how best to fight it, check out any of these KnowBe4 webinars. There is truly some great knowledge in those webinars, taught by a variety of presenters, including KnowBe4’s Chief Hacking Officer Kevin Mitnick.
No matter how great your technical controls are, bad things will get past your defenses and to your co-workers. It’s just a matter of life. So, until the perfect technical controls come into existence, employee training is required. On the educational front, we now know what works for the best security awareness training. You want to create a culture of healthy skepticism against social engineering schemes that might motivate someone to click on a link, run a program, or provide their credentials to someone against their own best interests. That takes good, consistent training and testing.
You should do monthly short trainings (e.g., videos, posters, tests, games, etc.) along with at least monthly simulated phishing tests. Training and testing should cover how to spot the basic, most common signs of potentially malicious content and what employees should do about them (which is report them to you and then delete them). At least once a year, all employees should take a longer educational session, perhaps 15 to 45 minutes long. Then, at least once a month, deliver short, more targeted training that focuses on the most likely social engineering events. This month’s coronavirus scam education is a great example: https://www.knowbe4.com/coronavirus-security-awareness-resources.
Do monthly training and testing and you will significantly reduce the risk that someone will click on something risky.
So, what should you do policy wise? What’s the best single policy you can add to your security policies?
Well, I actually think it’s two things. First, everyone should be trained to hover over URLs and be able to determine rogue versus legit locations before clicking. Hovering should be a policy, backed by education on how to determine good versus bad. Second, there should be a policy that any unexpected request that could result in financial harm, such as changing a bank account number or sending a new invoice, must be confirmed by voice at a pre-determined phone number before the transaction is approved. Nothing sent only via email should happen automatically. We love email. We use it as a daily part of our lives to conduct business. But it is used far too successfully by spammers and phishers to be automatically trusted for all business transactions. It should be a policy to call the requestor to confirm the transaction request.
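The "hover over the URL" check from the first policy, written out as a script so the same comparison a trained employee makes (where the visible link text says it goes versus where the href really goes) can be taught or run over a message's links. This is an added example, not the post's own code or a KnowBe4 tool; the sample anchors are constructed, and the registrable-domain helper is a simplified assumption (a real checker would consult the Public Suffix List).

```python
"""Hover check as a script: compare where a link's visible text claims to go
with where its href actually goes. Added example, not from the original post;
the anchors in SAMPLES are constructed for the demo."""
import re
from urllib.parse import urlsplit

# A domain or URL that appears in the visible link text (what the reader sees).
DISPLAY_URL = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def registrable(host):
    # Simplified assumption: the last two labels are the registrable domain.
    # A production checker should use the Public Suffix List so that a suffix
    # such as co.uk is not mistaken for the registrable domain.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def hover_check(display_text, href):
    """Return the reasons this link deserves suspicion; an empty list means
    the visible text and the real destination agree."""
    reasons = []
    parts = urlsplit(href.strip())
    if parts.scheme not in ("http", "https"):
        # mailto:, ftp: and similar are not web links; flag them as unexpected
        return [f"unexpected scheme '{parts.scheme or 'none'}'"]
    host = parts.hostname or ""
    if parts.username is not None:
        # In https://trusted.example@evil.example/ the browser ignores the part
        # before '@', so a reader who only skims the start of the URL is misled.
        reasons.append("text before '@' hides the real host")
    if IPV4.fullmatch(host):
        reasons.append("destination is a raw IP address, not a domain")
    shown = DISPLAY_URL.search(display_text)
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    return reasons

# Constructed sample anchors: (visible text, href) as a mail client would show them.
SAMPLES = [
    ("https://www.knowbe4.com/", "https://www.knowbe4.com/coronavirus-security-awareness-resources"),
    ("Log in at https://bank.example.com", "https://bank.example.com.login-verify.example.net/"),
    ("https://accounts.example.com", "https://accounts.example.com@203.0.113.7/login"),
    ("View invoice", "ftp://files.example.net/invoice.pdf"),
]

def report(samples=SAMPLES):
    """Map each href to its reasons; a batch version of the hover check."""
    return {href: hover_check(text, href) for text, href in samples}
```

Running report() on the constructed samples passes only the first link; the other three are flagged for a mismatched domain, a hidden host plus raw IP address, and a non-web scheme respectively.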
You can’t do every possible computer security control at once. You have to pick a handful of the best ones, those most likely to decrease risk the most and the fastest, and start with them. Anything you can do to reduce the risk from social engineering and unpatched software should be first and best. And once you have those taken care of, move on to the other hundred things the world is telling you that you need to do.