The Two Best Things You Can Do To Protect Yourself and Organization

Two Best Things to Protect Your OrgSince the beginning, two types of computer attacks (known as initial root cause exploits) have composed the vast majority of successful attacks: social engineering and exploiting unpatched vulnerabilities. These two root causes account for somewhere between 50% to 90% of all successful attacks. There are tons of other ways you can be attacked (e.g., password guessing, misconfiguration, eavesdropping, physical attacks, etc.), but all other types of attacks added up all together do not equal either of the other two more popular methods.

Social engineering is involved in 50% to 92% of successful attacks and exploiting unpatched software and firmware accounts for 20% to 40%. There is a lot of crossover because attackers often use multiple attack methods to accomplish their malfeasance. For example, a social engineering email will try to convince potential victims to download a trojan-enabled Microsoft Word document that launches an attack against an unpatched vulnerability.

It is the world’s inability to focus on these two top root causes of attacks appropriately that allows hackers and malware to be successful.

Unfortunately, even though social engineering and attacks against unpatched vulnerabilities are the vast majority of attacks, by far, the average organization spends less than 5% of its IT/IT security budget to fight these threats. I am not sure how much the average organization should spend to fight the two biggest threats, but likely more than they are today.

I think, today, most IT practitioners and senior management understand social engineering is a big risk, but I do not think they understand exactly how much bigger of a risk it is to all other attack types. If they did, they would be more likely to put the appropriate resources against it.

Let me be clear, there is no single mitigation other than fighting social engineering that would best reduce cybersecurity risk in most organizations. Anything an organization can do to better fight it is one of the best things it can do. Successfully fighting social engineering is essentially the difference between getting or not getting successfully attacked in a given year. Patching likely to be exploited software and firmware is the second-best thing you can do. Get on it!

You need to do everything you can do to fight social engineering, including implementing good policies, which reduce the risk of social engineering, implementing your best defense-in-depth technical defenses (like content filters, endpoint detection & response software, secure configurations, etc.) to prevent social engineering from getting to end users, and training end users to recognize social engineering that gets past the first two mitigations.

Here is everything KnowBe4 suggests to best fight social engineering.

Read it and implement the best practice recommendations that work for you and your organization.

You need to aggressively patch software and firmware vulnerabilities that are used by malicious hackers and malware to do their badness. What software and firmware vulnerabilities are used by hackers and malware to exploit devices and networks? The U.S. Cybersecurity & Infrastructure Security (CISA) agency has a list of those vulnerabilities, branded as the Known Exploited Vulnerability Catalog. Subscribe to this list and CISA will send you an email any time a vulnerability gets newly exploited by an attacker for the first time (as far as they know). If you have software or firmware on this list, get it patched as soon as possible.

That is it! These two mitigations, fighting social engineering and patching exploited vulnerabilities, are the two best things most organizations can do to fight hackers and malware. If you do these two things better, the risk that you will be compromised in a given year goes way down, and if you do not, vice-versa.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe To Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews