Since the beginning, two types of computer attacks (known as initial root cause exploits) have made up the vast majority of successful attacks: social engineering and exploiting unpatched vulnerabilities. These two root causes account for somewhere between 50% and 90% of all successful attacks. There are tons of other ways you can be attacked (e.g., password guessing, misconfiguration, eavesdropping, physical attacks, etc.), but all of those other attack types added together do not equal either of the two more popular methods.
Social engineering is involved in 50% to 92% of successful attacks, and exploiting unpatched software and firmware accounts for 20% to 40%. There is a lot of crossover because attackers often chain multiple attack methods to accomplish their malfeasance. For example, a social engineering email will try to convince potential victims to download a trojan-enabled Microsoft Word document that, once opened, launches an attack against an unpatched vulnerability.
It is the world’s inability to focus on these two top root causes of attacks appropriately that allows hackers and malware to be successful.
Unfortunately, even though social engineering and attacks against unpatched vulnerabilities are, by far, the vast majority of attacks, the average organization spends less than 5% of its IT/IT security budget to fight these threats. I am not sure how much the average organization should spend to fight the two biggest threats, but likely more than they are today.
I think, today, most IT practitioners and senior management understand social engineering is a big risk, but I do not think they understand exactly how much bigger a risk it is than all other attack types. If they did, they would be more likely to put the appropriate resources against it.
Let me be clear: no single mitigation would reduce cybersecurity risk in most organizations more than fighting social engineering. Anything an organization can do to better fight it is one of the best things it can do. Successfully fighting social engineering is essentially the difference between getting or not getting successfully attacked in a given year. Patching the software and firmware that is likely to be exploited is the second-best thing you can do. Get on it!
You need to do everything you can to fight social engineering: implement good policies that reduce the risk of social engineering; deploy your best defense-in-depth technical defenses (content filters, endpoint detection & response software, secure configurations, etc.) to prevent social engineering from reaching end users; and train end users to recognize the social engineering that gets past the first two mitigations.
Here is everything KnowBe4 suggests to best fight social engineering.
Read it and implement the best practice recommendations that work for you and your organization.
You need to aggressively patch the software and firmware vulnerabilities that malicious hackers and malware actually use to do their badness. Which vulnerabilities are those? The U.S. Cybersecurity & Infrastructure Security Agency (CISA) maintains a list of them, branded as the Known Exploited Vulnerabilities Catalog. Subscribe to this list and CISA will send you an email any time a vulnerability is newly exploited by an attacker for the first time (as far as they know). If you have software or firmware on this list, get it patched as soon as possible.
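To turn the catalog into an actionable patch list, you have to cross-reference it against what is actually installed. The script below is an added example (not KnowBe4's or CISA's code) that reads a feed in the shape of CISA's KEV JSON export, matches entries against a constructed asset inventory, drops CVEs already patched, and ranks what is left so overdue and ransomware-linked items surface first. The vendor, product and CVE values are placeholders, not real catalog entries.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# public catalog; the entries themselves are placeholders, not real CVEs.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Office Suite",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Router Firmware",
         "dateAdded": "2024-02-01", "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "Database Server",
         "dateAdded": "2024-03-05", "dueDate": "2024-03-26", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00004", "vendorProject": "ExampleVendor", "product": "Office Suite",
         "dateAdded": "2024-02-12", "dueDate": "2024-03-10", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory: (vendor, product) pairs present in the environment,
# plus CVE IDs already remediated. A real inventory would come from a CMDB or agent.
INVENTORY = {("examplevendor", "office suite"), ("examplevendor", "router firmware")}
PATCHED = {"CVE-0000-00002"}


def load_kev(feed_json):
    """Parse the feed and return the list of catalog entries."""
    return json.loads(feed_json)["vulnerabilities"]


def match_kev_to_inventory(entries, inventory, patched, today):
    """Return KEV entries that apply to inventoried software and are not yet patched,
    ordered so overdue items come first, then ransomware-linked ones, then by due date."""
    hits = []
    for e in entries:
        key = (e["vendorProject"].lower(), e["product"].lower())
        if key not in inventory or e["cveID"] in patched:
            continue
        due = date.fromisoformat(e["dueDate"])
        hits.append({
            "cveID": e["cveID"],
            "product": e["product"],
            "overdue": today > due,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "days_to_due": (due - today).days,
        })
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["days_to_due"]))
    return hits


if __name__ == "__main__":
    for hit in match_kev_to_inventory(load_kev(KEV_SAMPLE), INVENTORY, PATCHED, date(2024, 2, 15)):
        print(hit)
```

In production, replace `KEV_SAMPLE` with the catalog downloaded from CISA and `INVENTORY`/`PATCHED` with data from your asset and patch management systems.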
That is it! These two mitigations, fighting social engineering and patching exploited vulnerabilities, are the two best things most organizations can do to fight hackers and malware. If you do these two things better, the risk that you will be compromised in a given year goes way down, and if you do not, vice versa.