If we were to auction off last year’s typical data breach, what would it go for? Try about $4.2 million. How many data breaches were reported last year? 68% more than the year before, breaking records and setting an all-time high. And what was the most common attack vector leading to these breaches?
The Verizon 2022 DBIR discovered that “82% of breaches involved the human element, including social attacks, errors and misuse.” As early as 2017, it was estimated that “93 percent of breaches … could have been prevented had basic security steps been taken, such as regularly updating software with patches, blocking fake email messages that contain ransomware, and training staff to recognize and avoid phishing attacks.” The number of breaches that hang on the thread of human error is staggering.
In my opinion, that’s not singularly depressing. It’s encouraging. That means at least 82% of breaches can be prevented by relatively simple, affordable means. An ounce of prevention. And what does that cost? Just a little time and investment in employee security training.
The CIS Controls are an excellent place to start. Formerly the SANS Top 20, or SANS Critical Security Controls, they’re now the CIS Critical Security Controls, and there are 18 of them. However, since each is extensive in scope, Implementation Groups (IGs) are used to prioritize how you should implement them. IG1 covers basic security hygiene and is where you want to begin. As the CIS website states, “IG1 is the on-ramp to the CIS Controls and consists of a foundational set of 56 cyber defense Safeguards. The Safeguards included in IG1 are what every enterprise should apply to defend against the most common attacks.” Phishing and other access-based threats are among these “common attacks,” and they yield high returns in data breaches.
IG1 pulls heavily from CIS Control #14, Security Awareness and Skills Training, which states that organizations should “Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.” So, set up a program to train your employees. And it doesn’t take a huge, sophisticated SOC to do that. As CIS states, “an IG1 enterprise is typically small to medium-sized with limited IT and cybersecurity expertise” and one that can’t tolerate a lot of downtime.
Maybe you’re a city, a municipality, a school district that needs daily student access to grades and assignments, or a local credit union. The kind of data you’re trying to protect is typically financial or employee-based, and implementing IG1 protections will shore up your defenses against the most common, non-targeted attacks. We’re talking brute force, phishing, credential stuffing and the myriad other low-hanging-fruit campaigns that seem to get the best of us. Remember, even though sophisticated, targeted attacks are out there, malicious hackers don’t want to work harder than they have to, so they’ll typically try the easy approach first (with an 82% chance of success). You can block these by implementing the CIS Controls in IG1.
Attitude is everything
I just want to mention that the attitude of security professionals towards users and trainees has come a long way since the early days. It used to be blame and shame, a bunch of user error jokes and a large hint of “you should have known better.” Maybe some exasperated sighs and a side of superiority. No more.
You need to be a department, consultant, or vendor that clients can trust and feel safe being cyber-vulnerable around. Not everybody knows this stuff, even the basic stuff, and that is a fact painfully obvious to the criminals who constantly reap the rewards of this naiveté. We need to know this, accept it and make users feel normal for not knowing the basics because the fact is – most don’t. Siding with the user and against external threats is better than making enemies in both camps. That should be equally obvious.
Being a trusted advisor who anticipates their questions, understands their concerns and meets them at their level (whatever that may be) will do wonders for company-wide buy-in for security awareness training and other top-down programs. Remember, these are professionals in their fields, not ours.
Working with remote work
At the risk of overstating it, I’ll just put in my plug for remote work. The average network environment (thanks to remote work, cloud workloads, IoT devices and more) just isn’t what it used to be, and attackers have found all those little extra ways in. Employees (and management) can’t be in the dark about the risks they bring to an organization by bringing their own laptop, using their phone to log into Salesforce (yikes) or downloading unapproved apps on the spur of the moment. Those are reasonable security requirements which, once explained, might be easier for clients to adopt than they anticipate. A few well-placed policies in the right areas, a few access controls and some additional employee training can tamp down bad behavior faster than you think. People know remote work is new, they expect some changes, and in a lot of ways they are looking for direction, so get to them before the new wears off.
The disappearance of the perimeter is a bit overstated, but since some claim we’re in the no-perimeter, zero-trust age, it shouldn’t be hard to get buy-in for security awareness programs that support this new normal. Zero-trust means zero-trust in network safety, in cloud workloads, in physical asset security and in access management. Companies will understand that, just as they understand the way we do business has changed. Why shouldn’t employees keep abreast of those changes? You can’t have complete network security without educating those on and behind and connected to the network. Just find a provider that fits your company, settle into those CIS requirements and tamp down on the problems causing over 80% of the breaches. I’d say that given how long we’ve been adjusting to this new digital work context, fresh employee security training is nowhere near overkill – it’s overdue.
Defend from within
And yet, we know it’s not a catch-all. Zero-trust means zero, right? So that means that even if a baddie does dupe your best players and somehow skirts past your defenses, you need to be prepared to defend from within. You can integrate every available network security tool (and training implement) and still suffer a data breach. Do train your employees. Do implement the CIS security controls. Do secure endpoints, BYOD devices and the door to your server room like your livelihood depended on it. But don’t stop there. Make sure your organization is strong on the inside to add just one more layer of security protecting your company’s private and sensitive data.