Microsoft’s ‘Digital Defense Report September 2020’, some of which we discussed last week, provides many insights into the state of cybersecurity, which Cyberhedge will continue to highlight in the coming weeks. One key finding: most breaches succeed because of poor basic cyber hygiene within the organization. According to the report:
“Once inside a network, this proficiency in understanding protective and detective controls continues to contribute to the success of the cybercriminals. Through reconnaissance they’ll select machines with no or poorly configured antivirus software to perform most of their actions, modifying their techniques if they sense they might be detected. Unfortunately, there are also numerous examples of situations where cybercriminals simply performed their attacks as they wished, with poor cyber hygiene leaving no blocking controls in their way.
In some instances, cybercriminals went from initial entry to ransoming the entire network in less than 45 minutes.”
Microsoft’s finding reinforces a key fact uncovered by Cyberhedge analysis and evident in our market-validated ratings: very basic improvements in cyber hygiene, beginning with good training, policies and processes (such as properly configuring software and following through on a consistent patching strategy), are very often the difference between (1) preventing a breach or (2) detecting an intrusion early enough to limit the extent of the disruption, and a much more serious, widespread network disruption that can cost billions.
This ‘human management’ of the technology stack is more important than simply having the technology in place that should theoretically defend against attacks. The cliché that ‘a chain is only as strong as its weakest link’ describes the cyber governance reality extremely well. In addition, improvements in the human management area can be easily implemented in an organization that has otherwise strong management systems.
Considering that ransomware breaches are increasingly common and financially damaging, the cost/benefit of improvements in this area is clear.
Questions from the C-suite, including the CEO and CFO (considering the significant financial risks involved), should center less on “do we have the latest and greatest firewall or endpoint protection?” and more on “what policies and processes do we have in place to ensure basic hygiene is strong and that the tech we do have is properly deployed?”