Even though it is often said there is no silver bullet, organizations seem to be looking for one. As cybersecurity leaders, we entertain vendor meetings and attend conferences to learn about the latest technologies and techniques for security data and access to data. We want to make sure we have the right tools to encrypt, classify, prevent loss of, and maintain the integrity of the company’s data. Of course, it is a positive thing to be informed of the latest innovations in cybersecurity. This being said, I have to ask the question, why are we focusing on the esoteric when we have not covered the basics?
Before answering the question, consider one of the most destructive attacks on data: ransomware.
Security researchers predicted the global cost of ransomware would be $20 billion by 2021, and there are projections that the cost of this attack on data will exceed $265 billion by 2031. Why is there, and will there be a continuous increase in these types of attacks? Sadly is because ransomware attacks are low risk for the bad actor. We are always looking for the best technology to protect our data, but sometimes it is not a technology but rather something more fundamental. I say this simply because we see the same advice with every alert we see from the government and industry experts. And that same advice is the basics. Some, but not all of these basic practices are:
- Enable multi-factor authentication.
- Patch systems.
- Conduct user awareness training.
- Apply network segmentation
- Enable role-based access
- Implement measures for detecting intrusions
Why in 2022 are we still talking about applying basic security hygiene? But, more importantly, why would an organization look for better security tools to protect data when the basics have not been accomplished? This is likely because the basics can be difficult operationally or from an organizational culture perspective to implement. But they are essential, and no amount of updated technologies will genuinely protect you if you have not addressed the basics.
How does an essential practice supersede a technology designed to prevent intrusion? Simple cyber-attacks will happen, and they will happen no matter what tools you have in place. We should defend our data with the idea that an intrusion into the enterprise is inevitable. The basic defensive measures that are often mentioned tend to be more about resilience and zero trust. They are building blocks of an architectural construct that, if deployed properly, will provide obstacles that will likely de-incentivize an attacker by throwing up many barriers between the source and the target of a cyber attack.
Therefore, cybersecurity leaders should build technology stacks upon the foundation of the basics. For example, multi-factor authentication requirements coupled with role-based and privileged level access are factors that must be integrated into data access models before considering how data will be handled in transit or at rest. This is not to say that data encryption and data classification, and labeling are not important. They are essential to protecting information, but determining how a user is authenticated or how the organization will respond is likely more effective than relying on encryption or data loss prevention technologies as a primary protector of data.
The bottom line, the basics are available in a lot of place. Most cybersecurity professionals are familiar with the CIS top 20. Information is available from the Cybersecurity and Infrastructure Security Agency (CISA) or the Information Sharing and Analysis Center (ISAC) appropriate for a company’s industry. Where compliance requirements for data protection are a concern, consider how close you are to fully compliant if you implement a basic set of controls such as the CIS Top 20. You might find you are either fully compliant or reasonably close, depending on the compliance standard. Meaning implementing the basic controls not only will only reduce your cyber risk profile but will add efficiency to your compliance journey.
