Five foundations to cybersecurity defense mitigating 90% of breaches

Created on November 12, 2023 at 10:28 am

During my 16 years in the cybersecurity industry, and after discussions with numerous CISOs and cyber security experts, I have found that they all agree on one thing: there are five basic steps all organizations can take to mitigate over 90% of all cyber breaches¹.

Just like cars were not initially designed for safety, the internet was not designed for security. With a growing number of fatal accidents, the car industry and governments took action to make driving a car ten times safer. Five features and controls that have proven to make the biggest difference for car safety today include seatbelts, crush zones, airbags, driver education, and mandatory motor vehicle inspections.

Today, cyber attacks are the single biggest crime sector impacting the security of billions of people around the world. Ranging from criminal gangs to governments, attackers are becoming increasingly sophisticated, organized, and well funded, leveraging the latest technologies, including artificial intelligence, to automate advanced attacks at scale.

Thankfully, governments and industry bodies are joining forces to improve internet safety, similar to what has been achieved for cars. Large technology, financial and healthcare corporations, and government agencies are required to comply with extensive risk management frameworks. These initiatives are important, but it is a daunting task for any organization to address every cyber security risk. At Yubico, on our mission of making the internet safer for everyone, we want to help others mitigate the most impactful cyber threats. This can be achieved by implementing five key controls that make the biggest difference, while continuing to strive for broader security and compliance goals.

1) Use multi-factor authentication (MFA) to access all IT systems, and implement phishing-resistant authentication for all privileged users

Cyber security experts agree that strong MFA is the most important defense against accidental disclosure and cyber attacks that target user identities. Statistics show that more than 80% of breaches involve stolen and misused login credentials¹.

Logging in to IT systems with only a username and password is, in physical-world terms, similar to having a simple lock on your entry door: it can be easily bypassed. Additional steps, such as one-time passcodes (OTP) from an authenticator app, add a further layer of security, similar to a deadbolt lock on your entry door. However, advanced phishing attacks and social engineering demonstrate that fraudsters can trick users into sharing these one-time passcodes.

Phishing-resistant authentication technologies, based on strong public key cryptography, provide a greater degree of account protection while reducing the likelihood of human error. The FIDO standard and smart cards both provide this increased level of protection. The security level is similar to an iron bank vault that requires multiple factors to open. To stop the most targeted users from suffering the most damaging breaches, this level of protection is recommended for all privileged or sensitive users, anyone authorized to access and perform company security-relevant functions, and anyone with access to IT systems and servers holding sensitive information.
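The difference between a relayed one-time passcode and a FIDO assertion comes down to origin binding: the security key signs the site's challenge together with the origin the browser is actually on, so an assertion captured on a lookalike site cannot be replayed against the real one. The following is an added, simplified model of that check (not Yubico's code or the WebAuthn specification; it hashes origin and challenge directly, whereas real WebAuthn signs over authenticatorData and the hash of clientDataJSON, and the hostnames are constructed for illustration).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Assertion is a simplified model of a FIDO/WebAuthn login response: the key
// signs the challenge plus the origin the browser reports (clientDataJSON).
type Assertion struct {
	Origin    string
	Challenge []byte
	Sig       []byte
}

// signedBytes is the digest the key signs; the origin is baked into it.
func signedBytes(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// authenticatorSign runs on the security key: it cannot tell a genuine page
// from a lookalike, it simply binds whatever origin the browser supplies.
func authenticatorSign(priv ed25519.PrivateKey, origin string, challenge []byte) Assertion {
	return Assertion{origin, challenge, ed25519.Sign(priv, signedBytes(origin, challenge))}
}

// verifyAssertion is the relying party's check. An assertion made on another
// site fails the origin test even though its signature is perfectly valid.
func verifyAssertion(pub ed25519.PublicKey, rpOrigin string, issued []byte, a Assertion) bool {
	return a.Origin == rpOrigin && // relayed assertions fail here: wrong origin
		string(a.Challenge) == string(issued) && // replays of old logins fail here
		ed25519.Verify(pub, signedBytes(a.Origin, a.Challenge), a.Sig)
}

// LoginSucceeds simulates one login: the browser is on browserOrigin and the
// assertion is forwarded to the relying party at rpOrigin (a relay if they differ).
// A one-time passcode carries no origin, so the same relay would be accepted.
func LoginSucceeds(browserOrigin, rpOrigin string) bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	challenge := make([]byte, 32) // fresh per login, issued by the relying party
	rand.Read(challenge)
	return verifyAssertion(pub, rpOrigin, challenge, authenticatorSign(priv, browserOrigin, challenge))
}
```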

The US Government has acknowledged that not all MFA is created equal, and a White House directive recommends phishing-resistant authentication as the only approved login method for all US government agencies by 2024.

2) Limit users’ access rights to the minimum required to perform their role

To limit the attack surface and the number of people in an organization who can cause a breach, it is critical to also restrict access rights for all IT systems to the people who need them to perform their job responsibilities. Statistics show that cyber breaches caused by the organization’s own staff or contractors, whether intentionally or accidentally, are behind 19% of all breaches¹. Some of these insider attacks may be orchestrated by outside forces, including competitors and governments, and the best way to stop employees who are, voluntarily or involuntarily, involved in planning a crime is to ensure that they do not have access to the most critical data and systems.

3) Apply software patches for all high-risk vulnerabilities within 30 days, and use only supported software versions

Attackers look for ways to exploit vulnerabilities in old and unpatched software and IT systems. Unpatched software is directly or indirectly the reason behind 5% of all breaches¹. By moving IT systems from on-premises servers to modern cloud services, organizations let the cloud vendors mitigate this risk through continuous updates for known vulnerabilities. However, since cloud services can be accessed from anywhere, it becomes even more important to implement step one on this list: using strong MFA for all logins.

4) Back up all business-critical data and test recovery procedures

Backups of critical information and systems may be required to restore operations to an operable and trusted state. This step will not stop breaches, but it is critical to safeguard business operations and continuity.

5) Annual employee security awareness training and continuous learning

Remind employees of their responsibilities and provide guidance on how to fulfill them, starting with the previous four foundational steps on this list. Provide continual updates as the business and cyber threats evolve, and, just like all education, try to make it fun and engaging so that people will learn. This is why, after stepping aside as CEO earlier this year, I am dedicating some of my free time to contributing to the script for a comedy movie series that embodies the steps outlined in this blog. While cyber fraudsters try to trick users into making mistakes that lead to breaches, entertaining education can trick users into wanting to learn how to outsmart the fraudsters.

The above five foundational steps can be used by any organization to track its cybersecurity maturity over time, for reporting to the leadership team and board, and for peer benchmarking. This list will also help prepare companies for the addition of cybersecurity risk management information to their annual environmental, social, and governance (ESG) reporting, and help customers and investors assess risk and make informed decisions based on consistent and useful information.

In upcoming blogs and webinars, Yubico will share more content and tools that will make it even easier for any organization to track and measure its own ‘five steps’ for effective cyber defense. We will then also introduce the security experts, industry bodies and government agencies that we are partnering with to drive this initiative. It may be a bold goal, but based on the current statistics on what causes the most damage, it is possible to help mitigate 90% of all breaches in 5 years.

We are committed to our mission of making the internet safer for everyone. Together, we can stop fraudsters from limiting the potential of what the internet is and can be.


¹ The statistics cited in this blog are from Verizon’s 2023 Data Breach Investigations Report.
