Securing the Digital World

Cybersecurity Best Practices that Break the Cycle

Oct 12, 2021 | by Jim Taylor

During Cybersecurity Awareness Month, SecurID will highlight insights and best practices to help all businesses and users do their part to protect themselves, secure remote work and “#BeCyberSmart.”

There’s a point in The Matrix when Keanu Reeves’s Neo watches a cat walk past a doorway twice in a matter of moments. It’s a warning sign: Trinity (played by Carrie-Anne Moss) explains that a déjà vu is a “glitch in the matrix” that occurs when “they change something.” Then the bad guys attack.

When it comes to real-world cybersecurity, this scene gets it half right: a sense of déjà vu does frequently precede something terrible happening. But the film gets the order wrong. Cybersecurity déjà vu doesn’t occur when something changes. Instead, it usually results when we fail to change anything.

The first two weeks of Cybersecurity Awareness Month explore best practices for “general cyber hygiene” and how to defend ourselves against phishing. With long-term hybrid work, digital transformation and new threats, it’s more important than ever for each of us to prioritize basic cybersecurity best practices to protect ourselves and prevent fraud.

But many of those best practices are the same principles that we’ve been pushing since the dawn of cybersecurity. Likewise, many of the threats, pressures and limitations that cybersecurity professionals are trying to address in 2021 are nothing new: although the symptoms might change, the root causes are the same today as they were years ago.

With so many of us observing Cybersecurity Awareness Month, let’s look at some of the ‘new’ opportunities, challenges and pressures shaping cybersecurity today—and the ways we can break the cycle, implement changes and move forward.

Best practices for preventing ransomware

One of the most frequent questions we get today is ‘What can we do to prevent ransomware?’

It’s a timely question: in 2020, we saw 65,000 successful ransomware attacks. That was one successful ransomware attack every eight minutes—and that’s only counting the reported and successful attempts.

Over the last year we’ve seen hospitals, police departments, the NBA, Minor League Baseball teams and critical infrastructure all get hit by ransomware attacks. As a result, earlier this summer ZDNet published a column asking “Have we reached peak ransomware?”

But as bad as ransomware is, it’s nothing new. Although ransomware has been around since 1989, for decades hackers were likelier to deploy computer viruses, rogue security software, Trojan horses, adware and spyware, computer worms, DoS and DDoS attacks, phishing, rootkits, SQL injection attacks or man-in-the-middle attacks.

Ransomware is a symptom of a much bigger problem—not the problem itself. The problem causing ransomware attacks is that many organizations lack basic security practices that could prevent it from occurring in the first place.

Specifically, we’ve built too many doors and windows into our data and devices—and we’ve left those doors and windows wide open. Look at Colonial Pipeline: as Bloomberg reported, hackers caused one of the most high-profile and costliest ransomware attacks in history by accessing the company’s networks through a virtual private network (VPN) account that was a) no longer actively in use and b) not protected by multi-factor authentication.

Ransomware is today’s most popular trend—and when cybercriminals move on to the next big thing, the next threat du jour will also be just another symptom of bad cyber hygiene and bad practice, not a technical evolution.

So what do we do about it? Address the root causes: identity and access management and authentication are fundamental to any security posture. Every organization needs to begin by knowing who its users are, what they should have access to and how they should be authenticated. Having those basics in place may have prevented DarkSide from breaching Colonial Pipeline and ransoming its systems.

These are not new revelations by any means—but they’re the starting point for any functional cybersecurity program.
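The Colonial Pipeline lesson above (a VPN account that was no longer in use and had no MFA) is an inventory problem before it is anything else. The following is an added example, not code from this post or from SecurID, of the kind of periodic audit that surfaces exactly that combination. The record fields, the 90-day dormancy threshold and the sample accounts are all constructed assumptions; a real identity provider or directory export would need to be mapped onto them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed record shape for one identity. Field names are assumptions for
# this example, not any real IdP's schema.
@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[datetime]   # None = the account has never logged in
    remote_access: bool              # e.g. member of a VPN-enabled group

DORMANCY_DAYS = 90                   # assumed policy threshold

def audit_accounts(accounts, now, dormancy_days=DORMANCY_DAYS):
    """Return {username: [finding, ...]} for enabled accounts that violate
    either hygiene rule: stale accounts should be disabled, and anything that
    can reach the network remotely must be protected by MFA."""
    findings = {}
    cutoff = now - timedelta(days=dormancy_days)
    for acct in accounts:
        if not acct.enabled:
            continue                 # a disabled account is not an open door
        issues = []
        if acct.last_login is None or acct.last_login < cutoff:
            issues.append("dormant")
        if acct.remote_access and not acct.mfa_enrolled:
            issues.append("remote-access-without-mfa")
        if issues:
            findings[acct.username] = issues
    return findings

def high_priority(findings):
    """Accounts that are BOTH dormant and remotely reachable without MFA:
    the combination the Colonial Pipeline reporting describes. Fix these first."""
    return sorted(user for user, issues in findings.items()
                  if "dormant" in issues and "remote-access-without-mfa" in issues)

# Constructed sample data; dates are relative to a fixed "now" so the run is repeatable.
NOW = datetime(2021, 10, 12, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, NOW - timedelta(days=2), True),
    Account("bob", True, False, NOW - timedelta(days=200), True),    # dormant VPN account, no MFA
    Account("carol", True, False, NOW - timedelta(days=5), False),   # no MFA, but no remote access
    Account("dave", True, True, None, False),                        # never used
    Account("erin", False, False, NOW - timedelta(days=400), True),  # already disabled
]

if __name__ == "__main__":
    result = audit_accounts(SAMPLE_ACCOUNTS, NOW)
    for user, issues in sorted(result.items()):
        print(f"{user}: {', '.join(issues)}")
    print("fix first:", high_priority(result))
```

On the sample data the audit flags bob (dormant and remotely reachable without MFA) and dave (dormant), and puts bob at the top of the list; carol is left alone because, although she lacks MFA, she has no remote-access path, which is the kind of prioritisation that keeps an audit actionable rather than a wall of findings.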

Best practices for securing hybrid work

The pandemic forced businesses in every sector to adapt to hybrid work. In some cases, businesses rushed out rapid changes, transforming their operations practically overnight and standing up VPNs and other technologies to maintain operations.

Trading security for speed, poor implementation—this all sounds like every security project ever. The pandemic did present some unique challenges for cybersecurity, but for the most part, our sector has always been reactive instead of proactive. Whether it’s a breach, a new set of regulations, some new form of malware or a new business need, cybersecurity tends to play catch-up.

Adapting to new dynamics like hybrid work requires that businesses generally and cybersecurity specifically take a longer view. One way for us to do that is to finally—finally—eliminate hackers’ favorite vulnerability and eliminate passwords. The 2020 Verizon Data Breach Investigations Report found that more than 80% of hacking-related breaches involved either brute force or the use of lost or stolen credentials.

Not only are passwords insecure, they’re also expensive: for bigger enterprises, nearly 50 percent of IT help desk costs go to password resets. That can add up to more than $1 million in staffing. That's a lot to pay for password resets.

Modern, passwordless authentication can achieve a balance between safety and convenience. And there’s never been a better time to make the switch: although your employees are probably working far from your IT desk, they still carry smartphones with them almost constantly. These devices can inform risk-based authentication that steps up security requests when necessary, all while improving the user experience.

And that’s just today’s users. What about tomorrow’s? Our sector should team up with schools and colleges to make cybersecurity a fundamental part of our kids’ curriculum. Teaching our students good security practices is just as important as having the right tech stack and processes in place—if not more so. Kids need to learn the types of information that cybercriminals are looking for and the ways to keep it out of hackers’ hands. The earlier we start giving students that information, the better.

Best practices for developing zero trust security

Zero trust is where many of these threads come together. It can represent a real change for many organizations—one that’s long overdue.

But to be clear, zero trust is a way of thinking, not an implementation. Don’t let anyone tell you differently.

And it’s because zero trust is a way of thinking that makes it so powerful: it’s a new framework for security teams to comprehensively think about their work, their exposure and their default practices.

If you wanted to be glib about it, you could say the only difference between zero trust and least privilege is fifteen years. And while that’s an oversimplification, zero trust is least privilege: it’s providing the bare minimum that someone needs to fulfill a business role. That starting point can re-orient how businesses operate:  

  1. Drastically reduce your risk profile. If there’s no reason to expose an asset, then don’t. Risk isn’t the byproduct of convenience—it’s just bad practice.
  2. Never trust, always verify. Validate, validate and then validate again. Does this user need access? Why? For how long? Where do they typically sit when they make this request? What do they use it for? You can start by scrutinizing the most frequent, highest-risk and likeliest requests and building practices that step up authentication as needed.
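The questions in point 2 (does the user need access, for how long, where do they typically sit, and when to step up) map directly onto an access decision that can be written down and tested. The following is an added example, not code from this post or from SecurID, of such a decision function; it also illustrates the risk-based step-up described in the hybrid-work section above. The profile and request fields, the eight-hour MFA freshness window, the set of sensitive resources and the sample data are all constructed assumptions, not any product’s policy language.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Constructed data shapes; field names are assumptions for this example.
@dataclass(frozen=True)
class Grant:
    resource: str
    expires: Optional[datetime]     # None = standing access, which least privilege tries to avoid

@dataclass(frozen=True)
class UserProfile:
    username: str
    grants: List[Grant]             # "Does this user need access?"
    usual_countries: Set[str]       # "Where do they typically sit?"
    known_devices: Set[str]         # devices already bound to this identity

@dataclass(frozen=True)
class AccessRequest:
    username: str
    resource: str
    country: str
    device_id: str
    mfa_age: Optional[timedelta]    # time since the last strong authentication; None = none this session
    when: datetime

MFA_FRESHNESS = timedelta(hours=8)             # assumed policy value
SENSITIVE = {"payroll-db", "vpn-admin"}        # constructed list of high-risk resources

def decide(profile: UserProfile, req: AccessRequest) -> Tuple[str, str]:
    """Return ("allow" | "step-up" | "deny", reason) for one request."""
    # 1. Entitlement: no grant means deny, regardless of how trusted the user looks.
    grant = next((g for g in profile.grants if g.resource == req.resource), None)
    if grant is None:
        return "deny", "no entitlement"
    # 2. Duration: an expired time-bound grant is the same as no grant.
    if grant.expires is not None and grant.expires <= req.when:
        return "deny", "entitlement expired"
    # 3. Context: an unbound device always needs a fresh strong authentication,
    #    because device possession is the factor a passwordless scheme relies on.
    if req.device_id not in profile.known_devices:
        return "step-up", "unknown device"
    # 4. Remaining risk signals can be covered by a recent strong authentication.
    signals = []
    if req.country not in profile.usual_countries:
        signals.append("new location")
    if req.resource in SENSITIVE:
        signals.append("sensitive resource")
    fresh_mfa = req.mfa_age is not None and req.mfa_age < MFA_FRESHNESS
    if signals and not fresh_mfa:
        return "step-up", ", ".join(signals)
    if signals:
        return "allow", "recent MFA covers: " + ", ".join(signals)
    return "allow", "within baseline"

# Constructed sample profile and requests.
NOW = datetime(2021, 10, 12, 9, 0, tzinfo=timezone.utc)
ALICE = UserProfile(
    username="alice",
    grants=[Grant("wiki", None),
            Grant("payroll-db", datetime(2021, 10, 31, tzinfo=timezone.utc))],
    usual_countries={"US"},
    known_devices={"phone-1"},
)
REQUESTS = [
    AccessRequest("alice", "wiki", "US", "phone-1", None, NOW),                   # routine
    AccessRequest("alice", "payroll-db", "US", "phone-1", None, NOW),             # sensitive, no MFA yet
    AccessRequest("alice", "payroll-db", "US", "phone-1", timedelta(hours=1), NOW),
    AccessRequest("alice", "wiki", "DE", "phone-1", None, NOW),                   # unusual location
    AccessRequest("alice", "wiki", "US", "laptop-9", timedelta(hours=1), NOW),    # unbound device
    AccessRequest("alice", "vpn-admin", "US", "phone-1", timedelta(hours=1), NOW),# never granted
    AccessRequest("alice", "payroll-db", "US", "phone-1", timedelta(hours=1),
                  datetime(2021, 11, 5, tzinfo=timezone.utc)),                    # grant has lapsed
]

def decide_all(profile: UserProfile, requests) -> List[str]:
    """Decision label for each request, in order."""
    return [decide(profile, r)[0] for r in requests]

if __name__ == "__main__":
    for r in REQUESTS:
        verdict, why = decide(ALICE, r)
        print(f"{r.resource:<11} {r.country} {r.device_id:<8} -> {verdict:<7} ({why})")
```

The ordering matters: entitlement and expiry are checked before any contextual signal, so a convincing-looking request from a known device and usual location is still denied when the grant does not exist or has lapsed, which is the "least privilege" half of zero trust; step-up handles only the residual uncertainty about the session itself.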

Déjà vu all over again

Cybersecurity Awareness Month is now in its 18th year, and I’d wager that many of the problems that it’s focused on in 2021—and the solutions that cybersecurity teams are advocating for—are largely the same as they were when the event first began.

That shouldn’t discourage us. In fact, I think it should help us focus on the essentials, like prioritizing identity, understanding who your users are, using MFA and minimizing your risk profile. Those may represent table stakes—but in cybersecurity, table stakes can be priceless. 

We know the storm is coming—so let’s not wait to buy insurance until after it passes. Instead, let’s get real about cybersecurity: good security is just good habits. Let’s be proactive.  

Because we’ve seen this movie before. We know what’s going to happen. And, just like with Neo, maybe the only way we can do something when we feel a sense of déjà vu is to point out that it’s happening again.