Brushing your teeth twice daily is vital for oral hygiene, not to mention for the benefit of those sitting close to you. When we rush to work, drop the kids off at school, or attend an arguably more exciting event such as a concert by a newly reformed favourite childhood band, brushing our teeth isn’t the thing we drop. Even though it’s not exciting, we accept that it’s important and prioritise it over things,* like breakfast, grabbing that second cup of coffee, or packing a thoughtful lunch. The cybersecurity equivalent of brushing your teeth can feel equally dull and is not something we often discuss. Still, as a good dentist will do, it’s worth being reminded every so often of the basics, especially as more exciting and glamorous things enter our lives, like AI.
It is said that the only constant in life is change. Nowhere is this more apparent than in cybersecurity, where businesses look to accelerate digital transformation, embrace the cloud, and leverage AI. But with organisations devoting so much of their resources and budgets to these endeavours (IDC forecasts worldwide spending on AI to reach $632 billion by 2028), there’s less room for foundational cybersecurity hygiene, like patch management, credential management, admin privilege restrictions, and the other cyber equivalents of brushing your teeth. These practices may be perceived as mundane and are easily overlooked amidst other priorities. But without attending to foundational security needs, havoc ensues, from million-dollar ransomware attacks to downstream impacts on dozens of customers.
How the consequences of neglecting cyber basics materialise
Splunk’s recent report, State of Security 2024: The Race to Harness AI, found that AI-powered attacks concerned security leaders more frequently than any other attack type. But when asked which cyberattacks they had actually experienced in 2024, data breaches (reported by 52%), business email compromise (49%), and system compromise (49%) topped the list. This points to a mismatch between the attention that hyped, cutting-edge topics like AI receive and how much they practically affect the business and how much risk they create day to day.
This imbalance of priorities has real consequences. When cyberattacks lead to data breaches, 81% of those leaks happen because of stolen, weak, or default passwords. This past year alone, we’ve seen multiple cyberattacks that could have been prevented with basic cybersecurity controls. Thousands of employees’ data were stolen because the organisation didn’t require MFA and left credentials valid years after they had been stolen. In another instance, a server not protected by MFA was hacked, reducing cash flow for 94% of U.S. hospitals and incurring HIPAA fines.
We’ve also seen threat actors from Iran, Russia, and China target critical sectors in the West and gain entry through water utility systems secured with default passwords. These attacks did little more than disrupt operations and spill water. But if such vulnerabilities persist across our critical sectors, bad actors will only do more damage: contaminating drinking water, damaging infrastructure, and endangering lives.
Government agencies around the world have been issuing rallying cries for organisations to reprioritise basic cybersecurity practices, including the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) in the USA. Closer to home for me in the U.K., the National Cyber Security Centre (NCSC) recently published a list of Cyber Essentials, requiring any organisation that wants to work with the U.K. government to undergo a third-party Cyber Essentials certification process to ensure they adhere to baseline cybersecurity measures. Similar guidance was published for individuals and small organisations, too. Elsewhere, Singapore and the Netherlands have recently published comparable initiatives.
Next steps: Visit your dentist for a stern reminder of how to keep your (cyber) hygiene in check
To reprioritise cybersecurity hygiene — and do so while balancing other agendas to remain competitive, innovative and agile — organisations can take these three actions:
- Conduct a cybersecurity assessment. Not only does an assessment help an organisation gauge the maturity of its practice, it also helps a security team determine its immediate priorities. A cyber assessment should include identifying and prioritising the organisation’s assets, defining the top threats the organisation faces, identifying vulnerabilities, and analysing and implementing controls. Each organisation faces its own unique set of risks based on its industry, infrastructure, and other factors. The assessment should also prioritise risks based on likelihood, as well as the cost of prevention versus the value of the information at stake. Pick a framework from those mentioned above, such as Cyber Essentials, and baseline your organisation against it (it doesn’t matter if you’re not in the UK).
- Map cyber risks to business risk. Before an organisation reprioritises basic cybersecurity practices, its leadership has to be on board and understand that if the SOC enables the business, any risk of a breach or hack is fundamentally a business risk. More than half of all instances of downtime originate from cybersecurity-related issues; each instance exacts an average of USD 9,000 (GBP 6,700, EUR 8,000) per minute, according to The Hidden Costs of Downtime. Security leaders need to articulate to the rest of leadership the ways in which cybersecurity shapes an organisation’s reputation and financial profitability, for better or for worse.
- Divvy up resources according to present realities. Today, many organisations invest more of their resources into forward-thinking initiatives, but much of it is for threats that may never materialise. Instead, a more balanced approach prioritises addressing the immediate threat landscape, with a portion focused on near-term goals and a smaller reserve dedicated to preparing for future unknowns.
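The three actions above all come down to the same exercise: put a value on each asset, a likelihood on each threat, and a cost on each control, then spend first where a unit of money removes the most expected loss. The following Python script is an added illustration of that prioritisation and is not code from the article or from Splunk; the assets, values, likelihoods, control names and costs are constructed for the example and are not real figures. It ranks candidate controls by expected loss removed per unit of cost and then picks the best-ranked ones that fit a fixed budget, which is the "present realities" allocation the third action describes.

```python
"""Risk-register prioritisation: rank controls by expected loss removed per unit of cost.

Added example, not from the original article. All asset values, likelihoods,
control costs and reduction fractions below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of the risk register: an asset, its information value, and how likely a compromise is."""
    asset: str
    value: float        # estimated loss if the asset is compromised (currency units)
    likelihood: float   # annual probability of compromise, 0.0 .. 1.0

    def expected_loss(self) -> float:
        # Annualised expected loss: value at stake times probability of losing it
        return self.value * self.likelihood


@dataclass(frozen=True)
class Control:
    """A candidate mitigation, its cost, and the fraction of likelihood it removes per asset."""
    name: str
    cost: float
    reduction: dict     # asset name -> fraction of that asset's likelihood removed (0.0 .. 1.0)


def risk_reduction(control: Control, risks: list) -> float:
    """Expected loss removed per year if this control is implemented."""
    by_asset = {r.asset: r for r in risks}
    return sum(
        by_asset[asset].expected_loss() * fraction
        for asset, fraction in control.reduction.items()
        if asset in by_asset          # ignore assets not on the register
    )


def rank_controls(controls: list, risks: list) -> list:
    """Return (name, reduction, cost) rows ordered by reduction per unit of cost, best first."""
    scored = [(c.name, risk_reduction(c, risks), c.cost) for c in controls]
    return sorted(scored, key=lambda row: row[1] / row[2], reverse=True)


def select_within_budget(controls: list, risks: list, budget: float) -> list:
    """Greedy allocation: take the best-ratio controls that still fit in the remaining budget."""
    chosen, remaining = [], budget
    for name, _reduction, cost in rank_controls(controls, risks):
        if cost <= remaining:
            chosen.append(name)
            remaining -= cost
    return chosen


# Constructed sample register (hypothetical assets and figures, not real data)
RISKS = [
    Risk("Remote access gateway", value=2_000_000, likelihood=0.3),
    Risk("HR database", value=500_000, likelihood=0.2),
    Risk("Marketing website", value=50_000, likelihood=0.5),
]

# Constructed candidate controls; the basics versus a speculative big-ticket investment
CONTROLS = [
    Control("Enforce MFA on remote access", cost=40_000,
            reduction={"Remote access gateway": 0.8, "HR database": 0.5}),
    Control("Rotate stale credentials", cost=10_000,
            reduction={"HR database": 0.3}),
    Control("Replace default passwords", cost=4_000,
            reduction={"Marketing website": 0.6}),
    Control("AI-driven threat detection platform", cost=300_000,
            reduction={"Remote access gateway": 0.2, "HR database": 0.2, "Marketing website": 0.2}),
]

if __name__ == "__main__":
    for name, reduction, cost in rank_controls(CONTROLS, RISKS):
        print(f"{name:38s} removes {reduction:>10,.0f}/yr for {cost:>8,.0f} -> {reduction / cost:6.2f} per unit")
    print("Within a 50,000 budget:", select_within_budget(CONTROLS, RISKS, 50_000))
```

With these constructed numbers the MFA control removes about 530,000 of expected annual loss for 40,000, while the speculative platform removes 145,000 for 300,000, so the hygiene controls are funded first and the budget of 50,000 buys MFA plus the default-password clean-up. The greedy selection is a simplification (it ignores controls that overlap on the same asset, and real likelihood estimates carry wide uncertainty), but it makes the "cost of prevention versus information value" comparison in the assessment step explicit and defensible in front of leadership.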
For security leaders, the good news about reprioritising cyber hygiene basics is that it doesn’t require more staffing or expanded budgets. All it takes is a reallocation of teams’ priorities to focus on the organisation’s most likely threats and a recommitment to strategies that we all already know will strengthen an organisation’s security posture — something that’s easier to justify than a large new investment in a technology that may or may not add value. It shouldn’t be difficult to justify the time and cost of brushing your teeth daily.
Cyberattacks enabled by simple vulnerabilities have been getting the better of enterprises for far too long. But we can change that.
Keep up with today’s cybersecurity landscape by subscribing to the Perspectives newsletter. To learn how security leaders are innovating with AI and driving resilience, read The State of Security 2024.
* While researching for this article, I was surprised to find that 2% of people don’t brush their teeth at all, and somewhere between 20% and 33% of people regularly skip brushing in the morning, leaving huge holes in my analogy and perhaps explaining the increasing sales of mints.