Losing the battle against the bad guys? Keep your software patched and defend against social engineering, and you might start winning a few Credit: Thinkstock It’s a rough number, but I’d wager that 99 percent of computer security risk in most organizations can be attributed to two root causes: social engineering and unpatched software.I’m not talking about pure numbers of success exploits, but overall impact. Many CISOs and threat intelligence analysts have told me that 100 percent of the biggest events at their company involved social engineering. Certainly, bad things enter your environment through other means, which is why we still need to secure our servers, encrypt our disks, and prevent physical intrusions. But in terms of the biggest impact, most organizations can tie those events to two root causes.Think about what that means. If your organization is like most, 99 percent of your current risk will be resolved if you address exactly two problems. Likewise, anything you do to address other problems accounts for 1 percent of that risk. If your own data analysis supports this assessment, then take a look at your allocated resources and see if they are aligned against these right threats in the right proportions.Shore up unpatched softwareDefeating this root cause seems to be simple. Patch your software! But if it were that simple, it wouldn’t be a top root cause stretching across two decades. The key to diminishing this risk is to identify the right software to patch and do it really, really well. The risk reducers I respect know the difference between the largest unpatched program in their environment and the unpatched program mostly likely to be exploited in their environment. A security expert knows there is usually a gulf between the two.For example, for many years, Microsoft’s Visual C++ Redistributable program, which is included with tens of thousands of applications, has been the most unpatched software—worse even than Oracle Java or Adobe Acrobat. The difference is that the Visual C++ Redistributable is hardly ever exploited. I’ve never heard of a single case of that happening. Why? Because for attackers to exploit it, they need to know it’s there, unpatched, in the first place—then create a specific exploit that attacks a vulnerability in each program running it. That could mean creating tens of thousands of different attack programs, and because most of those programs don’t run as services or browser add-ins, they would be far harder to detect.Instead, attackers target commonly unpatched programs that can be exploited using a single, predictable exploit. Hackers, like everyone else, would rather work less for greater impact rather than the other way around.To reduce exploitation of unpatched software, use your own data to determine which programs are most exploited successfully, then go about patching (or eliminating) those programs as best you can. You’ll be vastly more successful decreasing risk by patching the most exploited programs than by trying to patch everything perfectly.Defeat social engineeringSocial engineering comes in all shapes and sizes, from someone calling you on the phone to web or email phishing to trying to get you to reveal a logon credential or run a rogue program (for example, fake tech support). No panacea can prevent all social engineering attempts. But you need to mount a sustained defense.Start by training users to recognize social engineering attacks. You can create your own educational programs and content or use someone else’s: Internally created content can better address your organization’s specific needs, but it can be poorly done. Last week, I spoke to a security administrator of a big company who said his co-workers were more likely to click on a phishing email after their training and before. He wasn’t sure what was wrong with their internal training, only that it had a negative correlation and he had the data to prove it. Luckily, there are lots of fantastic external training companies. My personal favorites are Knowbe4 and PhishMe. Yet everyone knows training alone can’t provide a perfect defense. Some people will click anything sent their way no matter what you teach them. My favorite defense is to implement an enterprisewide two-factor authentication (2FA) program and get rid of passwords across the board. This isn’t easy, but as long as employees are required to have passwords, they can be easily phished out of them. With 2FA, an attacker can’t succeed in stealing the initial logon credentials without physical compromise or a sophisticated malware attack.Even if you defeat credential theft, you have to stop people from running rogue programs. Education can help, but you need more. Antimalware programs help detect and stop rogue programs, of course, but we all know they have accuracy limitations. I’m a huge fan of application control software (such as whitelisting programs), which I think will become far more pervasive in corporate environments than they are today. If you can’t use strict application control, then you have to do everything else, and everything else won’t be as good.Stopping social engineering could involve many possible strategies for your environment. It could mean defense in depth, increased security boundaries, assume breach defenses, and more. But if you are able to identify the most likely causes of social engineering and fix the unpatched software, you’ll be way ahead of the game. Related content news UK government plans 2,500 new tech recruits by 2025 with focus on cybersecurity New apprenticeships and talent programmes will support recruitment for in-demand roles such as cybersecurity technologists and software developers By Michael Hill Sep 29, 2023 4 mins Education Industry Education Industry Education Industry news UK data regulator orders end to spreadsheet FOI requests after serious data breaches The Information Commissioner’s Office says alternative approaches should be used to publish freedom of information data to mitigate risks to personal information By Michael Hill Sep 29, 2023 3 mins Government Cybercrime Data and Information Security feature Cybersecurity startups to watch for in 2023 These startups are jumping in where most established security vendors have yet to go. By CSO Staff Sep 29, 2023 19 mins CSO and CISO Security news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe