Yes, you do need to be prepared should your organization be breached, but countering social engineering, patching, multi-factor authentication and a solid backup plan will keep them from happening. Credit: AndreyPopov / Getty Images “Assume breach” is the popular computer defense strategy based on the idea that your company is either already breached or could easily be breached by a dedicated attacker. There is a lot of validity to this approach. Most companies and organizations are super easy to hack and compromise. However, it doesn’t have to be this way.Some senior management folks might find this strange, but you can significantly make your organization harder to breach. In fact, just a handful of defenses can do more to lower your cybersecurity risk than anything else. These include fighting social engineering and phishing better, patching the most likely to be attacked software far better, and requiring multi-factor authentication (MFA) for all logons. This won’t guarantee that you won’t be attacked, but it does reduce the risk. How much?Depending on which survey you read, up to 91 percent of all cyber attacks begin with a successful phishing attempt. Think of the benefit you would get just from an effective social engineering awareness program. Based on my experience, doing significantly better at all three things might reduce your cybersecurity risk 99%. An assume-breach strategy will not do that. Assume breach is after the fact. You’re just trying to limit the damage by detecting the bad guys earlier and limiting their spread.If you want to stop getting hacked, you have to concentrate on not getting hacked in the first place. You can’t completely get rid of assume-breach strategies like better security monitoring, domain isolation and intrusion detection. Sadly, most organizations spending more money on assume-breach defenses instead of prevent-breach strategies. Patching and anti-social engineering and phishing programs most effectiveTwo of the three defenses I mentioned above, fighting social engineering and patching software, are not expensive. You’re already paying for them. Just do them better. You’re probably only spending 5% or less of your IT security budget on the two problems that likely make up 90% or more of your risk. In most organizations, it’s nearly 100% of the risk.Use multi-factor authentication when and where you canFighting social engineering and patching will decrease your cybersecurity risk the fastest. Requiring MFA across all organizational logons is probably the third best thing you can do to lower your risk. Many passwords are compromised because of the first two issues, and most people re-use the same passwords across different sites. It’s a mess. The only way to fix it is to require MFA logons. Unfortunately, I don’t know of a MFA solution that works across all software, services, logons and devices. The best that you can do is to pick an MFA solution that works across the largest number of your sites, services and devices. Ensure you have reliable backups for everyoneI’m amazed by how many companies with supposedly good backups pay the ransom from ransomware that has locked up their systems. They often say they have good backups, but the time and resources needed to restore those backups would cost more than paying the ransom. Well, I’ve got news for you. Many companies pay the ransom and the unlock keys don’t work or the criminal culprit just doesn’t try to help them. If you can’t trust your backup solution to help with a massive restore event, then perhaps you need a better backup system.Use your company’s cybersecurity experience to figure out the restAfter you implement those four defenses, what you do then is up to you and your company’s cybersecurity weaknesses. Some companies, like those that develop lots of public and in-house software, should probably focus on better securing the software that they write. Other companies are traditionally under the threat of denial-of-service attacks and should strengthen their DDoS defenses. A lot of super-secure companies that don’t suffer breaches implement whitelisting application control software.Figure out where your remaining cybersecurity gaps are and fill them, but only after fixing the first four problems I recommend above. You can do significantly better in preventing breaches. Assume-breach defenses are OK and needed, but they can’t beat stopping breaches in the first place. Related content news analysis Water system attacks spark calls for cybersecurity regulation The Iranian CyberAv3ngers group’s simplistic exploitation of Unitronics PLCs highlights the cybersecurity weaknesses in US water utilities, the need to get devices disconnected from the internet, and renewed interest in regulation. By Cynthia Brumfield Dec 11, 2023 11 mins Regulation Cyberattacks Critical Infrastructure feature Accenture takes an industrialized approach to safeguarding its cloud controls Security was once a hindrance for Accenture developers. But since centralizing the company's compliance controls, the process has never been simpler. By Aimee Chanthadavong Dec 11, 2023 8 mins Application Security Cloud Security Compliance news analysis LogoFAIL attack can inject malware in the firmware of many computers Researchers have shown how attackers can deliver malicious code into the UEFI of many PCs though BIOS splash screen graphics. By Lucian Constantin Dec 08, 2023 8 mins Malware Vulnerabilities news Google expands minimum security guidelines for third-party vendors Google's updated Minimum Viable Secure Product (MVSP) program offers advice for working with researchers and warns against vendors charging extra for basic security features. By John P. Mello Jr. Dec 08, 2023 4 mins Application Security Supply Chain Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe