Yes, you do need to be prepared should your organization be breached, but countering social engineering, patching, multi-factor authentication and a solid backup plan will keep most breaches from happening in the first place.

"Assume breach" is the popular computer defense strategy based on the idea that your company is either already breached or could easily be breached by a dedicated attacker. There is a lot of validity to this approach. Most companies and organizations are easy to hack and compromise. However, it doesn't have to be this way.

Some senior management folks might find this strange, but you can make your organization significantly harder to breach. In fact, just a handful of defenses do more to lower your cybersecurity risk than anything else: fighting social engineering and phishing better, patching the software most likely to be attacked far better, and requiring multi-factor authentication (MFA) for all logons. This won't guarantee that you won't be attacked, but it does reduce the risk. How much?

Depending on which survey you read, up to 91 percent of all cyber attacks begin with a successful phishing attempt. Think of the benefit you would get just from an effective social engineering awareness program. Based on my experience, doing significantly better at all three things might reduce your cybersecurity risk by 99%. An assume-breach strategy will not do that. Assume breach is after the fact: you are trying to limit the damage by detecting the bad guys earlier and limiting their spread.

If you want to stop getting hacked, you have to concentrate on not getting hacked in the first place. You can't completely do without assume-breach measures like better security monitoring, domain isolation and intrusion detection. Sadly, most organizations are spending more money on assume-breach defenses than on prevent-breach strategies.
Patching and anti-social engineering and phishing programs most effective

Two of the three defenses mentioned above, fighting social engineering and patching software, are not expensive. You're already paying for them; just do them better. You're probably spending 5% or less of your IT security budget on the two problems that likely make up 90% or more of your risk. In many organizations, it's nearly 100% of the risk.

Use multi-factor authentication when and where you can

Fighting social engineering and patching will decrease your cybersecurity risk the fastest. Requiring MFA across all organizational logons is probably the third best thing you can do to lower your risk. Many passwords are compromised because of the first two issues, and most people re-use the same passwords across different sites. It's a mess. The most effective fix is to require MFA logons. Unfortunately, I don't know of an MFA solution that works across all software, services, logons and devices. The best you can do is to pick an MFA solution that covers the largest number of your sites, services and devices.

Ensure you have reliable backups for everyone

I'm amazed by how many companies with supposedly good backups pay the ransom when ransomware has locked up their systems. They often say they have good backups, but that the time and resources needed to restore from those backups would cost more than paying the ransom. Well, I've got news for you: many companies pay the ransom and the unlock keys don't work, or the criminals simply don't try to help them. If you can't trust your backup solution to handle a massive restore event, then you need a better backup system, and the only way to know whether you can trust it is to test a full restore before you need one.

Use your company's cybersecurity experience to figure out the rest

After you implement those four defenses, what you do next is up to you and your company's cybersecurity weaknesses.
Some companies, like those that develop lots of public and in-house software, should probably focus on better securing the software they write. Other companies are traditionally under the threat of denial-of-service attacks and should strengthen their DDoS defenses. Many very secure companies that don't suffer breaches implement application control (whitelisting) software.

Figure out where your remaining cybersecurity gaps are and fill them, but only after fixing the first four problems recommended above. You can do significantly better at preventing breaches. Assume-breach defenses are OK and needed, but they can't beat stopping breaches in the first place.
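The backup section above makes the point that a backup you cannot rely on for a massive restore is not really a backup. One concrete way to earn that reliance is a restore drill: record a SHA-256 digest of every file at backup time, then check the restored tree against those digests so silently truncated or never-restored files are caught before a ransomware incident, not during one. The Python below is an example added to this article; it is not the author's tooling or any vendor's product, and the directory layout, file names and the simulated corruption are all constructed for the demonstration.

```python
"""Backup restore verification drill (example added to this article, not the
author's tooling). A manifest of SHA-256 digests is taken at backup time and a
restored tree is checked against it. All paths and sample files below are
constructed for the demonstration."""

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backup sets need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the backup-time manifest.

    Surfaces the three findings a restore drill must report: files missing
    from the restore, files whose contents differ, and unexpected extra files.
    """
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    corrupted = sorted(
        name for name in manifest
        if name in current and current[name] != manifest[name]
    )
    return {
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
        "ok": not (missing or corrupted or extra),
    }


def run_drill(tamper: bool = True) -> dict:
    """Constructed scenario: back up three files, restore them, and (if
    tamper is True) simulate a truncated file and a file that never came back."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        (src / "db").mkdir(parents=True)
        (src / "db" / "users.sql").write_bytes(b"CREATE TABLE users(...);\n" * 100)
        (src / "config.yaml").write_text("mfa: required\n")
        (src / "notes.txt").write_text("restore drill\n")

        manifest = build_manifest(src)      # recorded at backup time

        shutil.copytree(src, restored)      # the restore itself
        if tamper:
            # Silent corruption: the file exists but is truncated.
            (restored / "db" / "users.sql").write_bytes(b"CREATE TABLE")
            # A file the restore job never wrote back.
            (restored / "notes.txt").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = run_drill()
    print("restore ok" if result["ok"] else f"restore FAILED: {result}")
```

In a real deployment the manifest is written with each backup set and a copy is kept somewhere the attacker who encrypts the file server cannot reach (offline or immutable storage), since a manifest that is encrypted along with the data verifies nothing. Running the drill against a scratch restore target on a schedule, and treating any missing or corrupted entry as an incident, is what turns "we have backups" into a claim you can defend.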