‘Focus on the fundamentals,’ says cybersecurity expert

10 Nov 2023


Hackuity’s Sylvain Cortes says it’s important to master the fundamentals of cyber hygiene before considering more complex risks.

Security teams often concentrate on tackling the most advanced risks. However, this focus can be counterproductive if the foundations of cybersecurity go overlooked.

As cyberattacks increase year on year, there has never been a more important time to refresh the fundamentals of cybersecurity. This includes adhering to government guidance for better cyber hygiene.

Here we explore the fundamentals of a good cybersecurity strategy and how organisations can maintain vigilance in this vital area.

Updating software

Security teams are grappling with a growing number of vulnerabilities and an ever-expanding attack surface. Because security teams and the operations teams that run updates often work in silos, and because updates can lead to business downtime, patching these vulnerabilities as they arise can be a daunting task.

However, the latest guidance from the UK’s National Cyber Security Centre (NCSC) suggests that when a company receives an alert to update its device or software, it should not be disregarded. Executing these updates is one of the swiftest measures to reinforce online safety.

The concept of ‘if it ain’t broke, don’t fix it’ is a false comfort when it comes to software patching. Organisations should proactively try to find and mitigate vulnerabilities before adversaries can exploit them to orchestrate attacks.


In 2022, more than 25,000 new common vulnerabilities and exposures (CVEs) were published worldwide. From January to April of 2023 alone, this figure reached 7,489.

Over the last ten years, there has been a spike in the number of CVEs discovered. A significant proportion of these vulnerabilities were disclosed quite some time ago, and we have found that 80pc of cyberattacks exploit a vulnerability that was made public over five years ago.

By regularly updating software, organisations can fix vulnerabilities before they are exploited and ensure the software on which they rely isn’t opening them up to attacks. Regular updates also mean that organisations must have constant vigilance in monitoring, discovering, analysing and fixing vulnerabilities across all possible points of attack.

Managing the attack surface

Managing a growing attack surface is at the heart of an effective cybersecurity strategy, particularly given the accelerating adoption of cloud services and hybrid work models. Assets such as public cloud services, desktop computers, and Internet of Things (IoT) devices are routinely exposed to external threats.

Cybercriminals can easily identify and exploit these assets, which then serve as potential backdoors into the organisation. A key component of staying ahead of these threats is robust attack surface management (ASM). This isn’t just about securing the external perimeter; it’s about comprehensively safeguarding all internal and external assets that could be potential entry points for attackers. Understanding these components is crucial for implementing a comprehensive strategy that truly safeguards an organisation.


The rising number of security vulnerabilities means teams need a way to focus on the biggest threats that matter to their business. Understanding the context around risks is critical to allocating resources accordingly.

While some teams have adopted more advanced vulnerability management programmes, others lag, relying on outdated, manual methods that lack context or insights into the real risks. This approach is unsustainable in the long run. It’s a bit like using a bucket to bail out a flooding ship. And simply adding more tools won’t solve the core issue.

A centralised view of all assets and the ability to prioritise risks helps companies use their current security tools more effectively, to save time and money, and provides them with a constant overview across their entire attack surface.
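The prioritisation described above can be made concrete with a small script. This is an added example, not code from Hackuity or the author: it takes a constructed inventory of open findings (with placeholder vulnerability identifiers, not real CVEs), scores each one using assumed weights for severity, internet exposure and the five-year disclosure-age threshold the article cites, and returns the findings in the order a team should address them.

```python
"""Context-aware vulnerability prioritisation over a small asset inventory.

Added example, not the article's or Hackuity's own code. The weights used
in risk_score() are assumptions chosen for illustration; a real programme
would calibrate them against business context (data sensitivity, known
exploitation, compensating controls).
"""
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str          # placeholder identifier, not a real CVE
    disclosed: date       # date the vulnerability was made public
    severity: float       # CVSS-style base score, 0 to 10
    internet_facing: bool # whether the asset is reachable from the internet


# Threshold from the article: 80pc of attacks exploit flaws public for over five years.
STALE_YEARS = 5
# Assumed multipliers for the two context factors.
EXPOSURE_MULTIPLIER = 2.0
STALE_MULTIPLIER = 1.5


def age_years(disclosed: date, today: date) -> float:
    """Years elapsed since public disclosure."""
    return (today - disclosed).days / 365.25


def risk_score(f: Finding, today: date) -> float:
    """Severity as the base, scaled up for exposure and for long-public flaws."""
    score = f.severity
    if f.internet_facing:
        score *= EXPOSURE_MULTIPLIER
    if age_years(f.disclosed, today) >= STALE_YEARS:
        score *= STALE_MULTIPLIER
    return round(score, 2)


def prioritise(findings: List[Finding], today: date) -> List[Finding]:
    """Findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: risk_score(f, today), reverse=True)


def stale_findings(findings: List[Finding], today: date) -> List[Finding]:
    """Findings whose vulnerability has been public for STALE_YEARS or longer."""
    return [f for f in findings if age_years(f.disclosed, today) >= STALE_YEARS]


# Constructed sample inventory (hostnames and vulnerability ids are made up).
INVENTORY = [
    Finding("web-01",    "VULN-0001", date(2017, 3, 1),  9.8, True),
    Finding("db-02",     "VULN-0002", date(2023, 6, 15), 9.8, False),
    Finding("laptop-17", "VULN-0003", date(2016, 1, 20), 5.3, False),
    Finding("iot-cam-4", "VULN-0004", date(2022, 9, 1),  7.5, True),
]
TODAY = date(2023, 11, 10)  # the article's publication date, used as the reference day


if __name__ == "__main__":
    for f in prioritise(INVENTORY, TODAY):
        print(f"{risk_score(f, TODAY):6.2f}  {f.asset:<10} {f.vuln_id}  "
              f"{age_years(f.disclosed, TODAY):.1f}y old  "
              f"{'internet-facing' if f.internet_facing else 'internal'}")
    stale = stale_findings(INVENTORY, TODAY)
    print(f"{len(stale)} of {len(INVENTORY)} findings are over {STALE_YEARS} years old")
```

Note how the ordering differs from a plain severity sort: the two findings with identical severity 9.8 end up far apart because one sits on an internet-facing host and has been public for years, while the other is a recent flaw on an internal database.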

The ‘human factor’

A layered approach to cybersecurity is essential, and the ‘human factor’ in cybersecurity still plays an important part. Researchers from Stanford University found that 88pc of data breaches are down to human error.

Security awareness training helps employees to understand their role in preventing attacks, to identify threats and to engage with the fundamentals of good cyber hygiene. However, while awareness training can help to reduce risk and achieve compliance, it shouldn’t be used to plaster over security shortcomings.

There is also no such thing as a one-size-fits-all approach. For instance, some training programmes might provide only a general overview of how to combat and flag suspicious activities. Employees are less likely to engage with such generic programmes and gain little essential insight from them, because each company has its own unique challenges which need to be addressed.

Security awareness training can also suffer from being overly reliant on jargon, which can confuse the participants and make it harder to communicate issues clearly. Instead, training must be focused and interactive to connect with users.

A continuous approach

Many organisations might provide the training once – for example, during a special awareness month or compliance push. But they will expect their staff to pick up and retain all the necessary knowledge in one short stint. Companies must understand that security awareness training is not a one-and-done strategy. It is an ongoing journey.

Fortifying against cyberthreats isn’t just about advanced solutions; it’s about getting the fundamentals right. Organisations must prioritise critical aspects such as timely software updates, comprehensive vulnerability management and effective training. As these form the bedrock of a robust cybersecurity strategy, ignoring them puts organisations at unnecessary risk.

By Sylvain Cortes

Sylvain Cortes is VP of strategy at Hackuity, a cybersecurity vulnerability management platform. Cortes has more than 15 years of experience in cybersecurity as a strategist, evangelist and teacher.
