All of us involved in technology are hard-wired to love, admire, and covet tools. Hardware, software, firmware–the more tools the better. After all, no one wants to get caught without the right tool for the right job. Has there ever been a CIO or CISO, confronted by their CFO to cost-justify yet another tool, who hasn’t trotted out the cautionary phrase, “When the only tool you have is a hammer, every problem looks like a nail.”
But, it is critical that CISOs and CIOs take caution to not fall into the “shiny tool syndrome,” where we think that every new cybersecurity problem we encounter can only be addressed by the latest and greatest new tool. Of course, cybersecurity tools are great and are getting better all the time. And, as someone who works at a company where we are justifiably proud of the quality and innovation we put into our cybersecurity tools, I think we all need to stay on top of the latest in cybersecurity remedies.
Sometimes, however, it’s best to stick to the basics, the fundamental blocking and tackling that all organizations–regardless of size, industry, budget, or security challenge–must have deeply ingrained into their day-to-day processes. Good cyber hygiene practices may not be sexy, but they are absolutely essential and crucial to defending your crown jewels.
And there’s a profound, compelling reason why: We all are in more peril of becoming the next cybersecurity victim whose mistakes result in blaring headlines and become cautionary tales at industry conferences. The problem is getting worse every day.
Why? There are many reasons, but the most fundamental one is the fact that the attack surface continues to expand at an alarming rate. There are more endpoints than ever, thanks to trends like bring your own device, the Internet of Things, and the digitalization of critical infrastructure. Research indicates that a typical IT department manages more than 27,000 endpoints, and that more than half of them transmit sensitive data. The proliferation of cloud services also means that people can and do work from any location at any time as long as they have an internet connection, meaning that employees, customers, partners, and vendors all are accessing critical data through a web of interconnected devices.
With that many potential points of entry, we all have to ensure that, in additional to having the right cybersecurity tools, we are sticking to fundamental, tried-and-true cyber hygiene practices to limit the risk of attack, speed the process of detection, and ensure reliable, consistent remediation.
So, what constitutes good cyber hygiene?
- Committing to, and following, a really robust vulnerability pathing process. Within 24 hours of identifying a vulnerability, all critical systems should be patched; within 72 hours, all systems must be patched.
- Compensating controls for unpatched systems are a must.
- Automating detection, prevention, and remediation is essential; humans no longer can keep up with cyber risk and the relentless wave of incursion attempts–most of which are automated, themselves.
- Adopting a zero-test security architecture, where every piece of network traffic is inspected and applications must be white-listed before they can be accessed over the network.
- Improving and increasing visibility into all application usage. You must know when and where applications are being used, and who is using them. This becomes trickier with all the web-based applications our enterprises are using, but it’s more essential than ever. Suitable controls must be put in place to improve visibility and automated steps have to take immediate action when issues are identified.
C-suite executives and board members also must be active participants in cyber hygiene blocking and tackling. (And not just because business leaders have been known, from time to time, to cut some corners when it comes to their own cyber hygiene.) Business executives should press their CISO and CIO for clear answers to fundamental questions about cyber hygiene practices and risk:
- What are the most fundamental cyber hygiene practices that everyone who touches our network has to follow?
- What are we doing to reduce the attack surface, even as we continue to add endpoints?
- What metrics are we using to measure our vulnerabilities, and what do the statistical trendlines look?
- Do we need to add more controls on application usage, especially SaaS applications, to ensure everyone is following the fundamental rules of cyber hygiene?
- When our business units start up new IoT projects, what safeguards need to be put in place to limit the potential exposure of these new endpoints?
Practicing good cyber hygiene is not the panacea for preventing data breaches, just like jogging regularly won’t prevent a heart attack by itself. But just like it’s easy to imagine that a sedentary lifestyle contributes to health risk, I can guarantee that bad cyber hygiene will promote the potential of catastrophic cyber risk–even if you have all the shiny new tools on the market.
Naveen Zutshi is chief information officer at Palo Alto Networks.