Minimum Cybersecurity Practices to Protect Your Company Against 99% of Attacks
3 min read
Recently Microsoft has issued their 2023 Digital Defense Report that provides insights into the digital threat landscape and empowers organizations’ digital defense. The report suggests simple rules to prevent most cyber attacks.
One of the key conclusions presented by experts in the report is that the majority of successful cyberattacks can be prevented by implementing just a few fundamental cybersecurity hygiene rules.
In other words, companies do not necessarily need to build expensive and large-scale systems. They just need to adhere to the following minimal security standards to withstand over 99% of attacks:
- Implement multifactor authentication. It is interesting that the second factor, tied to an email address or sent via SMS, is no longer considered sufficiently secure. More and more often, authenticator apps, the passwordless approach, or yet quite “exotic” hardware tokens are recommended as a more secure alternative.
- Apply Zero Trust principles. The Zero Trust concept involves proactive protection through the absence of trust even to users and devices inside the company’s network perimeter. By constantly verifying users and devices as well as enforcing strict access control, the risk of unauthorized access is significantly reduced. Zero Trust principles include:
- Continuous explicit verification. Before granting access to resources, it is necessary to ensure that users and devices have undergone authentication and authorization considering all available data points, specifically, user identities, locations, device status, services, or work processes, as well as data types and anomalies.
- Least privilege access. This principle involves restricting user access in terms of time and the extent of rights, granting only those necessary to access a resource.
- Treat every request as a security breach. Constantly assume that your system security has been breached, and your systems could be compromised. This entails continuous monitoring of the environment for potential attacks.
- Use XDR and antimalware. The use of extended detection and response (XDR) in combination with malware protection software enhances an organization’s ability to defend against a wide range of cyber threats, respond quickly to incidents, and maintain a reliable security level. These tools assist in gathering analytical information regarding malicious activities, detecting, and automatically blocking attacks on systems. Continuous monitoring of threat detection systems is crucial for timely response to such threats.
- Keep up to date. Keeping all systems up to date is essential for cybersecurity since software updates and security patches are released by vendors to address known vulnerabilities and security flaws. The absence of the latest security updates and outdated systems remain one of the primary reasons why many companies fall victim to cyberattacks. It is critically important to establish a regular update process for all systems, including firmware, the operating systems, and applications.
- Protect sensitive data. Understanding what the company’s confidential and critically important data is, where it is located, and whether appropriate protection methods are implemented is crucial for ensuring proper security. This protection may involve data encryption, access control, backups as well as developed and implemented security policies to prevent data breaches, ensure integrity, and confidentiality.
These security rules are not rocket science, so why haven’t many companies implemented these fundamental practices? The answer probably lies in the realm of changing the daily habits of employees and the internal company culture. This process is not easy or quick, and it will likely encounter resistance from people. Nevertheless, these actions are necessary, and it is best to start implementing them now.
Dmytro has been working in IT for over 20 years. He started his career as an information security specialist and also tried his hand in other areas: Quality Assurance, Business Analysis, Project Management, People Management, and others. In recent years, he has focused greatly on information security and achieved considerable success in it. Today, Dmytro is the Head of the Information Security Department and has extensive experience in process building and team management. He is a well known speaker at specialized events and a trainer at internal and external courses of Sigma Software University.