When a company gets breached, one of the main accusations that is often levelled is that they did not cover the "basics" of cyber security.
The most recent Verizon Data Breach Investigations Report found that 90 percent of the breaches it examined fit into only nine patterns.
More surprisingly, these were the same patterns of attack as in previous years, showing that the attackers had not needed to invest in new techniques. As Lorenz Kuhlee, Incident Response/Forensic Consultant, Verizon RISK Team, said, this shows a worrying lack of investment in ‘the basics’.
But with so many products and vendors out there, it is hard to know what the basics actually are.
There is no longer a single, well-defined attack surface to protect. Information is no longer centralised on a company’s own mainframes or sitting in its own data centre; it now flows out to third-party public and private clouds.
In the other direction, the arrival of smartphones and wearables in the enterprise has also extended the end-points of the network.
As a starting point, assess the various entry points for threats into your specific business. This should involve a discussion between management, employees and IT.
Ask a series of questions: what data do you need to protect and how much are you willing to spend to protect it? Does that data need to be shared amongst employees? Do you have remote workers that will have to be authenticated to access the data from multiple locations?
As Lisa Toth, US Head of Risk, Compliance and Regulation at Hatstand, says, there is "not a one size fits all solution to cybersecurity and a tailored approach will enable each firm to fit a framework to both their risk appetite and budget on a strategic and tactical basis."
She recommends performing a risk assessment, then to use this to "evolve a working plan to mitigate the gaps and demonstrate to the regulators and stakeholders that the firm is taking its cyber risk management responsibilities extremely seriously."
If you know what your risk is and how much a breach will cost your business, then you can work out how big your budget needs to be.
A simple, cheap and effective protection to put in place as a starting point is education of staff.
Giving staff a thorough grounding in the types of attack to expect and how to stop them is a strong first step. Technological controls must not be neglected, but training is disproportionately effective against the most common threats, because most of them depend on a person making a mistake.
What should this training look like? Matt Walmsley, EMEA Director, Vectra Networks, says that much of good training is about improving behaviour.
For example, an extremely common form of attack at the moment is phishing: a message that appears to come from a legitimate sender tricks the recipient into giving up information or clicking a malicious link.
According to Cyber Security Partners (CSP), there are 156 million phishing emails sent every day. A phishing attack was used in the attack on Snapchat on 26 February, when a scammer impersonated Snapchat CEO Evan Spiegel in a request for employee information.
One employee fell for the scam, providing the payroll information of around 700 current and former employees.
In an enterprise context, being well educated about unsophisticated threats such as phishing can be highly effective in stopping them. This could mean as little as showing examples of what phishing attacks look like so that employees recognise them when they appear.
It is also important that employees can recognise potentially dangerous URLs or downloads in what seems to be a legitimate email or, increasingly, in other communication channels: FireEye recently reported the RuMMS malware, which is delivered through SMS messages rather than email.
Walmsley says that the impact of training can be measured by comparing pre and post-training testing results from orchestrated phishing and social engineering attempts.
Gert-Jan Schenk, VP of EMEA at Lookout says that organisations should "regularly run tests for employees, to train them to be more observant and catch phishing attacks by doing things like reviewing email address, subject line, attachments and so on."
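The checks Schenk lists (sender address, subject line, attachments) can be turned into a simple triage script that a help desk or mail gateway runs over a reported message. The following is an added example, not code from the article or from any of the vendors quoted; the corporate domain `example.com`, the executive name "Jane Doe", the keyword and extension lists, and both sample messages are constructed for illustration. It flags the display-name impersonation pattern used against Snapchat (an executive's name on an external address), lookalike sender domains, a Reply-To pointing elsewhere, pressure language in the subject, and attachment types that commonly carry malware.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data (assumptions for this example).
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}                      # e.g. the CEO, as a display name
URGENCY_WORDS = ("urgent", "immediately", "today", "payroll", "wire transfer")
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "docm", "xlsm", "zip"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot near-miss domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def analyse(raw_message: str) -> list:
    """Return human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. An executive's display name on a non-corporate address.
    if name.strip().lower() in EXECUTIVE_NAMES and from_domain != CORPORATE_DOMAIN:
        findings.append(f"executive name on external address: {name} <{addr}>")

    # 2. Sender domain is a near-miss of our own domain.
    if (from_domain and from_domain != CORPORATE_DOMAIN
            and levenshtein(from_domain, CORPORATE_DOMAIN) <= 2):
        findings.append(f"lookalike sender domain: {from_domain}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain differs from sender: {domain_of(reply_addr)}")

    # 4. Pressure language in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"urgency cues in subject: {', '.join(hits)}")

    # 5. Attachments of types that commonly carry malware.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().rsplit(".", 1)[-1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {filename}")

    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: hr-payroll@mail-secure.net
To: staff@example.com
Subject: URGENT: payroll information needed today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please send me the payroll details for all current and former employees.
--b1
Content-Type: application/octet-stream; name="payroll_form.docm"
Content-Disposition: attachment; filename="payroll_form.docm"

AAAA
--b1--
"""

SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Lunch on Friday

The cafeteria will be open from noon.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, analyse(raw) or ["no red flags"])
```

Running the script prints five findings for the constructed phishing message and none for the benign one. The same five checks are the ones to walk staff through in training, since none of them requires any tooling to apply by eye.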
Perhaps to the disappointment of security professionals, however, Walmsley emphasises that security training is not a "one-time pill".
"It needs to be an iterative process embedded into an organisation's security posture and refined based upon contextual learnings."
There are other human factors to consider. Many breaches are caused by hackers gaining legitimate credentials and simply signing in to networks rather than any kind of digital ‘break-in’.
This is due to the inherent weakness of the password. Because passwords are hard to remember, people often choose obvious ones, such as their own name, and reuse the same password across multiple accounts.
Additionally, a short or predictable password can be recovered by brute force. An attacker who obtains a copy of the stored password hashes can test every combination offline, where the login page's rate limiting does not apply, and a weak password falls in minutes; only length and unpredictability push that cost beyond reach.
SailPoint’s 2016 Market Pulse Survey found that 63 percent of respondents used a single password among applications and 28 percent shared passwords with co-workers.
The solution might seem to be implementing policies to force employees to use more complex and hence safer passwords. However, this is doomed to face resistance if these passwords are not memorable.
Rather than rely on employees remembering passwords, some companies suggest technological solutions. Joe Siegrist, CEO and co-founder of LastPass, says that "a password manager for personal accounts, teams and entire businesses helps people embrace password best practices while maintaining a secure digital identity."
Good password managers are not simply an encrypted store containing passwords, but provide the option of whether to sync passwords across all devices or whether to keep them local to a single device.
Perhaps, though, as some companies claim, it is time to move past the password altogether.
For example, it is increasingly easy to implement multi-factor authentication, in which two or more different ‘factors’ are combined in a single login. These factors can be something the user has (a smartphone), something the user knows (a PIN code or password) or something the user is (a fingerprint or other biometric).
The proliferation of smartphones makes two of these factors particularly easy to obtain: the smartphone can be the something the user has, and its camera, touch screen and microphone also allow biometric authentication to be used.
Moving from policy to product, traditional antivirus and firewall products are a good start.
This includes security software installed on end-points such as smartphones and PCs, which can protect the enterprise from general malware that could be downloaded inadvertently through a user mistakenly clicking a link to a rogue domain.
There are many anti-malware solutions, some free, that can be downloaded directly onto a smartphone from an app store or installed by the IT department.
However, as Andrew Tang, Service Director, Security at MTI Technology, says, protection also has to cover the entry and exit points of the network, such as perimeter firewalls, email gateways and web gateways.
"If there is a web presence, ensure the web application is secure," he says.
He recommends adopting the OWASP Top Ten, a regularly updated list of the most critical web application security risks, with guidance on how to prevent each of them.
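Injection has headed the OWASP Top Ten for years, and it is a good illustration of what "ensure the web application is secure" means in code. The following is an added example, not code from the article or from OWASP; the in-memory SQLite table, the two accounts and the attacker's password are constructed. It shows a login that splices the username into SQL beside the parameterised version, and it deliberately hashes stored passwords with PBKDF2 to make a point: hashing does not help against injection, because a UNION lets the attacker supply a salt and hash of their own choosing, so the row the application checks never came from the table at all.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db() -> sqlite3.Connection:
    """In-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, password_hash TEXT)")
    for user, pw in (("alice", "correct horse battery staple"), ("bob", "hunter2")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, hash_password(pw, salt)))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Injection: the username is spliced into the SQL text, so the caller
    controls the statement, not just a value in it."""
    row = conn.execute(
        "SELECT salt, password_hash FROM users WHERE username = '%s'" % username
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver passes username as data, never as SQL."""
    row = conn.execute(
        "SELECT salt, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def forge_union_payload(attacker_password: str) -> str:
    """A 'username' that closes the string literal, appends a UNION row holding a
    salt and hash the attacker computed themselves, and comments out the rest."""
    salt = b"\x00" * 16
    return "' UNION SELECT X'%s', '%s' --" % (salt.hex(), hash_password(attacker_password, salt))


if __name__ == "__main__":
    db = make_db()
    payload = forge_union_payload("attacker-pw")
    print("vulnerable login as alice with her password:",
          login_vulnerable(db, "alice", "correct horse battery staple"))
    print("vulnerable login with forged username:", login_vulnerable(db, payload, "attacker-pw"))
    print("hardened login with forged username:  ", login_hardened(db, payload, "attacker-pw"))
```

The only change between the two login functions is how the username reaches the database, which is exactly why parameterised queries (or an ORM that uses them) are the first item under Injection in the OWASP guidance; input filtering on its own is not.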
Businesses should also ensure a robust patching plan is in place, so that vulnerabilities in software cannot be exploited.
Albie Attias, Managing Director at King of Servers, says that many organisations are still routinely using old software. Attias cites a survey by Spiceworks in 2015, which found 66 percent of IT managers saying their organisation was still using Windows XP in some capacity.
"This poses a huge threat to security, as Microsoft no longer releases security updates for this operating system," he says.
"Organisations should always ensure their OS is up-to-date, and plan to upgrade their systems in advance of their provider turning off extended support and security patches."
This goes for mobile devices as well, where a strong update policy is a must-have. Device vendors issue patches regularly as vulnerabilities are found in the operating system and its bundled software, but they only help once they are actually installed.
A solution is to invest in a "corporate-owned, personally enabled" model, where devices are issued to the workforce and control over updates is retained centrally within the organisation.
These basic approaches will not guarantee safety from cyber attacks, but they could deter the everyday unsophisticated hackers by making an attack slightly too much hassle to bother with.