The New Security Advice is the Same, Old Advice
As we head into the New Year, I’m often asked what my predictions are for the new year. What threats will emerge to be the biggest threats? And what defenses do I recommend to counter those new threats?
I get similar requests all the time, especially since COVID-19 hit. I have been invited to present no less than 100 webinars or Zoom meetings since March designed to tell management and remote workers what they need to be doing to be safe online.
I’m always befuddled by the question because what you need to be doing now, regardless of the situation, is what you should have been doing for the last two to three decades.
Threats and risks come and go. A long time ago, it was MS-DOS boot viruses causing all the problems. Then it was Windows viruses, email worms, and Java applets. Today, the biggest threat is probably ransomware. Accidentally leave something unpatched or get tricked into running a Trojan Horse program and you could be in a world of hurt. Your data and login credentials could be exfiltrated and your systems and files encrypted. Without paying the ransom…sometimes even with paying the ransom…things can be bad.
But the “dirty little secret” to computer defense is how those things infiltrate your computer or network hasn’t changed much since the beginning of computers. It’s mostly social engineering and unpatched software. And fighting those two things has been the best way for an individual or organization to defend themselves for three decades. Sure, there are one-offs…some organizations get broken into because of a rogue insider, Wi-Fi eavesdropping, or an SQL injection attack…but if you want to put your money into what defenses will be most likely to stop hackers and malware, it’s everything you can do to fight just two root causes of exploitation: social engineering and unpatched software.
Social engineering, such as tricking someone into running malware or giving away their login credentials, is involved in 70% to 90% of all malicious breaches (https://blog.knowbe4.com/70-to-90-of-all-malicious-breaches-are-due-to-social-engineering-and-phishing-attacks). Unpatched software is involved in 20% to 40% of all data breaches. Every other root cause you can think of (e.g., eavesdropping, password guessing, zero days, USB keys, misconfigurations, physical attacks, etc.) accounts for only 1% to 10% of the risk in most environments and for most people.
Organizations ask me, how do I best prevent hackers and malware? Concentrate on stopping social engineering and patch better. Individuals ask me how to protect their PCs at home. Concentrate on stopping social engineering and patch better. How do remote workers best protect themselves when working at home during COVID-19? Repeat after me: concentrate on stopping social engineering and patch better.
There isn’t some special, secret sauce to protect someone at home versus someone at work. There isn’t something we should do differently, computer security-wise, just because COVID-19 hit or because a new year is ringing in. Well, if the way hackers and malware most often broke into computers and networks had changed, we would have some new advice to follow. But it hasn’t, so the advice is the same.
This whole idea that people need to do something different with their computer security defense because of newly emerging threats is a great marketing theme. It gets people to listen. And any time more people are listening, that’s a good thing. But do they actually need to do something different? Probably not.
I’ve been doing computer security for going on 34 years, and with some brief (multi-year) exceptions, like computer viruses and USB key attacks (and the recent SolarWinds attack), what will best protect people on their computers over the long term now is what would have best protected people back in the 1980s. There is no doubt in my mind that defeating social engineering and patching better are the two best defenses anyone can put in place. Almost no one is doing either well enough.
How do I know? Because hackers and malware are more successful than ever. It’s hard to be perfect, but we can be better. A big part of the problem is that we are distracted by the latest threats and the flood of new gadgets and gizmos that promise significantly better computer security, while less and less time is devoted to the basics. Even though 70% to 90% of the risk is due to social engineering, most organizations spend less than 5% of their IT security budget to fight it. It’s a fundamental misalignment. I don’t think that organizations need to be spending 70% to 90% of their IT security budget to fight phishing, but perhaps more than 5%, don’t you think?
I’m not sure if anyone who might ask me to speak or write about the latest computer security scenario is going to read this article, but if you ask me what I would recommend to people today for “such and such” a reason, I’m going to give you the same reply I’ve been giving for over 30 years: concentrate on stopping social engineering and patch better. Nothing is more important to your environment.
Operational and technical privacy specialist and strategic vDPO | Privacy Tech Advisor | Technical Privacy Evangelist | Cybersecurity | Cloud | GRC
4 years
Straight up, simple and basic Roger Grimes - since I'll be inviting you to speak next year, I know what to expect. Next is really getting the implementation and management aspects of both SocEng and Patching, again simple and basic, but reminders and constant advice are needed out here.
Senior Cybersecurity Engineering Leader and Technical Solutions Architect with 15+ years of experience.
4 years
Yes, yes, yes, yes! And for those with cloud-native environments, for goodness' sake automate everything, consider managed native functions, run serverless and remove direct access from production environments to reduce the need for patching and social engineering attack effectiveness!
Manager - IT Operations - WAN Team
4 years
It's often the simplest advice that gets overlooked or dismissed.
Know the Risks - Cloud and Security Architect
4 years
This is so true and a nice read. Thanks for sharing! My security background doesn’t reach that far back. In the 90s I thought port blocking was a pain as it was hindering me from accessing my personal workstation from home - poor man's remote access, of course without any encryption. I found ways around... nothing happened, luckily. A little later I sort of lost several self-operated mail servers due to outdated software. This all happened more than 25 years ago. And still people are asking me about the importance of vulnerability management. Much has changed since then. Social engineering became so much easier nowadays as people are giving away almost unfiltered personal details. I wonder what will be identified as the root causes of the current breaches...
Practical & pragmatic consultant, architect, vCISO & NED; creatively helping make sense of systems and data obligations. Guider of informed ownership and effective “Cyber” decisions. Striver & driver of good standards.
4 years
Great article...and makes a change from the general trend of shock-marketing to sell the latest flashing/beeping gadget or gathers-dust-till-next-year certification.