
Cyber Security: Innovation or Back to the Basics?

April 26, 2016 – While innovation in cyber security is certainly necessary, studies have shown for many years that if companies and agencies simply patched everything they own to the current level, 93% of all vulnerabilities would be removed. The question that statement raises is this: why can’t IT shops get to 100% patching status?

There are multiple excuses given, e.g. legacy systems, people turning off their desktops/laptops so the patch never gets delivered, not enough resources to review and make sure patches are applied to systems, etc. While these excuses can have merit at times, few organizations take the time to develop a root cause analysis by continually asking “why” until they get to the root cause.

Technology alone is not the savior of cyber security. Building and maintaining plans for achieving protection from threat is achievable – and one of those plans has to be 100% patching – on everything. If a legacy system cannot be patched, the root cause analysis should tell people “move the legacy system to something that can be patched or replace it with new code or an application that can be patched.”

If the laptop or desktop was turned off, institute a policy that states that the system cannot be logged into until the patches have been applied – period. It is interesting that so-called draconian steps usually end up changing the mindset of people who have always turned off their desktop/laptop instead of logging out and leaving it running.
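The two policies above (no login until the required patches are applied, and a root-cause bucket for every host that is not at the current level) can be checked mechanically from an inventory. The following is an added example, not code from the original post or from any particular patch-management product; the host names, patch identifiers, check-in dates and the 14-day "offline" threshold are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Constructed sample data: patch IDs and host names are placeholders, not real bulletins.
REQUIRED_PATCHES: Set[str] = {"KB-0001", "KB-0002", "KB-0003"}
STALE_AFTER_DAYS = 14                 # assumed: no check-in for 14 days means "turned off"
TODAY = date(2016, 4, 26)             # constructed reference date for the report

# Root-cause bucket -> remediation the post argues for (placeholder wording).
REMEDIATION: Dict[str, str] = {
    "compliant": "none",
    "unpatched": "apply missing patches; block login until done",
    "offline": "system turned off, patch never delivered; block login until patched",
    "legacy-unpatchable": "migrate to a patchable platform or replace the application",
}


@dataclass
class Host:
    name: str
    installed: Set[str]               # patches currently present on the host
    last_checkin: date                # last time the patch agent reported in
    legacy: bool = False              # True if the platform cannot take current patches


def missing_patches(host: Host, required: Set[str] = REQUIRED_PATCHES) -> List[str]:
    """Required patches the host does not have, sorted for stable output."""
    return sorted(required - host.installed)


def login_allowed(host: Host, required: Set[str] = REQUIRED_PATCHES) -> bool:
    """The post's policy: no login until every required patch is applied."""
    return not missing_patches(host, required)


def classify(host: Host, today: date = TODAY,
             required: Set[str] = REQUIRED_PATCHES,
             stale_days: int = STALE_AFTER_DAYS) -> str:
    """Assign each non-compliant host to the root-cause bucket its evidence supports."""
    if not missing_patches(host, required):
        return "compliant"
    if host.legacy:
        return "legacy-unpatchable"
    if (today - host.last_checkin).days > stale_days:
        return "offline"
    return "unpatched"


def compliance_report(hosts: List[Host], today: date = TODAY,
                      required: Set[str] = REQUIRED_PATCHES) -> Dict[str, object]:
    """Overall patch-compliance percentage plus hosts grouped by root-cause bucket."""
    buckets: Dict[str, List[str]] = {}
    for h in hosts:
        buckets.setdefault(classify(h, today, required), []).append(h.name)
    compliant = len(buckets.get("compliant", []))
    percent = round(100.0 * compliant / len(hosts), 1) if hosts else 0.0
    return {
        "percent_compliant": percent,
        "buckets": buckets,
        "actions": {bucket: REMEDIATION[bucket] for bucket in buckets},
    }


# Constructed inventory: one host per bucket plus a second compliant server.
SAMPLE_HOSTS: List[Host] = [
    Host("ws-01", {"KB-0001", "KB-0002", "KB-0003"}, date(2016, 4, 25)),
    Host("ws-02", {"KB-0001", "KB-0002"}, date(2016, 4, 25)),
    Host("ws-03", set(), date(2016, 3, 20)),                 # off for 37 days
    Host("srv-legacy", {"KB-0001"}, date(2016, 4, 25), legacy=True),
    Host("srv-02", {"KB-0001", "KB-0002", "KB-0003"}, date(2016, 4, 26)),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_HOSTS)
    print(f"{report['percent_compliant']}% of hosts at current patch level")
    for bucket, names in report["buckets"].items():
        print(f"  {bucket:20} {', '.join(names):30} -> {REMEDIATION[bucket]}")
    for h in SAMPLE_HOSTS:
        print(f"login {h.name}: {'allowed' if login_allowed(h) else 'denied'}")
```

The point of the buckets is the post's "keep asking why": an offline host and a legacy host both show up as "missing patches" in a raw scan, but the fix for one is a login-gating policy and for the other is migration or replacement, so a report that only prints a percentage hides the action that actually closes the gap.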

Much has been written about user behavior and cyber security; specifically, that behavioral change is the most significant driver in improving overall cyber security for any enterprise. Not changes in technology – changes in behavior. People still open phishing campaign emails even though they have received instructions saying “don’t do that.” People still write their password down on a piece of paper and put it somewhere on their desk. System administrators still use group passwords to ease the login process for servers. All of these are actions people know not to do, but they still do them. When management starts to believe that the next new shiny tool will solve their cyber security issues without first looking at what is required to remove the vulnerabilities, then the behavior mindset needs to change.

If only one activity – patching – can reduce 93% of the vulnerabilities in the enterprise, does it not make sense to get that accomplished so that cyber security professionals can focus on the remaining 7% with all of their time? Cyber security innovation is important. Getting back to the basics can yield even better results.