Basic cyber hygiene protects against 99% of cyber attacks

Basic cyber hygiene protects against 99% of cyber attacks. It sounds easy, but it implies establishing a proper cybersecurity program that includes people, processes and technology.

Microsoft's 2023 Digital Defense Report states that basic security measures protect organizations from 99% of cyber attacks.

To make this statement even stronger, we can add that without the fundamentals of cyber hygiene, even the most expensive state-of-the-art, cutting-edge technology will be undermined by the absence of a solid foundation.

The first important clarification concerns the definition of "fundamentals of cyber hygiene". This sounds relatively easy, but it can only be implemented through a structured cybersecurity program, which is itself a complex task.

Let's take the obvious example of the vulnerability scanning process and the subsequent patching of the identified vulnerabilities. It's a no-brainer that systems should be continuously scanned for vulnerabilities, and activating such a service takes just a few hours.

The real problem starts when the Security team sends out a list of 80+ critical vulnerabilities to the IT team on a Friday afternoon, demanding that they patch them immediately.

It becomes clear that, in the absence of an acknowledged cybersecurity strategy within the organization and a cybersecurity program that is shared and aligned with the IT department, there will be continuous conflicts and discussions. These will be decided by which department has more power, not by which risk the organization is most exposed to.

The second important clarification is what we can define as cyber hygiene or "basic security measures". Every year the bar is raised, as the threat exposure increases and the complexity of exploitation decreases.

A simple example is Multi-Factor Authentication (MFA). Because commodity services such as Microsoft 365 are now extensively exposed directly to the internet through cloud platforms, and because of the increasing number of data breaches, both of service providers and of individuals who use weak passwords and/or reuse their passwords on multiple sites, MFA becomes a fundamental security measure to have, and thus falls into the category of "basic security measure".

For the same reason, so does a password manager solution, which removes from individuals the burden of managing multiple complex passwords for all their personal and business applications.

Therefore, to be able to implement "basic cyber hygiene", organizations will need to deploy a proper cybersecurity program that encompasses all domains of cybersecurity, with a realistic, programmatic, risk-based approach and continual improvement.

It will be fundamental to identify and classify all assets, determining those that are critical to the business or that contain sensitive data.

It will be equally fundamental to identify the threats that could damage the Confidentiality, Integrity and Availability of the company's systems and data.

It will be practical to adopt a security framework and set of controls based on international security standards and regulatory requirements.

It will be necessary to define the current risk levels and determine target risk objectives, to prioritize the appropriate interventions in the areas of higher risk.
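As an added illustration of the risk-based prioritization described above (example code written for this page, not part of the original article or of Pro CISO's own method): a scanner's "critical" findings are re-ranked by organizational risk using a constructed asset inventory and assumed weighting factors, so that the Friday list of 80+ criticals is ordered by what matters to the business rather than by scanner severity alone.

```python
# Added example (not from the post): rank scanner findings by organisational risk
# rather than by scanner severity alone. All asset and vulnerability data below is
# constructed; the VULN-* identifiers are placeholders, not real CVE numbers.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int       # 1 (low) .. 3 (business critical), from asset classification
    sensitive_data: bool   # stores regulated or confidential data
    internet_facing: bool  # directly reachable from the internet

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float            # scanner's base score, 0.0 .. 10.0
    exploited_in_wild: bool  # listed in a known-exploited-vulnerabilities feed

# Constructed asset inventory (output of the "identify and classify" step).
ASSETS = {
    "crm-web-01": Asset("crm-web-01", 3, True, True),
    "hr-db-02": Asset("hr-db-02", 3, True, False),
    "build-agent-07": Asset("build-agent-07", 1, False, False),
    "kiosk-lobby": Asset("kiosk-lobby", 1, False, False),
}
# Constructed scanner export: two "critical" (>= 9.0) findings sit on low-value hosts.
FINDINGS = [
    Finding("build-agent-07", "VULN-0001", 9.8, False),
    Finding("crm-web-01", "VULN-0002", 7.5, True),
    Finding("kiosk-lobby", "VULN-0003", 9.9, False),
    Finding("hr-db-02", "VULN-0004", 8.1, False),
]

def risk_score(f: Finding, asset: Asset) -> float:
    """Severity weighted by what the asset means to the business (assumed weights)."""
    score = f.cvss * asset.criticality
    score *= 1.5 if asset.sensitive_data else 1.0
    score *= 1.5 if asset.internet_facing else 1.0
    score *= 2.0 if f.exploited_in_wild else 1.0
    return round(score, 2)

def prioritise(findings, assets):
    """Return (vuln_id, asset, risk) tuples, highest organisational risk first."""
    ranked = [(f.vuln_id, f.asset, risk_score(f, assets[f.asset])) for f in findings]
    return sorted(ranked, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for vuln_id, asset, risk in prioritise(FINDINGS, ASSETS):
        print(f"{risk:7.2f}  {vuln_id:10}  {asset}")
```

With these constructed inputs the two scanner "criticals" on the build agent and the lobby kiosk fall to the bottom of the list, while a 7.5 on the internet-facing, sensitive-data CRM server that is actively exploited comes first.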

We have only just started, and there is a lot still to do to cover all 6 phases of the NIST framework, which depicts the fundamental phases of cybersecurity: Governance, Identify, Protect, Detect, Respond, Recover.

At Pro CISO, we guide organizations to progressively build and improve their cybersecurity programs, assessing and improving their maturity levels and thus implementing "basic cyber hygiene".

We also go one step further and suggest tactical "quick wins" for the mitigation of evident risks, in a way that keeps the tactical initiatives aligned with the overarching strategic plan.

Reach out to know more!