

When a significant cyber incident hits the news, what comes to your mind first? For me, it is to find out how and why it happened. Most of the time, as the 2020 Data Breach Investigations Report confirms, the cause is inadequate implementation of fundamental controls. These controls are usually ignored and challenging to get right, and senior business leaders lack oversight of, or even interest in, their status.
Building cyber resilience is a deliberate effort to protect high-value assets, starting with the fundamental controls. Equifax Chief Information Security Officer, Jamil Farshchi, highlighted this point of view in an interview. Having joined Equifax after the massive 2017 data breach, one of the three acts of his security transformation focused on fundamental controls. Regardless of the size and industry, these controls are critical, and any cyber strategy that doesn’t prioritise them will be in vain.
Let’s look at the five controls.
Passwords: Organisations use various business systems to perform internal business processes and functions, and users must authenticate to each of them with a password. However, ensuring that users choose complex, unique, and strong passwords is challenging. According to the new National Institute of Standards and Technology (NIST) password guidelines, users are more likely to choose a weaker password if they know they will have to change it soon, so asking users to change their password regularly is no longer the answer. The use of multiple systems, each requiring a different pair of credentials, makes the password problem even worse.
To give users a fighting chance, organisations must implement single sign-on (SSO) for all business systems, so that users need to remember only one identity – username and password. Users must also be encouraged to use memorable passphrases when creating passwords, with a length of at least eight characters (twelve for system administrators). As highlighted by the NIST password guidelines, organisations can let users keep their passwords for an extended period and change them only when compromised, and implement multi-factor authentication for access to critical resources from remote locations.
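The password rules above follow the direction of NIST SP 800-63B: length over composition rules, screening against known-compromised passwords, and rotation only on evidence of compromise. The following is an added illustration (not code from the article) of what that policy looks like when enforced in code. The blocklist is a tiny constructed stand-in for a real breached-password corpus, and the function names and thresholds are assumptions, except for the eight- and twelve-character minimums taken from the text.

```python
"""Password acceptance and rotation checks in the spirit of NIST SP 800-63B.

Added example: length over complexity rules, a compromised-password blocklist,
no context-specific words (the username), and no periodic expiry.
The blocklist, thresholds other than 8/12, and helper names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH_USER = 8      # from the article
MIN_LENGTH_ADMIN = 12    # from the article, for system administrators

# Constructed stand-in for a breached/common-password corpus. A real deployment
# would screen against a far larger list of known-compromised passwords.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "welcome1", "summer2020"}


@dataclass
class Verdict:
    accepted: bool
    reasons: list[str] = field(default_factory=list)


def check_password(password: str, username: str, is_admin: bool = False) -> Verdict:
    """Return whether the password is acceptable and, if not, every reason why."""
    reasons: list[str] = []
    lowered = password.lower()
    min_len = MIN_LENGTH_ADMIN if is_admin else MIN_LENGTH_USER
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if lowered in BLOCKLIST:
        reasons.append("appears in the compromised-password blocklist")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if len(set(lowered)) <= 2:
        reasons.append("repetitive characters")
    return Verdict(accepted=not reasons, reasons=reasons)


def legacy_rotation_due(last_changed_iso: str, today_iso: str, max_age_days: int = 90) -> bool:
    """The older policy: force a change every N days regardless of any evidence."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed >= timedelta(days=max_age_days)


def nist_rotation_due(compromised: bool) -> bool:
    """The policy the article describes: change only on evidence of compromise."""
    return compromised


if __name__ == "__main__":
    for pw, user, admin in [("Tr0ub4dor&3", "alice", False),
                            ("Tr0ub4dor&3", "alice", True),
                            ("Password1", "bob", False),
                            ("correct horse battery staple", "alice", True)]:
        v = check_password(pw, user, admin)
        print(f"{pw!r} ({'admin' if admin else 'user'}): {'ok' if v.accepted else v.reasons}")
```

Note that no composition rule (uppercase, digit, symbol) appears anywhere: under this guidance a long, memorable passphrase with no special characters is accepted for an administrator, while a short "complex" string that meets every old-style rule is not.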
Patching: Patching is challenging because it takes time, requires updating asset inventories, and there are always risks – downtime and failures associated with patching. In his book, Bruce Schneier, a renowned security technologist, emphasises that organisations must patch quickly and figure out how to mitigate failures associated with patching. Effective patching should prioritise high-value assets.
We don’t have the requisite skill in security engineering to get it right the first time, so we have no choice but to patch quickly. But we also have to figure out how to mitigate the costs of the failures inherent in this paradigm – Bruce Schneier.
User access reviews: When new staff join an organisation, they are assigned access to various business systems to perform their responsibilities – most times, more than required. Over time, as they move jobs or leave, their access to these systems is not revoked. These systems store critical information – classified business, personal and health information – so unreviewed access to them is a massive risk to any organisation. Some staff retain access long after moving on: system owners are not aware of their responsibilities and do not follow the established change-of-role or separation processes, so users keep access they no longer need.
Due to the risk, organisations must assign access commensurate to roles and regularly review the access – quarterly or annually. Although manual user access review can be tedious, it must be done, at the very least for critical systems. Alternatively, organisations can manage user access lifecycle with an identity and access management platform.
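A manual access review is, in practice, a reconciliation: what each system currently grants, compared against the HR roster and a role-to-entitlement matrix. The following is an added example (not the article's or any IAM product's code) of that reconciliation over constructed data. It flags the three cases the text describes: leavers whose access was never revoked, movers carrying entitlements from a previous role, and accounts with no HR record at all, and it groups the findings per system so each system owner can attest to their own list. All names, systems and entitlements are constructed.

```python
"""Quarterly user access review over constructed HR and entitlement data.

Added example. Compares what systems actually grant against the HR roster and a
role matrix, flags leavers, movers and orphan accounts, and puts critical
systems first. Every name, system and entitlement here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed role matrix: the entitlements each role legitimately needs.
ROLE_MATRIX = {
    "payroll_clerk": {("HRIS", "payroll_read"), ("HRIS", "payroll_write")},
    "support_agent": {("CRM", "ticket_read"), ("CRM", "ticket_write")},
    "dba": {("HRIS", "db_admin"), ("CRM", "db_admin")},
}

# Constructed HR roster: user -> (current role, employment status).
HR_ROSTER = {
    "alice": ("payroll_clerk", "active"),
    "bob": ("support_agent", "active"),   # moved from payroll last quarter
    "carol": ("dba", "terminated"),        # left the organisation
}

# Constructed export of what the systems grant today: (user, system, entitlement).
CURRENT_ACCESS = [
    ("alice", "HRIS", "payroll_read"),
    ("alice", "HRIS", "payroll_write"),
    ("bob", "CRM", "ticket_read"),
    ("bob", "CRM", "ticket_write"),
    ("bob", "HRIS", "payroll_write"),     # left over from bob's previous role
    ("carol", "HRIS", "db_admin"),        # leaver whose access was never revoked
    ("svc_backup", "CRM", "db_admin"),    # account with no HR record at all
]

# Systems that must be reviewed even if everything else is deferred (constructed).
CRITICAL_SYSTEMS = {"HRIS"}


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    entitlement: str
    issue: str


def review_access(roster, access, role_matrix) -> list[Finding]:
    """Return every entitlement that the roster and role matrix do not justify."""
    findings: list[Finding] = []
    for user, system, entitlement in access:
        record = roster.get(user)
        if record is None:
            findings.append(Finding(user, system, entitlement, "orphan account: no HR record"))
            continue
        role, status = record
        if status != "active":
            findings.append(Finding(user, system, entitlement, f"leaver ({status}) still has access"))
            continue
        if (system, entitlement) not in role_matrix.get(role, set()):
            findings.append(Finding(user, system, entitlement, f"not in role matrix for {role}"))
    # Critical systems first so their owners attest before anything else.
    findings.sort(key=lambda f: (f.system not in CRITICAL_SYSTEMS, f.system, f.user))
    return findings


def by_system(findings) -> dict[str, list[Finding]]:
    """Group findings per system so each system owner gets their own revocation list."""
    grouped: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        grouped[f.system].append(f)
    return dict(grouped)


if __name__ == "__main__":
    for system, items in by_system(review_access(HR_ROSTER, CURRENT_ACCESS, ROLE_MATRIX)).items():
        print(f"== {system} (owner to attest)")
        for f in items:
            print(f"  revoke {f.entitlement} from {f.user}: {f.issue}")
```

The role matrix is the part most organisations lack; without it, a reviewer can only confirm that an account exists, not that each entitlement is still justified, which is exactly how movers accumulate access over time.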
Phishing: Email is the primary mode of business communication, and organisations receive many emails a day – the majority are spam and phishing. Many of these, usually basic or generic, are blocked by mail filtering tools. However, cybercriminals are aware of the tools most organisations deploy to block emails and how they work – and these tools are sometimes not even appropriately configured. The criminals research target organisations and customise their phishing emails, which eventually end up in end-users’ mailboxes. Once an email is in front of the user, the only defence is the user’s ability to identify it and act appropriately.
The United Kingdom’s National Cyber Security Centre (NCSC) recommends a multi-layered approach.
Organisations can apply this approach by reducing the information available to attackers across the internet, corporate websites and other platforms, implementing email authentication and blocking incoming phishing emails. As users can easily fall for phishing emails, organisations can also add external email warning messages in the subject or body, if they land in their mailboxes. This makes users read these emails carefully, looking out for any warning signs before they respond.
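Two of the layers above, email authentication and the external-email warning, meet at the mail gateway. The following added example (not the article's, NCSC's, or any gateway vendor's code) shows the decision a gateway makes per inbound message: it reads the DMARC verdict the organisation's own gateway recorded in Authentication-Results, treats a sender that claims an internal domain but fails DMARC as spoofed, and prepends a tag to the subject and a banner to the body of anything not verified as internal. The messages, the domain list and the assumption that the gateway writes a `dmarc=pass|fail` token are all constructed.

```python
"""External-email tagging driven by the gateway's DMARC verdict.

Added example. Assumes our own gateway stamps an Authentication-Results header
with a 'dmarc=pass|fail' clause (as most do) and that INTERNAL_DOMAINS lists the
organisation's domains. Messages below are constructed, not real mail.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # constructed: the organisation's own domains
EXTERNAL_TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This email came from outside the organisation.\n"
          "Check the sender and any links carefully before responding.")


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def sender_domain(msg: EmailMessage) -> str:
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def dmarc_result(msg: EmailMessage) -> str:
    """Return 'pass', 'fail' or 'none' from the gateway's Authentication-Results header."""
    for clause in str(msg.get("Authentication-Results", "")).split(";"):
        tokens = clause.split()
        token = tokens[0] if tokens else ""
        if token.startswith("dmarc="):
            return token[len("dmarc="):].lower()
    return "none"


def classify(msg: EmailMessage) -> str:
    """'internal' only when the From domain is ours AND DMARC passed. A From that
    claims our domain but fails DMARC is the classic spoof and is labelled as such."""
    if sender_domain(msg) in INTERNAL_DOMAINS:
        return "internal" if dmarc_result(msg) == "pass" else "spoofed-internal"
    return "external"


def tag_message(msg: EmailMessage) -> EmailMessage:
    """Prepend the tag to the subject and the banner to a plain-text body.
    Idempotent: a message that already carries the tag is not tagged twice."""
    if classify(msg) == "internal":
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        body = msg.get_content()
        if not body.startswith(BANNER):
            msg.set_content(f"{BANNER}\n\n{body}")
    return msg


# Constructed sample messages: a genuine external sender, a spoof of our own
# domain that fails DMARC, and a genuine internal message that passes.
RAW_EXTERNAL = """\
From: "Accounts Payable" <ap@supplier-invoices.example.net>
To: finance@example.com
Subject: Overdue invoice 4471
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=supplier-invoices.example.net; dmarc=pass header.from=supplier-invoices.example.net
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice and pay by Friday.
"""

RAW_SPOOFED = """\
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com
Content-Type: text/plain; charset="utf-8"

Please process the attached wire today.
"""

RAW_INTERNAL = """\
From: "Finance Team" <finance@example.com>
To: alice@example.com
Subject: Expense reports due
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Reminder that expense reports are due Friday.
"""

if __name__ == "__main__":
    for raw in (RAW_EXTERNAL, RAW_SPOOFED, RAW_INTERNAL):
        m = parse(raw)
        print(f"{classify(m):17} -> {tag_message(m)['Subject']}")
```

The important design point is that the warning is keyed to the authentication result, not just to the domain in From. Tagging by domain alone lets a message that forges an internal sender through untagged, which is precisely the message users most need warning about.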
Penetration testing: Organisations are continually making changes, such as implementing new technologies and changing firewall rules. Some of these changes improve operations and security, while others introduce unknown gaps and vulnerabilities; the operational and developer teams that implement new technologies may not be aware of the security implications.
Although it is best to test any new system, application or implementation before it goes into production, many ignore this. At the very minimum, organisations must conduct an annual penetration test with a scope prioritised according to high-value information.
In summary: Building anything without getting the fundamentals right is a grave mistake. For example, building a granny flat or making an addition to a house without getting the necessary approvals is a mistake – it always ends in fines and demolitions. Cyber resilience is the same.
To implement high-value cyber resilience strategies, cyber leaders must start with these fundamental controls, educate senior management about them, and provide senior management with ongoing oversight of these critical controls.