Organizations today suffer from malware myopia, a condition characterized by threat-centric security programs caused by the ease of imagining a takedown by malicious code. Malware myopia is a mental bug; a defect in reasoning that scrambles people’s judgment. If asked point-blank, few would say that malware is an existential threat.
To be sure, it is vital to acknowledge that an attacker only has to be ‘right’ once, and given eye-catching headlines surrounding new forms of malware, it’s only natural to conclude that a narrow focus on these threats is simply responsible stewardship. A recent study showed the use of fileless malware now represents 42 out of 1,000 (4.2%) endpoint attacks, raising fears and distorting our evaluation of the risk. To anchor our security programs to objective risk rather than subjective fear, we must turn our gaze inward and analyze our own cyber hygiene.
The ability to understand and prioritize cyber hygiene is the cure for overestimating malware’s impact, because it provides a statistically derived understanding that works as an antidote for malware myopia. For the purposes of this piece, I’ll define cyber hygiene as a composition of controls, protective technology and behaviors that, together, make up the character of a computing environment able to withstand cyber risks. First, let’s see what keeps us from putting our attention on cyber hygiene.
A matter of incentives
The fundamental truth behind malware myopia is that all malware requires a vulnerability or an exposure. But there’s often an execution gap when it comes to prioritizing cyber hygiene to uncover those weaknesses. A top reason for this execution gap is a lack of incentive. Unlike sexy, Hollywood depictions of the cyber realm, cyber hygiene looks nothing like a scene out of Minority Report. The work devoted to strong cyber hygiene does not have the same appeal as AI, robots, successful implementations of fileless antimalware or GPU crypto-blocking. The action movie visions of grandeur can lure us away from what really contributes to cyber resilience: incremental improvements of cyber hygiene.
Thomas Edison once quipped, “The reason most people miss opportunity is because it comes dressed in overalls and looks like hard work.” Unfortunately, the accoutrements of cyber hygiene are also stained and worn, veiling the fact that it’s the best way to protect data, devices, apps and users.
Because of its relatively low appeal, cyber hygiene often doesn’t provide the irresistible urge to pursue it, but this aversion can be overcome. By utilizing management by objectives (MBO) and tying bonuses to measured improvement in cyber hygiene, managers can encourage employees to focus on the basics.
While incorporating incentives adds a boost to renewed focus on cyber hygiene, there is an endogenous reason for the struggle. The Second Law of Thermodynamics tells us that everything in the universe goes from order to disorder: entropy. For example, if you build a sand castle on the beach and return the next day, there’s a very small chance it’ll still be standing. There’s a higher chance of a child knocking it over or the tide’s waters washing it away. There are far more ways for things to go wrong than for them to go right.
This order dissipation applies to IT resources as well. Without direct action, entropy will degrade configurations, security controls, application resilience or data protection. They will, inevitably, move toward disorder. Couple entropy with a lack of incentive and you get invisible influences that keep us from realizing strong security hygiene.
Lastly, environmental evolution can lead to a breakdown of the basics as well. New technology, processes and user demands have changed the makeup of IT resources and mandates. When confronted with mutations on the attack surface and generational turnover within the user population, it’s easy to see how IT teams are unable to spend time sustaining the gains of cyber hygiene. That’s not to say anyone is relinquishing responsibility, but rather that they can’t be in two places at once. When IT teams are dealing with a new environment or implementing digital transformation, it’s only natural for entropy to erode the hard-won gains of cyber hygiene.
These reasons for the execution gap may seem disconcerting and even fatalistic. But, don’t throw your hands up just yet. We can make extraordinary progress if we foster an environment where knowledge is unleashed to guide decisions, taking to heart the words of the physicist David Deutsche, “Anything that is not prohibited by natural law is achievable given the right knowledge.” For companies looking to close the execution gap, here are a few steps to prioritize.
1. Baseline your current cyber hygiene and break apart its defining attributes: To establish a baseline and forge strong cyber hygiene, start with asset intelligence—an intimate awareness of what makes up your IT environment. Then, form red teams to identify and assess risks, test assumptions and reveal the security blind spots for your organization. Give red teams full autonomy and listen to their findings. It’s better to have them discover your blind spots than someone with less benevolent intentions.
2. Monitor key metrics and tie incentives to them: To make cyber hygiene more attractive, tie incentives to the metrics that indicate cyber hygiene’s direction. A key metric is what I like to refer to as the endpoint hygiene index, a composite of true/false measures to see when resources drift from desired hygiene. Reward IT security teams for keeping the hygiene index above an agreed threshold. Two other key metrics to monitor include indicators of exposure (IOE), artifacts signifying the susceptibility to compromise, and the window of vulnerability (WoV), the average time it takes to mitigate IOEs. Align team incentives to performance against these variables and be honest about where you stand.
3. Automate actions that toggle the attributes to restore hygiene: After breaking apart your cyber hygiene’s defining attributes and tying incentives to key metrics, you should automate key functions. Is encryption disabled? Automate its restoration. Is there unauthorized software? Automate its removal. Using automation will enable IT security teams to catch any drifts away from the desired state and pull resources back to squeaky clean hygiene.
While these steps are a solid start to getting organizations on the right track, security teams must first acknowledge their need for a cyber hygiene scrub. Often, embarrassment and shame overshadow action, as security teams are reticent to admit that they don’t diligently practice the foundations. If they don’t see it, they have plausible deniability; it’s human nature.
However, in the world of cybersecurity, we must forgo childhood warnings and go looking for trouble. By paying attention to cyber hygiene and staying committed to maintaining it, we prevent malware myopia from taking root. When malware has no place to sprout, it becomes inert and our fears about it can be better aligned with its objective risk. This gives security teams the power minimize the likelihood of cybercriminals catching them disarmed when they arrive at the proverbial castle.