Eating your security vegetables – a call for improved cyber hygiene


Ransomware, a nefarious cybersecurity business model, thrives on holding valuable data hostage for profit. Victims are coerced into paying ransoms under the threat of data exposure or access denial. However, the efficacy of paying such ransoms is dubious, often resulting in no data restoration and leaving victims vulnerable to future threats. In 2023, ransomware accounted for approximately 10% of security incidents, according to the Australian Cyber Security Centre (ACSC), with notable global impacts across various industries including healthcare, food distribution, and gaming.
In response, some governments have proposed banning ransom payments, hoping to diminish the incentive for cybercriminals. However, merely treating the symptoms by prohibiting payments fails to address the root causes of ransomware attacks. To use a healthcare example, this is like treating heart disease only with a triple bypass, but ignoring the things that lead to the condition. Exercise, healthy eating, and minimizing alcohol consumption are all preventative measures. We should think of ransomware the same way. There needs to be a way to respond, but we should remove the need to respond by focusing on prevention.
So, what are these common causes? I’ve previously worked in security incident response. The top three causes of ransomware we saw were: credential leakage, unpatched applications or infrastructure exposed directly to the internet, and over-sharing of resources.
Cyber hygiene, or to continue our health analogy “eating your security vegetables”, involves maintaining minimum standards for security configuration and operation to reduce the chance of needing the triple bypass (or expensive, business-impacting data loss).
While prioritizing security measures may not be as glamorous as product development, it's indispensable for minimizing risks and fostering a resilient security posture. Collaboration between security and builder teams is pivotal in embedding cyber hygiene practices into organizational culture. We should start to think of cyber hygiene in the same way we do health and safety. It’s obvious that the humans in our organizations should be protected, and there is legislation or governance to make sure we operate safely. Cybersecurity is the same: we need to operate safely in the protection of our data. Prevention is better than needing a cure!
Security teams play a crucial role in facilitating secure product development. They are not there just to provide guidance, but to make sure that the mechanisms exist for the builder teams to build secure and resilient systems. Much like exercise is easier when you incorporate it into your daily routine, security is easier when it’s part of your day-to-day work. This means security teams and builder teams must work together to integrate security activities seamlessly into existing workflows. This minimizes friction and can increase business productivity because security work is not ‘extra’. For example, if builder teams don’t get overly broad permissions but just enough access to do their job, that reduces risk. If data is only accessed by those with a business need, that reduces risk.
So, we need to not only treat the symptoms of a lack of cyber health (or hygiene), but address the root causes. Some of this is technology choices around access, data protection and monitoring. But I would argue that the cultural approaches to working collaboratively between security and builder teams are more important. The technology choices will evolve, but if security works to make it easier for builders to make good (healthy) choices, and builders consider security one of the quality metrics for systems, then the whole organization will be better.