For agencies looking to implement cybersecurity solutions, Terry Kalka, Chief of Mission Support at the Department of Defense Cyber Crime Center, emphasized that basic cyber hygiene practices will block a majority of cyberattacks unless those attacks stem from a particularly advanced threat actor.
Methods such as email filtering, scanning attachments, software patching, multifactor authentication, and restricting administrative controls are “basic cybersecurity practices that don’t have to be profoundly expensive and profoundly complicated, and are likely to mitigate roughly 85 percent of the attacks you might face,” Kalka said at the August 27 Cybersmart event.
He continued, “Apart from truly advanced actors who have far more know-how than most of the rest of us, this will cover a lot of the problems that you’ll face in cyber.”
Despite the value that each tactic brings, Kalka added that there’s no single best solution for agencies deciding which cybersecurity measures to implement. For example, he explained, if an agency is restricting administrative privileges but not filtering email, the agency is not doing a whole lot to help itself.
Kalka said, however, that in his career software patching and updating is often the “least understood and least accepted” security practice, and he urged organizations to do better at that task. “If you’re working with vendors who release security patches,” Kalka said, “frankly, I would prioritize that over a lot of other things because that’s what’s going to eliminate vulnerabilities within your systems.”
Kalka acknowledged that each basic security measure comes with its own inconveniences, too. For instance, he said that with multifactor authentication there isn’t one solution for every type of technology out there. Plus, managing even basic cyber hygiene can be a burden on efficiency, he added.
These basic cyber hygiene methods are risk management efforts not guaranteed to be a holistic solution, he said, so “we are always weighing the threat of an incident against the overhead of maintaining security.”