Evidence-Based Security Practices

Expansive compliance frameworks listing hundreds of security measures can be found in may places, from the likes of NIST, ISO and CIS.  While great for defining what “good” looks like – which controls give you the most risk reduction?  Researchers from the University of Edinburgh have combed through academic papers and industry reports to find what the data says about the effectiveness of various cybersecurity controls.  

In this blog, we look at the controls that they found were associated with the biggest reduction in risk.

Attack Surface Management

The research identifies ‘attack surface management’ as a pivotal control in mitigating cyber risk. The concept refers to the number of services, applications and code exposed to the general internet and potentially susceptible to attacks. Techniques like system hardening, minimising complexity and closing unnecessary ports form the crux of this approach. Notably, while some elements of the attack surface are intrinsic to the nature of the business and cannot be completely eliminated, steps can be taken to minimize risk without hindering operational efficiency.  For example, modern zero-trust techniques like authenticating proxies can hide complex and risky internal systems from attackers by securing them behind robust gateways.

Organizations employing system hardening techniques were found to be significantly less likely to suffer a cyber insurance claim, highlighting the critical role of proactive defence measures in risk reduction. This underscores a broader theme in cybersecurity: reducing attack vectors proactively rather than reacting to threats as they occur.

Patching

Another key finding from the research revolves around the speed and consistency of applying security patches—termed ‘patch cadence.’ This element was a strong predictor of security outcomes, with organizations that quickly patched high-severity vulnerabilities showing markedly lower likelihoods of filing a cyber insurance claim.

However, the challenge remains in ensuring that software and systems are not only patched promptly but also comprehensively, covering all critical vulnerabilities before they can be exploited by attackers. The research highlights the risks associated with using ‘End of Life’ software, which is no longer supported by vendors and, therefore, not subject to security updates.

Multi-Factor Authentication (MFA)

The effectiveness of Multi-factor Authentication (MFA) varied significantly depending on the context of its application. While MFA drastically reduces the risk of individual account compromises (with reductions up to 99% in some studies), its effectiveness at an organizational level appears less pronounced. This discrepancy may stem from the complexity of implementing MFA uniformly across different systems and user groups within large organizations, as well as the sophistication of threats targeted at such entities.

Monitoring and Cloud Services

Monitoring, specifically through AI and machine-learning-driven insights, has shown substantial effectiveness in reducing incident costs, according to the study. This finding advocates for a layered security approach that includes both proactive defences, like hardening and patch management, and reactive measures like comprehensive monitoring.

Interestingly, the transition from on-premises to cloud-based services, particularly email servers, was associated with a reduction in compromise incidents. This shift suggests that cloud providers’ security measures, which often include advanced security protocols and regular updates, can offer superior protection compared to traditional on-prem setups.

Conclusions

The overarching message from the research paper is clear: the most effective cybersecurity interventions focus on meticulous system configuration and ongoing maintenance rather than reliance on specific technology. Attack surface reduction and high patch cadence are vital, underscoring the importance of proactive and responsive security practices.

Incorporating these findings into organizational policy does not imply a one-size-fits-all approach but rather emphasizes the need for tailored strategies that align with specific operational and threat landscapes. As cybersecurity evolves, so too must the tactics we employ to defend against threats. This evidence-based approach not only guides organizations in crafting effective security policies but also supports a dynamic framework that adapts to the ever-changing digital threat environment.

By leaning on verified data and thorough research, organizations can better predict and pre-empt cybersecurity challenges, ensuring resilience against a backdrop of increasing cyber threats. For cybersecurity leaders, the key lies in enhancing data availability and supporting initiatives that provide organizations with the necessary tools to implement robust security measures effectively.