This season’s featured cybersecurity nightmare may be ransomware, but breaches of all kinds are going up in both numbers and cost. In response, security vendors are offering sophisticated — and costly — solutions to defend against evermore sophisticated attackers. However, the most effective protective measures have nothing to do with specific software and everything to do with risk governance. Even in our increasingly complex cybercrime landscape, most attacks are preventable and most costs are avoidable.

The Art of Active Defense

The best way to prevent attacks and minimize losses is to use policy and governance guided by the principles of risk management to ensure available defenses are active and focused primarily on the organizational assets most at risk. However, organizations often fail to take these basic, critical steps. In fact, according to Infosec Island, security teams fail to implement 10 percent to 15 percent of scheduled patches “due to human or technology errors.”

This adds up to a lot of known but unpatched security holes attackers can exploit. The WannaCry ransomware attack, for example, could have been prevented with automated alerts of pending patches, combined with a governance process to ensure the alerts were addressed and the patches installed.

Prepare to Prevent and Recover

Active governance measures help to prevent security breaches and minimize the losses from attacks that do get through. Resilience against ransomware is an outstanding example: Offsite backups are the first line of defense against all types of data losses, from ransomware attacks to natural mishaps such as a flooded data center.

No magical cutting-edge technology is needed to provide offsite backups. The required technical solutions are widely available and well-tested. But backups do not happen by themselves. When data is rapidly recovered from offsite backups, it is because the backups were scheduled, the schedule was followed and the organization had tested its recovery process to ensure it would work when it was needed.

Similar principles apply across the spectrum of cyber operations. For example, with sound governance in place, access privileges are granted only on the basis of least privilege, in which users have only the level of access they need to do their jobs. Maintaining this policy reduces the risk of data or operations being compromised by either inevitable user error or malicious insider actions.

An Integrated Approach to Risk Governance

Unified effort is essential. The InfoSec Island article noted that a “truly integrated approach requiring strong governance and broad oversight illuminates vulnerabilities shared by departments.” Security holes can only be closed when they have been brought into view. Creating this security transparency and acting on it is what effective risk governance is all about.