Stop 90% of Ransomware Attacks with Basic Cyber Hygiene

Basic cyber hygiene isn’t sexy. It’s not a product you can buy, a conference talk that’ll blow your mind, or a three-letter acronym that sounds impressive in a board meeting. It’s patch management, password management, and MFA. Three things. Do them consistently and you stop roughly 90% of the ransomware attacks that could hit your organization.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/stop-90-ransomware-attacks-basic-cyber-hygiene.

WannaCry. Rackspace. Pick almost any major ransomware incident from the last decade and work backwards. What went wrong? Nine times out of ten it comes down to one of three things: an unpatched system, a compromised password, or the absence of MFA. The bad guys don’t need to be sophisticated when the doors are wide open. Basic cyber hygiene closes those doors.


What Basic Cyber Hygiene Actually Means

The term gets thrown around a lot, so let’s be specific. In the real world, hygiene means doing the regular boring stuff — brushing your teeth, washing your hands — so you don’t get sick. The cyber version is the same idea. You’re not trying to build a fortress. You’re trying to not be the low-hanging fruit.

The three pillars are patch management (keeping systems updated and free of known vulnerabilities), password management (making sure credentials aren’t being reused across systems), and MFA (adding a second factor so a stolen password isn’t a free pass). These are the greatest common denominators across the majority of incidents out there. Not my words alone — this is what you find when you read the post-mortems. Over and over again.


Basic Cyber Hygiene Pillar 1: Patch Management Starts with Inventory

You can’t patch what you don’t know you have. That’s where patch management actually begins — a complete inventory of your environment. Physical systems, virtual machines, cloud workloads, SaaS applications. All of it.

WannaCry is the case study. Microsoft had released a patch for the SMB vulnerability WannaCry exploited. Organizations that applied it were fine. The 200,000+ systems that got hit hadn’t applied it. Some had automatic patching turned off. Some ran patch programs two, three, four months behind. The attack didn’t require anything exotic — it just required that patch programs be lax. Which they often are.

Rackspace is the more recent example. They had a workaround in place for a known Microsoft Exchange vulnerability, which led them to deprioritize the actual patch. What they didn’t know was that a zero-day was hiding behind that first vulnerability — one the patch would have addressed. Two weeks after the exploit became known, they were hit. An entire business line gone. Lawsuits. Chaos.

The lesson isn’t that patching is easy. It isn’t — especially now, when your environment isn’t just servers in a room you can walk into and check off on a clipboard. IaaS, PaaS, SaaS — the attack surface keeps growing. But the answer to “this is hard” isn’t “let’s skip it.” Build a system, start with inventory, and get the critical patches in fast.
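What "start with inventory" looks like in practice, as an added example (not code from the post or the podcast): a small script that takes an asset inventory and a patch baseline and reports two things, every missing patch that is past its SLA and every asset whose patch state is simply unknown because it never reported. The inventory, the patch ids (placeholders, not real advisories) and the SLA policy are all constructed for the example. A workaround is tracked separately from an installed patch and still shows up as overdue, which is the Rackspace lesson above.

```python
"""Inventory-driven patch gap report: an added example, not from the post.

All inputs are constructed. Patch ids are placeholders, not real advisories.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed patch baseline: patch id -> (severity, release date).
BASELINE = {
    "PATCH-PLACEHOLDER-SMB": ("critical", date(2025, 3, 4)),
    "PATCH-PLACEHOLDER-EXCH": ("critical", date(2025, 3, 18)),
    "PATCH-PLACEHOLDER-UI": ("low", date(2025, 2, 1)),
}

# Days allowed between release and installation, by severity (assumed policy).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# An asset that has not reported its patch state this long is a blind spot.
STALE_REPORT_DAYS = 14


@dataclass
class Asset:
    hostname: str
    kind: str                                      # physical / vm / iaas / saas
    installed: set = field(default_factory=set)
    workarounds: set = field(default_factory=set)  # mitigated, but NOT patched
    last_report: Optional[date] = None             # None: never inventoried


# Constructed inventory covering the mix the post describes.
INVENTORY = [
    Asset("dc01", "physical",
          {"PATCH-PLACEHOLDER-SMB", "PATCH-PLACEHOLDER-EXCH", "PATCH-PLACEHOLDER-UI"},
          last_report=date(2025, 4, 1)),
    # Workaround in place for the Exchange-style bug, patch itself not applied.
    Asset("mail01", "vm", {"PATCH-PLACEHOLDER-SMB"},
          workarounds={"PATCH-PLACEHOLDER-EXCH"}, last_report=date(2025, 4, 1)),
    Asset("web-cloud-7", "iaas", {"PATCH-PLACEHOLDER-SMB"}, last_report=date(2025, 3, 1)),
    Asset("legacy-fs", "physical"),  # known to exist, never reported anything
]


def overdue_patches(assets, baseline, today):
    """Every missing patch past its SLA, as (hostname, patch, days_overdue, status).

    A workaround does not count as installed: status says whether the gap is
    'missing' outright or 'workaround'-mitigated, but both are overdue.
    """
    gaps = []
    for asset in assets:
        for patch, (severity, released) in baseline.items():
            if patch in asset.installed:
                continue
            deadline = released + timedelta(days=SLA_DAYS[severity])
            overdue = (today - deadline).days
            if overdue > 0:
                status = "workaround" if patch in asset.workarounds else "missing"
                gaps.append((asset.hostname, patch, overdue, status))
    return sorted(gaps)


def stale_assets(assets, today, max_age=STALE_REPORT_DAYS):
    """Hostnames whose patch state is unknown because they have not reported."""
    return sorted(
        a.hostname for a in assets
        if a.last_report is None or (today - a.last_report).days > max_age
    )


def demo_report(today=date(2025, 4, 2)):
    """Run both checks over the constructed inventory as of a fixed date."""
    return overdue_patches(INVENTORY, BASELINE, today), stale_assets(INVENTORY, today)


if __name__ == "__main__":
    gaps, stale = demo_report()
    for row in gaps:
        print("OVERDUE  %-12s %-24s %3d days  (%s)" % row)
    for host in stale:
        print("UNKNOWN  %-12s no recent inventory report" % host)
```

The two lists are the point: the first is the patch team's work queue, the second is the inventory team's, and an asset on the second list can never leave the first one until it reports.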


Basic Cyber Hygiene Pillar 2: Password Management

The core rule is simple: never use the same password in more than one place. Ever.

Bad guys aren’t sitting there guessing your password character by character. They steal credentials from one breach and spray them across everything they can reach. If your email address is your username — and it usually is — and that password from a breach five years ago still works somewhere, you’re going to have a bad day.

A password manager is the right answer. I have around 500 passwords at this point. There’s no version of the world where I’m managing that in my head. A password manager generates strong unique passwords, stores them, and flags reuse. That’s the job. If you’re not ready for one, fine — at minimum, use a unique password everywhere. No exceptions.
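Two of the checks a password manager runs for you, as an added example (not code from the post or from any particular password manager): flag any password used at more than one site, and check each password against a breached-password corpus without sending the plaintext anywhere. The vault entries and the corpus are constructed. The corpus is laid out the way range-style breached-password lookups work (Pwned Passwords is the well-known one): you look up only the first five hex characters of the SHA-1 hash and compare the remaining 35 locally.

```python
"""Password reuse and breach check over a vault export: added example, not from the post.

Vault entries and the 'breach corpus' are constructed for the example.
"""
import hashlib
from collections import defaultdict

# Constructed vault export (what a password manager holds for one user).
VAULT = [
    {"site": "mail.example",  "user": "alice@example.com", "password": "correct horse battery staple"},
    {"site": "bank.example",  "user": "alice@example.com", "password": "Tr0ub4dor&3"},
    {"site": "shop.example",  "user": "alice@example.com", "password": "correct horse battery staple"},
    {"site": "forum.example", "user": "alice",             "password": "password"},
]

# Constructed breach corpus: SHA-1 prefix -> set of 35-char suffixes seen in leaks.
# SHA-1("password") is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
BREACH_CORPUS = {
    "5BAA6": {"1E4C9B93F3F0682250B6CF8331B7EE68FD8"},
}


def fingerprint(password: str) -> str:
    """Grouping key: compare digests so the plaintext is never printed or logged."""
    return hashlib.sha256(password.encode()).hexdigest()


def find_reused(vault):
    """Lists of sites sharing one password; any list here is a finding."""
    by_fp = defaultdict(list)
    for entry in vault:
        by_fp[fingerprint(entry["password"])].append(entry["site"])
    return sorted(sorted(sites) for sites in by_fp.values() if len(sites) > 1)


def range_lookup(prefix: str, corpus=BREACH_CORPUS):
    """Stand-in for the range API call: every suffix known for a 5-char prefix."""
    return corpus.get(prefix, set())


def is_breached(password: str, corpus=BREACH_CORPUS) -> bool:
    """k-anonymity check: only the prefix leaves the machine, the match is local."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix, corpus)


def breached_sites(vault, corpus=BREACH_CORPUS):
    """Sites whose current password appears in the breach corpus."""
    return sorted(e["site"] for e in vault if is_breached(e["password"], corpus))


if __name__ == "__main__":
    for sites in find_reused(VAULT):
        print("REUSED  same password at:", ", ".join(sites))
    for site in breached_sites(VAULT):
        print("BREACHED  password for %s appears in a known leak" % site)
```

The reuse check is exactly the credential-spraying exposure described above, seen from the defender's side: one breach of shop.example hands the attacker mail.example for free, and the report tells you which pair to break first.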


Basic Cyber Hygiene Pillar 3: MFA

Even if a bad guy gets your password, MFA means they still can’t get in. Something you know plus something you have. One factor gets compromised, the other holds.

Not all MFA is equal. Email-based MFA is barely better than nothing — if your email is compromised, that second factor is too. SMS is better but not great. An authenticator app is the right call for most people, and the good ones are free.

Two things to watch: MFA fatigue is real — attackers will spam approval requests hoping you’ll tap “yes” to make it stop. And “remember this device” stores your MFA token in the browser, meaning anyone who scrapes that token has everything they need. Good MFA requires good policy.


If You’re Not Doing Basic Cyber Hygiene, Nothing Else Matters

There’s no point talking about EDR, XDR, SIEM, or any other security investment if these three things aren’t done. It’s the same logic as personal finance — you don’t open a Roth IRA before you have an emergency fund. Get the basics right first. Then we can talk about everything else.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.
