Broken Windows in Cybersecurity strategy

Today most people would acknowledge that it’s far easier to scale a firm’s virtual walls than it is to break into their physical headquarters.

Gone are the days when a burglar would sneak into an office by tricking the receptionist into rushing to the aid of a nearby cat stuck in a tree, or by creeping to the rear of the building to receive a set of keys from a disgruntled cleaner.

Actually, those days probably never existed outside of an Ealing comedy, but the truth is, most offices look difficult to break into, while far too many IT networks appear disconcertingly vulnerable.

Broken Windows Theory

Of course, if something appears vulnerable, it’s more likely to be targeted by criminals. This is Broken Windows Theory in practice, the notion that a building with several broken windows is more likely to be subject to further vandalism. Or to put it another way, a building that appears well-maintained tends to deter criminal activity; buildings that aren't tend to encourage it.

This theory rings true in today’s cyber domain where, unlike their physical premises, businesses still have an awful lot of broken windows on display. These virtual windows may not be quite as obvious to passers-by, but they give criminals a vital insight into which businesses are the best to go after.

For example, if an email recipient responds positively to a Nigerian Prince email, that’s a broken window on display. If the company’s email domain isn’t protected by the DMARC protocol, yep – that’s a broken window too.

Ultimately criminals don’t want to waste time on targets that won’t be susceptible to their scams, so they use social engineering techniques to filter out the wary from the credulous. They don’t want to waste time on targets that have clearly invested money and effort in constructing effective cyber defences, so they focus on identifying those whose security ‘posture’ appears weakest (think of a burglar walking down the street looking for a property with an open window).

How does this affect your organization?

If your business can demonstrate – through your online behavior and demeanor – that you’re robust, then you’re less likely to be targeted in the first place.

Following this logic, your priority should be to address the biggest, most visible problem first, and then keep looking for other broken windows to mend. However small they might seem, this is key to reducing your exposure to a whole array of other potential risks.

Best-practice tips to fix broken windows

So here are our four best-practice tips to help fix those obvious vulnerabilities.

• Check your supply chain. Research suggests that half of attacks involve supply chains, so map yours to determine how far it extends, and insist that everyone within it has the basics covered, e.g. Cyber Essentials or the Minimum Cyber Security Standard.
• Keep up with patching. Patches are designed to stamp out software vulnerabilities, closing down attack vectors and showing criminals that robust internal security practices are in place.
• Implement global standard protocols. You need to get up-to-speed on which security standards are relevant to your organisation and consider how to implement them. Organisations that fail to uphold these standards are more likely to be attacked, as they’re visibly an easier target.
• Follow best-practice and spread the word. Look to credible, independent sources such as the NCSC for best-practice guidance. Reference what your competitors are doing, and don’t be afraid to promote your own security work, if it will help others. It’s in everyone’s interests to collectively raise our cyber security game, particularly since many of the most promising security standards – such as our own favourite, DMARC – will only achieve their true potential once there’s widespread adoption.

Sign up today to find out more about how you can use OnDMARC to combat phishing and fully secure your companies email domains.