The 80/20 Rule in Cyber Security

The 80/20 Rule (The Pareto Principle) in cyber security focuses on the 80% of your security risks can be mitigated by using only 20% effort.

At its core, it focuses on using fundamental security hygiene using the “vital few” actions to deliver most of the controls to protect against the most common cybersecurity threats.

Attempting to resolve 100% of your security issues can be a very time consuming and expensive task. Organisations can use this rule to help prioritise the efficient use of resources to achieve maximum results.

The Core20% (High-Impact Controls)

Through the implementation of the 80/20 rule, you are utilising foundational and effective security measures first:

  • Asset & Patch Management: Ensuring all systems and software are patched to the latest version can help eliminate most of the common external attack paths.
  • Access Control & MFA: Enforcing the use of Multi-Factor Authentication (MFA) and the principle of least privilege can stop unauthorised lateral movement within your network.
  • Security Awareness Training: Educating your employees on how to identify and report on phishing and social engineering attacks can prevent a substantial percentage of breaches.
  • Disable Unnecessary Ports and Services: Decreasing the size of your "attack surface" can prevent known vulnerabilities from being externally exposed to the internet

The 80%(The Risk Target)

By shifting your focus towards the implementation of basic controls, you can help protect your organisation against the most common attack vectors. By addressing the most common vulnerabilities first, you can target large security issues in an efficient and cost-effective manner.

 

The Risk-Management Caveat

The 80/20rule is an excellent starting point to utilise your cyber security budget in anefficient way by focusing on the most common vulnerabilities first. While this approach will assist in reducing your attack surface, it should be noted that the remaining 20% of unmonitored and unmanaged assets has the potential to contain a large amount of risk and should also be addressed.

For comprehensive and industry standard guidelines, refer to the Center for Internet Security (CIS).

Recent posts

Latest from us