10 Cybersecurity Best Practices for Corporations in 2024

Cyberattacks pose one of the most significant threats to corporations today. The number of breaches rose by over 30% in 2021, with global losses surpassing $1 trillion, a 10% year-over-year increase. Major incidents continue to dominate headlines, including the 2022 attacks on Uber, Okta, and LastPass that affected millions of users.

As companies shift to remote and hybrid work, the attack surface expands. Verizon's 2022 Data Breach Investigations Report found that 82% of breaches involved a human element (social engineering, misuse of credentials, or error) and that ransomware grew 13% year over year. Attackers are launching more social engineering campaigns, cloud attacks, system intrusions, and ransomware.

The result? Staggering damages. The White House estimates $7.8 billion in losses just from cyber incidents impacting US federal agencies over the past 5 years. IBM's Cost of a Data Breach study put the average cost to surveyed companies at $4.35 million in 2022, rising to $4.45 million in 2023.

Beyond immediate recovery costs, successful breaches open companies up to long-term brand damage, customer distrust, regulatory fines, and lost revenue. To defend themselves, businesses must implement proactive cybersecurity controls across people, processes, and technology.

This article outlines 10 essential practices corporations should adopt based on my decade of experience as a cybersecurity expert:

1. Prepare board and C-level leaders

Every effective security transformation starts from the top. Without executive buy-in and oversight, most initiatives stall. Boards and leadership must:

  • Understand cyber risks: At minimum, they need literacy on costs, threats, industry risks, and regulations. Regular briefings provide insights.

  • Designate a CISO: Appoint a central leader to coordinate cybersecurity, with both business and technical expertise.

  • Hold accountabilities: Set security responsibilities for business units and departments. I require quarterly reports from key stakeholders.

  • Meet routinely: Address security incidents, posture, budgets in regular board meetings. Don't silo discussions.

  • Confirm compliance: Seek independent validation like SOC 2, ISO 27001, or industry audits.

  • Target certifications: Signal commitment by adopting a recognized framework such as the NIST CSF and achieving certifications such as HITRUST. I guided my last company through HITRUST certification.

With executive alignment, you enable strategic initiatives, sufficient resources, and organization-wide commitment.

2. Understand your cybersecurity posture

Sun Tzu said "if you know the enemy and know yourself, you need not fear the result of a hundred battles." The same applies in cybersecurity.

Objectively evaluate your current:

  • Threat landscape: Which assets do attackers value most? Customer data? Intellectual property? Money?

  • Vulnerabilities: Where are controls weakest? What gaps exist? How could hackers penetrate your network? Red team exercises uncover flaws.

  • Readiness: Could you detect and respond quickly to incidents? Are key technology and processes in place? How robust are backups and disaster recovery systems?

  • Regulations: What laws or compliance standards apply? Example: financial services firms face FFIEC, GLBA, and NCUA regulations.

This analysis informs priorities. Recently, I helped an e-commerce company understand their biggest exposure was unpatched servers. We fixed these first before addressing other gaps.

3. Develop employee skills

Your people are a crucial line of defense. But human mistakes play a part in 95% of cyber incidents. Education is key. Employees at all levels need training on:

  • Threat awareness: Recognizing phishing, vishing, business email compromise, and social engineering. I include exercises in my awareness programs like simulated phishing emails.

  • Data handling: Following security protocols around sensitive data access, storage, and transmission. Refresher courses help prevent lapses.

  • Password hygiene: Favor long passphrases (several random words) over short "complex" strings, never reuse a password across sites, and encourage password managers like 1Password.

  • Securing devices: Installing endpoint protection, encrypting hard drives, auto-locking screens. Especially important for remote workers.

  • Updating software: Patching and upgrading operating systems, apps, browsers, and plugins promptly. This closes security holes.

  • Reporting issues: Identifying and quickly reporting potential incidents, suspicious links, or phishing emails to IT/security teams.

Ongoing education is essential as techniques evolve. Evaluate retention with occasional knowledge checks.

4. Embrace zero trust

The zero trust model assumes breach and explicitly verifies every access request, regardless of where on the network it originates. Forrester, which coined the term, and other analyst firms expect enterprises to phase in zero trust architectures over the coming years. Key principles:

  • Least privilege: Only allow access to resources employees need for their role. This limits lateral movement.

  • Multi-factor authentication (MFA): Require a second factor such as a hardware security key, platform authenticator, or authenticator app so that a stolen password alone is not enough. Prefer phishing-resistant methods (FIDO2/WebAuthn) over SMS codes, which attackers can intercept or relay.

  • Zero trust network access (ZTNA): Broker access to specific applications rather than the whole network, replacing the flat-network VPN model. Closely related to the software-defined perimeter (SDP).

  • Microsegmentation: Logically divide networks into smaller segments or cells to limit blast radius.

  • Encryption: Secure sensitive data at rest and in transit, so that data that is stolen or intercepted stays unreadable without the keys.

Identity providers, MFA, device posture checks, cloud access security brokers (CASBs), and ZTNA brokers are the building blocks that enable the model. I'm now guiding zero trust adoption for a 150,000 employee healthcare company.
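The principles above come together in the policy decision point that sits in front of every application. The following is an added example, not code from the original article or from any vendor's product: a minimal policy engine that decides an access request from identity, authentication strength, and device posture, with role-to-application grants implementing least privilege. The roles, applications, and MFA tiers are hypothetical.

```python
"""Added example: a minimal zero-trust policy decision point (PDP).

The decision never looks at the source network. It checks who is asking,
how strongly they authenticated, and whether the device is healthy, and
it only allows applications explicitly granted to the caller's roles.
All roles, applications and thresholds below are hypothetical.
"""
from dataclasses import dataclass, field

# Hypothetical least-privilege grants: role -> applications that role may use.
ROLE_GRANTS = {
    "engineer": {"git", "ci", "wiki"},
    "finance": {"erp", "wiki"},
    "admin": {"git", "ci", "wiki", "erp", "iam-console"},
}

# Sensitive applications that require a phishing-resistant factor.
HIGH_ASSURANCE_APPS = {"erp", "iam-console"}

# Relative strength of authentication methods (higher is stronger).
MFA_STRENGTH = {"none": 0, "sms": 1, "totp": 2, "webauthn": 3}


@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa_method: str          # "none", "sms", "totp" or "webauthn"
    device_managed: bool     # enrolled in MDM / presents a device certificate
    device_compliant: bool   # disk encrypted, EDR running, patched
    app: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # why access was denied


def evaluate(req: AccessRequest) -> Decision:
    """Return an allow/deny decision together with every failed check."""
    reasons = []

    # 1. Least privilege: the app must be granted to at least one of the user's roles.
    granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in req.roles))
    if req.app not in granted:
        reasons.append(f"no role of {req.user} grants {req.app}")

    # 2. Strong authentication: MFA is mandatory, SMS does not count,
    #    and sensitive apps need a phishing-resistant factor.
    strength = MFA_STRENGTH.get(req.mfa_method, 0)
    if strength < MFA_STRENGTH["totp"]:
        reasons.append("MFA missing or SMS-only")
    if req.app in HIGH_ASSURANCE_APPS and strength < MFA_STRENGTH["webauthn"]:
        reasons.append(f"{req.app} requires a phishing-resistant factor")

    # 3. Device posture: identity alone is not enough; the device must be
    #    managed and currently compliant.
    if not req.device_managed:
        reasons.append("device not managed")
    elif not req.device_compliant:
        reasons.append("device out of compliance")

    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    req = AccessRequest("bob", {"finance"}, "totp", True, True, "erp")
    print(evaluate(req))  # denied: erp requires a phishing-resistant factor
```

Note that the decision reports every failed check rather than stopping at the first one; that detail makes the denial logs useful for the monitoring work in the next section.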

5. Continuously monitor for threats

What you can't see can hurt you. Mature security programs invest in visibility through:

SIEM: Security information and event management gives holistic visibility into networks, endpoints, cloud environments, etc. Look for machine learning capabilities to detect anomalies and accelerate alert triaging.

Continuous diagnostics and mitigation (CDM): Constantly audit configurations, patch levels, network activity, user behaviors, and privileged access. Automate prevention of risks.

Attack simulation: Continuously test your controls with breach and attack simulation (BAS) tooling, which safely replays known attacker techniques against your defenses to confirm they detect and block them. I run attack simulations quarterly.

Threat intelligence: Incorporate current threat data into defenses to identify and block known bad actors. Both commercial and open source options are available.

Dark web monitoring: Search underground sites for leaked passwords, emerging exploits, or your brand/assets, then take preventive actions.

File integrity monitoring: Detect unauthorized changes to configuration files, binaries, and other critical files by comparing them against a known-good baseline, typically a set of cryptographic hashes.

The more signals analyzed through analytics and automation, the faster you can respond. I've observed security teams reduce alert resolution time by over 90% after enhancing capabilities.
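To make the SIEM point concrete, here is an added example (not code from the original article or from any SIEM product) of two correlation rules run over authentication logs: a brute-force rule that counts failures per account and source, and a password-spray rule that counts distinct accounts failing from one source, which a per-account threshold alone would miss. The log line format, user names, and addresses are constructed for the example.

```python
"""Added example: two SIEM-style detections over authentication logs.

- Brute force: many failures for one account from one source in a short window.
- Password spray: one source failing against many distinct accounts in the
  window, each only a few times, so a per-account threshold never fires.
The log format, accounts and addresses are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO timestamp> auth <success|failure> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, result, user, src); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["result"], m["user"], m["src"])


def detect(lines, window=timedelta(minutes=5), brute_threshold=5, spray_threshold=5):
    """Return a list of alert dicts. Input is assumed to be in time order."""
    failures_by_src = defaultdict(list)   # src -> [(ts, user), ...] within the window
    alerts, fired = [], set()             # 'fired' suppresses duplicate alerts
    for ts, result, user, src in parse(lines):
        if result != "failure":
            continue
        events = failures_by_src[src]
        events.append((ts, user))
        # Evict failures older than the window so counts reflect recent activity only.
        while events and ts - events[0][0] > window:
            events.pop(0)
        per_user = defaultdict(int)
        for _, u in events:
            per_user[u] += 1
        # Brute force: one account hammered from one source.
        if per_user[user] >= brute_threshold and ("brute", src, user) not in fired:
            fired.add(("brute", src, user))
            alerts.append({"type": "brute_force", "src": src, "user": user,
                           "count": per_user[user]})
        # Password spray: one source touching many accounts, few attempts each.
        if len(per_user) >= spray_threshold and ("spray", src) not in fired:
            fired.add(("spray", src))
            alerts.append({"type": "password_spray", "src": src,
                           "users": sorted(per_user)})
    return alerts


# Constructed sample: one brute-force source, one spraying source, benign noise.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth failure user=alice src=203.0.113.7
2024-03-01T10:00:05Z auth failure user=alice src=203.0.113.7
2024-03-01T10:00:09Z auth failure user=alice src=203.0.113.7
2024-03-01T10:00:14Z auth failure user=alice src=203.0.113.7
2024-03-01T10:00:20Z auth failure user=alice src=203.0.113.7
2024-03-01T10:01:00Z auth failure user=bob src=198.51.100.9
2024-03-01T10:01:02Z auth failure user=carol src=198.51.100.9
2024-03-01T10:01:04Z auth failure user=dave src=198.51.100.9
2024-03-01T10:01:06Z auth failure user=erin src=198.51.100.9
2024-03-01T10:01:08Z auth failure user=frank src=198.51.100.9
2024-03-01T10:02:00Z auth failure user=grace src=192.0.2.44
2024-03-01T10:02:30Z auth success user=grace src=192.0.2.44
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The spray rule is the one most teams lack: five failures spread across five accounts never trips a "five failures per account" rule, yet it is exactly what an attacker does to stay under lockout thresholds. In a production SIEM the same logic runs as a scheduled or streaming query; the sliding window and de-duplication are what keep it from paging on every single failed login.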

6. Prioritize cloud security

With infrastructure and services rapidly moving to the cloud, your security approach must evolve. Key steps:

  • Harden configurations: Misconfigurations consistently rank as a top cause of cloud security incidents. Analyze configurations against provider best practices and industry benchmarks such as the CIS Benchmarks, and re-check continuously since configurations drift.

  • Manage identities: Provision least privilege access tied to role. Enforce separation of duties.

  • Protect data: Classify sensitive assets. Implement access restrictions, encryption, tokenization, and data loss prevention controls.

  • Monitor activity: Log and analyze admin actions, API calls, unusual traffic, etc. The provider's own audit logs and cloud access security brokers provide visibility.

  • Validate compliance: Achieve compliance certifications like SOC 2 demonstrating your cloud environment meets security standards.

  • Manage service dependencies: Understand security implications for interconnected cloud services. Change or misconfiguration to one service can create risks elsewhere.

Regularly penetration test your cloud architecture and proactively address findings.
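The configuration-hardening step above is the easiest one to automate. What follows is an added example, not code from the original article and not any provider's or CSPM vendor's tooling: benchmark-style checks over a simplified, hypothetical cloud resource inventory, run against a weak configuration and then against the corrected version of the same resources. The inventory shape, resource names, actions, and encryption labels are all assumptions made for the example.

```python
"""Added example: benchmark-style misconfiguration checks over a cloud inventory.

Each check encodes one finding that appears in virtually every cloud
benchmark: an admin port open to the internet, a publicly readable or
unencrypted bucket, and an identity policy granting everything on everything.
The inventory format is a simplified, hypothetical shape, not a real provider's API output.
"""
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}   # SSH and RDP


def check_security_groups(groups):
    """Flag ingress rules that expose admin ports, or every port, to the whole internet."""
    findings = []
    for g in groups:
        for rule in g.get("ingress", []):
            if ip_network(rule["cidr"]).prefixlen != 0:
                continue   # not 0.0.0.0/0 (or ::/0): scoped to a network, fine
            lo, hi = rule["from_port"], rule["to_port"]
            if lo == 0 and hi == 65535:
                findings.append((g["id"], "all ports open to the internet"))
            elif any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append((g["id"], f"admin port {lo}-{hi} open to the internet"))
    return findings


def check_buckets(buckets):
    """Flag object storage that is public or lacks default encryption."""
    findings = []
    for b in buckets:
        if b.get("public_access"):
            findings.append((b["name"], "bucket allows public access"))
        if not b.get("encryption"):
            findings.append((b["name"], "bucket has no default encryption"))
    return findings


def check_iam_policies(policies):
    """Flag Allow statements granting every action on every resource."""
    findings = []
    for p in policies:
        for stmt in p["statements"]:
            if stmt["effect"] != "Allow":
                continue
            actions = stmt["actions"]
            if isinstance(actions, str):
                actions = [actions]
            if "*" in actions and stmt.get("resource") == "*":
                findings.append((p["name"], "statement grants * on * (full admin)"))
    return findings


def audit(inventory):
    """Run every check and return the combined list of (resource, finding) tuples."""
    return (check_security_groups(inventory.get("security_groups", []))
            + check_buckets(inventory.get("buckets", []))
            + check_iam_policies(inventory.get("iam_policies", [])))


# Constructed inventory with the weak settings ...
WEAK = {
    "security_groups": [{"id": "sg-web", "ingress": [
        {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},   # HTTPS: acceptable
        {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},     # SSH to the world
    ]}],
    "buckets": [{"name": "customer-exports", "public_access": True, "encryption": None}],
    "iam_policies": [{"name": "ci-deploy", "statements": [
        {"effect": "Allow", "actions": "*", "resource": "*"},
    ]}],
}

# ... and the corrected version of the same resources.
HARDENED = {
    "security_groups": [{"id": "sg-web", "ingress": [
        {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
        {"cidr": "10.20.0.0/24", "from_port": 22, "to_port": 22},  # SSH from a bastion subnet only
    ]}],
    "buckets": [{"name": "customer-exports", "public_access": False, "encryption": "kms-managed-key"}],
    "iam_policies": [{"name": "ci-deploy", "statements": [
        {"effect": "Allow", "actions": ["storage:PutObject"], "resource": "artifacts/*"},
    ]}],
}

if __name__ == "__main__":
    for resource, finding in audit(WEAK):
        print(f"{resource}: {finding}")
    print("hardened findings:", audit(HARDENED))   # []
```

Run the same checks in CI against infrastructure-as-code before deployment and on a schedule against the live account afterwards; the second run is what catches drift introduced by console changes.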

7. Stress test your defenses

To gauge readiness, ethically stress test your security program through:

  • Penetration testing: Certified professionals hack your systems and networks to uncover vulnerabilities. Always remediate priority findings.

  • Breach and attack simulation (BAS): Automated, safe replays of attacker techniques (credential dumping, lateral movement, data exfiltration, etc.) verify that your preventive and detective controls actually fire. Pair them with phishing simulations to measure workforce readiness.

  • Adversarial machine learning: Test whether AI/ML-based security models (and any ML your products expose) withstand adversarial inputs such as evasion and data poisoning attacks.

  • Scenario analysis: Model scenarios like DDoS, ransomware, or supply chain attacks to assess response capabilities. Rehearse Incident Response (IR) plans.

Include both internal team tests and third-party assessments for an unbiased perspective. I helped develop and implement a continuous testing program for a Fortune 500 retailer that dramatically improved their resilience.

8. Develop a proactive cyber strategy

With rising complexity, organizations need a strategic roadmap encompassing:

  • Risk-driven priorities: Focus on resolving gaps introducing the most material risks first. Continue aligning security to business needs.

  • Measurable targets: Establish clear metrics and KPIs for security posture, compliance, training efficacy, etc. Track progress.

  • Automation: Apply technologies like SOAR (security orchestration, automation, and response) to optimize efficiencies in prevention, detection, and incident response.

  • Supporting capabilities: Ensure foundational capabilities like asset management, identity governance, and security training meet current needs.

  • Talent development: Grow and retain cybersecurity experts. Consider partnerships or co-sourcing to access specialized skills.

Update strategies regularly as risks evolve. Fortune 500 insurance and healthcare companies have retained my firm to guide strategic plans.

9. Prepare for incidents

Despite best efforts, some attacks will succeed. Resilience depends on preparation:

  • IR plan: Document response processes, roles, communications protocols, stakeholders, and reporting procedures. Practice with simulated incidents.

  • Playbooks: Develop procedures for addressing common threats like ransomware, DDoS attacks, and data exposures tailored to your organization.

  • Backup/recovery: Keep isolated, immutable or offline copies of critical data, applications, and configurations so ransomware cannot reach them, and test restores regularly to confirm you can meet your recovery time objectives (RTOs) and recovery point objectives (RPOs).

  • Crisis communications: Plan internal and external communications to manage fallout. Share lessons learned to improve.

  • Third-party support: Establish relationships with forensic investigators, PR specialists, breach coaches, and other specialty providers before an incident.

  • Cyber insurance: Weigh policies to offset costs of downtime, legal expenses, ransoms, liability payments, and PR.

Revisit response plans annually. They'll evolve as you do tabletop exercises and experience real incidents.

10. Embed security across the organization

The most effective cybersecurity programs involve everyone. Strategies I've used to mobilize organizations include:

  • Security ambassadors: Recruit influential employees across units to be advocates, feedback channels, and local champions.

  • Training incentives: Offer rewards to employees who complete awareness training. My team held a hackathon to make it fun.

  • Enable secure behaviors: Don't just set policies. Ensure tools and processes make compliance easy for workers. Remove roadblocks.

  • Collaboration platforms: Share threat intelligence, best practices, and procedures through groups on Slack, Teams, or your intranet. Promote discussions.

  • Phishing simulations: Let employees know you'll be testing defenses with mock phishing campaigns. Turn it into a team contest.

  • CISO workshops: Facilitate working sessions for business leaders and the CISO's team to develop solutions collaboratively.

By engaging stakeholders across the company, you amplify resources dedicated to cyber protection. At one company, I reduced click rates on simulated phishing emails by over 85% using these tactics.

The cyber threat landscape will continue evolving in 2024 and beyond. But by taking proactive measures and instilling security in your company's DNA, your organization will be well positioned to defend against emerging risks. Please reach out if you need help improving defenses; I would be happy to offer strategic guidance based on lessons learned in my cybersecurity career.