Every day as a Cybersecurity Advisor, I hear a familiar refrain: “The sheer number of technologies, buzzwords, and acronyms in this industry is overwhelming!” And you know what? I get it. Trying to keep up can feel like running on a never-ending treadmill. But here’s the good news: most breaches—more than 80%—don’t happen because you’re missing the latest and greatest tools or acronyms. They occur because of simple lapses in basic security practices.
Don’t believe me? Put it to the test. Fire up your favorite GenAI Search LLM and ask something like, “What are the most exploited CVEs today (with CVE numbers)?” You’ll get a list of vulnerabilities—CVE-XXXX-YYYY—where XXXX is the year these vulnerabilities were first discovered and made public. Many of them have been hanging around for years, just waiting to be patched or secured. With this in mind, let’s talk about some of the basic steps you can take to dramatically lower your odds of becoming part of that 80% statistic.
- You Shall Not Pass(word)
One of the most basic yet critical aspects of cybersecurity is having strong, unique passwords for each account. According to various studies, including the Verizon Data Breach Investigations Report, weak or stolen passwords are responsible for around 81% of data breaches. Some password creation and management best practices include:
- Use long, complex passwords (e.g., a mix of uppercase and lowercase letters, numbers, and special characters);
- Avoid reusing passwords for multiple accounts;
- Implement a password manager to help you keep track of different passwords securely;
- Enable multi-factor authentication (MFA) wherever possible for an added layer of protection (let’s talk more about this one later).
- Software Updates are Ready to Install
Remember that CVE search we talked about earlier? Many breaches happen because attackers exploit known vulnerabilities in outdated software. Whether it’s your operating system, web browser, or apps, security patches are released regularly to fix vulnerabilities that cybercriminals could use to infiltrate your system. So don’t ignore that system update popup, take these simple steps instead:
- Set your devices to update automatically whenever possible;
- Manually check for software updates regularly, especially if you’re not using automatic updates;
- Prioritize patching critical security vulnerabilities in software and systems.
- Gone Phishing
One hobby that cybercriminals particularly enjoy is Phishing. This type of attack is one of the most common ways breaches happen, even to the most tech-savvy individuals. Phishing attacks are usually sent by email or messages and attempt to look legitimate so employees will give up, or allow access to, sensitive information. Some best practices for spotting phishing attacks include:
- Educate yourself and your team members on the common signs of phishing attacks, such as suspicious links, strange attachments, or messages from unknown senders;
- Be skeptical of unsolicited emails asking for personal or financial information;
- When in doubt, always verify the legitimacy of a request by contacting the organization directly.
- Multi-Factor Authentication (MFA): Your Secret Weapon
Using Multi-Factor Authentication (MFA) is one of the simplest yet most powerful ways to secure your accounts. MFA requires more than just a password to access your accounts; it also requires something you have, such as a code sent to your phone or biometrics such as fingerprints. Think of MFA as the bouncer for your online accounts. Even if someone steals your password, they’ll still need a second form of verification to get in.
A few tips for setting up MFA:
- Enable MFA on all accounts that offer it, particularly for sensitive information like banking or email accounts;
- Consider using an authentication app or hardware key for added security rather than relying on SMS-based codes, which can be more easily intercepted.
- Authorized Users Only
Just like in everyday life, not everybody needs to see or know everything. Over-permissioned accounts are common security weaknesses, opening doors for potential breaches by giving employees or users access to data or systems that they don’t need for their role. Remember to adhere to the Principle of Least Privilege (POLP), a security practice which ensures users have only the minimal access necessary to perform their jobs. A couple of other items to keep in mind are:
- Regularly review user access permissions and revoke access when it’s no longer needed.
- Use role-based access control (RBAC) to restrict data access based on job responsibilities.
- Implement strong access management policies and tools.
In the world of cybersecurity, the smallest steps can have the biggest impact. From updating passwords to enabling multi-factor authentication, the power of basic cybersecurity hygiene cannot be overstated. These small actions might seem insignificant on their own, but when combined, they form a robust defense against the growing threat of cyberattacks. By making cybersecurity hygiene a priority, you’re protecting your organization from costly, avoidable breaches. Remember, good cybersecurity hygiene is a continuous process, much like personal hygiene. Start with the basics today, and you’ll be well on your way to building a safer, more secure digital future.
