
By: Kharmela Mindanao on November 12th, 2024


Best Cybersecurity Practices for 2025: Expert Tips


Editor's note: This post was originally published on August 19, 2020, and has been revised for clarity and comprehensiveness.

Everyone’s heard “Be prepared!” from their IT team one way or another.

But what exactly does being prepared look like in 2025?

Here’s a closer look at what the top cybersecurity training companies are saying, with a quick list of all the best practices you can implement for your business.

As a managed security service provider (MSSP), we also invited our cybersecurity experts: Ed Griffin (ITS Partner), Sean Harris (ITS’ SVP of Cybersecurity), and Rob Schenk (ITS’ Chief Security Officer), to weigh in with their advice on implementing cybersecurity.

1. Work with a Zero Trust mindset. 

A Zero Trust mindset means vetting every action you take on your network. There are no “100% safe” interactions out there. In fact, your IT is one of the few places where trust issues are completely helpful. 

“One example of following a Zero Trust mindset,” Harris said, “involves using Zero Trust Network Access protocols. Another would be using Application Allow/Deny lists and Just in Time Privileged Access Management.”

Application Allow/Deny lists are administrator-maintained lists of approved and blocked applications, while Just in Time Privileged Access Management limits a user’s elevated access to only the window in which they actually need it.

Always work under the assumption that people are out to get you - even if you’re a small business. Small businesses are much more likely to be hacked because they think they’re too small to be targeted.   

2. Watch out for phishing scams. 


You’ve probably already heard of phishing, but what you might not know is how rapidly it is evolving to exploit new weaknesses. Cybercriminals now launch smishing attacks through SMS and quishing scams through QR codes, aiming to catch you and your team members off guard where you least expect it.

The US Internet Crime Complaint Center (IC3) has five times more phishing reports than personal data breach reports, highlighting the pressing need for robust defenses.

Most companies prepare for ransomware, identity theft, and malware, but it’s time to invest in more security measures against phishing, smishing, and quishing scams. These scams succeed through human error, which makes your employees the most vulnerable part of your security.

RELATED: 4 Ways Employees Are Cybersecurity Risks (& What to Do About It)

3. Invest in privacy, identity, and device protection.

Cybercriminals are getting smarter, and protecting your personal information is crucial. Here are the top privacy practices to keep your identity safe and your data secure in a world where online threats are constantly evolving:

  • Privacy protection - keeping personal information out of the hands of others, whether they’re well-meaning advertisers or possible hackers
  • Identity protection - preventing identity theft
  • Device protection - hardening devices with firewalls, anti-virus programs, and endpoint protection

Your privacy, identity, and devices are goldmines of information - which translates into dollar signs for hackers. Investing in their protection is a smart choice, especially considering the consequences of a data breach.  

4. Follow a cybersecurity framework. 


Organizations whose sole task is to analyze the cybersecurity landscape or protect national interests from cyber criminals create cybersecurity frameworks. These frameworks are great starting points for your cybersecurity programs. 

Some examples of cybersecurity frameworks and guidelines are:

“Many businesses also underestimate the scope of IT,” Edward Griffin said. “It’s not just about installing and patching Windows. It’s strategic, too, right? People can’t just be running around fixing software issues or network issues. They also need to be talking to business leaders.”   

By following a cybersecurity framework, you’re automatically following a strategic path laid out for you. 

If you are also in a high-risk industry such as healthcare, finance, or national defense, you must follow industry-specific cybersecurity standards. If you don’t, you’ll find yourself facing heavy fines in the future.

5. Conduct frequent and updated Employee Security Training. 

Another common piece of advice among cybersecurity companies is to improve your team’s security savviness. Empowering employees to protect their - and your - data makes you immediately less likely to experience a data breach. 

Your staff is your most significant security risk, but if they have clear instructions about data handling and the consequences of data mismanagement, you can rest easy.  

6. Keep your IT equipment up to date. 

The older a piece of equipment is, the more likely it is that someone has already figured out how to break into it, which is why vendors constantly release security patches. Without the latest updates, you’re at a higher risk of a security breach.

Read: “Why Should You Upgrade Your Network This 2022? (5 Crucial Advantages)” 

7. Use multi-factor authentication (MFA). 


If you aren’t using multi-factor authentication (MFA), you’re missing out on one of the best endpoint security tools. It is often free, easy, and secure to use and should be added to all your most important accounts.

Many banks, shopping apps, and email services offer MFA, which makes your accounts significantly less appealing to hackers. However, not all MFA methods are equally secure. The Cybersecurity and Infrastructure Security Agency (CISA) recommends phishing-resistant MFA strategies.

For the strongest protection against phishing, CISA recommends FIDO/WebAuthn authentication. This type of MFA, supported by most browsers and devices, relies on physical tokens (like USB keys) or built-in security features in laptops and smartphones to verify your identity. Larger organizations can also consider PKI-based MFA, which often uses smart cards to provide secure access. Although PKI-based MFA is highly secure, it’s typically used in complex settings like government agencies.

8. Monitor the dark web for compromised credentials or information. 

If you’ve been hacked, criminals will likely broker your information on the dark web (a completely anonymous part of the internet that you can only access via special software). You’ll need an IT expert to dive deep into the leaked data.

If you don’t have an IT expert, websites like haveibeenpwned (Have I Been Pwned?) are reliable sources to check whether your email credentials have been compromised.
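As an added example (not code from the original post or from Have I Been Pwned), this is how a checker can consult the Pwned Passwords range API without ever sending the password: it hashes locally and transmits only the first five hex characters of the SHA-1, then matches the remainder against the returned bucket. The bucket body below is constructed sample data; only the first suffix is the real remainder of SHA-1("password"), and every count is made up.

```python
import hashlib
import urllib.request
from typing import Dict, Optional, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint

# Constructed sample reply for bucket 5BAA6 in the API's "SUFFIX:COUNT" format.
# Only the first suffix is real (the remainder of SHA-1("password")); all
# counts and the other two suffixes are made up. The 0-count row imitates the
# padding rows HIBP adds when "Add-Padding: true" is sent; they are not matches.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "0CDFDE5E4CFA76D7CAE1FA7CEA7CD7A7F7B:0\r\n"
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash locally; only the 5-character prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Map suffix -> breach count, dropping blank lines and padding rows."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_body(prefix: str) -> str:
    """Live lookup of one bucket (needs network; the offline demo avoids it)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_body: Optional[str] = None) -> int:
    """Times the password appears in Pwned Passwords; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = range_body if range_body is not None else fetch_range_body(prefix)
    return parse_range_body(body).get(suffix, 0)


if __name__ == "__main__":
    print(pwned_count("password", SAMPLE_RANGE_BODY))  # 9545824
```

Calling pwned_count with no body performs the live lookup, which still discloses only the five-character prefix to the service.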

9. Invest in cyber insurance.


Cyber insurance is the safety net for your business, providing access to resources that will help you manage the consequences of a security breach. While you and your tech team are probably already doing everything within your power to keep your business safe, it’s never a bad idea to get cyber insurance.

10. Use reliable password managers. 

Part of protecting your online presence is using strong passwords. Unfortunately, many people sacrifice password strength to keep their passwords easy to remember. A reliable password manager solves this problem, letting users adopt long, complex passwords without having to memorize their log-in information.

RELATED: NIST Password Guidelines: 9 Rules to Follow 

11. Implement real-time monitoring. 

For Rob Schenk, real-time monitoring is another cybersecurity must-have for businesses.

Real-time monitoring detects cybersecurity threats as they happen. It allows you to respond immediately to potential breaches or malicious activities.

After all, hackers don’t sleep. Cyberattacks can happen at any time, and without continuous monitoring, it takes days or even weeks to detect a breach. On average, it takes 291 days for unsuspecting companies to identify and contain a breach.

Real-time monitoring will push that number down for you. You’ll empower your security team to take immediate action to contain and mitigate threats before they become full-blown problems.  

12. Have an incident response plan. 

Lastly, you’ll need to prepare an incident response playbook. This playbook serves two main purposes:  

  • To provide a structured, pre-planned approach for dealing with cybersecurity incidents, and
  • To delegate tasks clearly and streamline decision-making.

Having this plan will reduce your overall downtime and empower you to recover quickly from an attack. Plus, it'll help prove to regulatory organizations and stakeholders that you take cybersecurity seriously.  

Need help implementing top cybersecurity practices? 

Following the advice of top cybersecurity companies will help you keep your data safe. But if it were that easy, everyone would already be implementing it.

You and your IT team probably have unique obstacles to overcome when establishing these cybersecurity practices. As a cybersecurity and managed IT provider, we know how hard it is to pinpoint and deal with these security gaps.

Take the first step to solving your cybersecurity problems by getting a free cybersecurity assessment today. And if you want more resources about cybersecurity, check out the following resources: