Cybersecurity Changes Companies Should Be Considering for 2025


As companies develop their goals for 2025, they should definitely include “improve our cybersecurity framework” at the top of the list. Considering the rate at which attacks are increasing, this should be a priority. Recent reports reveal that ransomware attacks in North America grew by 15 percent in 2024, with 60 percent of businesses saying they were targeted by such attacks.

The good news for businesses is that a few simple steps can significantly improve their security stance. The following are the primary steps businesses should consider taking.

Enforce multi-factor authentication

As it became clear that traditional passwords were no longer enough to keep networks safe, multi-factor authentication (MFA) was promoted as the next level of security. MFA is “password plus,” adding additional steps to the verification process.

While most companies acknowledge MFA as an essential part of an effective security framework, requiring consistent use is less common. Reports suggest companies are hesitant to mandate MFA because of productivity concerns, with one from CoreView finding that even “78 percent of Microsoft 365 admins don’t use MFA” and are “unmindful of security and data governance protocols and lack basic security protections.”

Completing the MFA process takes extra time and typically requires having a second device, such as a mobile phone, on hand. Yet even when employees understand its importance, organizations must actively encourage and guide them to enable it.

Another issue frustrating MFA implementation is the ever-increasing use of third-party platform providers. As companies rely more on these providers, they are limited to the security measures those providers offer.

Companies that have communicated the value of MFA without requiring it should consider making it mandatory in 2025. This could involve training employees on the topic, encouraging them to implement it, and guiding them through the steps that enable it. It’s also essential to require third-party vendors to implement MFA within their systems, ensuring consistent security standards across all aspects.

Provide human-centric cyber hygiene training

Keeping cybersecurity systems healthy requires regular, comprehensive cyber hygiene. Starting 2025 with refresher training on cyber hygiene will help employees remember the role they play, the practices that are important, and the consequences of letting cybersecurity slip.

The following are some key elements to include in cyber hygiene training:

  • Update passwords regularly and ensure a strong combination of numbers, letters, and symbols that are unique for each platform.
  • Stay up-to-date on the latest attack schemes.
  • Use secure connections, especially for remote workers and those who access work networks from public locations.
  • Conduct regular backups to minimize the impact of malware attacks and other breaches that threaten to steal companies’ critical data.
  • Alert security departments immediately if you suspect an attack is occurring.

To optimize the impact of training, companies should ensure programs are human-centric. Taking a “one-size-fits-all” approach won’t give employees the motivation or the information they need to effectively play their part in security efforts. Instead, companies should consider the unique needs and activities of all of their employees when developing training.

Human-centric systems consider skill level as well as function when presenting training. They also strive to make training more user-friendly. Simulations, gamification, and role-playing exercises can make training more engaging and help companies identify knowledge gaps they need to address.

Ensure the security of software and systems

In many ways, cybersecurity is a contest between black-hat hackers and software developers to see who can identify system vulnerabilities first. When developers win, they issue security patches to address the vulnerabilities. When criminals win, they exploit the vulnerabilities to gain unauthorized access.

That said, businesses can only benefit from developers’ work to address vulnerabilities if they focus on updating software and systems as often as possible. By deploying new security patches as soon as they become available, businesses ensure they have the most substantial security framework available.

A “security-by-design” approach to software development significantly improves this area of cybersecurity. This approach addresses security concerns during each phase of software development and support rather than treating it as an afterthought or add-on. Companies seeking to leverage “security-by-design” software should look for platforms with secure coding practices, threat modeling, and continuous security testing.

“Security-by-design” can also guide a company’s overall cybersecurity strategy. Treating cybersecurity as a key part of every company process, from onboarding to vendor selection to change management and more, maximizes its effectiveness. The most secure companies will have a “security-by-design” culture that all employees understand, value, and support.

Adopt a proactive approach to cybersecurity

Cybersecurity statistics clearly show today’s cyber attackers are tireless and relentless. Some studies suggest, for example, that 3.4 billion phishing emails are sent daily. To stay safe, companies must take a proactive approach that anticipates and addresses the ongoing barrage of attacks.

A recent study found that human risks are involved in 74 percent of data breaches. Identifying and mitigating human risks is central to shifting to a proactive stance, as it involves exploring how employees interact with systems and the vulnerabilities they may be inadvertently creating. Mitigating risks requires building a strong security culture that promotes security awareness and fosters open communication about security concerns.

Cyber attacks are an operational risk that today’s companies must prepare for, regardless of their size or industry. By taking a proactive approach that puts security at the center of operations and effectively equips all employees to play a role, companies can increase their chances of repelling attacks and avoiding costly consequences.

About the Author

Marcelo Barros is Director of Global Operations of Hacker Rangers, and an IT veteran who has played an instrumental role in delivering cutting-edge cybersecurity solutions and services to clients around the world. His passion for cybersecurity led him to join the team at Hacker Rangers, a leading gamification company that makes cyber awareness fun and engaging for organizations worldwide.

Marcelo can be reached online at https://www.linkedin.com/in/marcelonunesbarros/ and at our company website https://hackerrangers.com/
