TELECOM & TECH
Cybersecurity Demands Unwavering Attention and Proactive Effort
Basic guidelines for passwords, multilayered defense, and awareness training
By Joshua Rabe
The cybersecurity landscape, much like our collective digital ecosystem, changes daily. Staying on top of threats and best practices is daunting, but whether your organization maintains adequate cybersecurity has regulatory, financial, and reputational implications.

There are many reasons you should consider updating your cybersecurity approach, financial risk being key among them. We are seeing more requests from clients to update their cybersecurity framework to meet new insurance and compliance audit requirements. At the same time, an investment in cybersecurity preserves reputation. Each case involves meeting strict guidelines meant to protect your data and to demonstrate that you are acting responsibly on behalf of your clients and their sensitive information. While this may seem like an exorbitant amount of effort up front, robust information security means fewer headaches and lower costs when an incident or attack occurs. In the worst case, an unprepared company might be locked out of its data for weeks or months, or may never recover from a cyber-attack.

The needs of individual organizations are vastly different. However, there are some basic guidelines to consider that can easily improve your approach to cybersecurity, regardless of your size, scale, or need for special compliance considerations.

Password Policies Need Updating

The days of a single password for all applications and logins are long over, yet some organizations still have no policy enforcing this simple but effective step. Passwords should never be reused across accounts or services, and they should meet minimum length and complexity requirements that make brute-force and credential-stuffing attacks impractical. Verify these requirements regularly through a password audit or an automated password vulnerability scan. Updating your password policy safeguards your first line of defense and is called for by many compliance frameworks. Making password managers and multi-factor authentication (MFA) part of the policy simplifies the process for users and improves uptake of the requirements.
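As an added example (not code from the article or from Stratus Services), the following Python audit script shows what "verify these requirements" can look like in practice: each password is checked against a minimum length, screened against a blocklist of common passwords (including the "word plus year plus symbol" pattern users favor), and checked for reuse across accounts. The blocklist, the 12-character minimum, and the sample credentials are constructed for illustration. The reuse check compares keyed hashes rather than plaintext, so the audit report never contains a password or an unkeyed hash that could be cracked offline.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed stand-in for a real blocklist (e.g. a breached-password corpus).
# In production this set would hold millions of entries loaded from disk.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome1", "summer2024", "companyname",
}

MIN_LENGTH = 12          # assumed threshold; pick one your framework accepts
TRAILING_PUNCT = "!@#$%^&*?."
DIGITS = "0123456789"


def evaluate_password(password: str, account: str = "",
                      blocklist: set = COMMON_PASSWORDS,
                      min_length: int = MIN_LENGTH) -> list:
    """Return every policy violation for one candidate (empty list = compliant)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Users bolt digits and punctuation onto dictionary words; strip those
    # suffixes so "Summer2024!" is still caught by a blocklist entry "summer2024".
    lowered = password.lower()
    variants = {
        lowered,
        lowered.rstrip(TRAILING_PUNCT),
        lowered.rstrip(TRAILING_PUNCT).rstrip(DIGITS),
    }
    if variants & blocklist:
        problems.append("matches a common or breached password")

    # A password that embeds the login name falls to a trivial targeted guess.
    local_part = account.split("@")[0].lower()
    if len(local_part) >= 3 and local_part in lowered:
        problems.append("contains the account name")

    return problems


def find_reused_passwords(credentials: dict, audit_key: bytes) -> list:
    """Group accounts that share a password.

    Each password is tagged with HMAC-SHA256 under a key that exists only for
    this audit run, so the report holds neither plaintext nor an unkeyed hash.
    """
    by_tag = defaultdict(list)
    for account, password in credentials.items():
        tag = hmac.new(audit_key, password.encode(), hashlib.sha256).hexdigest()
        by_tag[tag].append(account)
    return sorted(sorted(accts) for accts in by_tag.values() if len(accts) > 1)


def audit(credentials: dict, audit_key: bytes) -> dict:
    """Run both checks and return a report keyed by finding type."""
    weak = {acct: evaluate_password(pw, account=acct)
            for acct, pw in credentials.items()}
    return {
        "weak": {acct: probs for acct, probs in weak.items() if probs},
        "reused": find_reused_passwords(credentials, audit_key),
    }


if __name__ == "__main__":
    # Constructed sample export; a real audit would read a password-manager
    # export or the cracked-hash list produced by your vulnerability scanner.
    sample = {
        "alice@vpn": "Correct-Horse-Battery-9",
        "alice@mail": "Correct-Horse-Battery-9",   # reused across services
        "bob@vpn": "Summer2024!",                   # blocklisted pattern, too short
        "carol@mail": "carol-mail-2024-login",      # embeds the account name
        "dave@vpn": "ks7$Qe!2pLm9#vR4",
    }
    report = audit(sample, secrets.token_bytes(32))
    for acct, probs in report["weak"].items():
        print(f"{acct}: {'; '.join(probs)}")
    for group in report["reused"]:
        print("same password:", ", ".join(group))
```

Run it against a fresh random audit key each time so tags from one report cannot be correlated with the next; the per-run key is what makes it safe to file the report with the compliance evidence.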

Key points for DoD and CMMC/NIST 800-171 compliant passwords
A software wizard walks contractors for the US Department of Defense through creating a password that conforms to the department's Cybersecurity Maturity Model Certification requirements, which are based on National Institute of Standards and Technology guidance.

Stratus Services

Adding multi-factor authentication is one of the easiest ways to significantly improve your security posture. MFA draws on three categories of authentication factor:

  1. Something you know: Password or PIN
  2. Something you have: Physical key or authenticator device
  3. Something you are: Fingerprint or face scan

Requiring two or more of these factors, drawn from different categories (two passwords do not count), significantly improves protection of your company's data and your customers' data and generally secures your business-related accounts. You may be familiar with authenticator apps used to confirm your identity before logging in to certain portals. Codes sent by text message are the weakest option because they can be intercepted or redirected, for example through SIM-swap attacks, so switch to an authenticator app or a hardware key if you can.
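The "something you have" behind most authenticator apps is a shared secret used to compute a time-based one-time password (TOTP, RFC 6238). The block below is an added example, not the article's or Stratus Services' code: it implements HOTP/TOTP code generation and a server-side verifier that tolerates one 30-second step of clock drift while refusing to accept a code whose time step has already been consumed, so a code captured and submitted a second time is rejected. The base32 demo secret is a constructed value; the embedded checks use the published RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC the 8-byte big-endian counter, dynamically
    truncate to 31 bits, and keep the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(key, for_time // step, digits, digestmod)


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (the string in
    an otpauth:// QR code); decode it to the raw HMAC key."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check: accept the code for the current step or one step
    either side (clock drift), and never accept the same step twice."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6,
                 window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1          # highest counter already consumed

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue                # replay of a code already used
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Demo secret (constructed); a real enrollment generates a random one.
    key = key_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(key, now)
    verifier = TotpVerifier(key)
    print("current code:", code)
    print("first use accepted:", verifier.verify(code, now))    # True
    print("replay accepted:", verifier.verify(code, now))       # False
```

Two caveats worth keeping in mind when deploying this: the server and the phone must share a reasonably accurate clock (hence the one-step window), and TOTP does not stop an attacker who relays a freshly phished code within the same 30 seconds. Phishing-resistant options such as FIDO2 hardware keys bind the response to the site's origin and close that gap.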

Thankfully, many organizations are already paying for tools that include MFA, and if not, there are affordable options to add it to your existing infrastructure. For example, Microsoft customers likely have access to MFA options that integrate with existing Windows infrastructure and with single sign-on configurations that can be extended to existing applications. These built-in features can also be augmented to meet stringent compliance requirements such as Cybersecurity Maturity Model Certification (CMMC) 2.0. Organizations that use business suites like Google Workspace have similar tools built in and ready to implement. For small teams, this may be as simple as turning the MFA option "on." For larger organizations, some special configuration may be necessary.

Creating a password policy and enforcing it are two separate problems. Create a policy that is easy to follow, then use your information technology (IT) department and its tools to ensure adherence. Layering MFA or single sign-on (SSO) on top of the password policy complements it, eases uptake for your users, and reduces password fatigue.

Invest in a Layered Approach

Adequate password protection is only one component of what is known as a layered approach to information security. This tactic of layering security mechanisms is called Defense-in-Depth (DiD). When correctly implemented, DiD places independent controls at several points, so that the failure of any one control does not expose the network, and continuously monitors to confirm that the users and activity on the network are legitimate and belong there.

Take, for example, the analogy of an apartment building. The exterior of the building may have an RFID badge-swipe system. A doorperson at the front desk checks the IDs of unknown visitors. Inside, each room has its own key and lock, including shared spaces like the fitness area and mailroom. The maintenance and utility rooms are not accessible to tenants, and tenants are instructed at move-in to report any activity they believe to be suspicious.

Defense-in-Depth functions similarly. Physical barriers keep bad actors out of the private rooms of your organization. Policies like password guidelines and data classification are created in consultation with your IT team or service provider to meet the needs of your organization and its governing compliance frameworks. Background processes like firewalls, spam filtering, antivirus, and vulnerability scanning protect your team with little manual input. The final layers involve the users directly, through items like MFA and cybersecurity awareness training. Individually, none of these is sufficient to protect your network. Layered together, they provide a highly secure environment.

Defense-in-Depth Layers
Background processes and physical barriers are part of layered protection, along with organizational policies and individual awareness.

Stratus Services

Sometimes a service provider will bundle a collection of these services together. Be cautious of vendors, managed service providers (MSPs), or managed security service providers (MSSPs) that sell a package as a complete security solution. Although it might feel cost-effective, a bundle may not be optimal for your organization. In most cases it is better to understand the specifics of your environment and build a solution designed to meet your business needs, rather than trying to fit an organization's unique requirements into a predefined box of cybersecurity tools. When a solution is built around your specific needs and workflows, its total cost of ownership can be lower than that of a bundled solution.

Documentation is key. Implementing a cybersecurity toolset is not a "set-it-and-forget-it" exercise. Whether you use in-house IT or an MSSP, look for a plan that gives you an audit or an ongoing report showing how your security controls are working and that they are tested and adjusted on a continuous basis. Understanding these reports shows how your IT and security products are evolving to keep up with threat actors and malware. The reports, along with knowledgeable consultation, provide actionable feedback to ensure your network meets the requirements of the compliance frameworks that apply to you.

Training Is Essential

"Who is responsible for our security?" is a commonly asked question. Your layered security is only as good as its weakest link, so responsibility is shared by every user who touches your network. Each user has a different role, but the entire staff helps secure the network: the IT team maintains the infrastructure and monitoring, decision makers (with input from IT) oversee policy and allocate funds, and general users flag suspicious activity and follow best practices.

A powerful tool for developing this mindset is cybersecurity awareness training. The format varies, from online modules and training videos to simulated social engineering and phishing attempts. The important piece is that everyone in your organization experiences the training and understands what is expected of them, for example what to do when a suspected phishing email arrives.

Many vendors offer this training, and some providers include it as part of their service package. For example, to meet US Department of Defense contracting compliance requirements, Stratus Services provides training via KnowBe4. These training modules include a series of videos, comprehension checkpoints, and real-life exercises such as simulated phishing emails. After initial training during employee onboarding, organizations can monitor how employees respond to these fake malicious emails and adjust the training or schedule follow-ups as needed.

The goal is to make every team member aware that they are pivotal to the success of your cybersecurity. Each organization and department is unique, so work with your IT and compliance experts to ensure the training your employees receive meets the standards of the work they do. Each compliance framework imposes its own rules, and your training should address the specific requirements your organization faces.

Implementing a New Approach

Tackling cybersecurity can be daunting, and finding reputable vendors that will serve the needs of your organization is no small feat. The ever-evolving landscape of cybersecurity demands unwavering attention and proactive efforts. Reevaluating your approach to password policy, developing a multilayered approach, and getting your staff trained on the tactics threat actors are using are all great ways to begin securing your infrastructure.

The implications of a lax security posture have grown from mere inconveniences to potential financial ruin and reputational damage. Whether driven by regulatory mandates, insurance audit requirements, or the imperative of safeguarding your organization's image, investing in robust cybersecurity is no longer optional. Building trust with your customers that their data is safe with your organization is likewise vital in our digital world.

Compliance frameworks, such as the Health Insurance Portability and Accountability Act (HIPAA), Cybersecurity Maturity Model Certification (CMMC) 2.0, and National Institute of Standards and Technology (NIST) Special Publication 800-171, provide crucial guidelines for organizations to follow. Collaborating with compliance experts and service providers is essential to ensure that your security practices align with these standards.

In this dynamic cybersecurity landscape, staying ahead of the curve is not just a competitive advantage but a fundamental necessity. Investment in cybersecurity today can mitigate risks, protect sensitive data, and ultimately safeguard the reputation and financial health of your organization in the face of an increasingly sophisticated threat landscape.

Joshua Rabe is the owner and CEO of Stratus Services, an IT services and security company based in Anchorage. He is an advocate for helping clients to turn needs and goals into secure and effective technological solutions. If you’d like to see how your cybersecurity stacks up, visit stratus-services.com.