Morey Haber, Chief Security Advisor at BeyondTrust, is an identity and technical evangelist with over 25 years of IT industry experience.
Cybersecurity doesn’t require a massive investment to be effective; it demands consistency.
Much like the steady beat of your favorite song, improving your security posture by just 1% at a time can yield massive, transformative results over time. Realistically, no business can guarantee immunity from a threat actor, but incremental, actionable improvements can significantly reduce risk and minimize dwell time.
As we enter the second half of the Roaring ’20s (and, yes, I like that expression), businesses should adopt a pragmatic, step-by-step approach to cybersecurity—one that is consistent rather than driven by bursts of energy, money or projects.
To make 2025 cyber-safe for everyone, consider these simple yet powerful recommendations to improve your cybersecurity posture by 1% at a time.
1. Regularly update and patch your systems.
The first 1% improvement starts with embracing the mundane: patching and updating. Cybercriminals exploit known vulnerabilities in outdated software—a risk that is entirely avoidable if you consistently patch your environment.
Unpatched systems are like unlocked windows and doors in your digital assets. Patching ensures you’re protected against the latest known vulnerabilities, shrinking the attack surface available to threat actors, whether targeted or opportunistic.
Consider these actions:
• Schedule automatic updates for operating systems and applications, whether on-premises or in the cloud. Expect some updates to require downtime to be successful.
• Create a patch management plan to track and apply updates consistently, with policies and documentation to support cyber insurance initiatives.
• Prioritize critical patches for software tied to sensitive business functions, ensuring there is a service level agreement (SLA) that the business can measure and effectively own.
2. Enforce strong password policies, least privilege and multifactor authentication (MFA).
Poor password management is a major cybersecurity weak spot, but it doesn’t have to be, and fixing it costs very little. By prioritizing unique and complex passwords, removing excessive administrative rights and implementing MFA, your business can mitigate many identity-based attacks.
Insecure passwords are often the entry point for breaches. If compromised passwords have administrative or root privileges, threat actors gain unrestricted access to your environment. Making passwords unique and complex mitigates this risk, and MFA provides an additional verification layer, ensuring stolen credentials alone aren’t enough to gain access.
To get started, you should:
• Require complex passwords with a mix of letters, numbers and symbols, ensuring they are unique for every system.
• Use a password manager or privileged access management (PAM) solution to generate and store complex passwords securely.
• Remove excessive privileges to prevent users from logging in as administrators or root by default, especially on local systems.
• Implement MFA for all business systems, including email, customer databases, and financial accounts. This simple step can be one of the most impactful 1% improvements against identity-based attacks.
3. Train employees to recognize cyber threats.
Your employees are your first line of defense—and, unfortunately, often the weakest link. Cybersecurity awareness training is a cost-effective way to reduce human error, raise risk awareness and improve your organization’s overall security.
Phishing, social engineering and accidental clicks on malicious links remain the leading causes of cybersecurity incidents. Educating employees helps them recognize and stop attacks before they escalate into breaches.
A few ways to help your employees include:
• Conduct regular training on recognizing phishing emails and malicious links. Training should occur at least annually, be mandated for all new employees and be documented for compliance and cyber insurance purposes.
• Use simulated phishing tests to reinforce lessons and identify employees who need additional coaching.
• Create a culture of accountability by encouraging employees to report suspicious activity rather than penalizing mistakes. This small improvement in awareness can be enough to stop the latest zero-day phishing attack.
4. Implement network segmentation.
Not every part of your network needs to be electronically visible to every other part, and not every device needs universal access. By segmenting your network and applying role-based access, you limit the spread of malware and unauthorized access. This concept is foundational to a zero-trust environment.
If a cybersecurity incident or breach occurs, segmentation ensures threat actors cannot easily move laterally across your network to access critical assets, applications or databases.
Here is how to put network segmentation into practice:
• Separate critical business systems (e.g., payroll, accounting, medical data) from less secure networks (e.g., guest Wi-Fi, IoT networks) using network segmentation.
• Use firewalls, virtual local area networks (VLANs) and access control lists to create logical boundaries between network segments.
• Assign access to network segments based on the principle of least privilege.
• Regularly review network segmentation and access permissions to ensure appropriateness.
5. Back up data and test recovery plans.
When all else fails, your backups are your safety net. However, they are only useful if they are current, secure and easily recoverable. Periodic testing ensures their reliability.
Ransomware attacks often succeed in extracting a payout because businesses lack reliable backups. Frequent backups and rehearsed recovery plans minimize operational disruptions in the event of an attack.
An effective backup system means that you:
• Schedule automated backups of critical data and store them securely in multiple locations, including offsite and in the cloud.
• Encrypt backups to protect them from unauthorized access and potential physical theft.
• Test your recovery process at least quarterly to ensure backups are functional and accessible. Measuring recovery times puts a number on the cost of downtime and helps justify this 1% improvement.
Why The 1% Matters
The beauty of the 1% improvement strategy lies in its simplicity and consistency. These small steps do not require a massive investment of time or money, but their cumulative impact is significant. Cybersecurity is not about perfection; it is about persistence.
By consistently focusing on incremental improvements, businesses can outpace threat actors one step (or percent) at a time.
As a final recommendation, start with one tip, then tackle the next. Over time, these 1% gains will compound into a robust defense strategy, ensuring your business is better prepared for the evolving cybersecurity landscape of 2025 and beyond.