
Mitigate cyber risk by mastering the fundamentals
Cyber threats are top of mind for many individuals, businesses and public entities. The 2025 World Economic Forum Global Risks Report identified “cyber espionage and warfare” as the 5th most severe short-term and 9th long-term risk, just one indication of its worrisome global presence [1].
Assessing your program and taking action to implement fundamental cyber security measures can help your organization strengthen its cyber defenses. Start with some basic questions.


What can be done to strengthen an organization’s cybersecurity posture and lessen the risk of being victimized by threat actors?
Businesses and individual users are justifiably concerned about cyber threats and general cyber insecurity. In looking at some of the latest cyber events, many come down to the same initial threat vectors that we have been dealing with for years: unpatched or unknown vulnerabilities, stolen credentials and social engineering.
The focus of conversations should be on ensuring all organizations, regardless of size or industry, are prioritizing the basics of cyber security. Following the basics goes a long way towards detecting malicious activity.
- Does your organization use Multi-Factor Authentication (MFA) and, in general, what is the state of the credential management program?
- What is the state of the vulnerability management program?
- Do you perform regular vulnerability scanning? If yes, what tool(s) do you use?
- How does vulnerability scanning integrate with the patching program?
- How are employees being trained and tested on cyber security?

What should businesses do when they are unsure of what to do next?
With the plethora of software, tools, services and providers on the market, it can be overwhelming to simply get started with optimizing a cybersecurity program. An excellent place to start is with a controls assessment linked to a common framework or established benchmarks, including the NIST CSF [2] or CIS Benchmarks [3]. The proper choice may be dependent on the industry and regulatory requirements of the organization, and it is best to determine in consultation with an experienced cybersecurity team.
If the client is not following any specific framework, a starting point would be discussing their regulatory requirements to help them determine the best way to assess and improve their current controls and security posture. They need to determine their current state, their desired state and how to effectively measure their program.

What should leaders understand about these approaches to cybersecurity?
People often ask which is a “better” program to follow for an enhanced security posture, prevention or active detection and response. Much attention is given to preventing an event from ever taking place, when the reality is organizations need to focus on detecting and responding to malicious activity. Prevention is not always possible given the constant evolution of threat tactics and technology. To successfully detect and respond to cyber threats, there is a need to focus on two key factors:
- Enhancing visibility: Does the organization have visibility into all the device and user activity on their network?
- Preparation: Is the organization prepared with an appropriate and effective response plan when something is detected?

How can businesses better ensure they are keeping up with this evolution when they are not cybersecurity experts themselves?
A common refrain in the cyber world is that the landscape is ‘constantly evolving.’ Given this continuous evolution, it is important for organizations to establish an effective way to measure and communicate the maturity of their cybersecurity program. This comes down to building a program that suits your organization’s needs based on controls and frameworks that have been proven effective. The most important things to remember are enhancing visibility and preparing for a potential cyberattack.
As cyberattacks continue to increase, the likelihood of an incident against those who are un- or under-prepared to respond strategically and in a well-practiced manner becomes close to inevitable.

References
1. World Economic Forum. The Global Risks Report 2025 Edition. https://www.weforum.org/publications/global-risks-report-2025/
2. NIST. Cybersecurity Framework. Nov. 2013. https://www.nist.gov/cyberframework
3. Center for Internet Security. CIS Benchmarks. https://www.cisecurity.org/cis-benchmarks/. Accessed 15 July 2024.
