Full Report
These simple cybersecurity resolutions can help keep your startup protected from most malicious hackers. © 2024 TechCrunch. All rights reserved. For personal use only.
Analysis Summary
# Best Practices: Foundational Cybersecurity Resolutions for 2025
## Overview
These practices address critical and often overlooked security controls that remain the primary vector for major data breaches, ransomware, and system compromise, as evidenced by incidents involving AT&T, Ticketmaster (via Snowflake), and Change Healthcare. The focus is on implementing simple, high-impact controls to prevent credential theft, unauthorized access, and data loss.
## Key Recommendations
### Immediate Actions (0-4 Weeks)
1. **Enforce Password Manager Adoption:** Immediately mandate the use of an approved password manager tool organization-wide to eliminate the need for employees to remember or reuse passwords.
2. **Deploy Authenticator MFA:** Mandate the use of Multi-Factor Authentication (MFA) on all critical accounts (email, cloud services, administrative access). Prioritize **authenticator applications** (TOTP/HOTP) over SMS-based MFA, as SMS can be intercepted.
3. **Verify Critical Software Patch Status:** Immediately scan and patch all third-party software, especially managed file-transfer tools, known to be high-value targets for exploitation.
### Short-term Improvements (1-3 months)
1. **Implement Offsite, Encrypted Backups:** Establish and test a recurring, automated backup schedule for all critical company data. Ensure backups are encrypted and stored securely *offsite* (immutable or air-gapped solutions are preferred to mitigate ransomware backup deletion).
2. **Launch Social Engineering Awareness for Voice:** Conduct mandatory immediate training to educate all employees, especially IT help desk staff, on modern social engineering tactics leveraging phone calls (vishing). Implement an explicit policy to **never share confidential information over the phone** without out-of-band verification.
3. **Begin Passkey Exploration/Pilot:** Initiate a review or pilot program to transition high-risk or high-volume services away from traditional passwords toward phishing-resistant methods like passkeys.
### Long-term Strategy (3+ months)
1. **Establish Vulnerability Management Program:** Formalize a continuous patching cadence, ensuring security patches for identified vulnerabilities (especially in long-standing enterprise software) are applied rapidly, minimizing the window for exploitation.
2. **Develop and Test Incident Response Plan (Transparency Focus):** Create or refine the incident response plan to include mandatory procedures for transparent public and customer disclosure following any confirmed data breach, ensuring compliance with disclosure timelines and avoiding regulatory penalties.
3. **Review Third-Party Software Inventory:** Audit all third-party and enterprise software systems, prioritizing those that store troves of sensitive data, to assess their inherent security posture and patching reliability.
## Implementation Guidance
### For Small Organizations
- **Start with MFA Everywhere:** Prioritize enabling MFA on all external-facing services (email, VPN, cloud SaaS) immediately using readily available authenticator apps.
- **Select a Single Password Manager:** Choose an affordable, reputable password manager and provide basic training on the necessity of using unique, complex credentials generated by the tool.
- **Adopt the 3-2-1 Backup Rule:** Implement a basic strategy: 3 copies of data, on 2 different media types, with 1 copy offsite/offline.
### For Medium Organizations
- **Centralize Patch Management:** Deploy centralized software update management tools to ensure consistent and timely patching across all endpoints and servers, focusing on high-risk applications like file transfer servers.
- **Formalize Access Control Reviews:** Conduct an initial review of who has access to sensitive systems, ensuring MFA is enforced for all elevated and administrative roles.
- **Develop Verification Procedures:** Mandate a specific, secondary communication channel (e.g., call back via a known internal extension after an initial unexpected call) for staff handling sensitive IT requests.
### For Large Enterprises
- **Automate Vulnerability Remediation:** Implement automated systems for vulnerability scanning and patch deployment, especially for legacy or complex enterprise software prone to zero-day exploitation.
- **Standardize Credential Management:** Fully integrate password management into onboarding/offboarding processes and mandate the adoption of phishing-resistant MFA (e.g., FIDO2/WebAuthn tokens or robust authenticator apps) across the workforce.
- **Stress Test Transparency Protocols:** During incident response drills, explicitly practice the communication and regulatory reporting timelines associated with transparent disclosure of data loss events.
## Configuration Examples
*Note: Specific tool configurations are absent in the source, but the guidance mandates specific approaches:*
| Control Area | Best Practice Configuration |
| :--- | :--- |
| **Multi-Factor Authentication** | Configure all services to **require Time-based One-Time Passwords (TOTP)** via authenticator apps (e.g., Google Authenticator, Microsoft Authenticator) and **disable SMS-based MFA** for high-value accounts. |
| **Password Policy** | Enforce that all passwords utilized must be **at least 16 characters long** and **unique** across all services, managed exclusively by the organizational password manager. |
| **Data Backup** | Utilize **immutable storage** or **air-gapped/offline storage** for the offsite portion of the data backup copies to protect them from compromise during a ransomware event. |
## Compliance Alignment
The recommended practices align with core principles across major security frameworks:
* **NIST Cybersecurity Framework (CSF):** Primarily addresses the **Protect** function (e.g., Access Control, Data Security) and the **Respond** function (e.g., Communication, Analysis).
* **ISO/IEC 27001:** Key controls relate to Access Control (A.9), Cryptographic Controls (A.10), and Operations Security (A.12 – including systems maintenance and patch management).
* **CIS Critical Security Controls (v8):** Directly maps to:
* **Control 1 & 2:** Inventory and Control of Enterprise Assets (Software Patching)
* **Control 5:** Account Management (MFA enforcement)
* **Control 6:** Access Control Management (Strong Authentication)
## Common Pitfalls to Avoid
1. **Relying Solely on SMS MFA:** Do not default to SMS for second factors, as this method is susceptible to SIM swapping and interception attacks.
2. **Treating Backups as an Afterthought:** Failing to regularly test the ability to restore data from encrypted, offsite backups, rendering the backup useless during a crisis.
3. **Hiding Breaches:** Attempting to conceal a security incident to avoid reputational damage, which almost always leads to larger regulatory fines and greater long-term customer distrust.
4. **Ignoring Voice Vectors:** Over-focusing on email phishing while neglecting the rising threat of social engineering conducted exclusively via telephone calls targeting help desks or employees with access credentials.
## Resources
- **Password Management Tools:** Utilize commercially available password manager solutions designed for enterprise environments.
- **MFA Implementation Guides:** Consult vendor-specific documentation for enforcing mandatory TOTP/Authenticator App usage across centralized identity providers (e.g., Azure AD, Okta).
- **Incident Communication Templates:** Develop pre-approved communication templates for data breach disclosure to streamline response and ensure timely transparency.