This year’s Cybersecurity Awareness Month theme, “Secure Our World,” emphasizes the importance of simple yet powerful measures everyone can take to protect their businesses, data, and loved ones. While there is no silver bullet to safeguard against all cyber threats, implementing basic best practices can significantly reduce risk.
Information Security Buzz spoke with several security experts and asked them, “What’s the one piece of advice that could make a difference?” Their responses highlight that cybersecurity is not one-size-fits-all—each organization must tailor its approach to its unique needs and vulnerabilities.
However, these foundational steps can help build a more secure world for all.
Tim Erlin, VP of Product at Wallarm
“For folks who aren’t immersed in technology or cybersecurity on a daily basis, keeping your personal data safe can seem daunting, if not impossible.”
It’s important to keep in mind that the basics of fraud haven’t changed over time; it’s the means of perpetrating it that has shifted. Whether it’s a con artist on the street, a piece of mail, a phone call, or an email, fraud artists and criminals use tactics such as trying to look official or creating a sense of urgency.
Today, that “official notice” might come as a browser pop-up or a text message, and that “act now to avoid a fine” might come through social media. So, be skeptical. If something doesn’t feel right, don’t follow through, especially if there’s money involved. The methods might change, but the basics of social engineering are consistent.
Antonio Sanchez, Principal Cybersecurity Evangelist at Fortra
“In the world we live in, we cannot expect others to protect our personal privacy, so we must take steps to protect ourselves.”
This year, for Cybersecurity Awareness Month, I challenge everyone to do one new thing that helps protect their privacy and increase the security of our digital interactions.
If you use the same password/passphrase for all your sites, start using a password manager and create unique passwords. Start with just a few sites to get used to using it, and then gradually add other sites with new passwords. Those already using a password manager should increase the number of characters and character types when generating a password.
If you have never used a multi-factor authentication app, use one. Google Authenticator and Microsoft Authenticator are available for iOS and Android; they are free and extremely popular, so there are lots of resources and videos to help people get comfortable with using them. If you don’t use a shredder, buy one and get into the habit of shredding mail or other documents with sensitive information before you discard them. This includes copies of tax returns that are over seven years old, checks that come in the mail from your bank that can be used for balance transfers, and monthly bills.
There are lots of other examples. Just stop and think about anything that contains personal data and a step you can take to protect it. Also, make sure to freeze your credit reports with Experian, Equifax, and Transunion to prevent someone from taking out a credit card or mortgage in your name.
Karl Holmqvist, Founder & CEO at Lastwall
“We stand at a pivotal moment in cybersecurity, where we must confront a pressing question: ‘Are we genuinely doing enough to secure our world?’”
As the digital landscape evolves with unprecedented speed, companies are uniquely positioned to lead by crafting and deploying robust, accessible solutions. It is time to move beyond the minimum thresholds of compliance and push for fortified defenses that truly make a difference. By embracing innovative pricing models, the industry can democratize access to high-quality protective measures, ensuring that organizations of all sizes can step up their security game. The priority must be to safeguard our society.
With the advent of post-quantum computing on the horizon, the stakes have never been higher. Protecting sensitive information and critical infrastructure demands a renewed and unwavering commitment. The cybersecurity community must unite to build a safer future, fostering collaboration and a proactive stance against emerging threats. When we view cybersecurity as a shared duty—to protect society—we lay the foundation for real, meaningful progress. This collective resolve will be our most robust defense in navigating the challenges ahead.
John Trest, Chief Learning Officer | Strategic Product Manager at VIPRE
“Get a password manager. If you’re like the majority of people, you’re not managing your passwords securely.”
There are too many of them. You’re reusing passwords and keeping them simple because it’s not worth the effort to track all of them, especially when you have to change them regularly. And now, you’re an easy target for having your bank funds drained, credit cards rung up, personal data stolen, etc.
Get a password manager so you only need to know one password. All your login credentials can be unique and extremely difficult to crack.
Bruno Kurtic, Co-founder, President, & CEO of Bedrock Security
“Modern enterprises understand that cybersecurity is not just the responsibility of IT teams—it’s a shared duty across the entire organization. By embracing this mindset, we can collectively secure our world.”
The theme “Secure Our World” is a stark reminder of our shared responsibility in securing the digital landscape. Data breaches continue to escalate, with the average data breach costing $4.88 million—the highest cost ever recorded—and the number of data compromises rising to 1,571 in the first half of 2024, up 14% from 2023.
The scale and speed of these breaches emphasize a critical truth: each organization must take full accountability for the sensitive data they handle. A key first step is ensuring complete visibility into where critical information resides and who has access to it. Without this, gaps and vulnerabilities, and thus breaches, multiply.
Adapting to new challenges from modern use cases such as GenAI is essential. To prevent sensitive data leaks in GenAI LLM models, it’s crucial to understand the data and the business context and control what data is used before it is used for GenAI training. Strong data governance and access controls enable the speed required for innovation without compromising security.
Grant Oviatt, Director of Security Operations at Prophet Security
“Invest in multi-factor authentication (MFA) across your security perimeter and all internet-facing assets, including VPN and SaaS applications. Compromised identities are the new malware of this day and age (typically harder to identify and stop).”
The Snowflake breach is an excellent example of why MFA remains critical.
Lynn Dohm, Executive Director, Women in Cybersecurity (WiCyS)
“During Cybersecurity Awareness Month, messaging to already-cyber-conscious audiences is often redundant. It’s time to take a different approach that focuses on students and builds real connections. To cut through the clutter, we need to simplify the message and empower the next generation to see themselves in cybersecurity. This month isn’t just about raising awareness; it’s about shaping the future leaders of this field.”
Teenagers are much more likely to listen to someone closer to their age who they can relate to. They’re not going to engage with adults lecturing them about cybersecurity. To shake things up, this Cybersecurity Awareness Month, we’re showing young women that they belong in this field by mobilizing our student chapters to reach high school students directly. We’re showing them that cybersecurity is already a part of their lives and doesn’t have to be intimidating.
We’ve developed a Cybersecurity Awareness Month toolkit, backed by our top-tier partners, that these student leaders will take into high schools, breaking cybersecurity into simple, everyday language. Many students don’t realize they already practice cybersecurity when using two-factor authentication. Having peers—people recently in their shoes—share this message makes cybersecurity feel relevant and accessible. It’s not a big, scary concept; they’re already part of it.
Ted Gruenloh, CEO of Nomic Networks
“Use a password manager for every login and apply Multi-factor Authentication (MFA) to every account that offers it. Password managers allow you to generate complex passwords easily and recall them, when necessary, across all your devices.”
There’s only one actual password to remember, and if your data is stolen from one site, that site’s password is the only one that needs to be changed. And yes, experts will say that SMS/text-based MFA is “broken,” but it is objectively better by a mile than no MFA.
Another easy one? Use Google, Apple, or your trusted vendor of choice to back up your data in their cloud. If something awful happens, your laptop or phone can easily be wiped or replaced, but you must ensure you can get your data back.
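Both Sanchez (above) and Gruenloh recommend an authenticator app over SMS codes without saying what the app actually does. The following is an added example, not code from the article or from any contributor: it implements the time-based one-time password algorithm (RFC 6238, built on HOTP from RFC 4226) that Google Authenticator and Microsoft Authenticator run, plus the server-side check a site should perform. The server side accepts one 30-second step of clock skew and refuses to accept any step twice, which is what makes an app code single-use in a way an SMS code in a text thread is not. The secret is the RFC 6238 test-vector key, not a real account secret; every other name in the block is an assumption of this example.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test-vector key ("12345678901234567890" in base32), used here so
# the output can be checked against the published vectors. Not a real secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset given by the last nibble."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, timestamp: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the current time step.
    This is what the phone app computes every 30 seconds."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, timestamp // step, digits)


class TotpVerifier:
    """Server side. Tolerates +/- `skew` steps of clock drift and never
    accepts a time step that is older than or equal to the last accepted one,
    so a captured code cannot be replayed."""

    def __init__(self, secret_b32: str, step: int = STEP_SECONDS,
                 skew: int = 1, digits: int = DIGITS):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step = step
        self.skew = skew
        self.digits = digits
        self.last_accepted_step = -1  # replay-protection high-water mark

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue  # already used, or older than a code already used
            expected = hotp(self.secret, candidate, self.digits)
            # constant-time compare: do not leak which digits matched
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed walk-through at RFC time T=59 (step 1).
    verifier = TotpVerifier(DEMO_SECRET_B32)
    code = totp(DEMO_SECRET_B32, 59)
    print("app shows:", code)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay rejected:   ", not verifier.verify(code, 59))
```

The skew window is the usual trade-off: too narrow and a phone with a slightly wrong clock locks the user out, too wide and an attacker who phishes a code has longer to use it. Recording the last accepted step closes the replay gap that the window alone would leave open.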
Scott Kannry, Co-founder & CEO of Axio
“As cybersecurity threats evolve, so must our approach. Organizations that involve a broad range of voices and focus on practical outcomes will build more resilience and secure environments for everyone. This month serves as a reminder that securing our world is an ongoing effort that requires collaboration, clear strategies, and a commitment to continuous improvement.”
As we observe the 21st Cybersecurity Awareness Month, it’s essential to focus on raising awareness and taking concrete actions to reduce cyber risks. While increased engagement from the C-suite and boards is a positive step, many organizations still face challenges in turning this awareness into coordinated and effective action.
To truly “Secure Our World,” organizations must move beyond identifying cyber risks and concentrate on actionable mitigation strategies. This means fostering better communication among stakeholders, aligning priorities that matter most to the business, and making decisions that focus on minimizing the potential impact of cyber incidents. Recent events like CrowdStrike have shown that even well-defended companies can be significantly affected, sometimes due to accidents. Thus, it is imperative to understand the ramifications of a successful attack (or accidental event) to minimize business impact effectively.
Cyber Risk Quantification (CRQ) can be a powerful tool in this effort, but only when used to drive business decisions rather than measure risk. Aligning stakeholders on CRQ can help bridge the communication gap and create a unified approach to cybersecurity.
Ashok Kumar, Head of US Engineering at Cyware
“As AI becomes more integrated into cyberattacks and defenses, organizations must adopt modern security solutions to stay ahead of evolving threats. Continuous learning and adaptive strategies are vital in navigating this new era of AI-powered cybersecurity.”
National Cyber Security Awareness Month’s “Secure Our World” theme underscores the increasingly complex threat landscape. Malicious actors leverage AI to carry out advanced attacks, such as zero-day exploitation, where AI rapidly identifies previously unknown vulnerabilities in code. AI-powered phishing attacks are becoming more sophisticated and harder to detect, while AI-driven malware can modify its code to evade traditional security measures. Additionally, AI-generated deepfakes are being used to spread misinformation, potentially causing social unrest and posing significant threats to individuals, businesses, and governments.
The scale and intelligence of AI-driven attacks pose a significant challenge for all. However, AI is also a powerful tool for defense. It empowers security teams to detect and respond to threats faster and more accurately. The key lies in responsible AI implementation. Organizations must prioritize ethical use and data security to avoid unintended consequences.
Shawn Waldman, CEO & Founder, Secure Cyber Defense
“Cybersecurity Awareness Month is ineffective. I know I might be in the minority, but as a nation, we sometimes do the same things repeatedly without achieving different results—or sometimes, any result. I like the idea of Cybersecurity Awareness Month from an awareness perspective, but we need to do more.”
Cybersecurity is national security—let’s start there. Cybersecurity Awareness Month is focused on four things: recognizing and reporting phishing, using strong passwords, turning on MFA, and updating software. These are all high-level and essential tasks for basic security. However, what’s missing are step-by-step videos and documentation that guide the average citizen through these processes for some of the most critical apps in use today. A prime example (pun intended) is Amazon! It is likely one of the most widely used applications in most countries, possibly worldwide. Why not use this campaign to walk people through securing their accounts?
Lastly, we must educate the public on how fragile our critical infrastructure is and how they can protect themselves. This isn’t fear-mongering; it’s about simple awareness and utilizing sites like ready.gov to learn how to begin the preparation process.
Panagiotis Soulos, Winner – ISC2 Outstanding Volunteer Award 2023
“I would advise everyone to accumulate cyber hygiene practices every day. By cyber hygiene, we refer to the security best practices that we should follow daily to protect our data and our devices.”
These are summarized in six main categories:
Password Management: Use strong and unique passwords managed with a password management tool and enable Multi-Factor Authentication (MFA) on your accounts.
Social Engineering Protection: Identify and protect yourself from phishing, smishing, vishing, and impersonation.
Safe use of social media: Make your profiles private and be cautious when posting. Avoid using location services and use block & report features.
Safe and secure internet usage: Use known and trusted websites for your e-purchases. Ensure communication is encrypted (padlock).
Device security controls: Ensure your devices are password protected and have antivirus software and a firewall installed.
Updates & Backups: Enable automatic security updates on your devices and take frequent data backups.
Irfan Shakeel, VP Training & Certification Services at OPSWAT
“To ‘Secure Our World,’ protecting critical infrastructure must be a top priority, requiring proactive strategies to safeguard our society’s critical systems and sensitive data. This effort must go beyond raising awareness and demand targeted cybersecurity measures vital for national security.”
Organizations should focus on real-world attack vectors like SCADA system manipulation to better understand our risks and enhance preparedness in sectors we all rely on, such as energy, transportation, and healthcare. Regular tabletop exercises simulating OT/IT breaches, strict enforcement of multi-factor authentication (MFA) and network segmentation, and active leadership in fostering a security-first culture are essential for readiness and resilience. These foundational measures must be continuously reinforced to maintain vigilance across the organization.
Cybersecurity should also be embedded throughout the product development lifecycle, starting with secure coding practices and early threat modeling. Regular security reviews, vulnerability assessments, and static and dynamic analysis tools ensure security is integrated from the start, reducing post-deployment risks. Organizations minimize vulnerabilities and strengthen security postures by embedding cybersecurity into each phase.
Travis Howerton, CEO and Co-founder of RegScale
“In today’s landscape of growing regulatory demands and cybersecurity threats, organizations must adopt effective strategies to manage risk and ensure compliance. During Cybersecurity Awareness Month, it is crucial to focus on best practices for automating risk and compliance to enhance your organization’s cybersecurity framework.”
Automation remains the key to continuously monitoring systems for vulnerabilities, misconfigurations, and compliance gaps. Organizations can maintain real-time security and minimize potential threats by proactively identifying risks before they escalate. Also, automating routine security checks and generating audit reports is critical for streamlining compliance. Regular automated assessments help organizations stay aligned with industry standards and regulatory requirements, reducing the need for costly manual efforts. Finally, embedding security and compliance checks within the DevOps pipeline ensures vulnerabilities are identified and addressed early, reducing risks and preventing non-compliant code from reaching production.
By adopting these practices, organizations can reduce human error, improve operational efficiency, and maintain ongoing compliance with industry regulations while safeguarding their digital assets. Embracing automation in risk and compliance management is essential to “Secure Our World” and stay ahead of evolving cyber threats.
Dale Hoak, Director of Information Security at RegScale
“Traditional GRC methods often struggle to keep up with today’s fast-paced threat environment. The future of GRC lies in Dynamic Operational Control Management, which integrates Continuous Control Monitoring (CCM) with automation, AI, and real-time analytics to ensure robust security.”
Compliance should be an outcome of effective security practices, not a mere checkbox exercise. By continuously leveraging existing tools to monitor and automatically collect technical and non-technical evidence, organizations can create a real-time, unified view of their cybersecurity posture. This proactive approach aligns compliance with strong security practices, reducing the need for separate, burdensome compliance efforts.
Optimizing workflows and automating incident response is crucial as cyber threats grow more complex. Automated systems can deploy patches or alert teams for manual intervention when a vulnerability is detected, followed by validation and resolution. This strengthens security management and streamlines audits and compliance reviews, making it easier for organizations to meet regulatory requirements.
Conclusion
There’s no doubt that cybersecurity is a shared responsibility that requires collective action. While there is no single solution to all cyber threats, the expert insights in this article stress the power of small, foundational steps.
By focusing on simple yet effective measures—like multi-factor authentication, strong password management, and raising awareness of social engineering tactics—businesses and individuals alike can strengthen their defenses. As we strive to “Secure Our World,” these small actions can lead to a big impact, making the digital environment safer for us all.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.