Millions of computer systems went down at once; emergency services, travel, and financial systems were disrupted; and global shipping ground to a halt. It’s the kind of technological catastrophe many imagined would happen during Y2K, or in some distant dystopian future, but CrowdStrike’s service outage occurred in 2024, and the world was woefully unprepared. While the exact cause is still being investigated, the culprit appears to have been a bug in its software.
It’s hard to fathom how we can live in a world where faulty or buggy code can bring down so many critical systems and cause direct losses of $5 billion to Fortune 500 companies. And there’s no easy fix for these types of problems, but whether it’s avoiding poor software updates or staying compliant with constant requirements and changes, organizations can implement several practical steps to improve their cybersecurity hygiene and reduce their exposure to risk.
Below are four key areas we need to focus on:
Founder and CEO of Secureframe.
1. Strengthen employee awareness and access controls
Social engineering attacks have nearly doubled since last year and account for 17% of all data breaches. In the past, email phishing attempts were fairly easy to spot because they were often riddled with spelling and grammatical errors, and the email address they came from usually looked suspicious. Now, generative AI tools like ChatGPT allow attackers to create phishing emails that look very credible and might not be detected by spam filters.
New employees, in particular, are prime targets for cybercriminals. There is a common phishing scheme where malicious actors use LinkedIn to find employees who have recently joined a company and then send them a text message posing as the company’s CEO. They ask the employee to purchase gift cards and then send them the card numbers, scamming them out of hundreds or even thousands of dollars. In 2020, hackers gained access to Twitter’s systems through an employee phishing attack by calling customer service and technical support employees and ordering them to reset their passwords. That’s why it’s more important than ever to implement comprehensive security awareness training for all employees, especially new hires.
Another way businesses can protect their systems from phishing attempts and other types of scams is by implementing role-based access controls (RBAC). Each employee should only have access to the systems and data they need to do their job, reserving the most privileged permissions for IT roles and positions of the highest authority. RBAC allows IT teams to easily add, modify, or remove permissions for a single user or all users in a group at once, helping to prevent cyberattacks that take advantage of employee vulnerabilities.
2. Manage third-party risk
Many organizations don’t pay enough attention to security compliance for the services they use and the technology partners they work with. In fact, fifty-four percent of organizations reported experiencing a data breach caused by one of their third-party vendors within a year. That’s why it’s extremely important to assess and manage the risk of each vendor you work with and ensure they meet strict cybersecurity standards.
You should conduct regular due diligence assessments where you ask potential vendors about their encryption practices or use of an intrusion detection system (IDS) to better understand their network security practices. You should also ask them about their customer exit processes so you know how your data will be disposed of once the vendor relationship ends.
After the assessment, you should rank vendors based on the criticality of their services and the sensitivity of the data they handle, so you can exercise greater control over high-risk vendors. All vendor contracts should include specific assessment criteria, security requirements, incident reporting protocols, and compliance obligations to ensure they are aligned with your organization’s security requirements and risk tolerance.
3. Streamline compliance processes
While regular audits are a necessary part of good security hygiene, when companies are faced with numerous, repetitive compliance audits, they can become a serious distraction from business-critical priorities. Not to mention, they can kill morale. I call it “audit fatigue” – the constant cycle of compliance checks and documentation overload becomes too much of a burden, leading employees to disengage and sometimes quit. And unfortunately, this decrease in efficiency and increase in turnover can result in significant financial losses for the company.
That’s why it’s important to limit tedious work (such as the evidence collection process, for example) as much as possible and avoid duplication of tasks when you’re in the middle of an audit. Compliance automation can help with this by speeding up evidence collection, centralizing compliance data, and continuously monitoring security controls, reducing employee workload so they can focus on core tasks.
4. Adopt continuous surveillance
Maintaining good cyber hygiene requires constant effort and attention to changing threats.
The first step is to clearly understand your organization’s risk profile and security posture. From there, it will be important to implement a system to quickly address identified issues before they can be exploited.
Compliance automation tools can help in this regard by detecting vulnerabilities and failed controls, allowing security and IT teams to proactively fix issues before an attack occurs. These tools can also provide a complete picture of your risk profile and security posture, allowing for more efficient and effective risk management. By leveraging this technology, businesses can streamline their compliance efforts, reduce human error, and stay ahead of evolving threats.
This is particularly critical for financial institutions, healthcare organizations, and transportation systems, like those affected by the CrowdStrike service outage, because detecting and patching vulnerabilities quickly means saving highly sensitive data from being exposed and critical services from being disrupted.
By focusing on these four areas—employee awareness, third-party risk management, streamlined compliance, and continuous monitoring—organizations can significantly improve their cyber hygiene. This holistic approach not only protects sensitive data, but also fosters a culture of security awareness across the organization.
We list the best network monitoring tools.
This article was produced as part of TechRadarPro's Expert Insights channel, where we showcase the brightest and brightest minds in the tech industry today. The views expressed here are those of the author, and not necessarily those of TechRadarPro or Future plc. If you're interested in contributing, find out more here:
