10 cybersecurity best practices for organizations in 2025
To improve your organization's cybersecurity program, follow these best practices to safeguard your infrastructure and ensure a quick recovery after a breach.
When determining cybersecurity best practices, CISOs and their organizations need to implement a wide range of approaches to keep one step ahead of cyberthreats. Some of these best practices are timeless, such as backing up data and conducting regular cybersecurity training. Others, including air gapping backups to minimize the risk of attackers compromising systems, can be easier to overlook.
To that end, the typical organization should have the following 10 key cybersecurity best practices in place:
- Erect multiple layers of defense.
- Perform continuous vulnerability scanning.
- Secure the software supply chain.
- Back up data routinely.
- Isolate or air gap backup data.
- Require MFA and understand its limitations.
- Conduct regular security training.
- Test employee security awareness.
- Simulate real-world attacks.
- Manage physical security risks.
When used collectively, these strategies minimize the risk of experiencing a cyber incident and maximize the ability to recover quickly if a breach does occur. Let's take a more in-depth look at each of these strategies.
1. Erect multiple layers of defense
Perhaps the single most important cybersecurity best practice for businesses to follow today is to invest in a multi-layered defense strategy, also known as defense in depth. This means an organization deploys multiple types of security controls, such as firewalls to help secure the network, endpoint protection software to secure individual devices and encryption to protect databases.
Multiple layers of defense are important because they help to minimize the effect of a breach. For example, if threat actors manage to gain access to a company's internal network, endpoint protection software will help prevent them from also compromising the company's PCs and servers, while encryption will reduce the chances that they can find and exfiltrate sensitive data.
2. Perform continuous vulnerability scanning
Another core cybersecurity best practice is to carry out regular vulnerability scanning. Vulnerability scans identify software known to be vulnerable to attack. Some scanners can also detect insecure configurations, such as a database that's accessible to anonymous users over the internet.
Businesses should deploy tools that scan continuously to maximize the effect of vulnerability scans. This means that whenever a new IT asset enters a company's IT environment or an existing resource changes state, a scan occurs to identify whether risks are present. Periodic scans might not be sufficient to detect risks before threat actors exploit them.
3. Secure the software supply chain
Often, an organization's greatest cybersecurity threats originate not from IT resources that its own employees create but from third-party assets, such as open source software libraries used by the organization to satisfy software dependency requirements for its applications. If those third-party resources are vulnerable, threat actors could exploit them to gain access to a business's IT environment.
The practice of mitigating these risks, known as software supply chain security, is an essential component of an overall cybersecurity strategy for organizations that rely on third-party IT resources.
While software supply chain security tools and strategies often focus primarily on risks linked to third-party open source software, other types of potential third-party risks also exist, such as SaaS applications that process a company's sensitive data but are developed and managed by an external vendor. It's important to validate the security of these types of resources, too.
4. Back up data routinely
Data backups don't prevent cyberattacks, but they do play a key role in enabling recovery from certain types of breaches -- especially ransomware attacks, in which threat actors encrypt a business's data and demand payment in exchange for the decryption key.
With data backups in place, an organization can restore its systems rather than pay a ransom. This approach saves money and also helps reduce the risk that threat actors will continue to target the business if they know a ransom was paid in the past. The 2025 "Cyberthreat Defense Report" from CyberEdge Group found that only 54% of organizations that paid a ransom recovered their data.
To maximize the effectiveness of backups, an organization's backup schedules must align with its recovery time objective and recovery point objective requirements that define how frequently backups should occur and how quickly the organization can recover. Backups are useless following a ransomware attack if they aren't recent enough to enable successful recovery without the loss of critical data, or if recovery takes so long that the business loses massive amounts of revenue or suffers major reputational harm.
5. Isolate or air gap backup data
Threat actors know that businesses often create backups to protect themselves against ransomware attacks. For that reason, attackers frequently attempt to destroy or encrypt backups as part of a ransomware attack.
A best practice is to store backup data in an isolated location, such as a third-party data center or using air-gapped storage devices disconnected from the network. Attackers who compromise a company's main IT environment will find it difficult or impossible to access backup data using these approaches.
6. Require MFA and understand its limitations
MFA helps to reduce cybersecurity risks by requiring users to work through multiple authentication steps before they receive access to a resource. With MFA in place, attackers who manage to compromise one layer of access -- by stealing a user's password, for example -- won't necessarily be able to complete a login process. It's a best practice to enable MFA wherever feasible, but various techniques still allow threat actors to circumvent MFA in many cases.
While MFA is a key step toward a strong cybersecurity posture, it's critical to deploy additional protections, such as encrypting sensitive data, even if access to the data is managed through MFA. Auditing login activity by maintaining a record of who has accessed which resources can help to reveal unusual access patterns, such as a login that originates from an IP address that has never previously connected to the company's network, which might be a sign of efforts to bypass MFA.
7. Conduct regular cybersecurity training
Training staff in cybersecurity best practices is an important step toward minimizing security risks. Training should educate employees on topics such as how to recognize and respond to phishing attempts and why it's important to avoid using shadow IT resources to store or process the organization's data.
Security training should occur repeatedly, and the training content should evolve to reflect changes in the types of threats or risks the organization faces. For instance, anti-phishing training in the past tended to emphasize that emails rife with grammatical mistakes were likely to be phishing messages. AI has made it easier for attackers to generate more convincing, well-written phishing content. Modern phishing training should be updated to address this and other novel AI-related phishing challenges.
8. Test employee security awareness
It's also important to test employees ' security readiness to ensure they learn and act on the best practices conveyed to them by security training.
Ideally, testing should take the form of dynamic, real-world assessments of how employees respond to potential cybersecurity threats. For instance, a company could generate mock phishing emails and distribute them to staff to determine how many people engage with them. It could also simulate vishing attacks by requesting sensitive information from employees over the phone to assess how vulnerable they are to this more sophisticated phishing method.
9. Simulate real-world attacks
Organizations should assess their overall level of cyber-readiness by simulating breach attempts or attacks against the company's entire IT infrastructure.
The following are three common ways to carry out such simulations:
- Penetration testing. The company hires a cybersecurity firm to attempt to find and exploit specific types of risks, such as network- or software-related vulnerabilities.
- Red teaming. Cybersecurity experts posing as attackers attempt to find and exploit risks of any type across the organization, using any technique of their choosing. Unlike pen testing, which focuses on evaluating a predefined set of risks, red-team exercises are more open-ended assessments of an organization's overall preparedness.
- Breach and attack simulation (BAS). The IT department or an outside firm uses automated tools to find and attempt to exploit security vulnerabilities. Like red teaming, BAS focuses on testing for a variety of security weaknesses. But because BAS tools rely on automation, these types of exercises are typically less expensive to carry out.
The best way to simulate an attack depends on how far the organization wants to go when attempting to discover its own security vulnerabilities, as well as how many financial resources it can devote to the simulation.
10. Manage physical security risks
Cybersecurity defense strategies typically focus on preventing or mitigating the effects of attacks that take place over the network. However, physical security breaches are on the rise. Threat actors could, for example, target physical systems by entering an office building and planting malware on a company's PCs using USB sticks. They could also attempt to disrupt critical services by physically damaging network infrastructure.
To protect against these risks, it's vital to deploy adequate physical security controls, such as restricting who can physically access a company's facilities and using security cameras to monitor for unusual activity.
Chris Tozzi is a freelance writer, research adviser, and professor of IT and society. He has previously worked as a journalist and Linux systems administrator.
