10 cybersecurity best practices and tips for businesses

Each employee of a business, from end users to security professionals to executives, has a role in protecting their business from cyber attacks. The actions that each employee takes -- or doesn't take -- can make the difference between "just another day" and a major security breach that harms the business's reputation and costs the business a lot of money.

To help businesses improve their security practices, we've compiled a list of cybersecurity best practices for security professionals to follow, and a list of cybersecurity tips for all employees to keep in mind. These lists focus on particularly important things for businesses today to address.

Cybersecurity best practices for security professionals

1. Update security policies. Businesses often have outdated security policies that don't take into account the latest technologies, cyber threats, and cybersecurity best practices -- such as zero-trust architectures. Security policies are the foundation for enterprise security. Make sure to update your policies first, and then update your security practices and train your employees so they understand (and hopefully comply!) with the new policies.
2. Require strong authentication for all users. Cyber attacks often use compromised user accounts to gain access to a business's internal resources. Requiring multi-factor authentication, such as a smart card with a PIN or biometric, for every user can be effective at stopping many cyber attacks. If that's not feasible for your business, at least require users to have strong passwords that attackers won't be able to guess, and implement multi-factor authentication for security professionals, system administrators, and all others with privileged access to systems and networks.
3. Refresh your network security controls. If it's been a while since your business reviewed its network security controls, consider whether they need a refresh. For example, do your firewalls and virtual private network (VPN) gateways offers the functionality your hybrid workforce needs? Maybe it's time to upgrade or replace them. Also, are you able to monitor network traffic for all of your users, or has cloud migration reduced your visibility? Perhaps you need to deploy additional network security software, or consider adopting cloud-based security solutions like Secure Access Service Edge (SASE).
4. Prepare for compromises. Security breaches and other types of security incidents are inevitable. It's incredibly important to be prepared at all times to handle compromises to reduce the amount of damage that's done. Along with that, your business needs to be equipped to detect security incidents as early as possible. That means not only having the security technology in place to detect and analyze suspicious activity, but also educating employees on what the potential signs of an incident are and how to report them. Ideally, your business should foster a culture of honesty, and not punish employees for making innocent mistakes -- otherwise people may hide their errors, which can allow compromises to last longer and do more harm.
5. Keep your security knowledge current. One of the hazards of working in security is that you may be so busy that you don't have time to keep your security knowledge current. You're understandably focused on handling today's emergencies. However, not only should you stay up-to-date with the latest changes in your specialty areas, but also security is a vast field and there are always more things to learn. Cybersecurity topics such as risk assessment, cyber threats, threat detection and zero-trust architecture apply to so many areas of security. Also, topics such as physical security often get overlooked altogether. Online courses can help you fill in the gaps.
6. Improve employee awareness of security. All too often, security awareness activities for employees are just an hour a year of sitting through the same presentation, plus an occasional email. Security awareness activities may be perceived as a waste of time, and unfortunately they often are. What's needed is a broader cultural shift to understanding the importance of security and the need for everyone to do their part. You can help your business change its cybersecurity culture by taking a few minutes to explain to employees why they are being required or asked to do or not do things a certain way. Cultural changes happen gradually, every time an employee buys into the need for a security practice.