Decrease Your Organizational Cyber Threats Now

In celebration of Cybersecurity Month, Digital IT News is presenting a three-part series. The first part of this series focuses on how organizations can decrease their cyber threats. We have compiled advice from across the tech industry. See what they have to say.

Segregated Network Environments

As someone who manages global ERP implementations, I’ve found that creating segregated network environments for remote teams is essential. I used to worry about client data exposure until VPN tunnels with endpoint detection handled the heavy lifting, keeping operations seamless but secure. We also implement role-based access controls in NetSuite so users only see what they need; it drastically reduces human error and internal breach risks while maintaining productivity.

Karl Threadgold, Managing Director, Threadgold Consulting

Zero Data Movement, Airlock System & GDPR Compliance

I run a biomedical data platform where we handle some of the most sensitive information possible–genomic data and health records for millions of people across hospitals, government agencies, and pharma companies. One thing we’ve learned the hard way: **data should never leave its home**.

The biggest shift we made was adopting a federated architecture. Instead of copying databases to central servers (which creates multiple attack surfaces), we bring the computation to where the data lives. When UK hospitals wanted to collaborate on COVID research, we connected 5 separate NHS trusts without moving a single patient record–only encrypted analysis results left each firewall. This “zero data movement” principle cuts your exposure dramatically.

Implement an **airlock system** for anything leaving your secure environment. We borrowed this from biohazard labs–nothing gets in or out without dual approval. Every code execution, every result export goes through automated scanning plus human review. Sounds paranoid, but we caught 73 attempted data exfiltrations last year this way, most unintentional from researchers not realizing their queries were too broad.

The certification that actually mattered for us was **ISO 27001 plus Cyber Essentials Plus**. GDPR compliance is table stakes, but these frameworks force you to document *everything*–who accessed what, when, and why. When a pharma client got audited, our audit logs meant they passed in 48 hours instead of weeks. Get certified by someone who’ll actually test your defenses, not just check boxes.

Maria Chatzou Dunford, CEO & Founder, Lifebit

Firewalls are still the foundation of business cybersecurity; but, they’re only as effective as HOW, WHEN, and WHERE YOU CONFIGURE and DEPLOY them. For me, a firewall should act as a LAYERED DEFENSE SYSTEM and not a stand-alone barrier. I usually share with our clients that firewalls should be thought of as dynamic assets that are constantly tuned, monitored, and tested over time. For instance – internal networks using VLANs and implementing application-layer filtering can significantly diminish the spread of threats after they have penetrated the perimeter. When complemented with real-time threat intelligence feeds, a well-tuned firewall has the ability to discover and block new attack patterns before they take a toll. From a leadership standpoint, I believe the greatest divide is in policy and visibility – not technology. Businesses rely on default rules for years, with no auditing. I’d recommend a quarterly review of your firewall rules, automated log analysis via a SIEM tool and integration with zero-trust principles in place.

Greg Bibeau, CEO / IT & Cybersecurity Expert, Terminal B
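The quarterly rule review recommended above can be partly automated. The following is an added example, not Terminal B’s tooling: it audits a constructed, vendor-neutral rule list for the three problems a stale default rule set typically carries (any-to-any allows, rules with no hits in a quarter, and rules shadowed by an earlier rule so they can never match). Rule fields, the first-match semantics and the 90-day threshold are assumptions.

```python
"""Quarterly firewall rule audit (added example; rules are constructed, not a real export)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    proto: str               # "tcp", "udp" or "any"
    port: str                # port number as text, or "any"
    last_hit: Optional[date]  # None = rule has never matched traffic


def _covers_net(a: str, b: str) -> bool:
    """True if network field a is at least as broad as b ("any" covers everything)."""
    if a == "any":
        return True
    if b == "any":
        return False
    return ipaddress.ip_network(a).supernet_of(ipaddress.ip_network(b))


def _covers(a: str, b: str) -> bool:
    """Protocol/port fields: "any" covers everything, otherwise values must match."""
    return a == "any" or a == b


def shadowed_by(rules: list[Rule], i: int) -> Optional[int]:
    """First-match semantics: return the index of the first earlier rule that fully
    covers rule i (so rule i can never fire), or None if it is reachable."""
    r = rules[i]
    for j in range(i):
        e = rules[j]
        if (_covers_net(e.src, r.src) and _covers_net(e.dst, r.dst)
                and _covers(e.proto, r.proto) and _covers(e.port, r.port)):
            return j
    return None


def audit_rules(rules: list[Rule], today: date, stale_days: int = 90):
    """Return (rule name, finding kind, detail) tuples for a reviewer to work through."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append((r.name, "permissive", "allows any -> any on all ports"))
        if r.last_hit is None or (today - r.last_hit).days > stale_days:
            findings.append((r.name, "stale", f"no hits in the last {stale_days} days"))
        j = shadowed_by(rules, i)
        if j is not None:
            findings.append((r.name, "shadowed", f"unreachable; covered by '{rules[j].name}'"))
    return findings


# Constructed sample rule set (not from any real firewall), ordered as the device evaluates it.
TODAY = date(2025, 10, 1)
SAMPLE_RULES = [
    Rule("web-in", "allow", "any", "10.0.1.10/32", "tcp", "443", TODAY - timedelta(days=1)),
    Rule("web-in-dup", "allow", "203.0.113.0/24", "10.0.1.10/32", "tcp", "443", None),
    Rule("legacy-ftp", "allow", "10.0.0.0/8", "10.0.2.5/32", "tcp", "21", date(2024, 3, 14)),
    Rule("default-allow", "allow", "any", "any", "any", "any", TODAY - timedelta(days=2)),
    Rule("block-guest", "deny", "192.168.50.0/24", "10.0.0.0/8", "any", "any", None),
]

if __name__ == "__main__":
    for name, kind, detail in audit_rules(SAMPLE_RULES, TODAY):
        print(f"{kind:10} {name:14} {detail}")
```

Note that "block-guest" is reported as shadowed: a deny placed after a catch-all allow is a common leftover of rule sets that were never reviewed.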

Make Risks Real for Everyone

Awareness begins with making the risks concrete. Employees and leaders need to see cyberattacks not as technical jargon but as events that have direct business and societal impact. Using real incidents, like the recent airport attack which disrupted airport operations across Europe, helps employees understand why caution with phishing emails or suspicious links matters. Leaders also need to recognize that the cost of not prioritizing cyber resilience can be measured in disrupted services, lost revenue, and broken trust. In the worst cases, companies see no alternative but to pay the ransom, with demands that can run into the millions, and even then, recovery is far from guaranteed.

Awareness is only the starting point. To make it effective, companies need to turn knowledge into action through practice. Regular drills and incident simulations are far more effective than one-off training sessions. These exercises allow employees to experience the pressure of a real attack in a safe environment and to understand their specific roles in a response. For example, if a backup system is suddenly encrypted, who makes the first call? Who evaluates the scope of the damage? Who communicates with partners and customers? When these roles are rehearsed, they become instinctive, and the entire organization can respond faster and with more confidence. Importantly, these drills should extend beyond IT and security teams to include operations, HR, legal, and communications, because a real incident will involve every part of the business.

Paul Speciale, CMO, Scality

Zero-trust Architecture

With over two decades in dental cybersecurity, I’ve learned that prevention starts with limiting trust across every system. We implemented a zero-trust architecture at Medix Dental IT where even internal users must reauthenticate before accessing patient data. This drastically reduced potential breaches and helped clients meet HIPAA requirements more easily. Another crucial step is tokenizing all patient information so no exploitable data sits on the network. My advice: treat every device and user as untrusted until verified. Patients will thank you for it.

Tom Terronez, CEO, Medix Dental IT

From my background in cloud infrastructure, I’ve seen how simple hygiene practices like regular patching and access audits prevent 80% of issues before they start. My old boss swore by enforcing zero-trust architecture for SaaS systems, and it turns out she was spot-on. For businesses, I suggest combining cloud-native threat detection with immutable backups; they cost little compared to recovering from a breach.

Alvin Poh, Chairman, CLDY.com Pte Ltd

Password Managers, Real-time Monitoring & Backups

I’ve managed IT infrastructure and cybersecurity for major clients including the City of San Antonio’s SAP implementation and University Health Systems, and the one thing that saved us from disaster repeatedly wasn’t fancy tools–it was eliminating password reuse across our teams. We had a finance employee at one client who used the same password for 11 different systems. When their personal email got breached, hackers had a roadmap to everything.

Here’s what actually works: Force password managers on your team NOW. We use 1Password for our company, but Bitwarden and Dashlane work great too. The resistance disappears after two weeks, and suddenly your employees have unique 20-character passwords for everything without the sticky notes under keyboards.

The second killer is monitoring your network 24/7, which sounds expensive but isn’t anymore. We’ve seen Business Email Compromise attacks jump 476% in one year–these are the attacks where someone impersonates your vendor and convinces accounting to wire $50k. Real-time monitoring catches the unusual login from Romania at 3am before the money moves. We use tools like Microsoft Defender, but even basic SIEM solutions will alert you to weird patterns.

Last thing: backup your data to TWO places–external drive AND cloud. I’ve watched businesses fold after ransomware because they had no backup or only one that got encrypted too. It’s boring advice, but I’ve never seen a company with proper backups go under from a cyberattack.

Manuel Villa, President & Founder, VIA Technology

Change Your View of Cybersecurity From A Fence to Enabling

Cybersecurity and its counterpart cyber threats are often treated as something that exists but is decoupled from regular business operations. Security tools and operations are seen as a fence between the organization and cyber adversaries, not as something embedded or enabling. There are three steps a company should take to be better prepared and create impactful awareness of cyber threats among employees.

First, it should map its data requirements and IT assets to crucial business processes. With that, the company not only knows which processes or process steps are vital, but also how endangered they are from a cyber threat point of view.

The second step is to communicate this dependency and the potential impact to all people involved, but in process terms, not IT lingo. This way, non-IT employees gain a better understanding of the risks to their processes and their contribution to the business.

The final step is to create awareness trainings that reflect the first two steps. Think of it as an extension of existing knowledge, not a distinct new topic. If you run awareness campaigns that describe cyber risks and how to avoid them within the context of an employee’s environment, physical or logical, the impact will be much bigger than with standardized trainings that talk about threats like phishing in technical terms.

Dirk Schrader, Field CISO (EMEA) / VP of Security Research, Netwrix

Multi-factor Authentication, Hardware Security Modules & Securing Your CI/CD Pipeline

I’ve been doing security architecture and pen testing since way before blockchain became my main focus, and here’s what actually matters: **implement multi-factor authentication everywhere, not just on your crown jewels**. I watched a DeFi client lose $800K because their developer’s Slack account (no MFA) got compromised, leading to a poisoned smart contract deployment. The attack surface isn’t always where you think it is.

The specific setup that’s saved multiple clients is **hardware security modules (HSMs) for key management combined with time-locked smart contracts**. We built a system for a logistics client on Hyperledger where private keys never existed in software–all signing happened in Thales HSMs with role-based access requiring physical presence. When their AWS account got popped, attackers couldn’t do anything because the keys weren’t there to steal.

Here’s the counterintuitive part from running 20+ person dev teams across borders: **your biggest vulnerability is usually your CI/CD pipeline, not your production environment**. I mandate that every repo uses signed commits, every deployment requires manual approval from geographically separated team members, and we air-gap our build servers. One insurance blockchain project dodged a supply chain attack because our paranoid deployment process caught a compromised dependency trying to phone home during the build step.

James Ruffer, Project Manager, Web3devs

Employee Training

Cyberattacks unfold in seconds, while our distracted, fast-paced routines often leave us exposed. It’s not that people ignore cybersecurity — most of us know the basics of avoiding suspicious links and shady websites. The real risk comes when we’re multitasking: replying instantly to what looks like a boss’s urgent email, downloading a new AI tool in the rush to finish a presentation, or skimming messages while on the move. In 2025, impulsivity has become the new vulnerability.

Awareness programs can no longer focus only on the “focused office worker” scenario. The real challenge is helping employees build habits that hold up in the messy reality of daily life — when attention is divided and time is scarce. At CTERA, for example, we run simulated phishing campaigns that catch people off guard. Nobody likes being “fooled,” but it builds muscle memory and proves awareness can’t be an annual exercise.

In a distracted century, cybersecurity awareness isn’t a campaign — it’s a habit.

Ravit Sadeh, VP Product Management, CTERA

Regularly train staff at all levels to recognize phishing emails and suspicious links. Reinforce the importance of verifying email senders and attachments before clicking.

Chris Spencer, Chief Information Security Officer, Nomadix

When it comes to raising awareness of cybersecurity threats within an organization, Security Awareness Training (SAT) is the obvious answer. So, I’d be remiss if I didn’t mention it. The important thing to remember when selecting SAT options is that they need to be fun and engaging. Ensure that your training, whether developed internally or using a partner, looks at current tactics and techniques. If the training is outdated, it may do more harm than good.

I believe that creating a forum for conversation is an excellent way to raise awareness. Cyber threats make the news today; it’s not like 20 years ago where you had to go to specialized news websites. Today, big items are on the 6 o’clock news and a part of regular conversation. Providing a place where employees can post and discuss these topics encourages them to take ownership of the information. Then, having your security team provide context and clarity provides additional insight that the media may have missed.

Tyler Reguly, Associate Director, Security R&D, Fortra

Protecting against cyber threats starts with education. Employees are often the weakest link, so routine training and even employee testing is essential.

Marcel Calef, Americas Field CTO, ControlUp

One of the most effective steps has been running regular security awareness training that goes beyond theory. We use examples from real incidents and break down how attackers actually operate, so employees see how phishing, social engineering, and credential theft happen in practice. That connection between the threat and their daily work makes the lesson stick.

I have also seen value in simulated phishing campaigns and tabletop exercises. These create a safe environment for employees to make mistakes and learn from them. When someone clicks on a simulated phishing link, it becomes a teachable moment that reinforces vigilance without shaming.

As we approach another Cybersecurity Awareness Month, it serves as a stark reminder that enterprises must get ‘back to basics’ and focus on creating stronger security foundations. Among the many different threat vectors, I implore business leaders to pay close attention to social engineering – the increasingly dangerous Achilles’ heel of every organization.

Enterprises are underestimating threat actors’ ability to understand the more formidable adult psyche. With the help of AI, cybercriminals can now alter their voices and accents, and launch social engineering attacks in multiple languages with real-time translation, leaving employees with no cues to suspect malicious intent. On top of that, threat actors recognize that employees only receive minimal cybersecurity training, meaning they don’t have the knowledge or skillset to recognize the newest and most sophisticated threats.

Chris Mierzwa, Sr. Director, Global Resilience Programs, Commvault

Have a Tested Plan

Many organisations lack the people and processes needed to implement a cyber resilience strategy, relying on hope and cyber insurance to get them through a traumatic cyber event. There’s also a lot of misunderstanding about how difficult it is to recover from such an event. Cyber Recovery isn’t like Disaster Recovery or recovering backups, and many organisations are relying on untested (and vulnerable) backups to enable them to recover. Tech companies aren’t helping either. Many storage and backup companies are using (existing) features that they are ‘cyber-washing’ to appear as if they have a solution, and are promoting the idea of ‘simple, one-button recovery’ or ‘ransomware detection’. An unrealistic piece of marketing spin that doesn’t represent reality.

High profile cyber events – such as Jaguar Land Rover, Marks and Spencer and Harrods in the UK – do much to put the impacts of cyber threats in the news. Most organisations are now aware that it is when and not if something will happen, but there’s still a ‘head in the sand’ attitude. It’s not the threat of an attack per se, but that there is a lack of awareness of the impact of that attack and the difficulty in recovering.

Start with people and processes. Technology is a critical tool for recovery, but having a plan, testing the plan and testing again is the most important part. Without a comprehensive plan in place, a timely recovery will still be incredibly difficult.

Ian Rothery, EMEA Channel Manager, Index Engines

Promote a Security-first Culture

We encourage leadership teams to adopt a top-down approach to cybersecurity, emphasizing that awareness and accountability are everyone’s responsibility—from the C-suite to frontline employees.

Eddy Abou-Nehme, Owner and Director of Operations, RevNet Ottawa

Be Honest With Yourself

Security and IT teams need to be honest with themselves around three fundamental questions that expose their vulnerabilities: ‘Where is my data?’ ‘Who can access my data?’ and ‘How do I keep data available but confidential?’ When organizations work through these questions, the awareness shift is immediate. Mapping data locations reveals that sensitive information often lives in unexpected places (employee laptops, mobile devices, cloud apps), creating far more exposure than leadership probably realized. Understanding access patterns uncovers over-privileged accounts and weak authentication that attackers exploit daily. And then examining confidentiality measures often exposes gaps in encryption, backup strategies, and incident response capabilities.

I’ve continued to see firsthand that this question-based framework transforms abstract cyber threats into concrete, actionable concerns. Instead of generic security training, employees understand their specific role in protecting data they handle. IT teams move from reactive firefighting to proactive risk management, and leadership gains visibility into actual vulnerabilities rather than theoretical ones. This Cybersecurity Awareness Month, every organization should gather their teams and honestly answer these three questions. The gaps you discover (and then address) could be the difference between a secure operation and your next headline-making breach.

Cam Roberson, Vice President at Beachhead Solutions

Helping companies and employees become more aware of cyber threats starts with visibility. Too often, organizations rely on outdated approaches or treat connected assets as trusted by default. The truth is, you cannot defend what you cannot see. Awareness means understanding every device on the network, knowing what it is, where it is, what it’s doing, and then dynamically controlling its behavior. That level of visibility and control is essential for reducing risk and preventing disruption. Anything less leaves the door open to cyber threats.

Susanna Song, CMO, Aeris

Measure Your Progress

One of the most effective ways to build a strong security culture is to measure progress and recognize improvements. Tracking phishing click rates, patching speeds, and MFA adoption provides companies with a clear picture of their current standing and the progress they’ve made over time. When leaders share those metrics, it shifts cybersecurity from being a conceptual risk to something actionable and tangible. Just as important, celebrate the wins. Recognizing teams that get better reinforces good habits and makes security something people are proud to own, not just a box to check.

As an example, the global average of employees likely to click on a phishing simulation is about 33% before training. After a full year of training, that percentage drops to around 4% (source: KnowBe4 Report Reveals Security Training Reduces Global Phishing Click Rates by 86%).

James Cassata, Senior Cloud Security Architect, Myriad360

Personal Cybersecurity

To make employees truly aware of cyber threats, we have to move beyond the traditional “check-the-box” corporate training. Those generic phishing simulations and annual modules fail because they’re impersonal and stop at the office door. The reality is, an employer and employee’s greatest vulnerability isn’t their work laptop, it’s the individual’s personal digital life.

Paul Pioselli, Founder & CEO, Solace

Hiring a Trusted Workforce

The best defense against insider threats starts before an employee is even hired. Establishing a trusted workforce means putting a modern pre-employment vetting framework in place that goes beyond standard background checks. This includes verifying identity, validating credentials, and scanning for risk signals that could point to fraud, misrepresentation, or external infiltration attempts. Advanced risk assessment tools can highlight concerning patterns, while HR teams provide critical context around a candidate’s history, cultural alignment, and intent. Setting up a vetting process like this reduces the likelihood of bringing high-risk individuals into sensitive roles, while also reinforcing a culture of trust and accountability from the first day.

Ryan LaSalle, CEO, Nisos

Secure Your Endpoint Devices

Organizations also need to better address cybersecurity and recovery relative to their end user-facing endpoint devices – one of the biggest gaps in many cyber resilience programs. Most organizations have robust recovery plans that cover their centralized infrastructure and data. But they often overlook the time and effort required to recover their end user devices. That’s problematic both because end user endpoints are labor intensive to clean, reimage and redeploy as part of a recovery effort and because, in today’s distributed world, user endpoints may also need to be collected and redistributed. There is no such thing as perfect security, but devices that are secure by design and leverage a preventative security model make recovery easier, less labor intensive, and non-impactful to end users and business.

Jason Mafera, Field CTO, North America, IGEL


About Author

Taylor Graham, marketing grad with an inner nature to be a perpetual researchist, currently all things IT. Personally and professionally, Taylor is one to know with her tenacity and encouraging spirit. When not working you can find her spending time with friends and family.