The Impact of Small Consistent Actions in Cybersecurity


When it comes to securing your business, the best practice is often a collection of small, consistent actions. For our final article in this three-piece series, we reached out to experts to see what small actions they have seen make the most difference in their own and their clients’ security posture. We hope their insight helps as you recommit to making security a priority. 

Enhance Your Security Posture

I can say that some companies have enhanced their security posture just by incorporating small but consistent habits into their daily work routines. These activities include enabling MFA, updating their software in due time, giving their workers short, practical security training, and many others. Cybersecurity routine activities absolutely help mitigate risk MUCH MORE EFFECTIVELY over time than any one-off initiative or costly technology.

Greg Bibeau, CEO | IT & Cybersecurity Expert, Terminal B

Boring Stuff Saves You

After 20 years in dental IT, I’ve learned that the boring stuff saves you. We check hundreds of practices each month, reviewing vendors and pushing software updates. That’s how we catch problems before they turn into major HIPAA violations. In a busy clinic, only a regular routine works. Set a monthly reminder and assign one person to own it. That’s the whole system.

Tom Terronez, CEO, Medix Dental IT

5-minute Security Huddles

From 15+ years protecting Central New Jersey businesses through Titan Technologies, I’ve seen one practice consistently stop breaches: weekly 5-minute security huddles where teams discuss actual phishing attempts that hit their inboxes that week. When we started this with a 40-person client, their click-through rate on test phishing emails dropped from 28% to 4% within three months.

The key is making it real-time and blame-free. Instead of quarterly training sessions everyone forgets, we have clients screenshot suspicious emails the moment they arrive and share them in their next team meeting. One accounting firm caught a CEO impersonation scam this way–an employee recognized the same tactics discussed two days earlier and stopped a $35,000 wire transfer.

For year-round implementation, tie it to existing weekly meetings and rotate who presents the example. This keeps everyone alert and turns cybersecurity into a team sport rather than an IT department lecture. The consistent visibility matters more than the time invested–5 minutes weekly beats a 2-hour annual training every time.

Paul Nebb, CEO, Titan Technologies

Treating Cybersecurity Like Brushing Your Teeth

In my experience, cybersecurity walls are maintained by tiny, regular actions. Over time, small routines like frequent software updates, password changes, and brief team check-ins have a huge impact. Treating cybersecurity like brushing your teeth rather than as a once-a-year dental checkup is more important than putting up elaborate defenses.

Eugene Musienko, CEO, Merehead.com

Secure Endpoints with Thin and Zero Clients

Endpoints are often the most vulnerable point of entry for cyberattacks, as they are widely distributed, frequently used by non-technical staff, and commonly targeted with phishing, malware, and unauthorized access attempts. Thin and zero client technologies strengthen security at the endpoint by minimizing the attack surface, which is one of the most effective ways to reduce overall risk. Unlike traditional PCs, these devices have no local data storage and a simplified operating environment, making it much harder for malware or unauthorized applications to gain a foothold. Centralized management further ensures that policies, patches, and access controls are consistently applied, eliminating gaps that often arise in distributed endpoint environments. By keeping sensitive data in the data center or cloud and reducing opportunities for compromise at the edge, organizations can better protect critical information while creating a more secure, controlled endpoint environment.

Stuart Pladgeman, Vice President, Sales, 10ZiG Technology

Code Review Discipline

During my decades building foundational internet infrastructure–writing software that ran on two-thirds of the world’s workstations at Open Software Foundation–I learned that the biggest security wins came from enforcing small discipline around code reviews. We required every single commit to be signed off by a second pair of eyes, which added maybe 20 minutes per developer per day but caught memory leaks and potential exploits that would’ve been catastrophic at that scale. When we were developing Kove:SDM™, we instituted a simple practice: every Friday afternoon, one engineer walks through our patent portfolio and maps it against our current codebase to ensure we’re not drifting from our protected IP boundaries. Sounds boring, but it’s caught three instances where we were accidentally implementing features that could’ve created licensing vulnerabilities or opened attack surfaces we hadn’t properly hardened.

John Overton, CEO, Kove

Check Who Has Access to What

Look, in our line of work, you can’t stop every new threat, but the boring stuff is what saves you. A monthly check of who has access to what? That’s caught more issues than any fancy software. Just last month, we found an old account still active for someone who left six months ago. We use automated checklists to keep everyone on top of things like password rotations and quick training sessions. It’s not magic, but these basic steps layered together are what keep the real problems from happening.

Andrew Dunn, Vice President of Marketing, Zentro Internet

Reviewing System Logs & Running Security Drills

When I managed Unity Analytics, I started reviewing system logs daily and running security drills. It actually worked. We had fewer big problems because we caught the small stuff before it snowballed. I know, it sounds like a chore. But even ten-minute check-ups add up over time. My advice is to pick a few easy things and make them part of your routine. The key is just sticking with it.

John Cheng, CEO, PlayAbly.AI

Regular Patching, Password Hygiene and Staff Awareness Checks

As a managing director in tech, I’ve seen that cybersecurity isn’t strengthened by one-off initiatives but by daily discipline. Simple habits like regular patching, password hygiene, and staff awareness checks build real resilience over time. Embedding these actions into monthly routines keeps protection active rather than reactive.

Oliver Aleksejuk, Managing Director, Techcare

Embed Intelligence Gatherings into Your Existing Workflow

When I built Amazon’s Loss Prevention program from scratch, the game-changer wasn’t implementing some massive security overhaul–it was creating a daily 5-minute threat briefing that every team lead had to review before their shift. We embedded intelligence gathering into the existing workflow rather than treating it as extra work.

At McAfee Institute, we’ve trained over 4,000 organizations using this same principle: micro-habits beat big initiatives. Our certified investigators who complete just 15 minutes of OSINT practice daily catch more social engineering attempts than those who do monthly deep-dives. The consistency builds pattern recognition that becomes instinctive.

The practical move? Tie your security action to something you already do religiously. One federal agency we trained now runs a 3-question security check during their morning coffee routine–literally printed on cards next to the break room coffee maker. They’ve caught 17 phishing attempts in six months just by making threat awareness as automatic as caffeine.

Joshua McAfee, CEO & Founder, McAfee Institute

Regular Software Updates and Phishing Tests

Honestly, scheduling software updates and running a five-minute phishing test? Those small things change everything. Our clients aren’t as on edge anymore. We saw major problems all but disappear. Just having teams check their permissions monthly catches issues weeks ahead of time. It’s the small, steady stuff that works.

Karl Threadgold, Managing Director, Threadgold Consulting

Double Check Emails & Report Weird Links

The simple stuff works best. Monthly audits, regular refresher courses. I’ve seen it firsthand. Reminding everyone to double-check emails and report weird links cut our phishing incidents way down. Over time, people just got alert, not paranoid. That’s way better than some big, complicated security overhaul. Those small, steady habits are what actually make a difference.

Alvin Poh, Chairman, CLDY.com Pte Ltd

Staying Close to the Basics: Testing, Clean Records, Tight Access

We’ve seen organizations avoid serious incidents by staying close to the basics. Instead of only relying on alerts, they schedule time to test recovery plans. Additionally, they keep records clean and access tight. As a result, when something does go wrong, they already understand the limits of the impact. They can act quickly because they’ve done the work to stay ready.

Paul Speciale, CMO, Scality

Security Tip Friday

In my experience, the most meaningful improvements in cybersecurity come from small, routine habits—like reviewing user access monthly or sending a short security tip every Friday. One client reduced phishing click rates by over 40% just by embedding quick, real-world examples into their weekly team huddle. It’s not about one big initiative—it’s about making security part of the rhythm of the business.

Matt Mayo, Owner, Diamond IT

Data Points to A Gap in Consistent Actions

Consistent actions in data governance compound over time, but they only work if they’re embedded daily rather than treated as checkbox compliance exercises. Our recent survey found that while 90.6% of organizations claim to have effective information management programs, only 30.3% have actually implemented effective data classification systems—that gap represents years of missed small, consistent actions. The organizations succeeding aren’t doing massive security overhauls; they’re making governance a habit, classifying data, and maintaining quality control before problems cascade.

Dana Simberkoff, Chief Risk, Privacy and Information Security Officer, AvePoint

A Proactive Culture

I find that small, consistent actions—like regular threat intelligence reviews and control effectiveness assessments—are essential to maintaining a dynamic and responsive security posture in an ever-evolving threat landscape. Embedding these habits into structured, risk-based routines, such as periodic risk review meetings, keeps teams aligned with business context and ready to adapt quickly. Sustaining that rhythm through clear ownership, disciplined execution, and continuous feedback loops turns security from a reactive process into a proactive culture.

Ben Lipczynski, Director, Security & Regulatory Services, Origina

Immediate CVE Patches and Regular Phishing Training

In my experience, the most profound defense isn’t a single fortress but the cumulative effect of small, consistent actions over a longer period of time. Things like immediate patching of CVEs and regular phishing awareness training with your team can systematically eliminate vulnerabilities. This practice can be done by embedding automated security hygiene into daily workflows and fostering a culture where every employee sees cybersecurity as an integral part of their role, not just a bi-annual or annual training event.

Angelo Huang, CEO, Swif.ai 

Department Cyber Champions

One practice I’ve found effective is empowering “cyber champions” across departments. When peers model good security behavior such as reporting suspicious emails, updating passwords, or flagging risks, it reinforces shared ownership. Combined with the right technical safeguards like automatic updates, endpoint protection, and zero-trust access, those human actions create a stronger, more adaptive defense.

John Astorino, COO, Auvik

MFA Enforcement, Phishing Simulations & System Audits

Cybersecurity is not about one-time fixes. To truly make a difference, a commitment to daily, small, and disciplined actions is necessary. Practices like MFA enforcement, phishing simulations, and system audits help to create resilience over time. Making this conscious effort turns these actions from a reaction into a strategy.

Eddy Abou-Nehme, Owner and Director of Operations, RevNet Ottawa

Calendar System Updates, Password Updates, Vendor Access & Trainings

The most secure organizations make cybersecurity part of their routine instead of a reaction. Teams can calendar tasks like system updates, monthly password updates, vendor access rights reviews, and quarterly employee trainings, making security easier to manage and communicate. When people know what’s coming and why it matters, it builds confidence, accountability, and a stronger culture of protection over time.

Gregg Smith, CEO, Pearl Solutions Group 

Verify URLs and Senders

Small, consistent actions can be powerful against phishing attacks. Treating every email with care, such as not clicking links without verifying the URL, verifying sender email addresses, and reporting suspicious emails to IT, can help prevent most attacks before they start. When you practice them every day, these actions become a habit of mind, which is the best frontline defense in cybersecurity today.

Dr. Keith A. Morneau, Dean of Computer and Information Science, ECPI University

Create a Baseline

One of the best things an organization can do is to create a “baseline”. That is, a set of known software, users, devices, external services, etc. that are expected to be part of/connect to a given system. Then the organization needs to track the intentional changes to that baseline as the system evolves and the organization changes. Reviewing current configurations against that baseline allows the organization to quickly identify when unknown/unexpected changes are made to the system, which is the hallmark of a malicious threat actor. This one small change, consistently executed, can massively reduce the time it takes to identify and remove a cyber criminal from the system.

James Goepel, Executive Vice President, Ascend Cyber
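Andrew Dunn’s monthly check of who has access to what (above) and James Goepel’s baseline review are two forms of the same check: compare what is actually on the system against what is supposed to be there, and treat anything that differs without a tracked, approved change as a finding. The Python script below is an added example and not code from the article or from either contributor’s company; the inventories, approved-change log, HR roster and dates in it are constructed sample data, and feeding an HR departure list into the check to catch accounts that outlive their owner is this example’s own assumption about how the “old account still active” case would be found.

```python
"""Baseline drift and stale-account check (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed baseline: the known users, software, devices and external
# services expected to be part of (or connect to) the system.
BASELINE: dict[str, set[str]] = {
    "users": {"alice", "bob", "carol", "svc-backup"},
    "software": {"openssh-server", "nginx", "postgresql", "telnet"},
    "devices": {"laptop-001", "laptop-002", "printer-01"},
    "external_services": {"backup.example.net", "smtp.example.net"},
}

# Constructed current inventory, as a collection script might report it today.
CURRENT: dict[str, set[str]] = {
    "users": {"alice", "bob", "carol", "svc-backup", "dave", "tmp-admin"},
    "software": {"openssh-server", "nginx", "postgresql", "netcat"},
    "devices": {"laptop-001", "laptop-002", "usb-disk-77"},
    "external_services": {"backup.example.net", "smtp.example.net", "203.0.113.9"},
}

# Constructed change log: intentional changes approved since the baseline was
# taken, as (category, item) pairs. These are the tracked changes; anything
# else that differs from the baseline is unexpected and gets reported.
APPROVED_ADDITIONS = {("users", "dave"), ("devices", "usb-disk-77")}
APPROVED_REMOVALS = {("software", "telnet")}

# Constructed HR roster of departed staff and their last working day
# (assumption: HR can export this list for the monthly access review).
DEPARTED = {"carol": date(2025, 3, 31)}
AS_OF = date(2025, 9, 30)


@dataclass
class DriftReport:
    unexpected: dict[str, set[str]] = field(default_factory=dict)  # present, not approved
    missing: dict[str, set[str]] = field(default_factory=dict)     # expected, not present
    stale_accounts: dict[str, int] = field(default_factory=dict)   # user -> days since departure

    def is_clean(self) -> bool:
        return not (self.unexpected or self.missing or self.stale_accounts)


def _by_category(changes: set[tuple[str, str]], category: str) -> set[str]:
    """Items from a (category, item) change set that belong to one category."""
    return {item for cat, item in changes if cat == category}


def compare_to_baseline(baseline, current, additions, removals, departed, today) -> DriftReport:
    """Diff the current inventory against the baseline plus approved changes."""
    report = DriftReport()
    for category in sorted(baseline.keys() | current.keys()):
        # Approved removals are no longer expected; approved additions are
        # allowed to appear but are not flagged as missing if not yet present.
        expected = baseline.get(category, set()) - _by_category(removals, category)
        allowed = expected | _by_category(additions, category)
        seen = current.get(category, set())
        if seen - allowed:
            report.unexpected[category] = seen - allowed
        if expected - seen:
            report.missing[category] = expected - seen
    # Access review: an account still present after its owner's last day.
    for user, last_day in departed.items():
        if user in current.get("users", set()) and last_day < today:
            report.stale_accounts[user] = (today - last_day).days
    return report


def run_example() -> DriftReport:
    """Run the check over the constructed sample data."""
    return compare_to_baseline(BASELINE, CURRENT, APPROVED_ADDITIONS,
                               APPROVED_REMOVALS, DEPARTED, AS_OF)


def format_report(report: DriftReport) -> str:
    """Render the findings as the short list a reviewer would read each month."""
    lines = []
    for category, items in report.unexpected.items():
        lines.append(f"UNEXPECTED {category}: {', '.join(sorted(items))}")
    for category, items in report.missing.items():
        lines.append(f"MISSING    {category}: {', '.join(sorted(items))}")
    for user, days in report.stale_accounts.items():
        lines.append(f"STALE      user {user}: still active {days} days after departure")
    return "\n".join(lines) if lines else "no drift from baseline"


if __name__ == "__main__":
    print(format_report(run_example()))
```

On the sample data the report flags the unapproved `tmp-admin` account, the `netcat` package, the unknown external endpoint, the printer that has disappeared from the inventory, and an account that has outlived its owner by 183 days; the approved laptop-to-USB-disk addition and the approved telnet removal are silent, which is the point of tracking intentional changes separately from the baseline.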

Low Effort High Impact Defense

In my experience, foundational cybersecurity rests on a few easy, critical actions: enabling multifactor authentication, using a password manager for complex credentials, and ensuring auto-updates are turned on for your operating system and browser. These small, consistent steps are a low-effort, high-impact defense.

Ali Aleali, Co-founder and CEO, Truvo

Making Compliance a Priority

Compliance, not breach prevention, is what cybersecurity is all about in the life sciences space. We learned that valuable lesson early on, when we were subjected to a tough initial audit. It is the small, ongoing things, like conducting a formally documented weekly inspection of user access permissions, that keep you in sync with the data integrity requirements of standards such as ISO 13485 and FDA 21 CFR Part 11. It is this practice that keeps you alive for the unannounced inspections we confront as a matter of regularity.

Allan Bruun, Co-founder and Director of Business Development, SimplerQMS

Make Vigilance Second Nature

In cybersecurity, small, consistent actions—like timely patching, enforcing MFA, and regular awareness refreshers—compound into massive risk reduction over time. The key is discipline: embed micro-security habits into daily workflows so vigilance becomes second nature, not an afterthought.

Satinder Sandhu, Director, Security [Assured]


About Author

Taylor Graham, marketing grad with an inner nature to be a perpetual researchist, currently all things IT. Personally and professionally, Taylor is one to know with her tenacity and encouraging spirit. When not working you can find her spending time with friends and family.