There is no question that cybersecurity hygiene is critical and has improved over time. Yet it seldom gets its due. Why? Cybercriminals have also grown stronger and, unfortunately, breaches in America are near all-time highs.
In many organizations, frequent malware alerts, slow system performance, and repeated unauthorized access attempts are still common. All of these point to weak security controls and a likely malware problem, and they indicate that the protection in place is insufficient to stop an attack.
Several factors contribute to the rise in cybercrime. One is that increasing reliance on digital platforms for business operations has expanded the attack surface. Another is that accelerating digital transformation in recent years has pushed businesses to adopt remote work and online services at an unprecedented rate. Meanwhile, cybercriminals have become more sophisticated. And rapid technology shifts, such as hackers’ embrace of artificial intelligence, are a bigger headache still.
One of the two biggest issues of all is the sad reality that many companies, which commonly create their own business software, don’t make the additional effort to build security into that software from the start. Almost all cyber experts say this would make their security markedly more effective. The other issue is insufficient cybersecurity access management, which needs improvement at a time when working from home a few days a week instead of at the office has exploded in popularity.
Before grasping additional operational details, take into account just how important top-of-the-line cybersecurity is.
The goal of cyber hygiene is to keep sensitive data secure and strengthen the organization’s ability to recover if a successful attack occurs. The concept is similar to and as important as personal hygiene. Individuals maintain their health, in part, by taking recommended actions, such as flossing to minimize cavities and handwashing to avoid infection. They also have to embrace an array of action items, ranging from exercising to getting vaccines to signing up for prescriptions and annual health reviews.
In the same way, organizations aspire to maintain their health frequently and continually, preventing data breaches and other security incidents by following cyber hygiene measures.
Cybersecurity leaders should step up to the plate and strongly consider a key software design approach that builds security into the design from the start rather than adding it later as an afterthought, so-called "Security by Design."
As it stands now, traditional approaches to cybersecurity are largely at arm’s length from innovation. The conventional approach is to reactively apply cybersecurity controls in compliance with corporate security policies and standards. The problem is that deploying cyber controls without fully understanding how a particular activity works too often makes them ineffective in the end. This issue is said to persist partly because corporate leaders are under pressure to release new, in-house software quickly to beat the competition, so speed takes priority over building security in from the start.
It is impossible to provide a precise numerical answer to how many fewer breaches would occur with the implementation of “Security by Design,” partly because data breaches are often the result of multiple interacting vulnerabilities and attack vectors, not merely weaknesses in software security or access management alone.
Nonetheless, studies suggest “Security by Design” can reduce vulnerabilities in software substantially.
The other major issue, as mentioned, is insufficient cybersecurity access management, which has been the leading cause of numerous successful hacks and data breaches.
One problem is so-called “privilege creep.” This occurs when employees accumulate more access privileges than their current job requires, allowing them to reach resources they no longer need. This increases the risk of an insider breach. It also boosts the chances of external breaches, because hackers have to compromise only one over-privileged account instead of chaining together several, which spares them the risk that some of those accounts turn out to be useless to them.
In addition, too many organizations fail to regularly review and refine roles to ensure that access still matches job responsibilities as those responsibilities change, often leaving a security gap. And, of course, a number of employees constantly change roles or leave the organization altogether. If the organization fails to shut down their access, those accounts stay active and can be exploited by inside threat actors or external attackers.
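The two gaps just described, privilege creep and accounts left active after someone leaves, are exactly what a periodic access review is meant to catch. The following is an added example, not code from the article: it compares each account's entitlements against a least-privilege baseline for its role and against an HR roster, using constructed sample data in place of a real identity-provider export and HR feed.

```python
"""Access-review check for privilege creep and stale accounts (added example).

All data below is constructed for illustration; in practice the role
baselines, account export and HR roster come from the IAM system and HR feed.
"""
from dataclasses import dataclass, field

# Least-privilege baseline per role (constructed).
ROLE_BASELINE = {
    "developer": {"git:read", "git:write", "ci:run"},
    "finance": {"erp:read", "erp:post"},
}

# Accounts as exported from the identity provider (constructed).
ACCOUNTS = [
    {"user": "alice", "role": "developer",
     "entitlements": {"git:read", "git:write", "ci:run"}},
    # bob moved from finance to development but kept his old rights,
    # and picked up a production admin right along the way.
    {"user": "bob", "role": "developer",
     "entitlements": {"git:read", "git:write", "ci:run", "erp:post", "prod:admin"}},
    # carol has left the company but her account was never disabled.
    {"user": "carol", "role": "finance",
     "entitlements": {"erp:read", "erp:post"}},
]

# HR roster (constructed): employment status per user.
HR_STATUS = {"alice": "active", "bob": "active", "carol": "terminated"}


@dataclass
class Finding:
    user: str
    kind: str                      # "privilege_creep" or "stale_account"
    detail: frozenset = field(default_factory=frozenset)  # entitlements to revoke


def review_access(accounts, baseline, hr_status):
    """Return findings for entitlements beyond the role baseline and for
    accounts still enabled for people HR does not list as active."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Anyone not marked active by HR (terminated or unknown) is stale:
        # every entitlement on that account should be revoked.
        if hr_status.get(user) != "active":
            findings.append(Finding(user, "stale_account", frozenset(acct["entitlements"])))
            continue
        excess = set(acct["entitlements"]) - baseline.get(acct["role"], set())
        if excess:
            findings.append(Finding(user, "privilege_creep", frozenset(excess)))
    return findings


if __name__ == "__main__":
    for f in review_access(ACCOUNTS, ROLE_BASELINE, HR_STATUS):
        print(f"{f.user}: {f.kind} -> revoke {sorted(f.detail)}")
```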
Another common problem is that some employees rely on passwords alone for protection, often opening the door to phishing, brute-force attacks, and credential theft. Many organizations don’t fully enforce multifactor authentication across accounts, apparently because of perceived inconvenience, cost concerns, or a lack of employee buy-in.
In addition, more companies should embrace organizational cybersecurity -- a smaller but still significant challenge. This is the adoption of a so-called cybersecurity framework, a mechanism to align with recognized industry and regulatory best practices. It helps reduce cybersecurity risks with the help, among other things, of widespread processes and controls.
A survey in 2024 by Dimension Reach found that many US organizations -- but certainly not all -- had embraced a cybersecurity framework. In fact, 16% of organizations had not joined the crowd, and smaller companies were substantially more likely to have held back.
The gold standard for this is the NIST 2.0 Framework, established in response to an executive order by former President Barack Obama. Also popular are the ISO 27001 and 27002 Frameworks, considered the international cybersecurity standard for validating a cybersecurity program.
The upshot of all of this is that cybersecurity, even where it has improved, needs to be better still if the growth of cyber breaches is to be contained once and for all. This requires a heightened commitment among organizations. It would better protect against breaches and wouldn’t be overly expensive in the long run, because it would curb the expense of costly breaches at their own organization, as well as at many others.