The question isn’t if a cyberattack will occur but when and how badly it will affect your business. There are many flashy cybersecurity tools on the market that claim to solve all issues, but when it comes to keeping the bad guys out, it is more important to do the simple things very well than to purchase expensive software.

An effective incident response (IR) plan is your organization’s best defense for minimizing downtime, protecting sensitive data and restoring operations quickly. A good IR plan coordinates everyone’s efforts so that even when an attacker gets in, the intrusion is detected and contained before much damage is done.

Waiting until an incident occurs to start creating a plan would be like inviting your friends to your house for dinner and waiting for them all to arrive before asking them what they want to eat. Preparing, cooking and entertaining the guests while they wait for their dinner would require a lot of time — time your guests were not anticipating spending at your house. As their host, you would see them grow incredibly frustrated with the lack of planning, preparation and communication.

Creating and testing your IR plan

Some important concepts to consider when creating and testing your IR plan include:

  • Prioritize and personalize: Each incident can be different and will require a different response. Playbooks can be developed for different types of incidents. Each playbook prioritizes the most important response actions at the top of the plan and includes a logical sequence of response steps. Remember to involve all the IR players when drafting playbooks to make sure nothing is missing from the plan.
  • Communication: Effective communication during a security incident is critical. Create and test a communication chain to ensure all stakeholders (executive leadership, IT personnel, legal and external partners) can access up-to-date, accurate information. Include out-of-band contact methods (personal phone numbers, a separate messaging channel) in that chain, because corporate email and chat may be unavailable, or being read by the attacker, during the incident.
  • Response vs. recovery: Response efforts (containment and eradication, in NIST SP 800-61 terms) stop an incident from growing in impact and remove its cause, while recovery efforts bring your business back to where it was before the incident. Plan for both, because they often run simultaneously once an incident is discovered. Remember the critical need for root cause analysis so you understand why the incident happened and can prevent it from recurring.
  • Test and update the plan: Walk through realistic scenarios in a discussion-based “tabletop exercise,” and where possible run technical simulations against your environment, to confirm your IR plan still works. These exercises identify gaps that could cause your IR plan to fail. Few businesses could have predicted the COVID-19 pandemic, but a plan that lets users quickly and seamlessly continue working remotely is exactly the kind of recovery precaution a simulated exercise can surface in advance.

Encourage collaboration

In an ideal world, IT, development and security teams should collaborate frequently to implement and support IT security best practices. Creating siloed departments can leave organizations vulnerable to security gaps and slower responses to threats. When a common goal is communicated and objectives are outlined, all team members should be encouraged to work together to accomplish the task.

When I am out fishing and see other people catching fish, I routinely ask them what they are using. This is a common practice on the river. The habit of asking other departments and companies what is working well is a tactic that should be incorporated into our work practices.

Fostering collaboration between IT, development and security teams will help build a unified defense strategy in 2025. Open communication channels between teams help ensure all groups work toward the same goals. Regular meetings, testing IR plans and shared platforms for identifying threats will help to break down silos. Every business has “those” team members who act like oil and water when asked to work together, but starting to get all the smart people in the same room before a security incident will create an exciting outcome. Grab some popcorn and enjoy the dialog.

Refresh security policies

Too often, reviewing security policies is the last item on the IT security team’s list of things to do. However, it is a critical step: policies set the bar for compliance and protection and provide a key communication link between IT, management and users. Security policies that are not updated regularly can leave businesses exposed to emerging threats and out of compliance as IT regulations and best practices change.

It is best practice to use a risk management program to help identify the highest risks to your business and sensitive data and to develop policy and the right security defenses. Often, just the act of identifying risks is half the battle of defending against them.

Consider the following when reviewing and updating security policies:

  • Current technology: New technology — such as 5G, IoT, and AI — introduces unique risks to a business network. Make sure your security policies address these risks and provide clear guidelines for how employees can use these tools securely. Employees already use these tools at work, so updating the policies and notifying them of the best practices will help keep your information secure.
  • Standards: IT policies must be updated regularly to stay aligned with frameworks like the NIST Cybersecurity Framework, ISO/IEC 27001, PCI DSS or the CIS Controls. These frameworks offer a great foundation for building and maintaining good security policies, but it is your responsibility to tailor your policies so they fit how your business actually operates.
  • Feedback: Regularly update policies based on employee feedback, IR exercise results and IT audits. This suggestion is not normally discussed, but if you can incorporate it into your process, it will help to ensure policies remain practical and relevant to your organization’s needs. A policy that is not followed or in line with business operations will fail, and a policy that fails will open the door to negative outcomes for your business. Just as eating a dozen jalapeños on an empty stomach will cause you to question your dietary priorities, it’s impossible to avoid the consequences when policies are not well-designed and widely implemented.
  • Risk management: Policies are useless unless they address your desired outcomes. Therefore, understanding what you’re protecting (business processes, sensitive data, etc.), how your valued assets can be attacked and by whom, and how to protect those assets is key to writing and maintaining good policy. Another indispensable consideration is understanding how your business environment, employee culture and management’s risk tolerance level affect your ability to implement effective security controls.

Cyber threats in 2025 aren’t going anywhere, and mitigating them will take more than wishful thinking. Most people are talking about the latest tool that will solve all their multilayered security concerns.

For example, AI-based products promise easy and cost-effective cyber defenses. However, whether these tools are used or not, I believe it is critically important to understand your key assets, understand the risks to those assets, focus on the simple tasks and do them very well. By updating IR plans, fostering collaboration between IT and security teams, and regularly refreshing security policies, businesses can be prepared for many of the world’s ever-evolving threats. The next time you are out fishing, I hope you remember to ask others what is working and invite them to a well-planned and prepared dinner with popcorn and jalapeños at your house.