Key Action #1: Use strong passwords and a password manager
Passwords are often your first and sometimes only line of defense. To strengthen them:
- It’s long and complicated: Please use at least 15 characters. Passphrases of unrelated words (e.g., Giraffe-House-River-Garden-Orange) are memorable and resistant to brute force and credential stuffing attacks.
- Keep it unique: Don’t reuse passwords between accounts. If one service is compromised, all accounts with the same password can be compromised. Attackers are increasingly weaponizing stolen credentials across multiple services.
- Make it unpredictable: Avoid using names, birthdays, or common dictionary words.
- Automate security: Whether it’s for enterprise applications or personal applications like email and online banking, rely on a trusted password manager to generate and store strong, unique credentials at scale.
Key action #2: Enable MFA
MFA builds critical resilience by requiring multiple elements: what you know, what you have, and who you are. Together, these layers make it exponentially more difficult for an attacker to succeed.
- Install app-based or hardware tokens: Deploy hardware tokens via SMS for added protection against SIM swapping and phishing attacks. For maximum protection, employ phishing-resistant MFA solutions such as hardware tokens (FIDO2) or passkeys.
- Enforce MFA on high-value accounts first and expand broadly. For personal accounts, apply MFA to shopping and health portals, starting with email, online banking, and social media.
- Use passkey. This is a passwordless way to sign in using a secure digital key stored on your device and verified by something like a fingerprint or facial scan.
Key action #3: Recognize and report fraud
Phishing remains one of the most prevalent attack vectors. Raising awareness and speeding up the response is critical. Here’s how:
- Pause before acting. Check the sender details and hover over the link to avoid downloading unexpected attachments.
- Spot subtle red flags: Typos, unusual domains, or urgent wording often indicate a threat.
- Report it now: In the workplace, IT or security teams can be immediately alerted to block campaigns before they spread, preventing broader exposure and breaches. For personal accounts or systems, respond without delay by securing affected accounts (e.g., resetting passwords and enabling MFA) and notifying close friends and family to reduce the risk of them becoming targets of the same attack.
Key action #4: Update all software
Cybercriminals often exploit unpatched vulnerabilities in operating systems, browsers, and applications. In particular, known exploits exploit vulnerabilities that are actively weaponized in the wild. A disciplined update routine closes known security gaps before attackers can exploit them.
- enable Automatic updates when available.
- patch As soon as software vendors release updates, we prioritize components that are connected to the Internet or that are associated with actively exploited vulnerabilities.
- run Firmware updates for routers, IoT devices, critical office and home hardware, smart doorbells and Wi-Fi routers can be targeted by malicious attackers.
Why fundamentals still rule
GenAI and automation will revolutionize security operations, accelerating detection, triage, and response. However, they are power multipliers and are not a substitute for good hygiene. A compromised password or unpatched system can compromise even the most advanced defenses. It’s also important for your team to ensure that your staff has the confidence to act on these fundamentals. That means combining tools with targeted training. That’s why CAM continues to focus on Core 4. The Core Four are the foundation of modern cyber resilience for businesses and individuals alike. When organizations combine a strong foundation with AI-enabled security tools, they can create layered, adaptive defenses that can address today’s threats as well as tomorrow’s unknown threats. For individuals, consistently applying these same basics will create a strong personal security posture that can thwart most everyday cyber threats. Embrace the potential of AI, but never ignore basic best practices. Cybersecurity success still starts with the discipline of strong passwords, MFA, fraud awareness, and patching. Whether you’re protecting a home, a small business, or a global corporation, the equation remains the same. By combining disciplined fundamentals with AI-enabled defenses, organizations can build resilience at scale. Get back to basics this October and make cybersecurity a year-round priority.Jack Cherkas, Global Chief Information Security Officer, SyntaxSC Media Perspectives columns are written by SC Media’s trusted community of cybersecurity subject matter experts. Each contribution has the goal of bringing a unique voice to important cybersecurity topics. We strive to ensure that our content is of the highest quality, objective, and non-commercial.
