As every CISO knows, maintaining a strong cybersecurity posture is costly. What’s not so well known is that there are many ways cybersecurity can be enhanced with the help of relatively trivial investments. Simply by thinking creatively, a security leader can substantially boost enterprise protection at a minimal cost.
Could your organization benefit from some extra low-cost protection? If so, here are eight ways to improve enterprise cybersecurity without seriously denting your budget.
1. Enforce MFA better
Risk mitigation should start with fundamentals, says Trevor Horwitz, CISO at compliance technology services firm TrustNet. “MFA directly supports confidentiality and access control, which are core security objectives,” he states. “In almost every breach we analyze, compromised credentials are involved.” Most organizations already have access to this capability. Turn it on, especially for privileged access, Horwitz advises.
Randy Gross, CISO at certification firm CompTIA, agrees. “Begin by clearly defining the crown jewels and the next tier of important systems, then enforce MFA and least privilege across those environments,” he recommends. “Next, establish time-bound remediation expectations for the meaningful vulnerabilities in those systems before expanding attention to the broader environment.”
2. Take full advantage of your existing tools
A practical way to strengthen enterprise security without incurring additional significant spend is to ensure you’re fully leveraging the capabilities of solutions already present within your organization, says Gary Brickhouse, CISO at security services firm GuidePoint Security.
“Most organizations have invested heavily in security solutions, yet most are only using a portion of what those tools can do,” he explains. “By optimizing and operationalizing existing technologies, organizations can realize a reduction in cybersecurity risk with little spend.”
Brickhouse says this approach is highly effective because it focuses on improving operational maturity rather than adding more technology solutions. “This tactic also increases ROI by helping to ensure organization are getting the most value from solutions they already own,” he says.
3. Conduct tabletop exercises
Don’t underestimate the power of tabletop exercises, advises Ryan Davis, CISO at IT services provider New Charter Technologies. “They almost guarantee a positive action, and the only cost is in time,” he says.
A tabletop exercise requires participants to view scenarios from an execution perspective rather than a theoretical position.
“Practicing for unexpected scenarios enables teams to exercise muscles they wouldn’t normally use,” Davis says. “It allows team members to ask questions they may not typically ask in everyday scenarios because there isn’t time or an obvious need to do so.”
He adds that the approach also quickly highlights strengths that don’t need further attention, as well as gaps that need to be closed.
4. Utilize the application layer
An effective way to bolster coverage and reduce overall risk is to include the application layer in your cybersecurity strategy, says Bill Oliver, managing director at cybersecurity platform provider SecurityBridge. He notes that ERP systems sit at the core of your company’s operations and have been targeted by bad actors for years.
“Monitoring your ERP systems for missing security patches, bad security configurations, real-time security events, and so on can give you great cybersecurity protection at a relatively low cost as compared to other cybersecurity initiatives,” he says. “Understanding what security events are happening in real time, will greatly bolster your company’s cybersecurity program and correct a weakness that has been there since day one.”
5. Implement passkeys
Passkeys eliminate the single biggest attack vector most organizations face: stolen or phished credentials, says John Coursen, CISO at Fortify Cyber, a firm that helps regulated industries secure their infrastructure.
“They remove the human element from authentication,” he explains. Coursen notes that passwords tend to get reused, phished, and stuffed into credential databases. “Passkeys can’t be phished, because there’s no shared secret to steal.”
Coursen observes that most modern identity providers, such as Azure AD and Okta, already support passkeys. “The tech isn’t hard to implement — it’s the behavior change and getting users to adopt it.”
Start with your highest-risk users, Coursen advises, including executives, finance teams, and anyone with access to sensitive client data or wire transfer authority.
6. Aim for the heart
Target what attackers actually exploit, suggests Mike Wilkes, CISO at security technology provider Aikido Security. “Set up redundant DNS providers — they’re low-cost, high-impact, and massively underused,” he says. “Put Cloudflare’s free plan in front of your public-facing apps, and you get DDoS mitigation and a WAF layer instantly.”
Turn on SPF, DMARC, and DKIM, since email is still the No. 1 initial access vector and these DNS controls take just an afternoon to implement. “Enable MFA everywhere using the free Google Authenticator,” Wilkes says, while also recommending checking DNS records and auditing MFA for gaps.
7. Consider human risk management
At a time when the vast majority of cyberattacks involve people, human risk management is a critical and cost-effective way to keep the enterprise safe, says Matt Lindley, chief innovation and security officer at cybersecurity awareness training firm NINJIO.
Human risk management works because it addresses the most urgent cyberthreat most enterprises face by establishing a culture of cybersecurity at every level of the organization, Lindley says.
“Instead of treating employees as the weak links in an organization’s cybersecurity posture, they should be regarded as its greatest security assets,” he states. “When employees are empowered to identify, report, and thwart cyberattacks, the enterprise now has a distributed and adaptive layer of cybersecurity.”
Effective human risk management requires security leaders to provide engaging, actionable, and personalized security awareness training, Lindley says. It also demands a high degree of accountability. He notes that security leaders should be able to determine whether behavioral interventions are actually working by using benchmarks beyond vanity metrics, such as completion rates.
“This means providing data on phish reporting and other real-world improvements to the organization’s cybersecurity posture, all of which will generate buy-in across the C-suite,” he says.
8. Double-down on cybersecurity fundamentals
One of the most effective low-cost security strategies is to double down on fundamentals such as identity protection, patching, visibility, and user awareness, says Jeff Foresman, vice president of cybersecurity at technology services firm Resultant.
Most organizations already have the tools they need through platforms like Microsoft and Google, as well as their endpoint and email security stacks, Foresman says. The real opportunity, he notes, lies in better configuration and disciplined execution, such as enforcing MFA everywhere, reducing unnecessary admin access, patching Internet-facing systems quickly, and improving phishing reporting and response. “Those steps alone significantly reduce real-world risk,” Foresman says.
Foresman notes that a fundamentalist approach works by targeting how attackers actually gain access. The majority of breaches still begin with compromised credentials, phishing, exposed systems, or misconfigurations, not advanced zero-day exploits, he explains. By focusing on identity, email, and attack surface reduction, organizations can address the most common entry points.
“It’s practical, measurable, and tied to the breach patterns we see every day, rather than theoretical controls,” Foresman says.
See also:
- How MFA gets hacked — and strategies to prevent it
- Redefining multifactor authentication: Why we need passkeys
- Human risk management: CISOs’ solution to the security awareness training paradox
- CISOs must rethink the tabletop, as 57% of incidents have never been rehearsed
- Phishing training needs a new hook — here’s how to rethink your approach