There hasn’t been official confirmation that the attackers who reportedly locked down MGM Resorts’ networks with ransomware earlier this month got in after a brief social-engineering phone conversation with help desk. But it’s plausible.

The cybersecurity landscape is always shifting, with new threats emerging every day, but the common ways malicious actors get inside enterprise networks stay remarkably constant. A call or an email by an impersonator. A weak password here. An unpatched application there.

Different organizations are at different levels of security preparedness, but there are a few basic steps any team can take to improve its security posture relatively quickly. This article highlights some of these security “quick wins” that collectively can add up to making a meaningful difference.

You may be managing internal systems at an organization that is quickly growing out of its startup phase and now find yourself wrangling a lot more users, devices and networks than you used to. Taking the following steps is a good way to bake good security practices into the systems and processes you are building to support that growth. If you happen to work at an already mature organization, it’s a good checklist for ensuring all your fundamental security hygiene bases are covered.

Laying the Groundwork

There is more value in getting a few quick security wins under your belt than the most immediate benefit of getting more secure. They demonstrate the value of your work to other stakeholders in the business, which can help secure budget for bigger cybersecurity initiatives and fuel momentum by giving employees a sense of accomplishment. The latter is important because some security implementations can significantly impact employees’ day-to-day experience. These quick wins can help shift your organization’s security model from being reactive to proactive—a much better place to be!

1. Patch Management

Unpatched vulnerabilities are today’s number-one threat vector, so establishing an effective system for keeping software and systems up to date is an impactful quick win. Automated patching tools can help ensure prompt and consistent updates.

Patch management is often more complicated than it may appear on the surface because of organizational structure and fear of breaking things. Many administrators do not patch systems because the systems are working fine, and they don't want to risk an outage. This type of thinking is outdated. It heightens the risk of an even bigger outage if an unpatched vulnerability   gets successfully exploited.

Patching can be as simple as clicking the 'Update' button in an application GUI, or more complex, involving patch deployment across an entire network.

Implement involves several key steps. The first is to ensure there is a clear understanding of all the software and systems that are in use. This includes not only the main operating systems and applications but also any third-party software or plugins.

Once this inventory is established, there needs to be regular monitoring for new patches or updates. This can be done manually, but many organizations choose to use automated patch management tools.  These tools can scan the network to identify missing patches, automatically download and install updates and provide reports on patching status.  

The biggest difficulty is often testing patches, which is how administrators prove that a patch will not negatively impact systems and cause downtime. One way to test patches and strengthen cybersecurity posture is to test them in conjunction with recovery tests. Once a recovery environment is operational, patches can be tested before the environment is torn down.

2. Network Segmentation 

Network segmentation is a key factor in your ability to contain a security breach. It helps limit an attacker’s movement within a network should they manage to get in.

Done to enhance both security and performance, it involves dividing a network into several smaller parts, or segments. It is a quick win because the benefits are immediate and significant, both to security and operational efficiency.

Again, before the network can be segmented, all network devices need to be identified. The segments can be defined once this network inventory is in place. They may be based on device function, the type of data devices handle or their location.

You can take segmentation further by using VLANs to group devices together based on the criteria of your choice and by creating firewall rules to control traffic between segments. 

Network segment-specific access controls ensure that resources on any individual segment are accessed only by users and devices who are authorized to access them. This may include the use of passwords and two-factor authentication.

3. Role-Based Access Controls (RBAC)

Attackers often use credentials bought on the dark web to get into a network. Limiting an individual employee’s access strictly to the tools and systems they need to do their job—applying the principle of least privilege—is another way to contain a breach.

This is achieved with Role-Based Access Control (RBAC), which also reduces administrative overhead. Instead of manually assigning permissions to each user, permissions are assigned to roles. When a user is assigned a role, they get the permissions associated with that role. RBAC is also helpful when auditing user access to ensure compliance.

A successful implementation of RBAC starts with clear definitions of roles and responsibilities. Permissions are then allocated according to those definitions.

The next step is to assign roles to users, based on their job function. For example, a network administrator wouldn’t get access to corporate accounting systems, while a finance employee wouldn’t be able to log in to a network switch in a data center.

Once RBAC is implemented, it’s important to audit roles and permissions regularly. This ensures that the least-privilege posture is maintained.

4. Multi-Factor Authentication (MFA)

Implementing Multi-Factor Authentication is a quick win that can stymie an attacker even if they manage to bypass RBAC. MFA means requiring users to provide multiple forms of identification before gaining access to a system or data.

It’s a quick win because it significantly enhances security with minimal effort and cost.  Implementing MFA is straightforward and does not require major system changes.

MFA works by combining something you know (like a password), something you have (like a smart card or mobile device) and something that uniquely identifies you (like a fingerprint or the sound of your voice). By requiring at least two of these identification methods, MFA makes it much more difficult for attackers to gain access.

Before an MFA implementation it is important to understand your organization's security requirements and the types of data you need to protect. When it comes to choosing a solution, there are many options available. Some are standalone products, while others are integrated into larger security suites. Consider factors such as ease of use, compatibility with your existing systems and the types of authentication methods supported.

Additionally, before implementing MFA, it is crucial to educate users on its importance and impact on their day to day. Communication and training should begin well before MFA goes live.

5. Encryption

Any comprehensive cybersecurity strategy must include encryption of data, both at rest and in transit. Encrypting data in transit mostly protects it from interception as it travels over networks (particularly unsecured ones), while encrypting data at rest also helps protect it from insider threats.

There are many different ways to do it, but full disk encryption is a common approach to encrypting data at rest. Once an entire storage drive is encrypted, it can only be read by someone or something with the correct encryption key. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are commonly used protocols for encrypting data in transit. These protocols encrypt it before it travels over a network and then decrypt it once it arrives at its destination.

It is important to manage encryption keys carefully. They should be stored separately from the data they decrypt and regularly rotated to reduce the risk of compromise.

6. Security Awareness Training

As the MGM breach and countless other breaches before it have illustrated, humans are usually the weakest link in any security strategy. This is why a robust Security Awareness Training program is one of the biggest quick wins you can get.

And it doesn’t have to take a huge investment of resources. Training can be delivered in various formats, such as online courses, in-person workshops, or regular email updates. The key to success is making the content engaging and relevant!

Training should cover a range of topics including the basics of cybersecurity, recognizing and avoiding phishing attacks, the importance of strong passwords and best practices for handling sensitive information. The content should be updated regularly to reflect the latest threats and security trends.

Phased implementation can be effective here. Many organizations start with a baseline assessment to understand their employees' current level of security awareness and then deliver training focused on the areas where most improvement is needed. It is also important to measure the impact of the training by conducting regular assessments and tracking key metrics, such as the number of security incidents or the percentage of employees who pass a security quiz.

7. Vulnerability Assessments

Vulnerability assessments are an essential part of any cybersecurity strategy. This is how you identify weaknesses malicious actors may exploit and address them proactively.

Like the other quick wins on this list, this one offers value that can be felt immediately. By identifying vulnerabilities, you can prioritize and address the most critical issues first, quickly improving your environment’s security in a short amount of time. A cost-effective way to manage risk and protect systems and data, the approach is particularly beneficial for organizations working with limited budgets.

There are different ways to conduct a vulnerability assessment, but it usually starts with defining the scope of the assessment, identifying the systems, networks and applications that will be assessed. The next step is applying various tools and techniques to identify vulnerabilities. This can include automated vulnerability scanning tools, manual testing, or even hiring a third-party cybersecurity firm to conduct the assessment.

Once the vulnerabilities have been identified, they should be ranked based on severity and potential impact. Then, a plan can be developed and implemented for remediation of the vulnerabilities, starting with the most severe and impactful ones. This could involve patching software, updating systems, changing configurations or other measures.

It is important to document this process so that changes can be made continuously. This documentation can be used for future reference and provide evidence of due diligence in the event of a cyber attack.

8. Visibility and Monitoring

Visibility and monitoring are two essential pillars of a robust cybersecurity strategy.

Visibility is the ability to see and understand activity occurring across your environment.  This includes knowing what devices are connected, who is accessing what data, where potential vulnerabilities lie and how data is being transferred. Without these capabilities, an organization operates in the dark and serves as an easy target for threat actors.

Monitoring is observing the environment to detect anomalies, breaches, and potential threats.  This involves using various tools and technologies to continuously track and analyze activity inside the environment.

Again, the first step is to identify the assets in the environment that will be monitored. Then, security tools can be implemented to gain visibility. Security Information and Event Management (SIEM) systems are very popular for this purchase and often integrate with existing tools, such as network and server monitoring systems.

Effective visibility and monitoring are highly dependent on configuring alerts and alerting thresholds. This is an area where new technologies such as AI can really help organizations cut through the noise and see clearly what is happening in their environment.

9. Penetration Testing

Penetration Testing is an authorized cyber attack on an environment conducted to evaluate the security of the system. It is a quick win because it helps identify any weak points hackers could exploit.

The process of penetration testing starts with assessing your systems for any potential vulnerabilities, such as unpatched software and vulnerable configurations. The penetration tester then attempts to exploit these vulnerabilities to understand the level of access or harm they could achieve if they were a malicious actor.  This could involve attempting to gain access to sensitive data or disrupt services.

One of the primary reasons penetration testing is a quick win is it provides immediate insights into the current level of protection. It allows you to see how well your current defenses would hold up against a real-world attack and provides clear, actionable steps to improve. This helps prioritize security investment, by focusing it on areas that would make the biggest difference in overall protection.

Organizations usually hire third-party cybersecurity companies that specialize in penetration testing. The engagements usually include production of a report detailing the findings. The vulnerabilities are then remediated using the information in the report.

10. Incident Response Planning

When a security incident occurs, time is of the essence. The quicker an organization can identify, contain and eliminate the threat, the less damage it is likely to cause. A well-structured incident response plan ensures that the organization is prepared to act swiftly and decisively when it needs to do so the most.

I saved this security win for last because it packs the most punch when implemented after things like vulnerability assessments and penetration testing are done. At that point, organizations have a better idea of what they may see in a security incident, which can then help them come up with a response plan. Visibility and monitoring also play a large role here, helping detect a security incident as it unfolds.

Once a security incident has been detected, the response plan is activated to contain and eradicate the threat. This can be tricky, as we often do not know how things will unfold until they do. A good plan should cover multiple scenarios and include provisions for engaging a third-party incident response firm if needed.

It’s usually a good idea to map and play out worst-case scenarios. This entails simulating potential security incidents and practicing the response. These simulations can help identify any weaknesses in the incident response plan itself so that it can be improved.

Quick Wins Make the Difference 

Implementing these quick security wins can significantly enhance your organization's cybersecurity posture. By demonstrating value and progress, you can secure more resources for your cybersecurity initiatives and foster a culture of security awareness within your organization. Remember, cybersecurity is not a destination but a journey, and it’s essential to continue to move forward!