
Best Practices for Agile Cyber Defense

We have learned our methods through years of direct operational experience helping organizations defend their data. We have contributed to community activities designed to share best practices, and we also work hard to consume the latest thinking from our peers and other thought leaders in the space.

We know every company is different. Many have well-developed security programs led by world-class teams that are continually learning and improving. Others are just starting their journey. This information is aimed primarily at firms working to enhance a security program, but it may hold some new information for established security programs as well.

It is interesting that one of our key observations has been that simple checklists of what to do don’t help much at all. That also applies to the list below! This is just a review of best practices from the standpoint of practitioners. To make them effective you need to contextualize them into a relevant action plan for your organization, something that makes sense for your business. That said, you can benefit from our decades of expertise in threat modeling and risk mitigation by reviewing these lessons.

Our Short list of Cybersecurity Best Practices:

1. Use a “framework” that will guide your action. Our favorite one is the NIST Cybersecurity Framework, but there are many. A good framework will help guide your policies, procedures, contracting and incident response, and will also help improve communications with others inside and outside your organization. The NIST framework divides the actions you need into the categories Identify, Protect, Detect, Respond and Recover, and then fills in many details under those categories. One problem with most of these frameworks: they focus only on defense, as if the bad guys are static. You need to give the right amount of time to adversary models as well as defensive models (see the next best practice).

2. Work to know the threat. Knowing the cyber threat will help you more rapidly and economically adjust your defenses. Since the threat is dynamic you need continuous information. Our free daily report will keep you aware of the latest in threats and global business risks. For exclusive content and actionable intelligence join OODA Loop. No matter who you are, you need to know what is happening in your adversary’s camp. Stay aware.

3. Think of your nightmare scenarios. Only you know your business and only you can really know what could go wrong if the worst happens, so your nightmares are what matters! Use these nightmare scenarios to help determine what your most important data is; this is going to help prioritize your defensive actions. Businesses should also seek to bring these nightmares to life, in a controlled environment, to see how you and your team will perform in response. A good way to do this is via a “Table Top Exercise”. This is a structured way to talk through who will do what and look for gaps in your incident response plans. We also discuss the need to “red team” your approaches to security below, which can reveal how your nightmare scenarios may come to pass and what to do about that.

4. Encrypt your data. And back it up! Prioritize this protection on your most important data. This will help mitigate the risks of your nightmare scenarios. Moving to the cloud will provide smart encryption solutions for some of your data and operations (more on the cloud below).  

5. Ensure you are patching your operating systems and applications. This sounds so basic, and it is so basic. But it is too frequently overlooked, and it gets both individuals and companies hacked, again and again. So if you are a home user, make sure you do this yourself, and if you are a small business, make sure you have processes in place for it to be done for everyone. Leaders in organizations of all sizes should realize it is a common mistake to just assume systems are being patched. Don’t just assume it is going on. Check it.

6. Go to the cloud! Recall the points we just made above, you have to keep your systems patched, and encryption is smart. Using cloud services shifts more of that patching and updating to highly qualified engineering teams and gives you new options for encryption. Moving to a well engineered cloud brings many other security functions too. You absolutely need to pay attention to how you configure your cloud services, including access control, identity management, and encryption and monitoring. But overall you will reduce risk with smartly configured cloud services. Based on our detailed and almost continuous review of security capabilities and future roadmaps right now we can say that any of the major cloud providers can contribute to your security posture, but only if they are configured properly. Get expert help to check that configuration.

7. Put multi-factor authentication in place for every employee, including on their use of cloud based services, and encourage all to do this at home as well. Depending on your business model, you may need to do this for customers and suppliers too. This is very important for a good defense. Some multi-factor methods are still open to attack.

8. If you operate in an environment where you are provided WiFi (like in a co-working space), we strongly recommend using the free open source web browser plugin called “HTTPS Everywhere”, which will force the use of HTTPS everywhere possible and make your browsing more secure. This will minimize the very rare but real risk that you will be in unencrypted sessions that can be exploited by adversaries. For even more protection you can run your own hotspot that connects via cell, but we rarely recommend this anymore since well patched browsers have so much security built in already. That said, cellular speeds are so very high in most parts of the country that you should be able to find a solution that gives you the performance you need while keeping your communications more secure, if you desire this path. This may include buying a hotspot designed to give your office direct connectivity. Notice that we are not recommending a VPN. Some may still use those, but if you have a well patched system and the very latest Chrome or Firefox and are using the HTTPS Everywhere plugin, then your browser establishes your VPN.

9. Configure your WiFi to be as secure as possible. Larger businesses will have an ability to use the most up to date hardware and software and configure WiFi to leverage best practices. For smaller businesses and home offices we recommend leveraging the Google WiFi because it provides an easy management interface and simple way to make sure you are using DNS correctly (see below).

10. Configure your DNS to make it harder on the bad guys. There are simple configuration changes you can put in place that will greatly reduce the risk of malicious code and privacy attacks. There are many options for the changes to make to your DNS, but for most we recommend changing your DNS server to 9.9.9.9 (learn more at Quad9.net).
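The “check it” advice from the patching item applies to DNS too: a resolver handed out by DHCP or a captive portal can silently sit ahead of 9.9.9.9 in the resolver list and bypass Quad9’s filtering. The following script is an added example, not code from the original article or from Quad9; it parses a resolv.conf-style configuration and flags any nameserver that is not one of the Quad9 addresses (9.9.9.9 from the article, plus Quad9’s published secondary 149.112.112.112). The sample configuration is constructed, and the allow-list is an assumption you should adjust to the resolvers you actually intend to use.

```python
"""Check whether a resolv.conf-style resolver configuration points at Quad9.

Added example, not code from the original article. It parses the
'nameserver' lines of a resolv.conf text and reports any resolver that is
not one of the Quad9 addresses. The sample configuration below is
constructed for the example.
"""
import ipaddress

# Quad9's recursive resolvers: 9.9.9.9 is the address the article recommends;
# 149.112.112.112 is the published secondary. Assumption: these are the only
# addresses you intend to allow on the host being checked.
QUAD9_RESOLVERS = {"9.9.9.9", "149.112.112.112"}


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf text, in order.

    Comment lines (# or ;) and non-nameserver directives are ignored, and
    anything that is not a valid IP address is skipped rather than trusted.
    """
    servers = []
    for line in resolv_conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] != "nameserver" or len(parts) < 2:
            continue
        try:
            servers.append(str(ipaddress.ip_address(parts[1])))
        except ValueError:
            continue  # malformed address: not a resolver we can rely on
    return servers


def check_resolvers(resolv_conf: str, allowed=QUAD9_RESOLVERS) -> dict:
    """Classify configured resolvers as allowed or unexpected.

    A host resolves through the first reachable nameserver, so a single
    unexpected entry ahead of 9.9.9.9 means the Quad9 filtering is bypassed.
    An empty resolver list is also reported as not ok.
    """
    servers = parse_nameservers(resolv_conf)
    unexpected = [s for s in servers if s not in allowed]
    return {
        "nameservers": servers,
        "unexpected": unexpected,
        "ok": bool(servers) and not unexpected,
    }


# Constructed sample: a laptop that was handed a local resolver by DHCP
# and has Quad9 only as a fallback.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search corp.example
nameserver 192.0.2.1
nameserver 9.9.9.9
options edns0
"""

if __name__ == "__main__":
    result = check_resolvers(SAMPLE_RESOLV_CONF)
    print(result)  # ok is False because 192.0.2.1 is queried first
```

On a real host you would read the text from /etc/resolv.conf (or the equivalent output of your platform’s resolver tooling) and feed it to check_resolvers; the point of the check is that order matters, not just membership.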

11. Configure your email to make it harder to be spoofed/phished. By using the widely adopted email authentication configuration called DMARC you can significantly reduce the chance that your email will be spoofed and your partners or employees tricked because of you.

12. Use a password manager for personal passwords, at work and at home, and encourage every employee to do the same. Larger firms may have a password manager as part of an enterprise security solution. Small to mid-sized firms may leverage the capabilities of Dashlane, LastPass or 1Password. All three of those have options for business use. A best practice for small business is to use the password manager to make employees’ workflows easier and also give them a license for free use at home.

13. Block malicious code. This is easier said than done, but work to put a strategy in place that ensures only approved applications can be installed on your computers, and, even though anti-virus solutions are not comprehensive, ensure you have them in place and keep them up to date. For home users and small businesses look into Sophos or Norton/Symantec. Both have versions for Mac and Windows. There are many other options; to research them, see test results and reviews at av-test.org.

14. Prepare for the worst. Know what your incident response plan is and make sure it is well documented and reviewed. Ensure it includes notification procedures. Ensure your team is also prepared to respond to “digital swiftboating,” which can come at any time and may involve trolls and haters sponsored by your competitors or even hostile nations. Preparing for incidents means more than just planning. Exercise the plan through realistic, scenario-driven table top exercises.

15. Design your architecture to detect and respond to breach. This means put monitoring in place and also use proper segmentation of your systems so an adversary has a harder time moving around. Monitoring can be hard for any organization, so find a way to leverage cloud services to do that. For smaller organizations, we like the approach of Canary (see canary.tools), which will tell you when bad actors are in your net.

16. Ensure you are able to communicate with others in a way that cannot be monitored by criminals/hackers. This is important in day to day business and urgent in incident response. (This may be as simple as having a Signal room for your team).

17. Ensure every employee in the organization knows their role in cyber security. This is NOT just an IT function. Training and awareness is so critically important you should consider it your first line of defense. There are many firms that can help you execute on this goal in ways contextualized for your business. Contact us for recommendations. 

18. Keep learning, including the lessons of history. You can find the wisdom of the masters in books like The Cuckoo’s Egg, Dark Territory and A Fierce Domain.

19. Check everything. You need to get in the habit of checking things yourself, but it is also important to have independent assessments done (we would love to help with that!). Organizations can almost always make use of an external “red team” which seeks to replicate your adversaries. This type of assessment is best done by experienced professionals.

20. Join the ISAC for your industry. This will put you in contact with other professionals in your sector and will keep you informed on information you need to know to mount a solid defense.

For other special reports and country studies see the OODA Network Resources page. Also find a more expansive list of security recommendations here: Optimizing Cyber Defenses. Publicly traded corporations should review the governance rules and recommendations here: The SEC Announces Final Cybersecurity Rules: What the C-Suite Needs To Know and Do.

Additional resources

The Intelligent Enterprise Series: Special reports from OODA focused on corporate intelligence

Useful Standards For Corporate Intelligence: Based on lessons learned from the US intelligence community and corporate America

Optimizing Corporate Intelligence: Tips, best practices and actionable recommendations to make intelligence programs better.

A Practitioner’s View of Corporate Intelligence: insights aimed at corporate strategists seeking competitive advantage through better and more accurate decision-making.

An Executive’s Guide To Cognitive Bias in Decision Making: Cognitive Bias and the errors in judgement they produce are seen in every aspect of human decision-making, including in the business world. Companies that have a better understanding of these cognitive biases can optimize decision making at all levels of the organization, leading to better performance in the market.