{"id":16024,"date":"2026-03-31T09:11:17","date_gmt":"2026-03-31T09:11:17","guid":{"rendered":"https:\/\/newestek.com\/?p=16024"},"modified":"2026-03-31T09:11:17","modified_gmt":"2026-03-31T09:11:17","slug":"8-ways-to-bolster-your-security-posture-on-the-cheap","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16024","title":{"rendered":"8 ways to bolster your security posture on the cheap"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>As every CISO knows, maintaining a strong cybersecurity posture is costly. What\u2019s not so well known is that there are many ways cybersecurity can be enhanced with the help of relatively trivial investments. Simply by thinking creatively, a security leader can substantially boost enterprise protection at a minimal cost.<\/p>\n<p>Could your organization benefit from some extra low-cost protection? If so, here are eight ways to improve enterprise cybersecurity without seriously denting your budget.<\/p>\n<h2 class=\"wp-block-heading\" id=\"1-enforce-mfa-better\">1. Enforce MFA better<\/h2>\n<p>Risk mitigation should start with fundamentals, says <a href=\"https:\/\/www.linkedin.com\/in\/trevorhorwitz\/\">Trevor Horwitz<\/a>, CISO at compliance technology services firm TrustNet. \u201cMFA directly supports confidentiality and access control, which are core security objectives,\u201d he states. \u201cIn almost every breach we analyze, compromised credentials are involved.\u201d Most organizations already have access to this capability. 
Turn it on, <a href=\"https:\/\/www.csoonline.com\/article\/4123184\/always-on-privileged-access-is-pervasive-and-fraught-with-risks.html\">especially for privileged access<\/a>, Horwitz advises.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/cisorandygross\/\">Randy Gross<\/a>, CISO at certification firm CompTIA, agrees. \u201cBegin by clearly defining the crown jewels and the next tier of important systems, then <a href=\"https:\/\/www.csoonline.com\/article\/570795\/how-to-hack-2fa.html\">enforce MFA<\/a> and least privilege across those environments,\u201d he recommends. \u201cNext, establish time-bound remediation expectations for the meaningful vulnerabilities in those systems before expanding attention to the broader environment.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"2-take-full-advantage-of-your-existing-tools\">2. Take full advantage of your existing tools<\/h2>\n<p>A practical way to strengthen enterprise security without incurring additional significant spend is to ensure you\u2019re fully leveraging the capabilities of solutions already present within your organization, says <a href=\"https:\/\/www.linkedin.com\/in\/garybrickhouse\/\">Gary Brickhouse<\/a>, CISO at security services firm GuidePoint Security.<\/p>\n<p>\u201cMost organizations have invested heavily in security solutions, yet most are only using a portion of what those tools can do,\u201d he explains. \u201cBy optimizing and operationalizing existing technologies, organizations can realize a reduction in cybersecurity risk with little spend.\u201d<\/p>\n<p>Brickhouse says this approach is highly effective because it focuses on improving operational maturity rather than adding more technology solutions. \u201cThis tactic also increases ROI by helping to ensure organizations are getting the most value from solutions they already own,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"3-conduct-tabletop-exercises\">3. 
Conduct tabletop exercises<\/h2>\n<p>Don\u2019t underestimate the power of <a href=\"https:\/\/www.csoonline.com\/article\/570871\/tabletop-exercises-explained-definition-examples-and-objectives.html\">tabletop exercises<\/a>, advises <a href=\"https:\/\/www.linkedin.com\/in\/ryancdavis\/\">Ryan Davis<\/a>, CISO at IT services provider New Charter Technologies. \u201cThey almost guarantee a positive action, and the only cost is in time,\u201d he says.<\/p>\n<p>A tabletop exercise requires participants to <a href=\"https:\/\/www.csoonline.com\/article\/1311295\/4-tabletop-exercises-every-security-team-should-run.html\">view scenarios from an execution perspective<\/a> rather than a theoretical position.<\/p>\n<p>\u201cPracticing for unexpected scenarios enables teams to exercise muscles they wouldn\u2019t normally use,\u201d Davis says. \u201cIt allows team members to ask questions they may not typically ask in everyday scenarios because there isn\u2019t time or an obvious need to do so.\u201d<\/p>\n<p>He adds that the approach also quickly highlights strengths that don\u2019t need further attention, as well as gaps that need to be closed.<\/p>\n<h2 class=\"wp-block-heading\" id=\"4-utilize-the-application-layer\">4. Utilize the application layer<\/h2>\n<p>An effective way to bolster coverage and reduce overall risk is to include the application layer in your cybersecurity strategy, says <a href=\"https:\/\/www.linkedin.com\/in\/billoliver2\/\">Bill Oliver<\/a>, managing director at cybersecurity platform provider SecurityBridge. He notes that ERP systems sit at the core of your company\u2019s operations and have been targeted by bad actors for years.<\/p>\n<p>\u201cMonitoring your ERP systems for missing security patches, bad security configurations, real-time security events, and so on can give you great cybersecurity protection at a relatively low cost as compared to other cybersecurity initiatives,\u201d he says. 
\u201cUnderstanding what security events are happening in real time will greatly bolster your company\u2019s cybersecurity program and correct a weakness that has been there since day one.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"5-implement-passkeys\">5. Implement passkeys<\/h2>\n<p>Passkeys eliminate the single biggest attack vector most organizations face: <a href=\"https:\/\/www.csoonline.com\/article\/4042464\/enterprise-passwords-becoming-even-easier-to-steal-and-abuse.html\">stolen or phished credentials<\/a>, says <a href=\"https:\/\/featured.com\/p\/john-coursen\">John Coursen<\/a>, CISO at Fortify Cyber, a firm that helps regulated industries secure their infrastructure.<\/p>\n<p>\u201cThey remove the human element from authentication,\u201d he explains. Coursen notes that passwords tend to get reused, phished, and stuffed into credential databases. \u201cPasskeys can\u2019t be phished, because there\u2019s no shared secret to steal.\u201d<\/p>\n<p>Coursen observes that most modern identity providers, such as Azure AD and Okta, already support passkeys. \u201cThe tech isn\u2019t hard to implement \u2014 it\u2019s the behavior change and getting users to adopt it.\u201d<\/p>\n<p>Start with your highest-risk users, Coursen advises, including executives, finance teams, and anyone with access to sensitive client data or wire transfer authority.<\/p>\n<h2 class=\"wp-block-heading\" id=\"6-aim-for-the-heart\">6. Aim for the heart<\/h2>\n<p>Target what attackers actually exploit, suggests <a href=\"https:\/\/www.aikido.dev\/team-members\/mike-wilkes\">Mike Wilkes<\/a>, CISO at security technology provider Aikido Security. \u201cSet up redundant DNS providers \u2014 they\u2019re low-cost, high-impact, and massively underused,\u201d he says. \u201cPut Cloudflare\u2019s free plan in front of your public-facing apps, and you get DDoS mitigation and a WAF layer instantly.\u201d<\/p>\n<p>Turn on SPF, DMARC, and DKIM, since email is still the No. 
1 initial access vector and these DNS controls take just an afternoon to implement. \u201cEnable MFA everywhere using the free Google Authenticator,\u201d Wilkes says, while also recommending checking DNS records and auditing MFA for gaps.<\/p>\n<h2 class=\"wp-block-heading\" id=\"7-consider-human-risk-management\">7. Consider human risk management<\/h2>\n<p>At a time when the vast majority of cyberattacks involve people, human risk management is a critical and cost-effective way to keep the enterprise safe, says <a href=\"https:\/\/www.linkedin.com\/in\/mattglindley\/\">Matt Lindley<\/a>, chief innovation and security officer at cybersecurity awareness training firm NINJIO.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4123230\/human-risk-management-cisos-solution-to-the-security-awareness-training-paradox.html\">Human risk management<\/a> works because it addresses the most urgent cyberthreat most enterprises face by establishing a culture of cybersecurity at every level of the organization, Lindley says.<\/p>\n<p>\u201cInstead of treating employees as the weak links in an organization\u2019s cybersecurity posture, they should be regarded as its greatest security assets,\u201d he states. \u201cWhen employees are empowered to identify, report, and thwart cyberattacks, the enterprise now has a distributed and adaptive layer of cybersecurity.\u201d<\/p>\n<p>Effective human risk management requires security leaders to provide engaging, actionable, and personalized <a href=\"https:\/\/www.csoonline.com\/article\/3604803\/security-awareness-training-topics-best-practices-costs-free-options.html\">security awareness training<\/a>, Lindley says. It also demands a high degree of accountability. 
He notes that security leaders should be able to determine whether behavioral interventions are actually working by using benchmarks beyond vanity metrics, such as completion rates.<\/p>\n<p>\u201cThis means providing data on phish reporting and other real-world improvements to the organization\u2019s cybersecurity posture, all of which will generate buy-in across the C-suite,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"8-double-down-on-cybersecurity-fundamentals\">8. Double down on cybersecurity fundamentals<\/h2>\n<p>One of the most effective low-cost security strategies is to double down on fundamentals such as identity protection, patching, visibility, and user awareness, says <a href=\"https:\/\/www.linkedin.com\/in\/jeffforesman\/\">Jeff Foresman<\/a>, vice president of cybersecurity at technology services firm Resultant.<\/p>\n<p>Most organizations already have the tools they need through platforms like Microsoft and Google, as well as their endpoint and email security stacks, Foresman says. The real opportunity, he notes, lies in better configuration and disciplined execution, such as enforcing MFA everywhere, reducing unnecessary admin access, patching Internet-facing systems quickly, and improving phishing reporting and response. \u201cThose steps alone significantly reduce real-world risk,\u201d Foresman says.<\/p>\n<p>Foresman notes that a fundamentals-first approach works by targeting how attackers actually gain access. The majority of breaches still begin with compromised credentials, phishing, exposed systems, or misconfigurations, not advanced zero-day exploits, he explains. 
By focusing on identity, email, and attack surface reduction, organizations can address the most common entry points.<\/p>\n<p>\u201cIt\u2019s practical, measurable, and tied to the breach patterns we see every day, rather than theoretical controls,\u201d Foresman says.<\/p>\n<p><strong>See also:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.csoonline.com\/article\/570795\/how-to-hack-2fa.html\">How MFA gets hacked \u2014 and strategies to prevent it<\/a><\/li>\n<li><a href=\"https:\/\/www.csoonline.com\/article\/1312195\/redefining-multi-factor-authentication-why-we-need-passkeys.html\">Redefining multifactor authentication: Why we need passkeys<\/a><\/li>\n<li><a href=\"https:\/\/www.csoonline.com\/article\/4123230\/human-risk-management-cisos-solution-to-the-security-awareness-training-paradox.html\">Human risk management: CISOs\u2019 solution to the security awareness training paradox<\/a><\/li>\n<li><a href=\"https:\/\/www.csoonline.com\/article\/4071102\/cisos-must-rethink-the-tabletop-as-57-of-incidents-have-never-been-rehearsed.html\">CISOs must rethink the tabletop, as 57% of incidents have never been rehearsed<\/a><\/li>\n<li><a href=\"https:\/\/www.csoonline.com\/article\/4071289\/what-to-consider-to-make-your-enterprise-phishing-training-effective.html\">Phishing training needs a new hook \u2014 here\u2019s how to rethink your approach<\/a><\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>As every CISO knows, maintaining a strong cybersecurity posture is costly. What\u2019s not so well known is that there are many ways cybersecurity can be enhanced with the help of relatively trivial investments. Simply by thinking creatively, a security leader can substantially boost enterprise protection at a minimal cost. Could your organization benefit from some extra low-cost protection? 
If so, here are eight ways to&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16024\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16024","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16024","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16024"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16024\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16024"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}