By Sherri Davidoff   /   Jan 23rd, 2024

Top Security Controls of 2024

There is no perfect cybersecurity. With the emergence of AI hacking tools and a constantly evolving threat landscape, defenders need to adapt quickly and invest in security controls that deliver the best ROI. At LMG, our security experts constantly monitor the latest threats, track data breach trends, analyze cyber regulations and legal cases, and evaluate the effectiveness of cybersecurity controls and solutions. Based on this extensive and continuous research, our team has identified the top security controls for 2024 based on today’s risks. We selected these controls because they are strong, cost-effective methods to help you protect your organization in today’s changing threat landscape and regulatory environment. This prioritized list is designed to augment a comprehensive list of cybersecurity controls such as the NIST Cybersecurity Framework or ISO 27001.

You can also Download a PDF Copy of the Top Security Controls of 2024 here.

When selecting the top security controls of 2024, LMG’s analysts consider:

  • The current threat landscape and attack tactics.
  • The effectiveness of each cybersecurity control against current threats and vulnerabilities.
  • The relative financial investment and resources required in order to implement the control.
  • The importance of each cybersecurity control for demonstrating compliance or meeting third-party expectations.

And now, without further ado…

The Top Security Controls of 2024

  1. Data & Asset Inventory

    You need to know what data and assets you have in order to protect them. Mapping your data is a crucial first step. It helps you locate your sensitive data, so you can secure it. In addition, maintaining a comprehensive inventory of data and technology assets, including cloud applications, helps you properly address risk and align security investments.

    A 2023 survey found that 39% of businesses experienced a cloud data breach in the past year. We like the Tenable One solution as it gives you visibility into the risks affecting your identities, physical and virtual systems, cloud assets, and more. All too often, inventories are conducted in an emergency, post-breach, resulting in exorbitant bills. Every organization should proactively conduct data mapping and asset inventory using automated tools with robust reporting features.

  2. Strong Multifactor Authentication (MFA)

    Strong Multifactor Authentication (MFA) is a must for all Internet-facing systems, and it is increasingly deployed throughout internal infrastructures as well. Use strong authentication technologies, such as hardware tokens or smartphone apps, and move away from weaker MFA methods such as SMS (text messages), phone calls, and emailed codes. The industry is shifting towards passwordless authentication, and we recommend that you use it wherever it is available. In the meantime, use the strongest MFA available, and remember that configuration matters. With the rash of “MFA fatigue” attacks, in which an attacker who already holds a stolen password floods the user with push notifications until one is approved, defenders need to limit the number of push attempts, alert on bursts of denied or unanswered prompts, and prefer options such as number matching or phishing-resistant hardware keys. Consider deploying adaptive MFA technologies that use context such as location, device type and time to automatically apply the appropriate MFA challenge. MFA is an affordable, widely available, and highly effective security control that everyone should be using. Read this MFA Tip Sheet for more information and best practices.
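    The two configuration points above, capping push prompts and detecting a fatigue burst, are small enough to show in code. The following is an added example written for this page, not LMG’s tooling or any vendor’s API: a push-prompt rate limiter and a detector that runs over constructed sample authentication log lines (the line format, user names and IP addresses are invented for illustration).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry): timestamp, user, event, source IP.
# "alice" is hammered with four push prompts in a few minutes and finally approves
# one, which is exactly the pattern an MFA fatigue attack produces.
SAMPLE_LOG = """\
2024-01-22T02:14:05Z alice push_sent 203.0.113.7
2024-01-22T02:14:31Z alice push_denied 203.0.113.7
2024-01-22T02:15:02Z alice push_sent 203.0.113.7
2024-01-22T02:15:40Z alice push_denied 203.0.113.7
2024-01-22T02:16:11Z alice push_sent 203.0.113.7
2024-01-22T02:16:19Z alice push_timeout 203.0.113.7
2024-01-22T02:17:03Z alice push_sent 203.0.113.7
2024-01-22T02:17:09Z alice push_approved 203.0.113.7
2024-01-22T09:01:00Z bob push_sent 198.51.100.4
2024-01-22T09:01:12Z bob push_approved 198.51.100.4
"""


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamp used in the sample log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    ts, user, event, ip = line.split()
    return parse_ts(ts), user, event, ip


class PushRateLimiter:
    """Preventive control: refuse to send more than `max_pushes` prompts to one
    user inside `window`, so an attacker cannot wear the user down."""

    def __init__(self, max_pushes=3, window=timedelta(minutes=10)):
        self.max_pushes = max_pushes
        self.window = window
        self.sent = defaultdict(list)

    def allow_push(self, user, now):
        recent = [t for t in self.sent[user] if now - t < self.window]
        self.sent[user] = recent
        if len(recent) >= self.max_pushes:
            return False  # cap reached: log it and fall back to a stronger factor
        recent.append(now)
        return True


def find_push_fatigue(log_text, max_pushes=3, window=timedelta(minutes=10)):
    """Detective control: flag users who received more than `max_pushes`
    prompts inside `window`, and record whether one was approved in that
    window, which is the attacker's goal and should trigger a password reset."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_user = defaultdict(list)
    for ts, user, event, ip in events:
        by_user[user].append((ts, event, ip))

    alerts = []
    for user, evs in by_user.items():
        pushes = [ts for ts, ev, _ in evs if ev == "push_sent"]
        for i, start in enumerate(pushes):  # sliding window over push times
            burst = [t for t in pushes[i:] if t - start <= window]
            if len(burst) > max_pushes:
                approved = any(ev == "push_approved" and start <= ts <= start + window
                               for ts, ev, _ in evs)
                alerts.append({"user": user, "pushes": len(burst),
                               "window_start": start, "approved_after_burst": approved})
                break  # one alert per user is enough for the analyst
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_LOG):
        print(alert)
```

    The limiter stops the attack at the identity provider; the detector is what you run over exported sign-in logs when the provider does not expose a cap, and an approval inside a burst is the event worth paging on.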

  3. Endpoint Protection

    Endpoint protection, such as EDR technology, quickly detects and neutralizes threats and facilitates effective response. Simple EDR is not enough these days: Managed Detection and Response (MDR) includes outsourced 24/7 monitoring and response, while Extended Detection and Response (XDR) centralizes and streamlines techniques holistically across the network, cloud, and endpoints of all kinds. XDR reduces risk, simplifies operations, and decreases the total average cost of a data breach by $174,267, according to IBM.

  4. Cybersecurity Training & Awareness

    Humans are a critical part of your security arsenal. Every organization needs to keep security top-of-mind with a robust training program. Gone are the days when an annual webinar would suffice. Today, cybersecurity training needs to be provided monthly or more frequently to effectively address the latest threats. We recommend KnowBe4 and offer a managed on-demand cybersecurity awareness training experience with short videos and quizzes to train and test your team. A managed experience offers curated content to ensure it addresses your organization’s risks. Cybersecurity training is one of our top security controls for 2024 because it can dramatically reduce your risk of phishing—one of the top causes of a data breach for the past several years.

  5. Identity and Access Management

    Hackers have perfected the art of account takeover, leveraging user, administrator, and system accounts at every stage of the attack. What’s more, cybercriminals offer insiders lucrative payments to help hack their employers. Modern Identity and Access Management (IAM) systems centralize identity management throughout an enterprise, facilitating quick onboarding and offboarding, effective role-based access and restrictions, detection of suspicious activity, and more. Every organization should have an IAM system and regularly maintain it to minimize the risk of account takeovers and insider attacks.

  6. Scanning and Vulnerability Management

    Software exploits are a top entry vector for hackers, as evidenced by the fact that CISA’s Known Exploited Vulnerabilities catalog surpassed 1,000 vulnerabilities last year. Today’s hackers can easily shop for exploits on the dark web and develop new exploits using stolen source code and bug reports. In today’s threat landscape, monthly vulnerability scans are no longer sufficient. Defenders must employ automated tools to scan daily or even hourly and alert a ready response team when weaknesses are detected. Attackers are relentless—and defenders need to continuously monitor their attack surface, including operating systems and third-party applications, to prevent security breaches. Typically, this requires continuous automated vulnerability scanning and patch deployment, configuration checks, and automated asset discovery.

    With the rise in zero-day software vulnerabilities, defenders need to plan their response and be ready to deploy critical patches after hours and on weekends when needed.

  7. Cloud Configuration

    More sensitive data is moving to the cloud: 75% of businesses say more than 40% of data stored in the cloud is sensitive. Make sure to update your cloud data security program accordingly. Unfortunately, many organizations overlook cloud application security and suffer needless data breaches as a result of minor configuration errors. Conduct a cloud application security review upon migration, and review configuration routinely as part of your ongoing cloud maintenance. This includes common platforms such as Microsoft 365, AWS, and others. Ensure that your configuration review is conducted by trained and experienced personnel or outsource as needed.

  8. Penetration Testing

    Hackers often leverage weaknesses that can’t be detected by automated tools. Conduct routine penetration tests to uncover real-world issues such as misconfigurations, sensitive data exposure, unpatched vulnerabilities, authentication bypass, and more. Penetration tests enable you to proactively identify security risks that real hackers could actually exploit and effectively prioritize your cybersecurity investments. Make sure to conduct tests of your key assets, such as your network, websites, and any custom applications. Read our checklist on penetration testing best practices or watch penetration testers in action in LMG’s video, “How Hackers Go from Zero to Takeover”.

  9. Incident Response Testing and Training

    Organizations that formally establish their incident response (IR) team and regularly test their IR plans reduce their cost of a data breach by $232,008, according to IBM. Assign incident response roles, document policies and procedures, and conduct tabletop exercises to train your staff and identify gaps in your response. Make sure to test your after-hours processes: Attackers frequently launch attacks at night, or on holidays and weekends, when organizations have fewer staff to monitor and respond to alerts.

  10. Advanced Backups

    Attackers deploy sophisticated tools to extract passwords and valuable data from backup files, and routinely work to destroy backups. All organizations should configure immutable backups, which block even administrators from modifying or deleting data until the retention period expires. Prevent attackers from accessing backup files and the backup environment using multilayer security. To accomplish this, invest in modern backup tools that support immutability, as well as trained and experienced professionals to configure and test your systems.
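    The cloud configuration review under control 7 and the backup immutability requirement above come together in one concrete check. The following is an added example written for this page, not LMG’s review tooling or an AWS API: it reviews a dictionary of S3 bucket settings that is assumed to have been collected with the standard get-public-access-block, get-bucket-policy, get-bucket-versioning and get-object-lock-configuration calls (the response field names below are the real ones), and shows a weak backup bucket beside its corrected form. Both bucket configurations, the bucket name and the IAM role ARN are constructed for illustration.

```python
# S3 field names in the account-wide public access block (all four must be True).
PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, the two ways a policy opens a
    bucket to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def review_bucket(cfg, backup_bucket=False):
    """Return a list of human-readable findings; an empty list means the bucket
    passes. `backup_bucket=True` adds the immutability checks."""
    findings = []

    pab = cfg.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PUBLIC_ACCESS_KEYS if not pab.get(k)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))

    for stmt in cfg.get("Policy", {}).get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and _is_public_principal(stmt.get("Principal"))
                and "Condition" not in stmt):
            findings.append(f"statement {stmt.get('Sid', '<no Sid>')} grants "
                            f"{stmt.get('Action')} to everyone")

    if cfg.get("Versioning", {}).get("Status") != "Enabled":
        findings.append("versioning not enabled: overwritten objects are lost")

    if backup_bucket:
        lock = cfg.get("ObjectLockConfiguration", {})
        mode = lock.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
        if lock.get("ObjectLockEnabled") != "Enabled":
            findings.append("object lock not enabled: backups are not immutable")
        elif mode != "COMPLIANCE":
            # GOVERNANCE retention can be lifted by any principal holding
            # s3:BypassGovernanceRetention, so it does not stop an attacker
            # who has taken over an admin account.
            findings.append(f"object lock mode is {mode}: retention can be "
                            "bypassed by privileged principals")
    return findings


# Constructed weak configuration: partial public access block, world-readable
# policy, versioning suspended, and governance-mode retention.
WEAK_BACKUP_BUCKET = {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}]},
    "Versioning": {"Status": "Suspended"},
    "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}},
}

# Constructed corrected configuration: only a dedicated writer role may put
# objects, and compliance-mode retention makes them immutable for 30 days.
HARDENED_BACKUP_BUCKET = {
    "PublicAccessBlockConfiguration": {k: True for k in PUBLIC_ACCESS_KEYS},
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "BackupWriter", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-backups/*"}]},
    "Versioning": {"Status": "Enabled"},
    "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BACKUP_BUCKET), ("hardened", HARDENED_BACKUP_BUCKET)):
        print(name, review_bucket(cfg, backup_bucket=True) or ["no findings"])
```

    The same reviewer pattern extends to Microsoft 365 and other platforms: export the configuration, encode each requirement as a check that returns a finding, and run it on a schedule rather than only at migration time.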

  11. Supplier Risk Management

    IBM found that 15% of breaches were caused by a compromised vendor, and another 12% were caused by compromised software suppliers. Taken together, more than 1 in 4 breaches are caused by a compromised supplier. Since most organizations have over 100 suppliers, with many having over 300, it’s crucial to routinely vet your vendors and establish clear, documented cybersecurity standards and incident reporting policy requirements for your suppliers. You should also ensure that your suppliers are actively vetting THEIR suppliers, and integrate your key vendors into your incident response planning process. At LMG, we regularly recommend and help organizations set up and automate vendor vetting processes.

  12. Qualified Security Leadership

    Every organization needs an experienced CISO or security leader to provide effective guidance and meet compliance requirements. Regulators such as the FTC and NYDFS now require that certain organizations hire a “qualified individual” to oversee their cybersecurity programs. IBM found that having a skilled CISO decreased the average cost of a breach by $130,086. But skilled security leaders are hard to find and expensive to hire. Save money and gain access to skilled leadership with a virtual CISO.

Cybersecurity evolves rapidly—both adversary tactics and defensive solutions. Watch for our quarterly reports with our analysis of current threat trends and our pick for the top security control that is having the most impact based on recent events. For more information or help implementing these Top Security Controls, contact LMG’s team of experts.


About the Author

Sherri Davidoff

Sherri Davidoff is the CEO of LMG Security and the author of three books, including “Ransomware and Cyber Extortion” and “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity, she has been called a “security badass” by the New York Times. Sherri is a regular instructor at the renowned Black Hat trainings and a faculty member at the Pacific Coast Banking School. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), and has been featured as the protagonist in the book, Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien.” Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN) and received her degree in Computer Science and Electrical Engineering from MIT.
