Recalibrate before year’s end


Rhododendrons in bud

Rhododendrons are already producing next spring’s flowers. Similarly, can you use this October to restart the work of improving your organization’s cybersecurity for 2026?

Georgetown professor Cal Newport argues that not January, but the fall is the right time to start new projects, recommit to goals and check in on initiatives that are still at the ‘to-do’ stage and still feel important.

In this spirit here is a list of five things you can do now to improve your cybersecurity defenses. Perhaps you already have some of these things in place. If you do, October is a good time to take stock of how your organization is faring in these areas. As an example, CIO Magazine reports that more than 30% of IT managers believe their businesses are experiencing cloud-subscription creep – maybe services are redundant or just no longer useful.

1. Add MFA

An example of multifactor authentication via an app on a phone that generates secondary credentials that expire in 30 seconds.

Multifactor Authentication (MFA) is a good place to start thinking about boosting defenses. Bryley CEO Garin Livingstone has advised everyone to implement it wherever possible. Multifactor authentication means verifying who you are by two separate means: first a user name and password combination, and second a unique, time-sensitive code sent to you. The code can arrive by text, by email or through a discreet app on your phone. Currently Bryley is mostly deploying Cisco Duo, but there are similar approaches, such as Microsoft Authenticator and Google Authenticator.

Other MFA possibilities include a hardware authenticator such as a USB YubiKey, which contains a secure cryptographic chip that stores the secret keys used to verify your identity.
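The 30-second codes described above are time-based one-time passwords (TOTP, RFC 6238). The following is an added illustration, not code from Bryley or from any authenticator product; it generates the codes and shows the check a server performs, including the small clock-drift window and a constant-time comparison. The secret is the RFC 6238 test-vector key, used here only so the output is verifiable.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret (ASCII "12345678901234567890"), base32 as a
# phone app would receive it from the enrollment QR code.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros


def totp(secret_b32, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP whose counter is floor(unix_time / step).

    This is what the phone app computes; the code changes every `step` seconds."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time // step), digits)


def verify(secret_b32, submitted, at_time=None, step=30, window=1):
    """Server-side check of a submitted code.

    Accepts the current step plus/minus `window` steps so a slightly skewed phone
    clock still works, and compares in constant time so a wrong guess leaks
    nothing about how many digits matched."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    print("code right now:", totp(RFC_SECRET_B32))
```

A real deployment also records which counter values a user has already redeemed so the same code cannot be replayed inside its window.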

2. Use strong passwords (at least 15 characters, random is best)

People often overlook password security on relatively unimportant websites like walmart.com and macys.com, and many reuse passwords. But with a single reused password attackers can collect addresses, phone numbers, purchase history and partial payment information: a pretty comprehensive profile to use toward identity theft.

Password reuse, or using easy-to-guess passwords, becomes especially problematic for your organization if an employee uses the same device for personal use and company work. A reused or weak password puts every activity on that machine at risk. Your work VPN encrypts the connection, but if the employee’s device is compromised through a poor personal password choice, attackers are already inside when the employee connects to work. That opens up the possibility of organizational data theft or other kinds of attacks.

So consider a password manager that generates and stores strong passwords, or use strong passwords of your own creation. Currently Bryley recommends a unique 15-character password for every account. Steve Gibson describes a system that uses a fairly easy-to-remember phrase-derived sequence like Peanut6shelL#, which can then be modified per site, for instance at walmart.com or Netflix (something like Peanut6shelL#-WAL for the former and Peanut6shelL#-nFlix for the latter; these are samples only, so best to think up your own). If you use this method and one of these accounts gets breached, update all the related passwords: the criminals may be able to guess your method from one breached example, and certainly from two.

Also, Steve Gibson has tools on his website for generating long random passwords and for checking how strong your password is (please read his notes at the bottom of the page for the tool’s proper use).

3. Look for vulnerabilities

Here’s a four-question framework that can help you get a picture of your most obvious system vulnerabilities and how they connect to your operation’s functioning. Ask yourself:

  1. What security gaps am I aware of in my organization?
  2. What is it that’s made these vulnerabilities clear to me?
  3. If I get attacked through these vulnerabilities, what course of events would I expect to unfold?
  4. If I don’t address these vulnerabilities, can I list any permanent damage that cannot be reversed (for instance, data can’t be un-stolen)?

4. Ask: How would I want things to be improved?

Does your current IT setup meet your expectations? For example, are there times when employees are waiting around because of unresolved IT issues? Is the system running at the speed you want? Do you wonder if the system is secured? Do you feel elements of your computer systems are outdated?

Do you have industry or governmental compliance requirements? Is your operation unable to qualify for projects that have these kinds of requirements? Would you like to take on these kinds of projects?

What resources would be required to make these improvements? Can you assign timeframes in which you’d like to see any of these improvements accomplished? How will you measure the ROI of making these improvements?

Check computers to see if the operating systems are recent – most of the incremental updates (like Windows 11 Build 26100.6584) are security-related, not new features. I don’t mean this to be advice to deploy the most current version – there may be incompatibilities between a current build and other software you need – but if your systems are more than two to three major versions behind, you’re probably missing critical security patches that protect against known vulnerabilities being actively exploited by attackers.

Have there been notices for software updates that you’ve been avoiding dealing with? Use this time to decide if you’re going to update the software (and get it done) or move in a different direction (like uninstalling software that no one is using).

5. Review your organization’s resilience plans

One of the best defenses against a cyberattack is good backups. For instance, in a ransomware attack that encrypts your data so it is unreadable, a backup can allow you to essentially dial your systems back in time to before the criminal event and recover most of your working files (the most recent files may be lost). Use October for your annual check of your backups.

Here are some things you can check:

  • Look at your backup program’s most recent logs. Are the dates of the recent log activity what you expected to find? (e.g. are document changes you expect to find reflected in the backup?) Do the backup program’s logs show any recorded errors?
  • Go back a month into your backup and test it by restoring some random files of different types (such as PDFs, Word documents and jpegs).
  • If you have multiple types of backups running, check them each in these ways.
  • Do you use a 3-2-1 backup scheme? 3-2-1 means you have three copies of your data on two different media types in two locations: as an example, your working data would be one copy, a local backup another and a cloud backup another.
  • If you work largely in the cloud (M365, for example), don’t ignore backing up these documents (it is not widely known that cloud providers do not guarantee your data), because data corrupts and servers go down wherever they are.
  • Does your backup solution have enough storage capacity to get you to at least the middle of 2027? You will reevaluate for another year-and-a-half next October.
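The first item in the list above, reading the backup logs for recency and errors, is easy to automate. The script below is an added example, not Bryley’s tooling or any backup product’s output: it parses a constructed, generic "key=value" log format (real products differ, so the regexes are an assumption to adapt) and reports, per backup job, the last successful run, whether that run is older than you expect, and any recorded errors.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines; the format is invented for this example and is
# not the output of any particular backup product.
SAMPLE_LOG = """\
2025-10-01 02:00:05 INFO  job=nightly-fileserver status=success files=18234
2025-10-02 02:00:04 INFO  job=nightly-fileserver status=success files=18240
2025-10-03 02:00:07 ERROR job=nightly-fileserver status=failed reason="destination unreachable"
2025-09-20 03:15:00 INFO  job=cloud-m365 status=success files=9120
"""

# "<date> <time> <LEVEL> <key=value ...>" (assumed layout, see note above)
LINE_RE = re.compile(r"^(\S+ \S+) (\w+)\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Return (timestamp, level, fields) per well-formed line; skip malformed ones."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
        entries.append((ts, m.group(2), fields))
    return entries


def review_backups(text, now, max_age_days=2):
    """Per job: last successful run, staleness against `now`, and recorded errors.

    A job with no success at all is reported as stale, since a silently
    never-running job is the case a once-a-year glance at a dashboard misses."""
    report = {}
    for ts, level, f in parse_log(text):
        r = report.setdefault(f.get("job", "unknown"), {"last_success": None, "errors": []})
        if f.get("status") == "success" and (r["last_success"] is None or ts > r["last_success"]):
            r["last_success"] = ts
        if level == "ERROR" or f.get("status") == "failed":
            r["errors"].append((ts, f.get("reason", "")))
    for r in report.values():
        r["stale"] = r["last_success"] is None or now - r["last_success"] > timedelta(days=max_age_days)
    return report


if __name__ == "__main__":
    for job, r in review_backups(SAMPLE_LOG, datetime(2025, 10, 3, 8, 0, 0)).items():
        print(job, "last success:", r["last_success"], "stale:", r["stale"], "errors:", len(r["errors"]))
```

Run it against a log covering at least the last month and treat any stale job or any error as something to resolve before the restore test in the next item.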

Last, make sure you have a readily accessible document (printed and digital) that shows even non-IT personnel how to do a restore of specific files or systems, should the people who would normally do a restore not be available.

If you need help

If you’re working with Bryley and have any questions about these issues or would like recommendations specific to your organization, please contact Client Services at 978-562-6077 or ClientServices@Bryley.com.

If you are not currently working with Bryley and have questions about cybersecurity please contact us and schedule a no-obligation, no-cost call.

If you are considering an outsourced IT provider, Bryley can advise about addressing cyber-defenses, as Bryley has for dozens of other New England organizations since 1987. Even if you have an internal IT team, Bryley can offer another set of eyes on your systems – even the most skilled IT people can benefit from another perspective. In fact, about half of Bryley’s work is alongside internal IT teams. And should complex IT issues arise for you, Bryley brings to the table a diverse group of IT professionals – with a range of experiences – that is unlikely to be true of a smaller internal team.

To speak to Bryley’s Roy Pacitto, please complete the form below to schedule a no-obligation call. Or you can email Roy at RPacitto@Bryley.com or reach him by phone at 978.562.6077 x217.
