The first half of 2025 has undeniably showcased the devastating power of data breaches and ransomware attacks. High-profile brands such as Marks & Spencer, Harrods, and Qantas Airlines have all been through cyber shockwaves, with countless amounts of employee and customer information lost to hackers. This has not only eroded brand trust but also raised serious questions about the solidity of overall business security infrastructure.
The breaches were primarily caused by social engineering attacks targeting IT help desks, which allowed attackers to gain access to systems and deploy ransomware. According to the latest insights, hackers impersonated employees to trick IT staff into granting access by requesting to reset passwords, ultimately leading to the compromise of sensitive data.
Security Evangelist at Hornetsecurity.
All evidence shows hackers’ deep understanding of human psychology, enabling them to exploit social norms and complacency to bypass some of the most robust data security systems. Affected businesses have responded swiftly to attacks and offered timely support to those impacted; however, it’s clear all businesses need to improve their cybersecurity if they are to stay safe in this ever-evolving world of cyber threats.
While some businesses may think that investing in advanced technology will be enough to address this, it will be useless if they don’t equally invest in human elements to strengthen cyber resilience and ensure long-term data security.
Understanding how tackling human-led vulnerabilities can build a smarter, stronger, and more adaptive cyber defense system will help businesses to transform their approach to cyber resilience.
Elevating password security: The human element of your first line of cyber defenses
As recent data breaches have shown, password-granted access is often the breakthrough hackers need to compromise systems. Introducing key changes to how businesses manage passwords can help in the fight against nefarious actors.
Firstly, small changes to password policies can add an extra layer of protection, making it more difficult for hackers to gain access. As you inspect your existing policies, DON’T forget the basics! For example, personal information in passwords should be avoided as it’s easy for hackers to get user logins if names, birthdays, or other personal information is directly included in passwords.
It seems simple, yes, but some of the largest organizations in the world have been breached because of the omission of basics like this. Once hackers gain access to the targeted systems, the risks of data breach is all but certain, raising the likelihood that confidential information will be exposed on malicious websites.
Businesses should therefore implement clear password policies, including setting rules for password length and complexity, and make sure you’re following NIST best practices for password generation. Take scheduled password resets, NIST no longer recommends forced password changes unless there is evidence of breach. This is due to the fact that users would make highly serialized passwords in an attempt to remember them, which ultimately lowers operational security..
The strict application of MFA
In addition to the password hygiene rules, the strict application of multi-factor authentication (MFA) across organizations, including their external partners, is necessary to maintain cybersecurity.
Here, PINcodes and biometric authentication that require verification via a physical device (like FIDO2) help prevent unauthorized users from accessing accounts, even when passwords have been stolen. Deploying MFA across business and personal accounts enhances protection against common security threats such as malware, phishing, and ransomware attacks.
Warning: while MFA helps, it isn’t a catch-all safeguard. Social engineering, or the use of reverse-proxy style toolkits, allows threat actors to account for MFA during the login process. This enables the attacker to capture the target’s authentication token regardless of MFA being enabled on the account.
Adoption of Passkeys
To counter this, technologies like Passkeys should also be adopted by businesses to create additional safeguards against cyber attacks. Operated by using public key cryptography, Passkeys generate a public/private key pair whenever a new passkey is established with an online service.
The authentication response is unique for each login, which means there are no passwords to be stolen on the service end of the login process. Passkeys are also typically URL-bound, rendering reverse-proxy phishing kits useless for threat actors.
Strict practices of password hygiene and the adaptation of evolving password technologies will strengthen businesses’ data protection and bolster cybersecurity against unverified attempts to access accounts.
While password security is important, to foster truly robust cyber resilience, more steps need to be taken across organizations in their day-to-day operations to maintain safety.
Cultivating a culture of cyber resilience: policies, training, and overlooked vulnerabilities
To embed cyber resilience into organizational culture, it is crucial to upgrade data security policies and ensure employees can implement them daily. These will foster a full-scale ecosystem of accountability and vigilance.
Businesses should implement ongoing tiered cybersecurity awareness training for their employees. Successful completion of a round of tests and simulations will automatically unlock progressively more challenging ones.
Those who don’t pass initial tests receive opportunities for further practice and re-testing at that difficulty level until they succeed. This approach fosters progressive cybersecurity training and rewards successful employees with less frequent testing.
Additionally, regular feedback loops, surveys or user-friendly polls can ensure the current security training stays up-to-date with cybersecurity trends, covering key topics such as phishing and ransomware.
A particular focus should also target the cyber vulnerabilities faced by organizations implementing remote and hybrid work. While implementing strategies for protecting devices and networks beyond the traditional office perimeter, such as applying MFA and role-based data access, businesses should make sure there are regular software updates and enhanced firewall configurations.
CISOs and IT teams should enforce a Zero Trust approach, ensuring that each user has no more than the access they need and that every connection and communication, no matter how trustworthy it may seem, is vetted for authenticity.
Building a proactive and adaptive cyber defense ecosystem
To stay safe from attacks, businesses must consistently refine and manage their cybersecurity strategy. Strengthening data security across all accounts is essential to minimizing data breaches and safeguarding sensitive information.
Additionally, businesses should prioritize other critical areas based on their specific risk profiles. This means a careful, case-by-case assessment of where vulnerabilities lie and where the greatest impact can be made. Focusing on the following key actions is vital:
– Enforce strong password hygiene across the organization, and mandate the use of Multi-Factor Authentication (MFA) or Passkeys to secure the first line of defense without exception
– Encourage progressive learning by implementing an ongoing, tiered cybersecurity testing program that adapts to roles, responsibilities, and knowledge
– Embrace regular feedback through employee surveys and polls to keep the current cybersecurity training relevant and effective
– Enhance remote and hybrid work settings by applying technical safeguards alongside a Zero Trust approach to limit data exposure and risk
The path forward requires a holistic view, a commitment to continuous adaptation, and the firm understanding that the strongest defense isn’t just about tech, but the informed and vigilant human element that underpins it.
We’ve listed the best business password managers.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
