Companies are rapidly adopting artificial intelligence (AI) and deploying it to help with multiple business functions. According to an April 2023 Forbes Advisor survey, 53% of businesses apply AI to improve production processes, 51% adopt it for process automation and 52% use it for search engine optimization tasks.
However, using AI comes with new cybersecurity threats that traditional policies don't address. AI systems can have flaws that attackers exploit. Developers may not fully understand how or why AI makes certain decisions, which allows biases and errors to go undetected. This "black box" effect exposes organizations to potential compliance, ethical and reliability issues.
As attackers become more sophisticated, manual monitoring alone falls short. AI's pattern recognition is crucial for defense. Organizations must update their security policies to deal with AI-related risks, and failure to do so leaves them vulnerable.
Why Updating AI Security Policies Is Critical
As the use of AI accelerates, it's essential to formulate precise policies for its secure development, deployment and operation.
With more companies embracing remote work as a result of Covid-19, the "attack surface" has grown exponentially. This makes AI-powered threat detection and response essential. AI can instantly identify a compromise and initiate countermeasures before major harm occurs. Updating policies to incorporate AI security processes is vital for reducing risk.
The explosion of data from digital transformation, IoT devices and other sources has made manual analysis impossible. Policies must define how AI fits into the organization's technology stack and security strategy.
Regulations are also playing catch-up when it comes to AI. Frameworks like SOC 2 have compliance standards for traditional IT controls, but few have covered AI specifically to date. However, this is starting to be a consideration for other frameworks such as ISO. Organizations may need to draft custom AI policies that align with their industry's regulations. For example, healthcare companies subject to HIPAA rules must ensure any AI systems processing patient data meet strict security and privacy requirements.
How AI Strengthens Cybersecurity Defenses
AI is revolutionizing cybersecurity by providing businesses with innovative defense mechanisms against threats, and tech-savvy enterprises should prioritize integrating it into their security posture. In particular, software-as-a-service (SaaS) companies can reap significant benefits from the security enhancements that AI delivers. Updating policies is essential to incorporate AI, assess its multifaceted impact and plan for its effective deployment to maximize its potential while minimizing risks.
Integrating AI into cybersecurity can turn it into a formidable defense tool. The rapid data processing capabilities and knack for spotting critical signs can allow AI to thoroughly examine vast datasets, revealing any hints of suspicious activities, unauthorized access or looming security risks.
By swiftly sifting through and analyzing thousands of logs within seconds, AI can empower organizations to detect and mitigate risks promptly—safeguarding the integrity and security of their systems. AI can bolster a company's defense mechanisms through this proactive strategy, keeping it ahead of potential threats and vulnerabilities.
Addressing Policy Challenges
Developing robust policies is vital to securely integrating AI into your company's operations. While AI can be a formidable cyber defense tool, it poses policy-related challenges like ethics, data privacy, compliance, data governance and vendor relationships.
To integrate AI into your organization's policies effectively, provide in-depth employee training for responsible AI usage and data protection. Continuous policy monitoring, testing and risk assessments can ensure system reliability.
While global regulators work on AI governance, organizations must self-regulate for ethical and responsible AI use. For instance, biased data in AI can breach ethical and compliance standards. Crafting policies prioritizing safety and ethics is vital to protect your company and employees in the AI-powered landscape.
Maintaining Public Trust Requires Care
Organizations must meticulously evaluate and manage AI implementation to prevent unjust outcomes that could lead to legal liabilities or public backlash. Numerous real-world events illustrate the consequences of mismanaged AI implementations. In 2018, Reuters reported that Amazon had to scrap its AI-driven recruiting tool because it showed bias against job candidates who were women—reflecting the potential for biased outcomes in AI systems.
Such mishaps can erode public trust. Companies must thoroughly audit algorithms and data pipelines to uncover and address possible biases. Comprehensive policies encompassing detailed AI testing, documentation and oversight are indispensable for navigating the complexities of AI implementation. Internal policies are crucial in aligning AI initiatives with organizational values, preventing incidents that could harm the brand.
Clear Policies Are Needed
In general, the public remains wary of AI and its implications, with surveys showing a growing distrust among consumers and concerns about losing privacy and autonomy. Clear policies guiding AI's use in a transparent, ethical and secure manner are essential for maintaining trust.
As cognitive technologies continue permeating business operations, updated guidelines will prove critical. Companies hoping to capitalize on AI's promise must enact policies that ensure ethics, fairness and accountability. AI initiatives undertaken without these safeguards risk reputational damage.
The Future Depends On Thoughtful Integration
The expanding capabilities of AI are inspiring, but companies must approach integration thoughtfully. With deliberate planning, AI can be invaluable for identifying threats, responding to incidents and strengthening overall security posture. With updated policies addressing AI's unique risks, organizations can stay safe. It's time to revise security protocols and prepare for AI's integral role in the future of cyber defense.
You can read the original article posted in Forbes by Rhymetec CEO, Justin Rende.
About Rhymetec
Rhymetec was founded in 2015 as a Penetration Testing company. Since then, we have served hundreds of SaaS businesses globally in all their cybersecurity, compliance, and data privacy needs. We’re industry leaders in cloud security, and our custom services align with the specific needs of your business. If you want to learn more about how our team can help your business with your security needs, contact our team for more information.
If your organization is interested in exploring compliance with AI standards, we now offer ISO/IEC 42001 certification readiness and maintenance services and are happy to answer any questions you may have.
Vendor management is a crucial component in safeguarding company cybersecurity. As businesses increasingly rely on various external services and products, ensuring these external partners uphold strong security standards becomes imperative. Given the rapid progression of technology in cyberspace, I've found that companies must completely understand each vendor with access to transmit or store end-user data. They must have in-depth knowledge of the vendor's security profile and monitor it diligently to mitigate potential risks. From my experience, here are some of the top reasons why many companies aren't secure in this respect.
1. Increasing Vendor Numbers
Companies are increasingly engaging with larger numbers of vendors due to globalization, the need for specialized expertise, and the drive for cost efficiency. Statistics show that organizations' average number of third-party SaaS vendors increased by 62% between 2020 and 2022. This trend is fueled by the desire to focus on core competencies, leverage technological advancements, and enhance competitive positioning in the market.
2. Higher Supply Chain Risks
The growing number of vendors is one reason for the higher percentage of supply chain attacks. These occur because key suppliers or vendors may be more vulnerable to attack than the primary target, making them weak links in the overall network. In 2020, Accenture reported that 40% of cyberattacks originated from the extended supply chain.
For instance, in 2017, NotPetya malware spread via a Ukrainian accounting software company called M.E.Doc. The malware spread to other companies that used M.E.Doc's software, including Maersk, a global shipping company. The attack caused Maersk to shut down its IT systems for several days, resulting in a loss of $300 million.
3. Lack Of Continuous Monitoring in Vendor Management
The absence of continuous vendor monitoring in vendor management can lead to missed vulnerabilities and escalating risks. Continuous monitoring is crucial for detecting changes in vendors' security postures and guaranteeing adherence to security standards. Without it, companies may find themselves blindsided by security breaches originating from their vendors. Remarkably, research from the Ponemon Institute shows that 50% of organizations don't monitor third parties accessing their sensitive and confidential information.
4. Cost-Cutting Measures
The pressure to constantly cut costs is another threat to vendor cybersecurity programs. Research shows over two-thirds of organizations spend less than 10% of their IT budgets on security. Such cost-cutting measures can lead to inadequate security practices, such as failure to renew certifications or maintain compliance annually, leaving companies vulnerable to data breaches and cyberattacks. While reducing expenses is a common business goal, it should not come at the expense of robust security measures.
5. Risk Of Non-Compliance in Vendor Management
Non-compliance with cybersecurity standards also presents considerable risks. A checkbox approach, where companies merely meet the minimum requirements for compliance, is insufficient protection against cyber threats. One study found that 59% of organizations experienced a data breach caused by a third party. This statistic emphasizes the importance of ensuring all vendors comply with security policies, as their non-compliance can lead to severe and costly security incidents, damaging both the company's data integrity and its reputation.
6. Reactive Security Approaches
Reactive third-party security approaches leave companies vulnerable because they focus on responding to breaches after they occur, allowing damage to unfold unchecked. A lack of continuous monitoring and proactive vendor risk assessments can result in unnoticed security gaps, increasing the risk of data breaches.
For example, intrusion detection is only good after the fact; it doesn't protect a company from risk. With 4,145 data breaches at an average cost of $9.44 million each, the financial impact of the 59% caused by third-party vendors in 2022 was $22.9 billion. Companies struggle to keep pace with evolving cyber threats, which can lead to non-compliance with regulatory frameworks and compromise their security posture further.
7. Inadequate Security Training
A common shortfall I've seen in vendor management is the lack of comprehensive security training for employees. Humans are every company's biggest risk factor, and training significantly impacts employees' awareness and behavior regarding information security. For example, research into permissions provided to third-party vendors in cloud environments showed that 82% of enterprise organizations provided vendors with highly privileged roles. Seventy-six percent gave vendors roles allowing full account takeover, and over 90% of cloud security teams were unaware they had given such high permissions to vendors.
How To Prioritize Security in Vendor Management
A comprehensive vendor security analysis includes sending suppliers questionnaires to vet their security profiles and continuously monitor their postures. As it stands, 98% of organizations globally have relationships with at least one breached third party, and those that haven't been breached yet aren't immune to it happening to them.
Vigilant vendor management is vital to maintain a secure business environment. The primary risk lies in how people understand and handle their data. This understanding extends to vendor management, where the real challenge is ensuring that every vendor involved in the company's operations maintains a high security standard.
I find it critical that companies have a proactive approach that focuses on intrusion prevention and comprehensive employee training. Understanding vendors' capabilities and continuously monitoring their security postures is vital for fostering a security culture that permeates every aspect of the business, ultimately safeguarding the company's future.
You can read the original article posted in Forbes by Rhymetec CEO, Justin Rende.
About Rhymetec
Our experts have been disrupting the cybersecurity, compliance and data privacy space since 2015. We make security simple and accessible so you can put more time and energy into other critical areas of your business. Some of our customers have gone on to be acquired by Meta and Zoom. Our customers trust us to help them reap the benefits of having a stronger security program.
What makes us unique is that we act as an extension to your team. We consult on developing stronger information security programs within your environment, and provide the services to meet these standards. Most organizations offer one or the other. From compliance readiness (SOC 2, ISO/IEC 27001, HIPAA, GDPR and more) to Penetration Testing (Web Application Pentest, API Pentest, External Network Pentest and Mobile Application Pentest) and ISO Internal Audits, we offer a wide range of consulting, security, vendor management, and managed compliance services that can be tailored to your business environment.
If you’re ready to learn about how Rhymetec can help you, contact us today to meet with our team.
Closing the stable door after the horse has escaped may be a centuries-old adage, but it's still relevant when it comes to cybersecurity in SaaS product design. Implementing data protection and other security measures after the product design has been completed has continued to be one of the biggest issues facing the SaaS industry.
Incidents like last year's Samsung data breach expose the vulnerabilities in systems that fail to introduce adequate security protocols during product development, leading to financial and reputational damage. That's why prioritizing security during product design is critical for addressing this issue at the source.
5 Tips to Build a More Secure Product
- Include robust access control policies.
- Incorporate comprehensive data management practices.
- Adhere to compliance and regulatory requirements.
- Conduct AI-specific risk assessments.
- Cultivate transparency and public awareness around security measures.
SaaS programs provide a conduit to billions of people and thousands of companies across the globe. This fact makes SaaS a tempting target for bad actors wanting to exploit confidential information for their own ends.
5 Important SaaS Product Design Security Steps
For most product developers, security comes after building the product. This notion is dangerous and can have consequences later down the line. Implementing security controls after finalizing product development can look like an easy shortcut to shipping a product faster.
The reality is that certain security controls will eventually be required by your customers, internal needs, or laws and regulations. Here are some of the top factors software designers should consider when developing a new SaaS product to better prepare for future security needs. This approach not only safeguards against potential threats but also reinforces trust and reliability in the growing field of technology.
1. Robust Access Control Policies
Introducing effective access control protocols helps secure company systems by regulating access to data and functionality. SaaS product design should factor in configurable password policies that allow organizations to tailor processes to meet their objectives and compliance regulations.
Multi-factor authentication (MFA) significantly reduces the risk of unauthorized access. Single sign-on (SSO) capabilities, for example via SAML, and auto log-off features contribute to robust access control, and alerts from applications when users sign in from a new device or a different location all strengthen security. Viewing access logs is also beneficial for detecting unauthorized activity in user accounts.
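The "alert when a user signs in from a new device or location" control described above is easy to state but worth seeing as concrete detection logic. The following is an added example, not Rhymetec's code or any product's actual implementation: it replays constructed JSON-per-line access-log records (the field names `user`, `device_id`, `country`, `event` and `result` are assumptions for the sake of the example) and raises an alert the first time a user successfully logs in from a device or country that user has not used before. Failed attempts never extend the baseline, so an attacker's failures cannot "teach" the check that a new device is normal.

```python
"""Flag successful sign-ins from a device or country a user has not used before.

Added example (not Rhymetec's code). Log format and field names are assumptions.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample access-log lines (one JSON object per line); not real data.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:02:11Z", "user": "alice", "event": "login", "result": "success", "device_id": "dev-a1", "country": "US"}
{"ts": "2024-05-01T09:15:40Z", "user": "bob", "event": "login", "result": "success", "device_id": "dev-b1", "country": "US"}
{"ts": "2024-05-02T08:58:03Z", "user": "alice", "event": "login", "result": "success", "device_id": "dev-a1", "country": "US"}
{"ts": "2024-05-03T22:41:19Z", "user": "alice", "event": "login", "result": "failure", "device_id": "dev-zz", "country": "RO"}
{"ts": "2024-05-03T22:41:55Z", "user": "alice", "event": "login", "result": "success", "device_id": "dev-zz", "country": "RO"}
{"ts": "2024-05-04T10:03:27Z", "user": "bob", "event": "login", "result": "success", "device_id": "dev-b2", "country": "US"}
{"ts": "2024-05-04T10:05:00Z", "user": "bob", "event": "logout", "result": "success", "device_id": "dev-b2", "country": "US"}
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    reasons: tuple  # e.g. ("new_device", "new_country")
    device_id: str
    country: str


def parse_log(text):
    """Parse JSON-per-line access logs, skipping malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def detect_new_signins(records):
    """Return alerts for successful logins from a device or country unseen for that user.

    Each user's baseline is the set of devices/countries they have already logged
    in from successfully, in timestamp order. A user's very first login has no
    baseline and is not alerted; failed attempts are ignored entirely.
    """
    seen_devices = defaultdict(set)
    seen_countries = defaultdict(set)
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r.get("event") != "login" or r.get("result") != "success":
            continue
        user, dev, country = r["user"], r["device_id"], r["country"]
        reasons = []
        if seen_devices[user] and dev not in seen_devices[user]:
            reasons.append("new_device")
        if seen_countries[user] and country not in seen_countries[user]:
            reasons.append("new_country")
        if reasons:
            alerts.append(Alert(r["ts"], user, tuple(reasons), dev, country))
        # Only a successful login extends the user's known devices/countries.
        seen_devices[user].add(dev)
        seen_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for a in detect_new_signins(parse_log(SAMPLE_LOG)):
        print(f"{a.ts} {a.user}: {', '.join(a.reasons)} (device={a.device_id}, country={a.country})")
```

On the sample log this yields two alerts: alice's successful login from an unknown device in a new country (the preceding failure from the same device is ignored), and bob's login from a second device in his usual country. In a real product the baseline would be persisted per user rather than rebuilt from the log on each run, and the alert would be delivered to the user as the article describes.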
2. Comprehensive Data Management Practices
Sound data management practices are vital for SaaS applications that process vast amounts of personal and sensitive data. Product designs should incorporate privacy measures such as data encryption, regular audits and compliance with global data protection regulations like the General Data Protection Regulation (GDPR).
SaaS administrators must be able to access corporate data, set data retention parameters and delete data when necessary. Compliance frameworks like HIPAA, for instance, have specific deletion and retention requirements. System designs must provide for continuous data backups, and data management protocols must allow for redundancies in case of outages or disasters.
Data privacy protection options could also include the ability for users to opt out of having their data used for machine learning.
3. Adherence to Compliance and Regulatory Standards
Regulatory compliance is a necessity, not an option. The first step is a detailed understanding of the regulations and frameworks that apply to a particular industry. This is followed by building compliance into the SaaS product design. Identifying issues after the fact and adjusting a product to accommodate them is awkward, time-consuming, and risky.
Adherence to basic cybersecurity frameworks such as SOC 2 or ISO/IEC 27001:2022 strengthens comprehensive data privacy practices by providing a framework to manage and protect data effectively throughout the system’s life cycle. Companies like Philips have leveraged ISO standards to ensure healthcare products meet stringent regulatory requirements. This approach enhances patient safety and secures sensitive health information while fulfilling legal obligations and bolstering the product’s credibility and market acceptance.
4. AI-Specific Risk Assessments
If you are building a product with artificial intelligence technologies and large language models (LLMs), AI-specific risk assessments help identify and address vulnerabilities unique to artificial intelligence technologies. The assessments consider factors such as data integrity, algorithmic bias and the potential for unintended machine-learning outcomes. The new ISO/IEC 42001:2023 guidelines provide a structured framework for conducting these evaluations, ensuring that all potential AI-specific threats are systematically identified and mitigated.
The framework, which resembles the ISO 27001 standard, emphasizes the importance of continuous risk assessment throughout the lifecycle of AI products, from development to deployment and maintenance. AI systems can evolve and learn from data over time, potentially introducing new risks that were not present at initial deployment. Organizations wanting to comply with ISO/IEC 42001:2023 can combine the process with the ISO 27001 framework since many requirements overlap.
5. Public Awareness and Transparency
Cultivating transparency about the security measures implemented in SaaS programs is crucial for building public trust and confidence. Open communication reassures users and stakeholders about the product’s reliability and safety, how systems operate, the data they use, and the safeguards in place to protect their data.
Strategies to engage the public and build trust include detailed disclosure of privacy policies, regular updates on security practices and public demonstrations of the product’s safety features. Educating users about how their data is handled and the benefits of AI can demystify the technology and reduce apprehensions about its use.
Stay Proactive About SaaS Product Design & Security
With cyber threats becoming more sophisticated every month, companies must stay up to date with security threats and proactively integrate updated security measures into their SaaS product design processes. The ongoing development of standards reflects the growing recognition of SaaS complexities and the need for robust governance frameworks. These standards deliver a benchmark for companies to measure their security protocols against industry best practices.
To remain competitive, SaaS providers must embrace these standards and other tools available to prioritize security at every stage of their product development.
You can read the original article posted in Built In by Rhymetec CISO, Metin Kortak.
Artificial intelligence (AI) has been around since before ChatGPT came on the scene, and it has become an essential component of modern business. It has completely changed how many companies operate, make decisions, and interact with customers. From startups to large corporations, AI's integration into business processes ranges from automating routine tasks to providing deep insights through data analysis, enhanced efficiencies, and innovation. There are also existing software products that are now starting to utilize AI.
However, implementing AI in a SaaS business is a strategic decision that requires careful planning and ethical considerations. Here are seven factors to consider when you're planning to implement AI in your organization.
1. How AI Processes Data
Companies must understand how AI providers process data. AI processing methods vary, but commonly include machine learning techniques such as neural networks, decision trees, and clustering algorithms. These methods enable AI systems to learn from data, make predictions, and improve through experience. For instance, in cybersecurity, AI algorithms analyze patterns in network traffic to detect anomalies that indicate potential security breaches.
Your customers need to know that if you're implementing AI, their data may be pooled with that of other users. This could give rise to some security concerns.
2. Data Privacy And Security Concerns
Before implementing AI systems, companies should recognize and address data privacy and security risks. AI systems, by their nature, process vast amounts of data, including sensitive personal and organizational information. This makes them attractive targets for cyberattacks. Potential security risks include data breaches, unauthorized access to AI models, and manipulating AI algorithms to produce biased or incorrect outputs.
The use of shared AI bots like ChatGPT means that any data uploaded is used for the individual user and contributes to the AI's learning for other users. This can be a significant concern in enterprise environments, so proactively addressing the issue is paramount.
3. Compliance With Regulatory Requirements
Regulatory compliance is an important consideration for companies, especially when dealing with sensitive data like health information. Certain types of data may not be permissible for use with AI under regulations like HIPAA or FedRAMP. Using data in AI systems without compliance can lead to significant legal issues.
Understanding and observing these regulations is an obligation to your customers and a step towards responsible AI use.
4. Contractual Obligations And Customer Agreements
Adhering to customer contracts and any specific requirements or prohibitions regarding the use of AI is crucial. Companies must ensure they are not violating any terms related to AI usage. This requires thoroughly reviewing new and existing agreements and possibly renegotiating terms to accommodate the integration of AI technologies.
Ensure compliance with these contractual obligations to maintain your customers’ trust and avoid legal complications.
5. Transparency and Customer Trust
Transparency in AI usage is vital for maintaining customer trust. Companies should inform customers about AI integration and provide ways to address security concerns. Customers should be educated about how their data is used in AI systems and provided with detailed information about its impact on products and services.
Foster customer trust by ensuring your AI decisions are fair and unbiased. For instance, in the context of AI-based customer service chatbots, research has shown that customer trust is influenced by factors like the chatbot’s perceived functional and social attributes and the user’s personal inclination to trust technology. Offering customers control over their data through opt-in and opt-out mechanisms respects their autonomy and fosters a trustworthy relationship.
6. Projected Impact On Products
Significant product changes can occur due to AI integration and affect how customer data is processed. Companies should consider how these changes might impact their customers, particularly in enterprise settings.
AI integration can alter a product’s functionality, user experience, and data handling. Assess and communicate these impacts effectively to your customers, ensuring they are aware of and comfortable with the changes.
7. Data Isolation And Quality Control
The quality and quantity of data are pivotal in AI data processing. High-quality data is essential for accurate and reliable AI outcomes, particularly in complex networks managing large data volumes.
Businesses should ensure access to high-quality data and practical analysis tools to harness AI’s potential fully. Some AI providers offer options to isolate customer data. This can include hosting the AI within the company’s own environment and ensuring that data remains internal and is not used to train the AI with external data.
Conducting A Critical Security Assessment
A thorough AI security assessment is necessary before implementing AI in your operations. This requires several key steps:
- Step 1: Identify all data sources and entry points in the AI system that could be vulnerable to attacks. This includes reviewing data collection processes, storage systems, and AI algorithms.
- Step 2: Conduct vulnerability assessments and penetration testing to detect potential weaknesses in the system.
- Step 3: Evaluate the AI model’s resilience against adversarial attacks where inputs are maliciously altered to deceive the AI system.
That’s not the end of it, either. You’ll need continuous monitoring and regular updates to maintain the security of your AI systems.
The Way Forward With AI
As businesses increasingly adopt AI, the path forward must be paved with thoughtfulness and responsibility. AI’s transformative potential in business is immense and ranges from enhancing decision-making processes to optimizing customer interactions. However, embracing AI is not just about harnessing technological power. It’s also about fostering trust and ensuring the ethical use of technology.
As AI continues to evolve, remain vigilant in updating your organization’s systems, protecting your customer data, and adhering to ethical guidelines. By approaching AI implementation with a balanced view of its benefits and challenges, your company can unlock its full potential while maintaining the trust and loyalty of your customers.
Kortak is the Chief Information Security Officer at Rhymetec, an industry-leading cybersecurity firm for SaaS companies.
You can read the original article posted in Fast Company by Rhymetec CISO, Metin Kortak.
Why is it that cyberattacks are so hard to stop? Why do organizations need to continually invest in security? And why are measures like phishing training for employees mandated under so many cybersecurity regulations and standards?
The answer is a strange one:
Trust.
For better or for worse, humans are naturally trusting. We want to trust that the used car we bought won't have any issues missed by the inspection, that our Grubhub order will arrive when it says it will, that House of the Dragon Season 2 will be as good as Season 1, and that the email purporting to be from our CEO giving us a $500 bonus is legitimate.
Statistically, phishing is the number one way that your organization may fall victim to a cyber attack, and it's precisely because of our tendency to trust:
According to ReliaQuest's 2024 Cyber-Threat Report, threat actors predominantly use methods that work by "exploiting the trust and vulnerability of unsuspecting individuals." To any experienced security professional, it's unsurprising to hear the report found that phishing was used in 71% of all security incidents in 2023.
There are a million terms for phishing: vishing, smishing, whaling, qrishing (yes, somebody has actually made 'qrishing' a word; no, you don't need to know what it means because even Google Docs flags it as made up).
When you cut down to it, every type of phishing involves abusing people's trust in order to gain some advantage, whether financial or informational in nature. If a threat actor or ransomware group gets privileged access to your organization, odds are it will be through phishing.
This fact has both an upside and a downside:
The upside is that it gives you an area to focus on that can help substantially reduce your company's risk. The downside is that stopping phishing attacks is a hard problem.
Fortunately, simulated phishing is an excellent tool that allows you to prepare employees for the real thing before they get an email that could lead to a ransomware attack. This article will answer the following questions:
- How is phishing training conducted?
- Do I need phishing training for employees?
- Which cybersecurity standards and regulatory frameworks require phishing training?
- What are the top current recommendations from experts to mitigate risk from social engineering attacks?
- What is the role and importance of an incident response plan?
Let's jump right into the steps security professionals take to simulate how threat actors carry out phishing attacks and how you can conduct phishing training for employees:

Phishing Training For Employees Phase 1: Reconnaissance
Begin with the assumption that you know nothing about your business.
Your job is now to take the perspective of a threat actor. What can you find out about employees and your company through open-source intelligence (OSINT)?
First, you need to work out your company's email address format: for example, whether addresses are built from first name and last name separated by a dot, or from a first initial followed by the last name.
This is exactly what a motivated attacker would do.
There are several areas you can look for this information:
- Are employee emails listed on previous press releases?
- Do employees have their work email addresses listed on their LinkedIn profiles? By default, LinkedIn reveals huge amounts of both personal and professional information.
- Are any corporate email addresses related to individuals listed on the website?
Once you have this information, try to find out about the hierarchy of the organization. Who reports to whom? Who does what? A motivated threat actor may send incredibly detailed phishing emails to employees involving key aspects of their role or job duties.
Every piece of information you leverage should be publicly available to make the phishing exercise as realistic as possible.
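The reconnaissance step above boils down to matching a handful of observed name/address pairs against the conventions companies commonly use. The following script does exactly that; it is an added example and not code from the article. The names, addresses and the domain example.com are constructed placeholders, and the candidate pattern list is an assumption you would extend for your own organization.

```python
"""Infer an organization's email naming convention from a few observed addresses.

Added example for the reconnaissance step; it is not code from the original
article. The names and addresses below are constructed, and example.com stands
in for the target organization's domain.
"""
import re
from collections import Counter

# Candidate conventions (an assumed list; extend it as needed).
# {f} = first name, {l} = last name, {fi} = first initial, {li} = last initial.
PATTERNS = {
    "first.last": "{f}.{l}",
    "first_last": "{f}_{l}",
    "firstlast": "{f}{l}",
    "flast": "{fi}{l}",
    "firstl": "{f}{li}",
    "first": "{f}",
    "last.first": "{l}.{f}",
}


def normalize(name: str) -> str:
    """Lowercase and keep letters only, so O'Brien -> obrien and Mary-Ann -> maryann."""
    return re.sub(r"[^a-z]", "", name.lower())


def render(pattern: str, first: str, last: str) -> str:
    """Build the local part of an address from a pattern and a person's name."""
    first_n, last_n = normalize(first), normalize(last)
    return pattern.format(f=first_n, l=last_n, fi=first_n[:1], li=last_n[:1])


def infer_format(samples):
    """samples: iterable of (first_name, last_name, email) gathered from OSINT.

    Returns (pattern_name, domain, matched_count) for the convention that explains
    the most samples, or None when no candidate pattern matches any sample."""
    domains = Counter()
    hits = Counter()
    for first, last, email in samples:
        local, _, domain = email.lower().partition("@")
        domains[domain] += 1
        for name, pattern in PATTERNS.items():
            if render(pattern, first, last) == local:
                hits[name] += 1
    if not hits:
        return None
    best, count = hits.most_common(1)[0]
    return best, domains.most_common(1)[0][0], count


def predict(first: str, last: str, pattern_name: str, domain: str) -> str:
    """Guess the address of someone whose name you found but whose email you did not."""
    return f"{render(PATTERNS[pattern_name], first, last)}@{domain}"


# Constructed sample: name/address pairs as they might appear in press releases.
SAMPLE = [
    ("Jane", "Doe", "jane.doe@example.com"),
    ("Ravi", "Patel", "ravi.patel@example.com"),
    ("Mary-Ann", "O'Brien", "maryann.obrien@example.com"),
    ("Li", "Wei", "lwei@example.com"),  # a legacy address that breaks the pattern
]

if __name__ == "__main__":
    fmt, dom, n = infer_format(SAMPLE)
    print(f"{n}/{len(SAMPLE)} samples follow {fmt}@{dom}")
    print("predicted:", predict("Sam", "Taylor", fmt, dom))
```

Three of the four constructed samples follow first.last, so that is the convention the script reports; the outlier is exactly the kind of legacy address a real attacker would also ignore. Once the format is known, every name harvested from LinkedIn or a press release becomes a usable target address without a single probe against your mail server.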
Phase 2: Write Phishing Emails
Many organizations conduct simulated phishing with hopelessly generic emails that don't mimic the real thing. When building your phishing account and writing emails, take the perspective of a motivated and sophisticated threat actor who has done their homework.
Here are a few tips you can use:
- Register a domain that closely resembles your organization's (for example, one with a single letter dropped) and send from an address on it. (Fun fact: our brains like to fill in the gaps when letters are omitted. This is one of the many ways phishing attacks prey on human psychology so effectively.)
- Don't use ChatGPT or other LLMs. Write the emails with care and precision, and mention key elements of the person's job if you were able to identify them during the reconnaissance phase. If you decide to send out mass emails that aren't targeted, utilize company language or recent company events as a real attacker might.
- Make your subject line an urgent one. For example, depending on the person you are targeting, adding "EMERGENCY" to the subject line is one way to do this. Urgency pushes people to act before they check the details that would give the email away.
- Have a call to action. Downloading a benign file is common in simulated phishing tests. Another option is to set up a web page to "capture" their corporate credentials, as an attacker might.

Phase 3: Establishing A Baseline
If you do your job well people are going to click.
If you do your job exceptionally well, people are going to click…a lot.
Once you've set up your domain and carefully crafted your phishing emails, it's time to send them out to individual employees. This baseline will help identify which employees are the most susceptible to phishing.
A few tips during this phase:
- Don't punish or shame employees for falling for it. If you punish employees, you will disincentivize them from reporting phishing attacks in the future.
- Make it clear that the purpose of the exercise is to simulate a real attacker and not to embarrass employees. Show employees why it's important to do these exercises.
- Show employees where you found their information that enabled you to craft your emails so that they can reduce their online footprint.
During this phase it can also be worthwhile to have employees review a service such as haveibeenpwned to see if they have credentials that are being traded on the dark web as well, as this is another common vector of attack.
Services like Picnic that search the web for personal information are also helpful to show employees. Picnic provides enterprises with the capability to manage their external human attack surface and to detect, prevent, and protect against social engineering attacks.
Using both dark and clear web monitoring services enables employees to pinpoint exactly where their information is available online and stay ahead of bad actors.
Phase 4: Training Employees
Follow up immediately and personally with employees who have downloaded a file or submitted credentials to your fake web page. There are many free or paid security training courses that you could prescribe to the individual.
Work with them to go over common phishing email tactics and strategies to avoid them:
- Focus on providing customized instruction and time one-on-one. Employees should never be publicly ridiculed for clicking phishing links.
- Showcase real examples of phishing emails that the company has received (or use online resources) to provide examples.
- Emphasize that phishing can come in many forms. Any emails that aren't expected from known entities should be carefully scrutinized.
Don't come across with the mentality of, 'simulated phishing exercises won't end until the click rates get better.' Instead, provide educational material that will help people feel comfortable reporting incidents.
Statistics like the following can be used to help illustrate the importance of coming forward: In the case of a type of phishing attack where threat actors impersonate banks, over 50% of victims are able to recover most of their money.
Example Of A Phishing Email
Here is an example of a more sophisticated phishing email that you might use as part of your training materials:

Can you spot what gives it away as phishing?
And, even more importantly, would every single person at your company be able to spot it as phishing if they saw it in their inbox?
The key elements here are:
- The misspelling in the sender's email address: the sender's domain does not match the official domain of our fake company (Savviest Tech Solutions). A near-miss domain like this is almost always a sign of phishing.
- The urgent call to action: This is common in many types of scams, not just phishing attempts. The scammer will attempt to instill a sense of urgency to create stress and try to prevent the victim from having time to think.
- The use of a fear tactic: Although not explicitly threatening, the email states that failure to comply may result in the recipient having their access to important systems suspended. This could create a fear of their performance at work being impacted.
- The link with a request for personal information: Any link asking for your credentials should always be thought twice about before clicking.
- The nature of the request itself: The recipient of this email should be extremely wary if this is the first time they're hearing about the new "security protocols" at their company.
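The first tell above, and the lookalike-domain tip in Phase 2, are both about a sender domain that is close to, but not, the corporate domain. The script below is an added example (not code from the article) of the check a mail gateway rule or a training exercise would apply to a From: header. The corporate domain savviesttech.com is an assumption based on the article's fictional company, and every header in the sample list is constructed.

```python
"""Flag a sender domain that merely resembles the corporate domain.

Added example; it is not code from the original article. The corporate domain
savviesttech.com is an assumption based on the article's fictional company, and
every header below is constructed. Checks: exact or subdomain match (internal),
corporate domain inside the display name (spoof), corporate name buried in another
domain, homoglyph substitution, and small edit distance (all lookalikes).
"""
from email.utils import parseaddr

CORPORATE = {"savviesttech.com"}   # assumption: the fake company's real domain
MAX_DISTANCE = 2                   # edit distance at or below this is a lookalike

# Single-character look-alikes, mapped to one canonical form.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
# Multi-character look-alikes (rn reads as m, vv as w, cl as d).
PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def canonical(domain: str) -> str:
    """Collapse visually similar characters so homoglyph domains compare equal."""
    d = domain.lower()
    for pair, single in PAIRS:
        d = d.replace(pair, single)
    return d.translate(HOMOGLYPHS)


def registrable(domain: str) -> str:
    """Last two labels (naive: no public-suffix list, fine for .com-style domains)."""
    return ".".join(domain.lower().split(".")[-2:])


def classify_sender(from_header: str, corporate_domains=CORPORATE) -> str:
    """Return 'internal', 'display-name spoof', 'lookalike', 'external' or 'malformed'."""
    display, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    domain = domain.lower()
    if not at or "." not in domain:
        return "malformed"
    corp = {c.lower() for c in corporate_domains}
    if domain in corp or any(domain.endswith("." + c) for c in corp):
        return "internal"
    if any(c in display.lower() for c in corp):
        return "display-name spoof"      # e.g. "ceo@corp.com" <ceo@gmail.com>
    reg = registrable(domain)
    for c in corp:
        if c.split(".")[0] in domain:    # corporate name used inside another domain
            return "lookalike"
        if canonical(reg) == canonical(c):
            return "lookalike"           # homoglyph swap
        if levenshtein(reg, c) <= MAX_DISTANCE:
            return "lookalike"           # dropped, added or swapped character
    return "external"


# Constructed From: headers a mail gateway or a training deck might show.
SAMPLE_HEADERS = [
    "IT Support <it-support@savviesttech.com>",
    "IT Support <helpdesk@mail.savviesttech.com>",
    "IT Support <it-support@savviestech.com>",        # one t dropped
    "IT Support <it-support@sawiesttech.com>",        # vv -> w
    "Security <alerts@savviesttech-login.com>",
    "Security <alerts@savviesttech.com.evil.net>",
    '"ceo@savviesttech.com" <ceo@gmail.com>',
    "UPS <noreply@ups.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):<18} {header}")
```

The dropped-letter domain from Phase 2 is caught by edit distance, the vv-for-w swap by the homoglyph canonicalization, and the two "corporate name buried in a longer domain" cases by the substring check. For very short corporate domains lower MAX_DISTANCE to 1, otherwise unrelated domains start to collide. None of this replaces SPF, DKIM and DMARC on your own domain; it is the complementary check for domains you do not control.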
Phishing Training For Employees Phase 5: Reiterate and Collect Data
Within weeks to months, you should run another test.
Compare your results to the baseline data:
- Have employees substantially improved?
- Are there repeat offenders who have fallen for multiple tests?
These are excellent statistics to collect and can be powerful, as they enable you to measure your program's effectiveness.
Do You Need Phishing Training For Employees?
If your company uses email (or if your employees have cell phones, as texting can be another vector for phishing), the answer is simple:
Yes.
As stated above, phishing is extremely common and is the number one way organizations fall victim to cyberattacks. In 2023, over 25% of U.S. employees clicked a link in an email that opened a suspicious website.
If you are a startup or a small business, the answer is just an even more emphatic yes!
Cybersecurity for startups and small businesses is critical, as they are being increasingly targeted by threat actors. When it comes to phishing, the risk appears higher for smaller companies:
Consider the fact that an employee at a company with fewer than 100 employees receives 350% more phishing emails in their inbox than an employee at a large company.
This makes security awareness training one of the most effective ways to mitigate cybersecurity risk for SMBs.
Does phishing training for employees actually work?
Yes!
Threat actors engage in phishing because it's one of the most effective and low-effort tools they can use to gain access to usable credentials like passwords. Prevention is key when dealing with threats from phishing, and thankfully, training works:
According to Proofpoint's 2024 State of the Phish Report, 84% of U.S. organizations reported that after their employees underwent security awareness training, the ability to spot phishing attempts improved, and click rates on phishing emails decreased.
That represents a lot of users who avoided clicking a link that would've delivered malware like a virus or ransomware to their computers.

Do I need phishing training to meet controls under cybersecurity standards and regulatory frameworks?
If you are trying to ensure best practices for your cybersecurity - as well as compliance with standards relevant to your industry - you absolutely need to conduct robust security training.
Security awareness training is one of the top Critical Security Controls recommended for SMBs by the Center for Internet Security (CIS):
- Control 14: Security Awareness and Skills Training. Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
- Control 14.2: Train Workforce Members to Recognize Social Engineering Attacks.
- Control 14.6: Train Workforce Members on Recognizing and Reporting Security Incidents.
The CIS is far from the only entity to include security awareness training in its guidelines.
The laws and regulations that require security awareness training include:
- The HIPAA Privacy Rule and the HIPAA Security Rule
- The Gramm-Leach-Bliley Act (GLBA)
- The Federal Information Security Management Act (FISMA)
- Massachusetts' data security regulation (201 CMR 17.00)
- GDPR
Security awareness training is also required under standards including:
- PCI DSS
- ISO 27002
- NIST Special Publication 800-53
It is also a standard control organizations must fulfill as part of their SOC 2 audit.
The Bottom Line: Phishing training is one of the most important items addressed in security awareness training. A security awareness program that failed to include phishing training for employees would be viewed by auditors and regulators as insufficient.
The Top Current Recommendations To Mitigate Phishing Risk
The best-of-breed, most up-to-date practices to mitigate the risk of social engineering tactics are outlined in ReliaQuest's 2024 Cyber-Threat Report. Here's a summary from the report:
- Harden MFA Mechanisms: Implement a certificate-based authentication policy. Use digital certificates to verify the authenticity of users during the authentication process. Additionally, consider limiting the token lifetimes for MFA—by setting a shorter timeframe, you reduce the window of opportunity for attackers to exploit them.
- Add or use Alternative Authentication Factors: Consider implementing biometrics and adaptive authentication. Biometrics can include features like fingerprint or facial recognition, and adaptive authentication verifies users based on multiple factors, such as location, user behavior, and registered device.
- Train Employees: Develop regular training sessions and simulation exercises to teach employees how to recognize and report social engineering attempts, such as phishing emails, phone calls, and in-person scams. Teach employees to scrutinize email headers, links, and attachments and to report any suspicious activity.
- Enforce Password Security: Implement password policies requiring complex passwords (12-plus characters, uppercase, lowercase, number, and symbol), prevent password reuse, enforce password changes every 90 days, and enable MFA. Note that NIST SP 800-63B advises against forced periodic rotation unless there is evidence of compromise; many organizations now pair MFA with long passphrases screened against breached-password lists instead of a 90-day change cycle.
- Limit Access to Sensitive Information: Restrict information access to a need-to-know basis.
The Bottom Line: Phishing training for employees plays a key role in mitigating the risk of social engineering attacks and is one of the methods most commonly recommended for organizations by industry leaders in cybersecurity.
Why Do Companies Outsource Phishing Training For Employees?
Many companies choose to outsource phishing testing and training for several reasons:
Having a third party conduct your phishing testing and training is generally more robust from a security standpoint and works better from an auditing standpoint as well. The amount of work involved in phishing testing can also be a huge time suck and disruptive to daily business operations.
If your team has the security know-how and the bandwidth, you can certainly conduct phishing training for employees on your own using the 5 steps outlined above. But if you're curious about how outsourcing phishing testing and training to the experts works, here's Rhymetec's methodology that we've implemented with hundreds of clients:
Rhymetec's Method For Phishing Testing and Training
First, our Phishing Simulation Assessment determines the scope of the phishing campaign and which users to include. Our team has decades of experience in offensive security and is easily able to tailor the project to each organization's needs.
We use the exact same techniques cybercriminals use: making minor changes in URLs, crafting convincing email messages, and conducting reconnaissance on employees' online footprints.
The Phishing Simulation is scheduled to be performed at an agreed-upon time.
Once users fall for a phishing email or input their credentials into a phishing website, our team immediately provides security awareness guidance on what phishing is and how to spot phishing attempts in the future.
After the baseline assessment, Rhymetec produces a preliminary written report.
Our Phishing Platform Portal provides robust reporting to equip you with the information needed to create gradual improvements in your organization's security. This is typically represented through a gradual decline in month-on-month phishing click rates.
Our platform provides actionable data on the number of users who viewed a phishing email, users who clicked the link in a phishing email, and users who entered credentials into a phishing website. Post-report, we send additional educational training modules to staff members who did not pass the assessment.
Rhymetec's method is guaranteed to fulfill requirements for phishing training for employees under regulatory and voluntary standards, including SOC 2, GDPR, HIPAA, NIST, PCI DSS, and more.

In Conclusion: Two Key Recommendations For Phishing Training For Employees
We recommend conducting continuous phishing training throughout the year to keep employees mindful of phishing risks. Continuous phishing training can be an extremely powerful tool for reducing the risk that threat actors get access to your environment.
We also recommend having a solid incident response plan in place.
At the end of the day, people are only human, and mistakes happen. While measures like security awareness and phishing training for employees are essential and do work to mitigate a substantial amount of risk, nothing is foolproof when it comes to preventing human error 100% of the time. Having a documented incident response policy is vital:
We encourage companies to invest in prevention by preparing employees as best as they possibly can while also having a plan in place in case an incident were to occur.
Managed Security Services Providers like Rhymetec offer a full arsenal of prevention measures that mitigate a huge amount of risk, while also providing procedures, policies, and assistance in the event of a security incident.
To learn more about how our team can accelerate your security while keeping your budget in mind, contact us for more information.
About The Author: Metin Kortak, CISO
Metin Kortak is the Chief Information Security Officer at Rhymetec. Metin began his career working in IT security and gained extensive knowledge of compliance and data privacy frameworks such as SOC 2, ISO 27001, PCI, FedRAMP, NIST 800-53, GDPR, CCPA, HITRUST and HIPAA. He joined Rhymetec to build data privacy and compliance as a service offering. Under Metin’s leadership, these offerings have grown to more than 200 customers, positioning the company as a leading SaaS security service provider in the industry.
Businesses live and die by their budgets, so many organizations still consider an information security (or infosec) program "nice to have." They no longer have the luxury of thinking that way.
As businesses increasingly rely on technology and cloud-based infrastructures for their operations, the stakes for protecting sensitive data and systems have never been higher. The threat ecosystem evolves constantly, demanding vigilance and a proactive approach to security. This means a comprehensive security strategy is necessary for companies of all sizes.
A well-constructed infosec program is the first line of defense against potential breaches, safeguarding the company’s assets and reputation. It’s a critical component that supports a business’s overall health and sustainability in a world where cyber threats are becoming more sophisticated, and compliance is a foundational standard for stakeholders.
Understanding nuances of the cost helps you make informed decisions and ensures the long-term success and resilience of your company’s information security measures.
The Real Cost Of Cybersecurity
There’s a common misconception that the cost of building an infosec program is too high for many businesses, especially smaller ones. However, this perception overlooks the substantial long-term benefits and cost savings associated with a well-implemented security strategy.
The initial investment in a robust infosec program is often considered a major expenditure. Still, this perspective fails to account for the hidden costs of inadequate security, such as data breaches and regulatory fines.
Another key aspect that’s often misunderstood is the difference between merely ticking off compliance checklists and actually building a comprehensive infosec program. Compliance is a starting point, but it doesn’t equate to a foolproof security strategy. Relying solely on compliance checklists can create a false sense of security, leaving businesses vulnerable to evolving cyber threats.
A genuinely robust security program requires ongoing investment, attention and adaptation, going beyond compliance basics to establish a resilient and proactive defense mechanism.
Long-Term Cost Benefits Of A Strong InfoSec Program
Investing in an all-encompassing information security program can bring substantial long-term cost benefits, a fact often overlooked in initial budget considerations.
According to a report by IBM, the average data breach cost in 2020 was $3.86 million. In contrast, proactive investment in security infrastructure and personnel training may seem costly upfront but can save millions over the long term by preventing breaches. Additionally, a robust security approach can streamline operations, reduce downtime caused by security incidents and enhance overall business efficiency, leading to indirect cost savings and improved business continuity.
The High Price Of Non-Compliance
In contrast with these benefits, the high price of non-compliance also requires consideration. The consequences can be severe when businesses fail to comply with regulatory standards or fall short in their security measures.
For example, Indianapolis-based insurer Anthem, Inc. recently paid out $115 million to settle a class-action lawsuit due to its alleged failure to implement adequate information security controls after the electronic protected health information (ePHI) of nearly 79 million people was compromised in a 2015 breach.
In addition to the lawsuit settlement, Anthem paid a penalty of $16 million for HIPAA violations to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The company was also required to undertake substantial corrective actions.
Building Your Information Security Program
Building an effective information security program requires careful evaluation of available resources.
Companies must assess personnel, financial allocations and technological infrastructure factors to establish a robust security framework. If internal resources are inadequate, outsourcing to managed security service providers (MSSPs) can be a viable option to bolster infosec capabilities.
With the necessary resources, a thorough evaluation of organizational assets becomes paramount. Understanding the scope and sensitivity of data, systems and networks lays the foundation for effective risk management.
After evaluating assets, identifying and comprehensively understanding risks is pivotal in shaping the security program. Numerous tools and specialized companies exist to assist organizations in mitigating potential threats. However, selecting the right solutions tailored to the company's specific needs and operational context is essential. By aligning risk mitigation strategies with organizational objectives, companies can fortify their information security posture and navigate evolving cyber threats with greater resilience and efficiency.
Balancing Cost And Quality In Vendor Selection
Selecting vendors intentionally for your security needs is crucial, and the balance between cost and quality must be carefully managed.
It is tempting for businesses to choose the lowest-cost option when selecting vendors, but this approach can compromise the quality and effectiveness of the security program. Decisions based on cost alone can lead to suboptimal outcomes. This principle is particularly pertinent in cybersecurity, where the stakes are high.
Selecting a vendor involves more than just comparing prices; it demands a thorough vetting process. It requires a comprehensive evaluation of the vendor’s capabilities, track record, compliance with industry standards and ability to adapt to the evolving threat landscape. The right vendor should fit within the budget and align with the company’s security objectives and values.
This approach ensures that the investment in security yields the desired level of protection without compromising quality.
An Essential Investment
Building a robust security program is an essential investment for modern businesses, transcending the traditional view of it being a mere expense. The misconceptions surrounding the costs of security programs need re-evaluation, considering the significant long-term benefits and cost savings they offer. The financial and reputational damages resulting from non-compliance and security failures further highlight the importance of such investments.
Viewing your company’s security as a strategic investment rather than a cost can lead to a safer, more resilient, financially sound future in the increasingly digital business world.
You can read the original article posted in Forbes by Rhymetec CEO, Justin Rende.
About Rhymetec
Rhymetec was founded in 2015 as a Penetration Testing company. Since then, we have served hundreds of SaaS businesses globally in all their cybersecurity, compliance, and data privacy needs. We’re industry leaders in cloud storage security, and our custom services align with the specific needs of your business. We offer managed compliance for frameworks including HITRUST, NIST, HIPAA, GDPR, SOC 2, and more. If you want to learn more about how our team can help your business with your security needs, contact our team for more information.
Interested in reading more? Check out our blogs:
- Security Policies for Small Businesses: 5 Tips For Effective Communication
- Cybersecurity for Startups - A Rhymetec Guide for 2024
- Security Questionnaire From A Customer? What To Expect and How To Answer
There were many major releases in 2024. The hit new TV series FX Shogun, Dune Part 2, Taylor Swift's Eras Tour on Disney+, and most importantly, the new NIST Cybersecurity Framework Version 2.0 with the addition of the NIST Governance Function.
Thrilled yet? Well, you should be. The National Institute of Standards and Technology regularly releases technical guidance documents and frameworks for both the public and private sectors to use as best practices guides.
The original NIST Cybersecurity Framework (NIST CSF) serves as the basis for tens of thousands of cybersecurity programs around the world and directly inspires many other compliance frameworks and requirements.
By meeting NIST, organizations automatically cover many controls in other requirements that overlap with NIST. It's widely considered the gold standard of robust cybersecurity across many industries.
This article will explore NIST CSF V2.0, what's changed, and what's likely to change going forward.
If you have more specific questions on what these changes may mean for your organization, please feel free to contact our team for support:
What Is The NIST Cybersecurity Framework?
NIST CSF was originally intended as a cybersecurity framework for critical infrastructure companies.
Some key facts about NIST CSF V1.0:
- The original NIST CSF was released in 2014
- NIST CSF was developed in collaboration with industry and government stakeholders
- Provided a high-level framework for cybersecurity risk management
- Consisted of five core functions: Identify, Protect, Detect, Respond, and Recover
- Each core function is broken down into subcategories and controls
- NIST CSF is voluntary, but it is widely used by organizations of all sizes
- NIST CSF has been updated periodically (V1.1 in 2018) to reflect changes in the cybersecurity landscape
In addition, many regulations (particularly those in the United States) directly drew on controls originally formulated in the NIST Cybersecurity Framework.
NIST CSF is split into five functions reflecting elements of the cybersecurity lifecycle, including:
Identify:
- Get visibility into the network environment, including asset categorization.
- Create continuous monitoring for new assets being brought back online or added to the network.
Protect:
- Implement robust security protocols across the organization to include IDS/IPS, firewalls, EDR systems, and anti-virus
- Create and maintain a regular patching program to reduce exploitable vulnerabilities.
- Utilize strong authentication (such as multi-factor authentication) to reduce the risk of unauthorized access.
Detect:
- Use security monitoring tools to get visibility into suspicious activity such as unauthorized access attempts.
- Set up a notifications and alerts system to inform your security team in a timely manner of potential incidents and threats.
Respond:
- Have a well-documented incident response plan that describes the procedures for responding to security incidents.
- Be able to contain security incidents to minimize their impact and mitigate further damage.
Recover:
- Ensure a comprehensive backup and recovery program is in place to protect critical assets and restore data in the event of a security incident or natural disaster.
- Test backup and recovery programs regularly and update as needed.
NIST CSF V2.0: What's In It?
NIST CSF V2.0 carries on many of the fundamental themes found in the original NIST CSF. However, a new element has been added: the NIST Governance function.

Source: NIST Drafts Major Update To Its Widely Used Cybersecurity Framework.
Note the clear emphasis of the guidance under this new function:
Governance
- Executives take on an active role in organizational risk management and collaborate on how potential cybersecurity gaps across the organization may impact broader objectives.
- Regularly hold dialogue among executives about risk management strategies, roles, and policies.
- Establish security goals tailored to the industry and organization at the executive level.
- Document and communicate security policies and expectations down the line to managers and individuals.
- Encourage collaboration at the executive level and across the organization about risk management strategies, including cybersecurity supply chain risk.
- Ensure cybersecurity risk management is explicitly rolled into overall Enterprise Risk Management (ERM).
In short, the updated CSF is intended to help executives communicate better about cybersecurity, with the goal of ensuring robust security through every level of the organization:
"The CSF helps organizations translate their terminology for cybersecurity and cybersecurity risk management into general risk management language that executives will understand."
The features of the new version also help enforce that the CSF applies to small organizations as well as large ones, and can be easily tailored to fit their needs.
A New Addition: NIST Governance and What It Means For Businesses Going Forward
It's important to remember that, compared to many functions of a business, cybersecurity in its current state is still extremely young.
Cybersecurity began as a sub-discipline of Information Technology.
In the 2010s, business leaders, particularly in industries with a heavy reliance on information technology, increasingly came to see cybersecurity as a standalone field - one that needed adequate resources and provisioning to succeed.
The NIST Governance section is an effort to add concreteness to cybersecurity as a board-level conversation in its own right and not just an offshoot of information technology. NIST states:
"The CSF's governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation."
It's worth pausing for a moment and reflecting on what a significant statement this is.
NIST is advising companies to treat cybersecurity as significant a risk as running out of money or having their reputation destroyed (note that bad cyber practices can cause both of these things).
The new NIST governance function includes six key aspects:
- Organizational Context (GV.OC)
- Risk Management Strategy (GV.RM)
- Roles, Responsibilities, and Authorities (GV.RR)
- Policy (GV.PO)
- Oversight (GV.OV)
- Cybersecurity Supply Chain Risk Management (GV.SC)
The introduction of Cybersecurity Supply Chain Risk Management (C-SCRM) under governance is another critical addition.
Software supply chain attacks have become increasingly common in recent years, such as the 2020 SolarWinds breach and the 2023 MOVEit vulnerability, famously exploited by the CL0P ransomware group.
Rhymetec's Take: The business impact of investing in cybersecurity is exceptionally high. The threat landscape has continued to increase in risk, and organizations are increasingly expecting third-party suppliers to not only meet compliance but also demonstrate security that goes past it. NIST CSF's Governance change is an excellent addition that reflects the growing importance of security for modern businesses.

The Expanded Scope: NIST Governance
NIST CSF V1.0 was focused specifically on critical infrastructure. While this did not stop organizations all over the world from using it as a basis, it did create a sense that it might be overkill for some businesses.
NIST CSF V2.0 has remedied this flaw and makes it clear that the CSF can be tailored to fit any business regardless of size or maturity.
Rhymetec's Take: In this case NIST is catching up to where many organizations already are. NIST has long and widely been used as the basis for cybersecurity programs, but it is a positive development for them to acknowledge and expand the use case.
Additional Resources for Implementation and The NIST Governance Section
One of the most profound and significant changes has been the additional material NIST is publishing to help organizations build their security programs based on the cybersecurity framework.
NIST is publishing several supplementary documents alongside the framework, including:
Implementation Guidance for CSF V2.0
The implementation guidance is an extremely valuable addition to the CSF.
Many organizations, particularly those without dedicated cybersecurity staff, may struggle to understand what the framework is actually asking of them. The implementation examples add an enormous amount of clarity.
For example, let's take a control found in the new governance section:
GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships.
For seasoned governance risk and compliance professionals, this may seem straightforward.
But for an organization without GRC staff that is just beginning to think about third-party due diligence, how can this be implemented?
Fortunately, the implementation guidance provides concrete examples that help businesses understand how to put a control into practice. For GV.SC-06, NIST provides four implementation examples:
- Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship.
- Ex2: Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers.
- Ex3: Conduct supplier risk assessments against business and applicable cybersecurity requirements, including lower-tier suppliers and the supply chain for critical suppliers.
- Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use.
For many organizations, the implementation examples will be key to clarifying what the framework is asking of them. Note how each example has slightly different wording: compliance isn't a one-size-fits-all project.
Many compliance requirements leave room for organizations to implement the security control in a way that will optimally benefit their organization.
Working with a vCISO can help by leveraging decades of experience in tailoring security controls to your company's unique risk profile, maximizing your return on investment while also ensuring that your organization meets the technical and intended definition of the control.
For instance, example 4 only has the organization assessing critical products before acquisition and use, whereas example 1 has the organization tiering its suppliers and scaling due diligence to each tier. An organization just beginning its C-SCRM program may not have the sophistication or resources (or need!) to fully vet every supplier under a tiered approach.
While the company matures, assessing only mission-critical suppliers and products can be an excellent addition to a security program, and it is far better than doing nothing.
Rhymetec's Take: Implementation guidance should substantially help bridge the gap, particularly with small or immature organizations to effectively implement NIST CSF 2.0's guidance. Note that simply claiming you are meeting a control will not pass an auditor's scrutiny. You need to have a documented process for meeting the control, appropriate technology, and evidence that your policy is acted upon.
NIST CSF 2.0 Reference Tool
Another addition with NIST CSF 2.0 is a new reference tool that can be used to identify requirements and export data quickly.
Rather than reading a massive PDF, the new reference tool makes it simple to rapidly identify controls or subsets of controls within NIST and export that section or subset either in machine or human-readable format.
Users are able to filter based on the control family and whether the control is focused on first or third parties and then export the data into JSON or Excel. The reference tool also includes the aforementioned implementation guidance, significantly simplifying the process of understanding and complying with controls.
This makes it considerably more user friendly and allows easy exporting of data.
The reference tool could be helpful for many organizations, but particularly for large or complex ones where many different individuals and functions are responsible for implementing CSF 2.0, including the new Governance function.
NIST CSF 2.0 Quick Start Guides
The last major addition to NIST CSF 2.0 we will cover is quick start guides, designed to help organizations get started on implementing controls from NIST Governance and other functions based on their unique circumstances and risk posture.
Quick start guides are segmented into:
- Organizational Profiles: According to NIST, an organizational profile "...describes an organization's current and/or target cybersecurity posture in terms of cybersecurity outcomes from the Cybersecurity Framework (CSF) Core."
- Community Profiles: These are designed to help specific industries and sectors implement the CSF based on their unique risk profile. According to NIST, "A Community Profile can be thought of as guidance for a specific community that is organized around the common taxonomy of the CSF."
- Small Business Resources: The small business section of the quick start guide is focused on providing actionable, easy-to-implement steps that small businesses can use to begin implementing CSF V2.0 controls.
- Cyber Supply Chain Risk Management (C-SCRM): C-SCRM is a growing concern for organizations of all sizes that continues to be highlighted by major supply chain breaches. The C-SCRM quick start guide provides specific guidance on how you can use the CSF to establish your C-SCRM program.
- Enterprise Risk Management: The Enterprise Risk Management quick start guide helps organizations better understand the implementation of NIST CSF 2.0, particularly NIST Governance, in a complex and multifaceted enterprise context.
- Tiers: NIST CSF 2.0 tiers "...can be applied to CSF Organizational Profiles to characterize the rigor of an organization's cybersecurity risk governance and management outcomes. This can help provide context on how an organization views cybersecurity risks and the processes in place to manage those risks."
Concluding Thoughts On NIST Governance and NIST CSF 2.0
NIST CSF 2.0 represents a huge step forward from the original framework.
There has clearly been a focus on making it easier to conceptualize, understand, and implement CSF controls in a way that will reduce organizational risk for businesses.
The NIST governance section is a critical addition that helps solidify the case that cybersecurity and cyber risk management are no longer a function of the IT department, but a function that requires whole-business buy-in from the board of directors down to individual department heads.
Contact our team at Rhymetec for more information.
About Rhymetec
Our mission is to make cutting-edge cybersecurity available to SaaS companies and startups. We’ve worked with hundreds of companies to provide practical security solutions tailored to their needs, enabling them to be secure and compliant while also balancing security with budget. We offer a full suite of security services including mobile application penetration testing services, phishing testing services, PCI compliance scanning, and more.
Our team has extensive experience helping organizations implement a variety of security frameworks and compliance requirements, including NIST CSF, SOC 2, HIPAA, GDPR, and many more.
We enable our clients to outsource the complexity of security and focus on what really matters – their business. If you are interested in our services, or if you simply have questions about security, you can contact our team for more information.
About The Author: Metin Kortak, CISO
Metin Kortak is the Chief Information Security Officer at Rhymetec. Metin began his career working in IT security and gained extensive knowledge of compliance and data privacy frameworks such as SOC 2, ISO 27001, PCI, FedRAMP, NIST 800-53, GDPR, CCPA, HITRUST and HIPAA. He joined Rhymetec to build data privacy and compliance as a service offering. Under Metin’s leadership, these offerings have grown to more than 200 customers, positioning the company as a leading SaaS security service provider in the industry.
An Interview With Metin Kortak, Rhymetec CISO, & Cynthia Corsetti On The Impact of AI.
Metin Kortak Of Rhymetec: How AI Is Disrupting Our Industry, and What We Can Do About It
The Fast-Moving Impact of AI: Artificial Intelligence is no longer the future; it is the present. It’s reshaping landscapes, altering industries, and transforming the way we live and work. With its rapid advancement, AI is causing disruption — for better or worse — in every field imaginable. While it promises efficiency and growth, it also brings challenges and uncertainties that professionals and businesses must navigate. What can one do to pivot if AI is disrupting their industry? As part of this series, we had the pleasure of interviewing Metin Kortak.
Thank you so much for joining us in this interview series. Before we dive into our discussion our readers would love to “get to know you” a bit better. Can you share with us the backstory about what brought you to your specific career path?
Having a technical background in computer science, I came across an opportunity to work for a small cyber security company in New York City. This opportunity included working on cyber security projects for SaaS companies offering FinTech, CRM, and health care services. At first, this was meant to be a small contracting job, but my clients were incredibly happy with the services I provided — so much so, that they referred our company to several other businesses. In fact, the majority of our clients came through referrals from the network of our clients and partners in the beginning. These connections and the experience led me to Rhymetec, where I joined as the second employee and a partner to build my own department. Six years later, Rhymetec successfully provides cyber security and compliance services to hundreds of businesses across the globe.
What do you think makes your company stand out? Can you share a story?
Rhymetec is and has been 100% bootstrapped from the beginning. This has allowed the executive team to direct all of our focus on improving the quality of our services and our customer satisfaction. The reality is, taking an investment is a full time job and our energy is better spent on the company itself and not searching for funds.
You are a successful business leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
- Patience. In the early stages of our business, we only had three clients that we were working with, and this was the case for at least half a year. Growth comes slowly but when it does, it can be overwhelming. We had to scale for high growth while maintaining our patience when we only had a few clients.
- Hard Work. I remember needing to often work at our client offices until 1–2 a.m. in the morning due to issues related to their network firewalls or conducting penetration tests. There have been many all-nighters just because we didn’t have enough resources to complete some projects, but at the end of it we always did because we kept believing in what this company could become.
- Trust. As a cyber security company, our top priority is the security of our customers. Customers trust us and we trust our employees to protect and secure our customers. We put a lot of trust in our employees because we see them as part of this business and not as disposable assets. We are also very transparent with our employees and with that comes a lot of trust. I think it’s important to have mutual trust in this business because we value long term relationships with our employees, and we believe that’s what drives our business forward.
Let’s now move to the main point of our discussion about the impact of AI. Can you explain how AI is disrupting your industry? Is this disruption hurting or helping your bottom line?
Artificial intelligence (AI) has been one of the hottest topics to discuss since the emergence of ChatGPT, and it has made its way into the consumer space. My stance on Artificial Intelligence may be considered controversial. Artificial Intelligence has massive potential, from creating art to solving complex world issues. However, we see SaaS businesses jumping on the bandwagon and offering services utilizing AI without much due diligence or further thought into integrating AI with their product. I think the reason why we’re seeing the emergence of AI is due to the competitive space. It doesn’t matter how well it works; by offering AI services, you are trying to stay one step ahead of your competitors.
The cold reality is, AI is growing faster than us. As a cyber security professional, I can’t underestimate the consequences on the security and privacy of customer data. Most of us do not understand how AI works because it is designed to be constantly evolving and learning from different data inputs.
Our approach to cyber security is compliance and regulation based. The work doesn’t stop there, but one of the first steps in building a strong information security program is to ensure compliance with applicable laws and regulations. There are currently no laws or regulations to protect the use of Artificial Intelligence, and that alone is a concern on its own.
Which specific AI technology has had the most significant impact on your industry?
Generative AI has had the most impact on not just our industry, but also the consumer space. It has revolutionized the way we approach creativity, problem-solving, and communication. Its ability to generate content, whether in the form of text, images, or even multimedia, has redefined possibilities and opened up new horizons for innovation. The dynamic nature of generative AI has not only streamlined processes within our industry but has also created more engaging and personalized experiences for consumers, leading to a paradigm shift in how we interact with technology. As we continue to witness advancements in this field, the influence of generative AI is bound to extend even further, shaping the future landscape of both my industry and consumer interactions.
Can you share a pivotal moment when you recognized the profound impact AI would have on your sector?
A couple of months ago, during a podcast I was a guest on, we discussed the potential impact of AI on the cyber security industry. It was brought up that some vulnerability scanning tools were considering utilizing AI to understand security vulnerabilities and conduct improved penetration tests. This can be a great tool to identify security vulnerabilities before an attacker does. However, if AI can be used for defensive security, it can most likely be used offensively if it were in the hands of the wrong people.
In a world where we rely on technology to harvest our crops, perform surgeries, secure our finances, and keep hospice patients alive, the impact of using AI as an offensive form of cyber attacks can have devastating effects.
How are you preparing your workforce for the integration of AI, and what skills do you believe will be most valuable in an AI-enhanced future?
At Rhymetec, we have banned the use of public consumer-facing generative AI tools such as ChatGPT, and conduct several cyber security awareness training sessions to ensure our employees understand the importance of following our information security policies.
However, in an AI-enhanced future, valuable skills will include technical proficiency, adaptability, critical thinking, creativity, interpersonal skills, and ethical awareness. These attributes will enable individuals to collaborate effectively with AI, contribute innovative solutions, and navigate ethical considerations in a rapidly evolving technological landscape.
What are the biggest challenges in upskilling your workforce for an AI-centric future?
As a cyber security business, the security of our clients comes at the forefront of our objectives. We are doing the following:
- Conducting a comprehensive vendor security analysis on behalf of our customers. Many SaaS products have already enabled AI services without notifying their customers. Just as I mentioned earlier, these are the companies that jumped on the bandwagon, and due diligence on these vendors is crucial to protecting our customers.
- Creating Artificial Intelligence security policies. Many businesses do not currently have internal policies around how to protect themselves from the risks of artificial intelligence. This is where we play our part and help our customers build applicable internal policies.
- In order to plan for the future, we are closely monitoring any laws, regulations, and compliance frameworks that focus on AI security. On December 8, 2023, the European Union agreed on the “A.I. Act.” According to the New York Times, this is one of the world’s first comprehensive attempts to limit the use of a rapidly evolving technology that has wide-ranging societal and economic implications.
What ethical considerations does AI introduce into your industry, and how are you tackling these concerns?
Data privacy is one of the top concerns that comes with the emergence of AI. AI uses algorithms to create responses and perform various activities. The algorithm learns from different data inputs, which in some cases include personally identifiable information (PII), financial data, and even electronic protected health information (EPHI). The lack of control over these data sets is problematic and may be already violating certain privacy laws such as GDPR and CCPA. It was already very difficult to provide full control over sensitive information to data subjects without Artificial Intelligence, and I can’t imagine it is easier or possible now.

What are your “Five Things You Need To Do, If AI Is Disrupting Your Industry”?
1. Isolate your AI systems
If you are using or building generative AI tools, maintaining control over your data is crucial and can be confusing. In order to tackle this issue, many organizations use self-hosted Large Language Models (LLMs). Large Language Models, also known as “LLMs” are deep learning data models pre-trained on vast amounts of data to recognize and generate content. Generative AI applications are built on top of large language models (LLMs) such as ChatGPT. When using generative AI systems, using self-hosted LLMs can protect the privacy of your customers’ data and give you more control over the data you receive as LLMs improve with more data.
2. Do not train public AI Tools with your data
Although this is new, some AI systems now give you the option to opt out of model training. This means your data will not be used for model training of generative AI tools like ChatGPT. More importantly, organizations also have the option to opt out of model training if they are utilizing OpenAI’s APIs for building their own generative AI tools.
3. Have human oversight during AI assisted development.
AI can and is helping software developers across the globe build software, identify code related issues, and assist with overall development. Although the results can be very useful, AI is not flawless and there may be mistakes. Which is why it’s so important to review results from generative AI tools before using them in practice.
4. Test your AI systems against OWASP Top 10 for LLM
As with all applications, testing for security vulnerabilities is crucial, and in some cases required by many compliance frameworks. The OWASP Top 10 for Large Language Model Applications project aims to educate developers, designers, architects, managers, and organizations about the potential security risks when deploying and managing Large Language Models (LLMs). The project has created a list of the top 10 security vulnerabilities when working with LLMs.
5. Create an AI security policy
Even if you do understand the security implications of AI, your employees may not. As generative AI tools become more consumer facing, employees often use tools like ChatGPT to assist them with their tasks. What happens if an employee inputs credentials or customer data? Samsung had to learn this lesson the hard way after an employee leaked sensitive code through ChatGPT. Having a strong AI policy written and implemented can ensure incidents like this don’t happen in the future and that your employees are trained on the security best practices of using AI tools.
What are the most common misconceptions about AI within your industry, and how do you address them?
A lot of people think that AI is biased and doesn’t yield satisfactory results. AI is not a person, it’s an algorithm generating answers and completing tasks based on data it’s provided with. If results are not satisfactory, that is likely due to issues with the data AI is provided to be trained with. AI systems learn from historical data, which may unintentionally embed existing biases present in that data.
To address this concern, it’s essential to educate the public about the nature of AI and its dependency on the quality and diversity of the training data. If the results appear biased or unsatisfactory, it is more likely a reflection of the biases present in the data used for training. In essence, addressing the misconception involves a combination of education, transparency, and a commitment to refining AI models to align with ethical and unbiased standards, reinforcing the understanding that AI’s performance is intricately tied to the quality and fairness of the data it learns from.
Can you please give us your favorite “Life Lesson Quote”? Do you have a story about how that was relevant in your life?
“Live like there is no tomorrow!” It may sound like a cliché, but it’s more relevant now than ever. My life is busy. I reside in New York City, and travel frequently for work. I have to always have an organized schedule to keep up with my lifestyle, and I have found it is crucial to prioritize being fully present. I realized the key to a happier life is to be more fully present. Everyday I try to adopt habits to be more present in life, like using less social media, taking a walk without my phone, or having small talk with co-workers. These intentional practices contribute to a more balanced and ultimately happier lifestyle.
Off-topic, but I’m curious. As someone steering the ship, what thoughts or concerns often keep you awake at night? How do those thoughts influence your daily decision-making process?
The responsibility of overseeing the technological landscape and security postures of organizations requires a heightened awareness of evolving threats and vulnerabilities. Each day, my efforts are dedicated to assisting an increasing number of organizations fortify their security postures, and the knowledge that another business is more secure as a result of my team’s efforts brings me greater peace of mind at night.
You are a person of great influence. If you could start a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
A movement advocating for enhanced laws and protections around consumer privacy would bring substantial benefits for consumers. We live in an era dominated by digital interactions, and individuals are increasingly vulnerable to the misuse of their personal information. Strengthening privacy regulations would establish clear boundaries, ensuring that companies handle consumer data responsibly and ethically.
How can our readers further follow you online?
You can follow my work on LinkedIn.
Thank you for the time you spent sharing these fantastic insights. We wish you only continued success in your great work!
About the Interviewer: Cynthia Corsetti is an esteemed executive coach with over two decades in corporate leadership and 11 years in executive coaching. Author of the upcoming book, “Dark Drivers,” she guides high-performing professionals and Fortune 500 firms to recognize and manage underlying influences affecting their leadership. Beyond individual coaching, Cynthia offers a 6-month executive transition program and partners with organizations to nurture the next wave of leadership excellence.
About Metin Kortak: Metin Kortak is the Chief Information Security Officer at Rhymetec, a cybersecurity firm providing cybersecurity, compliance and data privacy services to SaaS companies. Metin began his career working in IT security and gained extensive knowledge of compliance and data privacy frameworks such as SOC 2, ISO 27001, PCI, FedRAMP, NIST 800-53, GDPR, CCPA, HITRUST and HIPAA. Metin joined Rhymetec to build data privacy and compliance as a service offering. Under his leadership, these offerings have grown to more than 200 customers, positioning the company as a leading SaaS security service provider in the industry. For more thoughts on the impact of AI, check out Metin's article on AI in Cyber Defense.
You can read the original article on the impact of AI, posted on Medium by Cynthia Corsetti.
About Rhymetec
Rhymetec was founded in 2015 as a Penetration Testing company. Since then, we have served hundreds of SaaS businesses globally in all their cybersecurity, compliance, and data privacy needs. We’re industry leaders in cloud security, and our custom services align with the specific needs of your business. If you'd like to learn more about how our team can help your business with security, contact our team for more information.
So, you've just been handed a security questionnaire by a potential customer, and you're not sure where to start.
What is access control? What should you answer when asked if you utilize strong authentication across all applications with sensitive data?
This Rhymetec guide will not only help you answer these questions but will also provide suggestions that you can use to strengthen your security posture and work with potential customers more confidently, with less risk of non-compliance or a data breach.
What Is A Security Questionnaire?
Security questionnaires are used by your potential customers to assess their third-party vendors and suppliers. Numerous major third-party incidents have occurred in recent years, and threat actors are increasingly attempting "supply chain attacks" - cyberattacks that target a critical element of a particular supply chain and then attempt to move laterally into other parts of the supply chain.
For example, the identity and access management platform Okta recently suffered from numerous compromises that threat actors attempted to use to gain access to Okta's customers' data. All of this was a long way of saying companies with mature cybersecurity programs care about supply chain attacks - a lot.
Enter the security questionnaire.
Vendor assessments are required by some compliance regimes such as HIPAA, GLBA, and PCI DSS, and a security questionnaire is the usual way to perform one. In addition, understanding who you're doing business with, what their security controls are, and what types of data you will be sharing with them is important from a simple risk mitigation perspective.
Security Questionnaire Example Questions
So, what exactly do security questionnaires typically ask?
It can vary a lot, but here are some common types of questions:
- Does your organization employ strong authentication measures such as multi-factor authentication for all corporate applications that hold customer data?
- Does your organization offboard employees within 8 hours of the termination of employment?
- Does your organization conduct routine penetration testing to identify vulnerabilities in your environment?
- Does your organization have documented incident response plans and processes?
- Does your organization routinely train users regarding information security and risk?
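One way a vendor can produce evidence for the offboarding question above, added here as an example and not part of the original article: compare HR termination timestamps against an identity-provider account export and flag any account that was still enabled past the 8-hour window, or was disabled late. The record shapes and the sample data are constructed for illustration; a real run would pull both from the HR system and the IdP's API.

```python
"""Offboarding SLA check: flag terminated users whose accounts were not
disabled within 8 hours. Added example, not from the original article.

Inputs are constructed inline. The record shapes (HR_TERMINATIONS and the
IdP export in IDP_ACCOUNTS) are assumptions for illustration; a real run
would pull them from the HR system and the identity provider's API.
"""
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=8)

# Constructed sample HR termination events (not real data).
HR_TERMINATIONS = [
    {"user": "alice", "terminated_at": "2024-03-01T17:00:00Z"},
    {"user": "bob", "terminated_at": "2024-03-01T09:30:00Z"},
    {"user": "carol", "terminated_at": "2024-03-02T12:00:00Z"},
    {"user": "erin", "terminated_at": "2024-03-02T22:00:00Z"},
]

# Constructed, hypothetical identity-provider export. 'disabled_at' is None
# while an account is still enabled.
IDP_ACCOUNTS = {
    "alice": {"enabled": False, "disabled_at": "2024-03-01T18:15:00Z"},  # disabled after 1h15m
    "bob": {"enabled": False, "disabled_at": "2024-03-02T10:00:00Z"},    # disabled after 24.5h
    "carol": {"enabled": True, "disabled_at": None},                     # still enabled, overdue
    "erin": {"enabled": True, "disabled_at": None},                      # still enabled, within SLA
    "dave": {"enabled": True, "disabled_at": None},                      # never terminated, ignored
}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T17:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hours_between(start, end):
    """Elapsed hours from start to end, rounded to two decimals."""
    return round((end - start).total_seconds() / 3600, 2)


def check_offboarding(terminations, accounts, now, sla=SLA):
    """Return one finding per terminated user who breached the SLA.

    Each finding carries the user, a status and the hours elapsed from
    termination to the disable event (or to 'now' if still enabled).
    Users whose termination is still within the window produce no finding.
    """
    findings = []
    for rec in terminations:
        user = rec["user"]
        terminated = parse_ts(rec["terminated_at"])
        deadline = terminated + sla
        acct = accounts.get(user)
        if acct is None:
            # No IdP record at all: the control cannot be evidenced, so report it.
            findings.append({"user": user, "status": "no_idp_record", "elapsed_hours": None})
        elif acct["enabled"]:
            # Still active: only a breach once the deadline has passed.
            if now > deadline:
                findings.append({"user": user, "status": "still_enabled",
                                 "elapsed_hours": hours_between(terminated, now)})
        else:
            disabled = parse_ts(acct["disabled_at"])
            if disabled > deadline:
                findings.append({"user": user, "status": "disabled_late",
                                 "elapsed_hours": hours_between(terminated, disabled)})
    return findings


if __name__ == "__main__":
    now = parse_ts("2024-03-03T00:00:00Z")
    for f in check_offboarding(HR_TERMINATIONS, IDP_ACCOUNTS, now):
        print(f"{f['user']}: {f['status']} ({f['elapsed_hours']} h since termination)")
```

The output of a run like this, kept with the termination records it was generated from, is exactly the kind of evidence an auditor or customer will ask for behind a "yes" answer.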
Depending on the potential customer you are working with, questions may be very in-depth or very cursory. In many cases, your customers may tier their security questionnaires; a company that stores data about tennis shoe manufacturing needs far less scrutiny than a company storing Protected Health Information (PHI).
Security Questionnaires and Compliance
Security questionnaires aren't only driven by risk requirements. They are also driven by specific legal compliance requirements that your customers fall under. We will provide two examples of major compliance regulations that directly touch on vendor security.
In both of these, notice that nowhere is it mandated that you must send a security questionnaire. Instead, both require that organizations assess their vendors. The security questionnaire is the form that this assessment takes.
The HIPAA Security Rule
The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare organizations and other organizations that handle Protected Health Information (PHI).
Under HIPAA, any organization handling PHI that is a "covered entity" must comply with the HIPAA Security Rule, a specific set of information security standards, and "business associates" of covered entities must meet the same requirements. The rule's risk analysis standard reads:
- 45 CFR § 164.308(a)(1)(ii)(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
The U.S. Department of Health and Human Services also publishes guidance on how to conduct the risk analysis required by section 164.308.
The Bottom Line: If your organization gets a security questionnaire from a healthcare organization and you will be handling PHI, take it extremely seriously. You may be considered a HIPAA business associate and be required to comply with the HIPAA Security Rule. An experienced vCISO can help guide you on how to answer questions and implement missing security controls.
The Gramm-Leach-Bliley Act and The Security Questionnaire
The GLBA applies to financial institutions. Its Safeguards Rule (16 CFR § 314.4, enforced by the FTC) spells out what those institutions must do to stay compliant with respect to third-party service providers; under § 314.4(f) they must oversee service providers by:
- Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;
- Requiring your service providers by contract to implement and maintain such safeguards; and
- Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.
The Bottom Line: If you are getting a security questionnaire from a financial services organization, they are likely trying to meet their legal requirements under GLBA. The organization likely isn't measuring you against a specific standard where all requirements must be met to do business with you. If you don't meet every control in the security questionnaire, consider having a conversation with the customer about which ones they consider essential for a vendor, and identify a plan to meet those on a set timescale.
How Do You Answer a Security Questionnaire?
Answers to security questionnaires from customers should be honest, straightforward, and complete.
For example, to answer the following question:
- Does your organization routinely train users regarding information security and risk?
You might reply:
- Users are trained on a monthly basis on information security best practices using the security awareness training platform KnowBe4. In addition, regular simulated phishing campaigns are conducted against employees. If an employee fails a phishing test, additional training is mandated.
Notice this answer gives a specific example of not only that the activity is being carried out but how the activity is being carried out (KnowBe4).
It also goes into detail about how often the phishing test takes place, and even provides additional evidence of a serious security posture by describing an interrelated simulated exercise.
However, don't go overboard with information. If your customer is asking a question about training, you don't need to tell them about your amazing vulnerability management practice. Instead, answering questions with additional detail on related policies, procedures, or technology can help make the customer's job easier.
The most important thing to do is never lie.
If there are certain questions that your potential customer has asked that you don't want to disclose, have a frank and honest discussion about what information you can provide, what you can't, and why. Lying on vendor risk questionnaires can put your organization in potential legal jeopardy, both civilly and criminally.
Should I Get Outside Help in Answering a Security Questionnaire?
Many organizations turn to managed security services organizations for help in answering security questionnaires.
Why choose a managed security services company to help you?
There are a few different reasons.
First, cybersecurity can be extremely complex! Answering vendor risk questionnaires isn't always a straightforward exercise. Does your routine security assessment performed by a third party satisfy the definition of a penetration test? Does annual user training meet the question, "Do you regularly engage in security awareness training?"
These types of details matter but aren't always immediately apparent to those answering a security questionnaire.
Secondly, the "why" of a security questionnaire matters. Mistakenly answering a question on a security questionnaire from a customer who is simply doing their due diligence can be damaging. But mistakenly answering a question for an organization assessing your HIPAA compliance under the business associates rule can be fraught with legal peril.
An experienced vCISO can help navigate these waters and ensure that answers are correct and backed with evidence.
Finally, answering security questionnaires doesn't have to be hard! There's no reason that you should be spending weeks fretting over whether your security awareness training program is up to snuff.
Engaging a managed security services company can help you rapidly respond to security questionnaires, unclogging your sales pipeline and turning security compliance into a selling strength.
SOC 2 and The Security Questionnaire
Fortunately, there may be a way that you don't need to answer every security questionnaire that comes your way.
Enter the SOC 2 Report.
SOC 2 is a voluntary framework that organizations can meet and be audited against on an annual basis. By meeting requirements under SOC 2 Type 2 and undergoing an annual audit, you can have a specific report outlining your security controls to provide to prospective customers, dramatically simplifying the process.
SOC 2 isn't just a way to get out of doing security questionnaires, though.
Organizations are increasingly choosing their vendors based on good security practices and continuous compliance. Using a vendor like Rhymetec to help you meet SOC 2 can expedite your sales process, build trust with potential customers, and enable you to engage prospects who want to see evidence of your security before doing business.
The Bottom Line
Many organizations use security questionnaires as a way to screen potential vendors for unacceptable security risks. This is becoming increasingly common, as companies wish to strengthen their third-party risk management in light of recent breaches due to vendors and suppliers.
Hopefully, this guide helped clarify how to answer questions on security questionnaires and how to turn risk assessments into a business enabler rather than a cost center.
About Rhymetec
Our mission is to make cutting-edge cybersecurity available to SaaS companies and startups. We've worked with hundreds of companies to provide practical security solutions tailored to their needs, enabling them to be secure and compliant while also balancing security with budget.
We enable our clients to outsource the complexity of security and focus on what really matters - their business. If you are interested in our services, or if you simply have questions about security, you can contact our team for more information.
About The Author: Metin Kortak, CISO
Metin Kortak is the Chief Information Security Officer at Rhymetec. Metin began his career working in IT security and gained extensive knowledge of compliance and data privacy frameworks such as SOC 2, ISO 27001, PCI, FedRAMP, NIST 800-53, GDPR, CCPA, HITRUST and HIPAA. He joined Rhymetec to build data privacy and compliance as a service offering. Under Metin's leadership, these offerings have grown to more than 200 customers, positioning the company as a leading SaaS security service provider in the industry.
You might be wondering - Why would a threat actor bother targeting a startup? Don't they focus on larger companies?
In 2025, cybersecurity for startups is just as critical as it is for the world's largest organizations. You may be surprised to learn that small businesses nowadays are actually more frequent targets of cyberattacks than larger companies.
According to Verizon's 2023 Data Breach Investigations Report, there's a very clear reason for this:
Regardless of organizational size, companies are increasingly adopting similar services and infrastructure. This means that the attack surface of small organizations - all of the points from which a threat actor can access a system - looks more similar than ever to that of large companies.
When it comes to the attack surface of small versus large businesses, "...by now there is so little difference based on organizational size that we were hard-pressed to make any distinctions whatsoever." (Verizon, 2023).
While it's great that many business-accelerating tools are now equally accessible to small organizations, this democratization of technology has a dark side:
Organizations, from startups to Fortune 500, have increasingly similar risk profiles but do not have the same resources to prevent and respond to attacks.
From a threat actor's perspective, this makes smaller organizations ripe targets. In light of this, what can you do as a startup to improve your security, especially without breaking the bank?
This guide will discuss:
- Why is Cybersecurity for Startups Important?
- 5 Practical Things You Can Do Right Away
- Measures to Further Improve Your Security
- Balancing Security With Budget
- Frequently Asked Questions
- Accelerating Cybersecurity for Startups
Rhymetec was specifically founded with the mission to make cutting-edge security available to startups. We've worked with hundreds of companies to provide practical solutions that enable them to be as secure as possible while also balancing security with budget.
This guide will provide actionable solutions for cybersecurity for startups based on:
- Our experience working with hundreds of startups.
- Current trends in the industry in 2025.
Why is Cybersecurity for Startups Important?
Large companies have the resources to continuously sharpen their security measures and keep up with increasingly stringent compliance requirements. Meanwhile, smaller businesses without the same resources to devote to security are left behind.
Threat actors know this, and that's why an employee at a company with less than 100 employees receives 350% more social engineering attacks in their email than an employee at a large company.
And the smaller the business, the harder the attack hits: For over half of small companies, all it takes is one data breach to go out of business within 6 months.
What does this mean?
Startups need to invest in cybersecurity as much as large companies do, ideally from the onset. Fortunately, nowadays, there are affordable solutions for startups to access cybersecurity services and expertise historically reserved for large companies:
Instead of building out expensive in-house security teams, many startups turn to Virtual CISO Services as an alternative. Additionally, there are measures any startup can take right away to improve security, which we'll discuss in the section "5 Practical Things To Do Right Away".
But first, let's talk about the most common threats faced by startups in 2025. We'll keep these in mind when suggesting security measures you should consider.
Common Security Threats Faced by Startups in 2025
According to Verizon, 92% of tactics threat actors use against small businesses are either:
- Social engineering tactics, such as phishing emails.
- Basic web application attacks.
User credentials (like passwords) are the most frequently compromised type of data. This is because threat actors know this type of data is particularly vulnerable when hosted and processed by small organizations without strong security.
Even if you aren't at the stage where you want to explore building out a comprehensive security program, there are a few things you can do in the short term.
With the most common threats faced by startups in mind, here are 5 solutions that will mitigate a huge amount of risk right off the bat:

Cybersecurity for Startups: 5 Practical Things To Do Right Away
We get how much running a startup involves on a daily basis.
Even if you're crunched for time and resources, fortunately, there are a few 'quick win' measures you can take to improve your security immediately!
Some of these may seem basic. But you would be stunned how many people, even in high-level positions, are using passwords like "032564Oreo" (user's birthday + their cat's name) or "newpassword2025!" (self-explanatory).
It's best to play it safe and operate from the assumption that most people simply don't practice good security hygiene. It's on company leadership to provide guidance and policies.
With this in mind, here are 5 measures you can take right away:
1. Ensure All Employees Use MFA At Your Startup
Multi-factor authentication (MFA) is critical to an effective security program.
Implementing MFA across all accounts, including cloud access, network access, and even SaaS access accounts, is the number one thing you can do to reduce the risk of a major incident or breach.

Without MFA, all a major breach takes is a single employee setting a weak password, which a threat actor then identifies through password spraying or traditional leaks.
Beyond simply setting up and requiring MFA, there are additional steps you should take in light of the current threat landscape in 2025. Unfortunately, threat actors have inventive ways around MFA nowadays.
To mitigate this risk, here are some important tips when setting up MFA controls:
- Understand where your customer data lives. Individual teams and employees may purchase new SaaS applications on their own authority and begin storing customer and other data in these systems. Without adequate controls and visibility, employees may be storing customer data in SaaS solutions without MFA that your IT and security teams are unaware of.
- Set a short time-to-live (TTL) on session cookies where possible. A session cookie lets a user stay authenticated for a set duration without re-entering an MFA code. If the cookie is stolen during that window, it can be replayed to bypass the code entirely. Setting the cookie TTL as short as possible does inconvenience users, but it limits how long a stolen cookie remains usable.
- When implementing MFA, it is strongly recommended to use authenticator applications rather than SMS-based authentication when possible. SMS-based authentication is susceptible to a practice known as "SIM swapping," in which threat actors either social engineer or steal the means to swap SIM devices at the carrier level, allowing them to hijack a user's cellphone traffic.
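The following is an added example, not code from the original post or from Rhymetec: a minimal server-side session store that enforces both an idle timeout and an absolute lifetime, which is the mechanism behind the "short TTL" advice above. Timestamps are passed in explicitly so the expiry behaviour can be exercised without waiting; the class and function names, and the 15-minute / 8-hour values, are assumptions chosen for the example.

```python
"""Added example (not from the original post): session TTL enforcement.

A cookie-stealing attacker can only replay a session token while the
server still considers it valid, so the server-side store, not the
browser, is where the lifetime must be enforced.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    created_at: float   # absolute lifetime is measured from here
    last_seen: float    # idle timeout is measured from here


class SessionStore:
    """Hypothetical store keyed by an unguessable random token."""

    def __init__(self, idle_ttl: float = 15 * 60, absolute_ttl: float = 8 * 3600):
        self.idle_ttl = idle_ttl            # seconds of inactivity allowed
        self.absolute_ttl = absolute_ttl    # hard cap regardless of activity
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user for a live session, or None if unknown/expired.

        Expired sessions are deleted so a later replay cannot revive them.
        """
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created_at > self.absolute_ttl or now - s.last_seen > self.idle_ttl:
            del self._sessions[token]
            return None
        s.last_seen = now                   # activity extends the idle window only
        return s.user

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


def stolen_cookie_outcomes():
    """Compare a lax store (30-day idle TTL) with a strict one (15-minute
    idle TTL) when a cookie is stolen at t0 and replayed one day later.
    Returns (lax_still_valid, strict_still_valid)."""
    t0 = 1_700_000_000.0                    # constructed fixed timestamp
    one_day = 24 * 3600
    lax = SessionStore(idle_ttl=30 * 24 * 3600, absolute_ttl=90 * 24 * 3600)
    strict = SessionStore(idle_ttl=15 * 60, absolute_ttl=8 * 3600)
    lax_token = lax.create("alice", t0)
    strict_token = strict.create("alice", t0)
    return (
        lax.validate(lax_token, t0 + one_day) is not None,
        strict.validate(strict_token, t0 + one_day) is not None,
    )


if __name__ == "__main__":
    print("replayed after one day (lax, strict):", stolen_cookie_outcomes())
```

The absolute lifetime matters as much as the idle timeout: an attacker who keeps a stolen session "warm" with periodic requests would otherwise never hit the idle cutoff, so the store also expires sessions at a fixed age and forces a fresh login (and fresh MFA) at that point.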
2. Make Sure All Systems Are Patched
Many cyberattacks happen as a result of organizations not building a successful vulnerability management practice. Threat actors continuously scan for publicly facing IT assets with known vulnerabilities to identify potential targets to exploit.
A great example of this is the WannaCry ransomware attack in 2017. The exploit used by threat actors had actually been patched in Windows two months prior to the attack. Devices up-to-date on the latest security updates were not impacted by the attack. Meanwhile, devices that hadn't kept up with the latest patches were left vulnerable.
Vulnerability prioritization can be a pain. It isn't always clear when a vulnerability is critical versus when it can be delayed somewhat. Additionally, patches can be extremely disruptive to existing IT infrastructure. All of this makes effectively patching systems quite difficult. Here are a few tips:
- Prioritize vulnerabilities on publicly facing systems first: Threat actors regularly scan the internet looking for known exploitable vulnerabilities on publicly facing systems. An instance of this in 2025 includes the ConnectWise ScreenConnect vulnerability. Another recent example includes the MOVEit vulnerability.
- Prioritize actively exploited vulnerabilities: Not all vulnerabilities are equally high-risk. Vulnerabilities that are theoretical or haven't been known to be "actively exploited in the wild" are likely lower risk and can be deprioritized compared to those that threat actors are utilizing.
- Use a vulnerability management service like Shodan: Shodan can help identify publicly facing IT assets along with services running on them. This can dramatically expedite mapping your organization's attack surface and identifying services that may have exploitable vulnerabilities.
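As an added example (not code from the original post), the two prioritization rules above, internet-facing first and actively exploited first, can be turned into a repeatable triage order over a vulnerability inventory. The findings below are constructed sample data, and the tier scheme and field names are assumptions for the example; a real inventory would populate the exploited flag from a known-exploited-vulnerabilities feed and the exposure flag from an external asset scan.

```python
"""Added example (not from the original post): triage order for findings.

Tiers, highest priority first:
  1  internet-facing AND actively exploited
  2  actively exploited (internal exposure)
  3  internet-facing with high CVSS (>= 7.0)
  4  everything else
Within a tier, higher CVSS comes first. Note that a high-CVSS internal
finding can rank below a lower-CVSS exposed, exploited one.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    internet_facing: bool
    actively_exploited: bool   # e.g. present in a known-exploited catalogue
    cvss: float


def triage_tier(f: Finding) -> int:
    if f.internet_facing and f.actively_exploited:
        return 1
    if f.actively_exploited:
        return 2
    if f.internet_facing and f.cvss >= 7.0:
        return 3
    return 4


def prioritize(findings: Iterable[Finding]) -> List[Tuple[int, str]]:
    """Return (tier, finding_id) pairs in the order they should be patched."""
    ordered = sorted(findings, key=lambda f: (triage_tier(f), -f.cvss, f.finding_id))
    return [(triage_tier(f), f.finding_id) for f in ordered]


# Constructed sample inventory (hypothetical assets, no real CVEs).
SAMPLE_FINDINGS = [
    Finding("F-1", "internal database server", False, False, 9.8),
    Finding("F-2", "public web server",        True,  True,  8.1),
    Finding("F-3", "VPN appliance",            True,  True,  9.9),
    Finding("F-4", "laptop fleet",             False, True,  7.8),
    Finding("F-5", "public marketing site",    True,  False, 5.3),
    Finding("F-6", "public API gateway",       True,  False, 7.5),
]


if __name__ == "__main__":
    for tier, fid in prioritize(SAMPLE_FINDINGS):
        print(f"tier {tier}: {fid}")
```

In the sample data the internal database finding carries the highest CVSS score (9.8) yet lands in the last tier, because nothing reaches it from the internet and no exploitation has been observed; the exposed, exploited VPN and web server findings go first. That ordering is the practical meaning of "prioritize publicly facing and actively exploited vulnerabilities" rather than sorting by score alone.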
3. Build A Cybersecurity Program With an Extensive Backup and Recovery Program
It's no secret that ransomware groups often encrypt sensitive data belonging to organizations. But ransomware isn't the only reason you should have a strong backup and recovery program.
Natural disasters, unexpected outages, and threat actors can all compromise the confidentiality, integrity, and availability of data. This creates enormous risk.
Create not just a backup system for your startup, but a backup and recovery program that includes technology (either localized or cloud backups), processes (policies and procedures), and people responsible for ensuring it all works together.
Once you have a system that works, test it!
Tabletop exercises can be invaluable in testing real-world examples to make sure that your system works, everyone knows their role, and you can effectively respond to a crisis.
Bonus Tip: Be sure to back up your "less" critical systems.
Don't underestimate the dependencies between data and software applications. Even if your organization has multiple systems, don't isolate backup and recovery to "only" the most critical. It is often easy to overlook data dependencies between systems where one system going down can render another entirely nonfunctional.
4. Ensure All Employees Have A Strong Password

Many organizations make the mistake of believing that if they have strong two-factor authentication, they are adequately protected and don't need to worry too much about weak passwords. This couldn't be further from the truth.
If you have a weak, easily guessable password and two-factor authentication, you only really have single-factor authentication!
IBM's recent X-Force Report showed that identity-based attacks that involve leveraging valid user accounts are now the predominant way threat actors compromise environments. Compromising a single valid user account with administrative privileges can quickly escalate into a full-blown breach.
Effective multi-factor authentication depends on your organization also enforcing strong passwords and monitoring password reuse. Here are a few tips to ensure employees are using good passwords:
- Create strong passwords with a length requirement, special characters, numbers, and letters.
- Use a credential monitoring service like Have I Been Pwned to identify whether a user's credentials have been compromised in a data breach. Rotate credentials immediately if this has happened.
- Talk extensively about password hygiene during regular security trainings. Emphasize not to reuse passwords across services. Walk users through how reusing passwords can result in the organization being compromised.
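The tips above combine a length requirement with a breach check. As an added example (not code from the original post or from the Have I Been Pwned project), this shows how a password can be checked against the Pwned Passwords range API without ever sending the password or its full hash: only the first five characters of the SHA-1 hash are sent, and the service returns every matching hash suffix with a breach count (k-anonymity). The range response below is constructed sample data so the block runs offline, and the function names, the 12-character minimum and the "fetch" callback are assumptions for the example.

```python
"""Added example (not from the original post): password policy check with
a k-anonymity breach lookup in the style of the Pwned Passwords range API.

Real-world use would replace offline_fetch with an HTTPS GET to
https://api.pwnedpasswords.com/range/<PREFIX>; the parsing is identical.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed sample "range" response for prefix 5BAA6 (not real HIBP data).
# Format matches the API: one "HASHSUFFIX:COUNT" line per leaked hash that
# shares the queried 5-character prefix. The middle line is the suffix of
# SHA-1("password"), so that password will be reported as breached.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    ]),
}


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent to
    the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_text: str) -> int:
    """Find our suffix among the returned lines; 0 means not seen in a breach."""
    for line in range_text.splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count or 0)
    return 0


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call; unknown prefixes yield an empty response."""
    return SAMPLE_RANGES.get(prefix, "")


def evaluate_password(password: str,
                      fetch_range: Callable[[str], str] = offline_fetch,
                      min_length: int = 12) -> List[str]:
    """Return the list of policy failures (empty list means acceptable)."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    prefix, suffix = hash_prefix_suffix(password)
    seen = count_in_range(suffix, fetch_range(prefix))
    if seen:
        problems.append(f"seen {seen} times in known breaches")
    return problems


if __name__ == "__main__":
    for pw in ["password", "oreo-032564-tuesday-lantern"]:
        print(repr(pw), "->", evaluate_password(pw) or "ok")
```

Because the client compares the suffix locally, the service learns only that someone queried a five-character prefix shared by many thousands of hashes, which is what makes it safe to run this check at enrollment and password-change time against users' real passwords.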
Bonus Tip: Use a password manager like 1Password.
Tools like 1Password automatically create strong passwords, which are then encrypted and stored so that only authorized users can access them.
This allows members of your team to share passwords without showing the actual password. Additionally, employees can access business-critical accounts across multiple devices without having to remember complex passwords.
If your startup has a remote workforce and employees are logging into their work accounts on multiple devices, a password manager is a must-have.
5. Establish A Written Security Policy
Establishing a written security policy is one of the most critical things you can do to create a strong cybersecurity baseline for your startup.
Rhymetec's Senior Cybersecurity Analyst, Kyle Jones, recently spoke about how to draft and communicate strong security policies. Here are a few tips he suggested:
- Know your audience. If the people who need to understand and adhere to your security policies aren't security knowledgeable, keep that in mind. Don't use overly technical language in your policies. Instead, tailor your language to your audience.
- Emphasize your policies continuously, and connect policies with the reasons behind them. People will be more likely to follow policies if the reason behind them is explained. Find opportunities, such as when an employee has an IT-related question, to reference the policies and see what they say.
- Make sure your policies reflect current trends. Your risk profile changes depending on what's going on in the world! For instance, the launching of large language models (LLMs) like Google's Gemini should make you rethink your policies.
Here are several critical questions about AI:
- Do you know if your employees are sharing data with any LLMs they may be using for work?
- Do you have an established policy around the use of this technology at your startup?
- What about updates to regulatory language around AI? Do your policies take that into account?
A great example of why these questions need to be revisited can be seen in Samsung's 2023 data leak involving ChatGPT - the company has since banned the internal use of generative AI tools.

Bonus Tip: Create a culture that prioritizes security and transparency.
Share resources and talk to your team regularly about the importance of security.
Don't fearmonger - you never want your employees to feel like they can't come to you if something happens. Make it clear that your door is open, and you want to know if they receive a suspicious email or if they notice unfamiliar software on their work device.
Cybersecurity for Startups: Measures To Further Improve
So, you've made sure your employees are using MFA and that nobody's password is their cat's name. You regularly update all of your systems, back up your data, and already have security policies in place.
Here are the next steps you should take:
1. Build A Formal Process to Assess The Security of Third-Party Vendors and Suppliers
Third-party risk management continues to grow in importance for organizations of all sizes.
We recommend building a full inventory of all third-party suppliers your organization uses and implementing a standard risk screening. Fortunately, modern standards make it easy to quickly screen to see if a potential third party takes information security seriously.
We recommend asking questions like:
- Does your organization have a SOC 2 Type 2 Report, or other third-party attestation on your information security program?
- Are you compliant with the HIPAA Security Rule, New York Department of Financial Services Cybersecurity Rule, or other formal legal requirements?
- Does your organization have documented security policies?
- Do you share customer data with third parties? If so, which ones?
2. Conduct Routine Pen Testing Engagements
Engage a third party (such as Rhymetec) to regularly put your security controls to the test.
Regular pen testing identifies gaps that potential attackers could exploit. Pen tests should be scoped to the specific risks that your organization faces. For example, Rhymetec can help with:
- Web application pen testing to identify vulnerabilities and misconfigurations in web apps.
- Mobile application penetration testing to identify vulnerabilities or exploits in mobile apps that could be exploited.
- Network penetration testing to identify ways that your organization's network could be exposed.
Pen testing is critical to meeting numerous security requirements. It also enables you to better answer questionnaires about your organization's security provided by potential customers.
3. Conduct Simulated Spear-Phishing Tests
Simulated phishing exercises represent another very significant opportunity to improve your security.
Running realistic simulated phishing tests can help condition employees to be wary of even realistic-looking emails purporting to offer them gift cards and sensitive information. Make sure emails look realistic and are targeted. Sending generic emails generated by a platform can come across as too obvious and fail to adequately test users.
Take an attacker's perspective - what might an attacker write without inside knowledge of users to get users to click links?
Bonus Tip: Have An Incident Response Plan In Place.
An incident response plan is a set of documented procedures to act on in the event of a security incident. For instance, do you know what steps to take in the event your startup experiences a ransomware attack?
To recall an earlier example, during the WannaCry ransomware attack in 2017, many victims paid the ransom to try to get their data back. Security professionals generally do not advise paying ransoms. The threat actors behind the WannaCry attack did not restore people's data even after they'd paid the ransom.
Having a documented incident response plan equips you with important know-how in the event you are to experience an attack or a data breach. This saves time, money, and headaches if an incident were to occur.
Balancing Security With Budget
Building good organizational security is critical. However, the cost of protecting an asset shouldn't have to exceed the value of the asset.
Cybersecurity for startups needs to be balanced against ease of access, business processes, and the risks associated with the service, data, or application being secured.
At Rhymetec, we work with a lot of SaaS startups who need to build a security program typically because their customers require it and it's difficult to compete in the marketplace without one. These startups are working off a limited budget.
A good place to start to figure out how to balance security with budget is to think about the answers to the following two questions:
- What does your risk profile look like? Narrowing down the specific risks facing your organization helps prioritize where you need to spend your security dollars. For example, if you are located somewhere that's prone to earthquakes and your servers are stored there, that's a high risk. You would want to prioritize taking steps to remediate this.
- What's your risk appetite? Understand what your own risk tolerance is. If you have a low risk appetite, you will want to commit to remediating any medium or high risks. Or, at the very least, look at how to reduce your risk from high to low in the areas of highest risk.
At Rhymetec, after we assess your risk profile and answer these questions, we get creative on the best way to proceed with building your information security program while keeping in mind budget constraints.
Frequently Asked Questions (FAQ) for Cybersecurity for Startups in 2025
Here are 5 questions we see frequently from startups in 2025. Knowing the answers to these questions - and implementing corresponding policies - is essential for robust cybersecurity for startups.
1. What are some commonly required or requested compliance frameworks for startups in 2025?
- SOC 2 is a voluntary standard often requested by customers to show you take security seriously and that their data will be in good hands if they share it with you.
- ISO 27001 is the leading international standard for information security.
- PCI DSS is necessary if your startup processes credit card payments.
- GDPR is required in 2025 if you handle the personal data of EU citizens.
- HIPAA privacy regulations require organizations dealing with healthcare data to follow procedures around the confidentiality and security of PHI (Protected Health Information).

2. How does the increasing shift to remote work impact cybersecurity for startups in 2025?
Cloud security is critical in the age of remote work.
Without proper controls, even daily activities like file sharing can result in sensitive information being shared with unauthorized users. Following best practices for cloud storage is essential in 2025, including:
- Make sure your employees have a strong separation between work and personal documents and devices.
- Invest in backing up your data to prevent the loss of important information and documents.
3. What should startups do from a security standpoint with all the AI hype?
AI amplifies existing threats, especially social engineering attacks. For example, AI can be used by threat actors to generate a larger number of personalized phishing emails.
This simply means that the best way to protect your business from AI-assisted threats is to strengthen your core security program. Staff awareness training to protect against social engineering attacks is especially important.
4. What are some best-of-breed tools startups can easily utilize in 2025?
As discussed earlier, the attack surface of small organizations is starting to increasingly resemble that of large organizations. What if you could monitor this, even down to the individual employee level?
Services like Picnic enable you to minimize the human attack surface of your startup and protect executives, contractors, and employees from social engineering attacks.
Nowadays, fortunately, there are tools that make security more accessible. Even if you have zero technical background, you can seamlessly integrate tools like Zip Security that provide enterprise-grade security and endpoint threat detection.
5. When is the right time to start looking into cybersecurity for startups?
The straightforward answer here is that if you're reading this, the right time is now.
Don't wait for the perfect time. The reality is that early-stage startups are unfortunately particularly vulnerable to cyberattacks, precisely because threat actors know they often lack even basic security practices.
Plus, it's always better to start building your security program early on so it can grow in alignment with your needs as your startup scales. Implementing a robust information security program after growth involves even more time, money, and resources to catch up.
How MSSPs Can Accelerate Cybersecurity for Startups in 2025
Hiring an external security team can substantially help organizations, especially in the early stages.
Virtual CISOs at organizations like Rhymetec have extensive experience balancing budgetary needs, usability, and security for start-up cybersecurity programs. It's not an easy balance, but leveraging an experienced partner can deliver huge amounts of specialized talent without the need to spend millions of dollars on an in-house security team.
Managed Security Services Providers like Rhymetec have dozens of professionals across security disciplines like cloud security, compliance, web application security, penetration testing, and others. They have the experience putting these skills to work for startups in a way that drives real security outcomes as you scale while also keeping your budget in mind.
To learn more about how our team can accelerate your security while keeping your budget in mind, contact us for more information.