The 80/20 Guide to Essential Cybersecurity Tips for Professionals


When providing cybersecurity tips for businesses, we like to use the 80/20 rule, also known as the Pareto Principle. The 80/20 rule suggests that roughly 80 percent of effects come from 20 percent of the causes. While this principle originally applied to economics, indicating that 80 percent of wealth is owned by 20 percent of the population, it has been adapted to various fields, including cybersecurity.

In the context of cybersecurity, the idea is that the top 20 percent of cybersecurity best practices can potentially mitigate 80 percent of risks associated with vulnerabilities and threats.

This principle encourages organizations to focus their resources and efforts on the most impactful security measures. By identifying and prioritizing the most critical vulnerabilities and threats, organizations can achieve a significant improvement in their overall security posture with relatively less effort compared to addressing all potential security issues.

The 80/20 rule of cybersecurity ensures the best ROI in terms of security enhancements. That said, organizations cannot completely ignore the other 80 percent of threats. Comprehensive security strategies require a balanced approach that includes regular risk assessments and the flexibility to adapt to emerging threats.

Understanding Cybersecurity in Today’s Digital Landscape

Cybercrime has come a long way from the days when thrill-seeking lone hackers, driven by curiosity and mischief, worked to bypass an organization’s security system for fun. Organized crime rings now control the cybercrime industry, which is estimated to be a $9.5 trillion enterprise, per Cybersecurity Ventures 2023 Official Cybercrime Report.

To put that into perspective, if cybercrime were a country, its economy would be the third-largest in the world, trailing behind the United States and China.

As cyber syndicates have evolved, so has the nature of cyber threats. Because these gangs operate with a level of professionalism and efficiency similar to legitimate businesses, they can exploit vulnerabilities at an unprecedented scale. No one is safe from cybercriminals, and that includes small and midsized businesses.

Rapidly advancing AI technologies will only exacerbate the problem, making it nearly impossible for would-be victims to spot potential threats.

Enforcing cybersecurity best practices and offering cybersecurity tips for employees will lessen the possibility of your company being a victim of cybercrime. If we are to apply the 80/20 rule, business owners and decision-makers should start with educating their employees.

Study after study has shown that a significant percentage of cyber incidents could have been avoided had more focus been on the No. 1 security threat – you and your employees. The IBM Security Report showed that human error is a major contributing factor in 95 percent of all cybersecurity incidents – 95 percent! Various other sources have indicated that 90 percent of all cyberattacks begin with a phishing email.

This underscores the vital importance of arming your staff with the resources and cybersecurity tips they need to protect your company’s data.

The following cybersecurity tips for businesses center around the three pillars of cybersecurity: People, Process, and Technology. A comprehensive cybersecurity program must incorporate all three to be effective.

The Top 20 Percent Cybersecurity Tips That Offer 80 Percent Protection

The following are the top 20 percent cybersecurity tips for businesses to mitigate 80 percent of the threats.

1. Security Awareness Training


Employees are the weakest link in an organization’s cybersecurity defenses. As stated above, it’s becoming almost impossible to spot potential threats such as phishing emails or social engineering attacks. Examples of social engineering attacks are pretexting (impersonating a co-worker or someone of authority) and baiting (too-good-to-be-true offers that trick people into providing private information). With the emergence of AI, deep fakes (audio, video, or images created with AI) compound the problem further.

However, organizations with ongoing comprehensive security awareness training programs can significantly reduce incidents caused by human error.

2. Strong Password Policies and Management

It’s often said that hackers don’t hack into a network; they simply log in. Employees make it too easy for criminals by using simple or weak passwords. Here are some tips for creating strong passwords:

  • Use upper and lowercase letters, numbers, and special characters.
  • Make sure it is at least 12 characters long. The longer, the better.
  • Consider using a passphrase. This is a string of unrelated words that you can remember but others would find nonsensical.

Once you’ve created a strong password, never use it twice. For more information about the risks of reusing passwords, read this blog.

The reason people refuse to create strong passwords is that they are hard to remember, especially if they need to create separate passwords for every login. This is where a business-grade password manager would be beneficial. Password managers or vaults can generate lengthy, hard-to-crack passwords that can easily be copied and pasted into login forms. Users only need to remember their master password to access the vault. Our top recommendations for highly secure password managers are Secret Server by Delinea and PasswordState by Clickstudios.
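The rules above (at least 12 characters, mixed character classes or a passphrase of unrelated words, and never reusing a password) can be enforced in code rather than left to memory. The following Python script is an added example, not code from the original article or from either password manager it names; the policy thresholds, the PBKDF2 parameters and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# Policy values assumed for this example: the article asks for 12+ characters,
# all four character classes, or a passphrase of several unrelated words.
MIN_LENGTH = 12
MIN_PASSPHRASE_WORDS = 4
PBKDF2_ROUNDS = 200_000


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, symbol) appear."""
    checks = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def is_passphrase(password: str) -> bool:
    """A passphrase here means several space-separated words of at least 3 characters."""
    words = password.split()
    return len(words) >= MIN_PASSPHRASE_WORDS and all(len(w) >= 3 for w in words)


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # A multi-word passphrase is accepted even without all four character classes.
    if not is_passphrase(password) and character_classes(password) < 4:
        problems.append("needs upper, lower, digit and special characters (or a passphrase)")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so a password history never stores plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any (salt, digest) pair in the user's history."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    # Constructed history: one previously used password, stored only as salt + digest.
    history = [hash_password("Winter2023!!pass")]
    for pw in ["hunter2", "Winter2023!!pass", "correct horse battery staple", "Tr0ub4dor&3x9Q"]:
        verdict = check_password(pw) or (["reused"] if is_reused(pw, history) else [])
        print(f"{pw!r}: {'ok' if not verdict else ', '.join(verdict)}")
```

The reuse check compares salted PBKDF2 digests rather than plaintext, which is how a password history should be kept; a real deployment would also screen candidates against known-breached password lists, which this example omits.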

3. Multi-factor Authentication (MFA)


Multi-factor authentication, also known as MFA or 2FA, offers an added layer of protection by requiring a user to prove their identity with something beyond the password before a login attempt is accepted. Even if a cybercriminal manages to get your password, they will still need the second factor – usually a code sent to your phone or generated by an app – to gain access. Most online accounts now offer the option to enable MFA. According to various sources, it is estimated that MFA can block anywhere from 80 to 99 percent of account compromise attacks.

SMS-based verification is just one form of MFA. Another is time-based authentication apps, which tend to be more secure than SMS. Examples are Microsoft Authenticator and Authy. These apps generate a new code every 30 seconds that users must enter during the login process.

Another type of MFA is Push Notifications. Duo is an app that sends a push notification to a user’s smartphone. The user simply taps a button to approve the login. This type of MFA is simple, making it attractive to businesses that are looking for user-friendly yet secure methods.

A hardware security key, such as YubiKey, plugs into a computer’s USB port or connects via Bluetooth or Near Field Communication (NFC); with NFC, the user simply holds the key close to an NFC-enabled device to approve the login.

Choosing the right MFA method involves careful consideration. Consulting with a managed IT service provider (MSP) can help business owners and IT managers identify their needs while considering the security, usability, and logistical aspects of each method.

4. Regular Software and Hardware Updates

Regular software maintenance and hardware updates are crucial to a business’s cybersecurity. Software updates include patches for newly discovered vulnerabilities and sometimes introduce new features, improvements, and optimizations that enhance performance.

It’s equally important to update and refresh hardware when a device has reached its end of life. Replacing outdated equipment ensures compatibility with software and reduces the risk of hardware failure, which can lead to costly downtime.

Working with an MSP is beneficial for businesses looking to offload the burden of updates and maintenance, which often need to be done after hours.


5. Use a VPN


A Virtual Private Network (VPN) is a secure connection method that encrypts data transmitted to the Internet and allows for private, anonymous browsing. It creates a secure tunnel for data transmission, ensuring that only authenticated users can access certain network resources or services. Combined with MFA, VPNs allow organizations to control who has access to their network.

Although VPNs enhance security by encrypting data, there are drawbacks to the technology. Some of those are:

  • Security Risks. VPNs are not immune to vulnerabilities mostly because of poor configurations or using an unreliable VPN service provider.
  • Reduced Speed. Encryption and routing of traffic through a VPN server can reduce internet speed and increase latency. The exact result depends on the service provider, server location, and the current load on the server.
  • Provider’s Reputation. Choosing an untrustworthy service provider could cause problems for the business owner. There is a risk that the provider could log user activity or that the service could be compromised, leading to data exposure.

Private cloud computing is a good alternative to using a VPN. Some MSPs offer private cloud networking, which allows users to access their network remotely.

6. Practice Good Web Hygiene

When browsing online, it’s important to choose a secure web browser. Some things to look for are:

  • Regular Updates and Security Patches. Check if your browser updates automatically or if you can manually check for and install updates.
  • Privacy and Security Settings. A secure browser offers robust options to control tracking, manage cookies, block unwanted content, and protect your browsing data.
  • HTTPS Support. Hypertext Transfer Protocol Secure (HTTPS) encrypts data between the browser and websites.
  • Phishing and Malware Protection. Look for built-in protection against phishing and malware, which can alert users about dangerous websites.
  • Extension Management. Secure browsers offer vetted extensions and provide settings to control the permissions granted to each extension.
  • Reputation. A browser’s strong, positive reputation in the security community is a good sign of its commitment to security.

Although Chrome is the most widely used browser in the world, there are alternatives that can improve security and help users stay anonymous online, including Brave, Firefox, and CyberAsk.

And when it comes to search engines, remember that Google tracks, collects, uses, and sells detailed user search and metadata. Safer alternatives are DuckDuckGo and BraveSearch.

7. Secure Your Email


Email continues to be a primary target for cybercriminals. The 2020 Verizon Data Breach Report showed that phishing was involved in 22 percent of all breaches. Data from the FBI’s Internet Crime Complaint Center indicated that Business Email Compromise scams climbed to $1.8 billion in 2020. Compromised emails and email accounts have a considerable financial and operational impact on organizations.

Simple Mail Transfer Protocol (SMTP), the protocol for email delivery, was developed in the early ‘80s, and it hasn’t changed much since then. Over the years, other technologies, such as DMARC and DKIM, have been developed in attempts to make email more secure. Even so, email content is transmitted in clear text, which means any minimally skilled hacker who can intercept it can read your email unless it is encrypted.

Using end-to-end email encryption technology is critical for organizations that collect personal information and even for organizations that occasionally need to send or receive sensitive information, including social security numbers, birth dates, credit card numbers, etc.

If an organization requests sensitive information from a customer but does not provide a secure method for that customer to send it, the organization could be complicit in the event of a breach.

The bottom line is that email encryption is not convenient and can be annoying to users. However, it is absolutely necessary to protect private information from prying eyes.

Leveraging Advanced Cybersecurity Strategies

As mentioned above, a comprehensive cybersecurity strategy has three components: people, process, and technology. While the technology (tools and systems) used to protect businesses is just one piece of the cybersecurity puzzle, it plays an important role.

The Role of Cybersecurity Tools and Software

As bad actors have honed their skills in recent years, organizations can no longer rely on simple antivirus and anti-malware tools to keep their data safe. The threat landscape demands that advanced cybersecurity tools be implemented to secure sensitive data and detect and respond to threats.

Endpoint Protection. To protect end-user devices such as laptops, desktops, and mobile devices, a layered approach to security is necessary. Next-generation antivirus (NGAV) is more robust than traditional antivirus and can detect anomalous processes triggered by a possible infection. Traditional AV, on the other hand, only detects known viruses. For more information, download our guide to Layered Security.

SIEM Systems. Security Information and Event Management (SIEM) solutions collect and aggregate telemetry data from various sources within an organization’s IT environment. Organizations can use this data to identify patterns and anomalies that may indicate a cybersecurity threat.
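A concrete instance of the "patterns and anomalies" a SIEM looks for is a burst of failed logins from one source followed by a success. The Python below is an added example, not code from the article or from any SIEM product: it parses constructed sshd-style log lines (sample data, not real logs) and flags a source address that exceeds an assumed threshold of five failures within 60 seconds, escalating if that address then logs in successfully.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample lines in an sshd-style format; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T09:00:03 sshd[1202]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-03-01T09:00:04 sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T09:00:06 sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
2024-03-01T09:00:08 sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-03-01T09:00:09 sshd[1206]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2024-03-01T09:05:10 sshd[1301]: Failed password for alice from 192.0.2.50 port 40001 ssh2
2024-03-01T09:20:30 sshd[1302]: Accepted publickey for alice from 192.0.2.50 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Detection thresholds assumed for this example; tune to the environment.
FAIL_THRESHOLD = 5
WINDOW_SECONDS = 60


def parse(log_text: str) -> List[Dict]:
    """Turn raw lines into structured events; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_brute_force(events: List[Dict], threshold: int = FAIL_THRESHOLD,
                       window: int = WINDOW_SECONDS) -> List[Tuple]:
    """Sliding-window rule: >= threshold failures from one IP inside `window` seconds
    raises a brute_force alert; a later Accepted from a flagged IP is escalated."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["time"])
            while (ev["time"] - q[0]).total_seconds() > window:
                q.popleft()   # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, ev["time"]))
        elif ev["result"] == "Accepted" and ip in flagged:
            alerts.append(("success_after_brute_force", ip, ev["time"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse(SAMPLE_LOG)):
        print(alert)
```

The single failure from 192.0.2.50 followed by a key-based login minutes later is ordinary user behaviour and produces no alert, which is the point of correlating count, time window and outcome rather than alerting on every failed login.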

Access Management. Access management is a fundamental concept of cybersecurity that controls who has access to what resources and systems on an organization’s network. Granting users the absolute minimum level of access and permissions needed to perform their tasks decreases the potential impact of security breaches and insider threats. Access management has more to do with administrative policies. However, tools such as MFA can enhance security by requiring users to provide a second form of verification before accessing assets on a network.

Engaging Cybersecurity Professionals

Cybersecurity is complex and constantly evolving, making it challenging to stay on top of trends and threats. All businesses, but especially those in highly regulated industries such as healthcare, insurance, legal, critical infrastructure, or financial services, can benefit from consulting with a well-respected cybersecurity firm.

A cybersecurity specialist will start with a comprehensive risk assessment, taking into account an organization’s people, processes, and technology to identify assets, threats, and vulnerabilities. This type of audit offers a broad and strategic view of risks and allows companies to prioritize those risks based on potential impact.

Other assessments that a cybersecurity firm might perform are vulnerability scans and penetration tests, which are more technical in nature. Similar to the risk assessment, vulnerability scans and pen tests are designed to assess a network’s security posture, but each offers unique insights that provide a more complete picture of an organization’s security posture.

A vulnerability scan involves scanning systems, networks, and applications for known vulnerabilities. These scans can take weeks to complete and involve many hours of analysis to identify, quantify, and prioritize vulnerabilities in the organization’s assets.

Unlike vulnerability scans, pen tests actively exploit vulnerabilities to determine what information and systems bad actors can access. These tests are done by White Hat Hackers, also known as Certified Ethical Hackers, and provide valuable insight into the potential impact of a breach.

Conclusion: Integrating the 80/20 Approach to Cybersecurity

In summary, implementing the 80/20 guide to cybersecurity can significantly reduce the likelihood of a devastating cybersecurity incident. Consider implementing the following cybersecurity tips:

  • Provide cybersecurity training for end users.
  • Practice good password hygiene and use a password manager.
  • Implement MFA on all systems and applications.
  • Don’t neglect software and hardware updates.
  • Use a VPN.
  • Stay safe online and practice secure web browsing.
  • Protect sensitive information with secure email.

By following these best practices, businesses can potentially mitigate 80 percent of the risks associated with vulnerabilities and threats.
