Responsive Navbar Refined

From ‘Easy Target’ to ‘Digital Fortress’: Building and Maintaining a Strong Security Posture

by William Downing | January 08, 2025

From ‘Easy Target’ to ‘Digital Fortress’: Building and Maintaining a Strong Security Posture

Maintaining a Strong Security Posture

When I was a young recruit going through the training academy, my sergeant told us a story. He spoke of an off-duty officer who was ambushed and attacked at a convenience store while stopping on his way home. Later, the criminal was interviewed and asked why he chose that particular officer. His answer was simple:

“Because he looked like a target.”

Naturally, this begs the question: What makes someone look like a target? According to the story, the officer’s appearance gave him away. His boots weren’t shined, his uniform looked shabby, and his laces weren’t properly tied. Although I sometimes question the veracity of this anecdote — it could well be a tactic to scare new recruits — I’ve grown to appreciate the wisdom in its underlying message.

Put yourself in the attacker’s shoes: If you were going to rob someone, who would you choose? The well-groomed person who carries themselves with confidence, or the individual walking with slumped shoulders, eyes on the ground, and an overall aura of insecurity? For criminals who want the maximum reward with the minimum effort, the answer is obvious.

This principle goes far beyond personal appearance. Every day, criminals look for the “easy” target — be it a car, a building, or a computer system. Which car would you steal? The one with advanced anti-theft systems, or the older model that disabled an immobilizer feature to cut costs? Which building would you break into? The one with a security guard and an alarm system, or the one with an uncovered window in the back? And from a cybersecurity standpoint, which system would you hack? The one with updated software, patch management, and layered defenses, or the one that hasn’t upgraded its modem in 15 years?

The choice is clear. In fact, there are numerous automated tools that scan for outdated software and publicly known vulnerabilities — giving cybercriminals a convenient list of entry points to exploit. When there are so many low-hanging fruits, why waste time trying to penetrate well-fortified systems?

This concept is often referred to as your “security posture.” Just like having strong posture in everyday life, having a solid security posture can deter or eliminate many problems before they arise. But how does one achieve and — just as importantly — maintain it?

Much like correcting your physical posture, strengthening your security posture requires conscious effort at first. It may feel awkward or cumbersome in the beginning, but if done correctly, it becomes second nature. Below are some critical steps and best practices:

1. Engage Everyone — Starting with Leadership

A strong security posture is a company-wide responsibility, and it begins at the top. Management must set the standard. This includes:

  • Regular Cybersecurity Training: Your employees can’t be expected to follow best practices if they’re not informed about them. Make sure you offer periodic training sessions on phishing awareness, social engineering tactics, and safe internet usage.
  • Clear Policies and Expectations: Establish guidelines for password management, device usage (especially if you allow BYOD — Bring Your Own Device), and data handling. There’s nothing wrong with setting high standards as long as they are unambiguous, well-documented, and easily accessible.
  • Scheduled Patching and Updates: Keeping systems and software up-to-date is one of the easiest ways to close security gaps. Develop a patch management schedule and hold people accountable for adhering to it.
  • Incident Response and Escalation Paths: What if an employee suspects they’ve received a phishing email? What if a computer is acting suspiciously? Clearly define the chain of command and processes for reporting potential threats and anomalies. In an emergency, knowing whom to contact can mean the difference between a minor incident and a major breach.
Incident response planning

Practice before it happens

2. Make It Easy to Do the Right Thing

Implementing policies is one thing; making them easy to follow is another. Many well-intentioned security measures fail because they place unnecessary burdens on staff. Consider the example of a Japanese delivery company that requires drivers to clean and inspect their vehicles before heading out. This could be time-consuming, but they streamline the process by providing a fully stocked cleaning station in each vehicle stall, plus an inspection sheet and a drop box right there on site.

Relating this back to cybersecurity:

  • Streamlined Tools and Automated Systems: Provide user-friendly password managers, auto-update tools, or single sign-on (SSO) solutions that make compliance effortless. If employees have to jump through hoops, they’re more likely to circumvent your security measures.
  • Centralized Knowledge Base: Host a well-organized, easily searchable repository of FAQs, tutorials, and guides to answer basic security questions and provide step-by-step instructions for common tasks.
  • One-Click Reporting: Make reporting suspicious emails or activities as simple as clicking a button in an email client or opening a short online form. Eliminate the friction of having to hunt for the right contact or the right form.

3. Layered Defenses

Just as a determined criminal will try multiple avenues — windows, doors, back entrances — attackers will probe your digital environment from different angles. At this point, most of these defenses are well known cornerstones of good cybersecurity practices, but it never hurts to remind ourselves of the fundamentals:

  • Firewalls and Intrusion Detection Systems (IDS/IPS): These act as a first line of defense, monitoring incoming and outgoing network traffic and blocking known malicious activity.
  • Endpoint Protection: Beyond just antivirus, look for endpoint detection and response (EDR) solutions that can identify and isolate suspicious behavior on individual devices.
  • Multi-Factor Authentication (MFA): MFA adds an additional layer of verification (e.g., a one-time code on a smartphone) to ensure that even if a password is compromised, the attacker still can’t gain access.
  • Encryption: Whether it’s data at rest or in transit, encryption reduces the risk of intercepting sensitive information — even if bad actors manage to gain access to your networks or devices.
Shrek meme

Shrek knows best

4. Regular Testing and Auditing

A security posture isn’t static; threats evolve, and so must your defenses. Proactive measures include:

  • Vulnerability Scanning: Use automated tools (or partner with a cybersecurity firm) to regularly scan your systems for weaknesses. Address any findings promptly.
  • Penetration Testing: Ethical hackers can simulate real-world attacks to find gaps before criminals do.
  • Policy and Procedure Audits: Even the best policies can become outdated or circumvented over time. Conduct periodic reviews to ensure your guidelines align with current best practices and business operations.
  • Tabletop Exercises: Walk through hypothetical attack scenarios with your team. This helps everyone understand their roles and responsibilities in a crisis and clarifies any procedural gaps.

5. Foster a Culture of Security

Ultimately, a strong security posture isn’t just about hardware and software. It’s about mindset. When employees — from management to entry-level — genuinely care about security, they become your strongest line of defense.

  • Reward Good Security Behavior: Recognize employees who report phishing emails or come forward with suspicious findings. Positive reinforcement goes a long way in building a proactive culture.
  • Open Communication: Encourage employees to ask questions and voice concerns without fear of ridicule or reprisal. Make it clear that security is everyone’s responsibility and that no question is too basic or unimportant.
  • Ongoing Education: Offer short, engaging lessons on current threat trends, safe data handling, and emerging risks. Regular reminders keep security front of mind.
Shaking Hands

Conclusion

Maintaining a strong security posture can appear daunting, but by prioritizing ease of compliance and clarity of expectations, you dramatically increase your chances of success. Think of the off-duty officer who “looked like a target” and remember that criminals overwhelmingly prefer the path of least resistance. Whether you’re securing a physical building or your organization’s IT infrastructure, making your systems appear less vulnerable can deter an attack before it ever begins.

We all have a part to play in guarding against threats — both physical and digital. By engaging everyone in your organization, simplifying best practices, and continuously updating your defenses, you’ll foster a culture where good security habits become second nature. The result is a robust, resilient environment — one that criminals would rather not waste their time on.