Adopting a proactive cyber hygiene approach
Timothy Mayers Jr., CISSP, CEH, CCSK, Delviom - Chief Cyber Solutions Architect
More than ever, organizations must adopt a systematic security posture that proactively addresses each device, user, and asset across the IT enterprise. According to the FBI’s Internet Crime Complaint Center (IC3), 2024 marked the largest amount of annual losses reported, at over $16.6 billion, with ransomware as the most pervasive threat [1]. Proactive cyber hygiene is an effective practice that identifies weaknesses before they are exploited and proactively fulfills regulatory compliance requirements. As depicted in the corresponding graphic, leading industry guidance recommends a three-component strategy for proactive cyber hygiene consisting of 1) Vulnerability Management, 2) Penetration Testing, and 3) Cybersecurity Education to help organizations stay ahead of cyber attackers.
Vulnerability Management
Vulnerability Management applies an iterative and continuous process to proactively identify endpoints with vulnerabilities across the enterprise, determine the level of exposure, evaluate the impact of successful exploitation, and perform the necessary risk mitigation steps in a timely manner. According to the 2025 Verizon Data Breach Investigations Report (DBIR) [2], of the 13.5 million vulnerabilities with publicly disclosed Common Vulnerabilities and Exposures (CVE) IDs, only 9% have been remediated, with 85% reported as partially remediated and 6% as un-remediated. All organizations must leverage resources such as the Known Exploited Vulnerabilities (KEV) catalog [3] maintained by the Cybersecurity and Infrastructure Security Agency (CISA), which lists vulnerabilities that are actively being exploited against public and private organizations. Under DHS Binding Operational Directive (BOD) 22-01, all federal civilian executive branch (FCEB) agencies are required to remediate vulnerabilities in the KEV catalog within the required timeframes. On average it takes 5 days for a vulnerability in the CISA KEV catalog to be mass exploited, so KEV entries should be addressed immediately on any internet-facing asset. Vulnerabilities should be tracked using key performance indicators (KPIs) such as scan frequency, number of devices scanned, and time to remediation from initial notification. These metrics aid decision-making, and remediation should be prioritized based on the risk impact to the organization and its ability to execute its mission or business.
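As a worked illustration of the KEV-driven prioritization and the remediation KPI described above, here is an added Python example (not the author's, Delviom's or CISA's code): it parses a constructed excerpt in the schema of CISA's KEV JSON feed, cross-references it against a constructed scanner inventory, ranks open KEV findings with internet-facing hosts and overdue BOD 22-01 due dates first, and computes mean days from notification to remediation. The CVE IDs, hostnames and dates are placeholders.

```python
"""Cross-check scanner findings against CISA's KEV catalog (added example, not from the article)."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed; the CVE IDs are placeholders.
# Real feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2025-03-01", "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2025-03-10", "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner findings: host, exposure, CVEs found, notification date, fix date (None = open).
ASSETS = [
    {"host": "web-01", "internet_facing": True, "cves": ["CVE-0000-0001", "CVE-0000-0009"], "notified": "2025-03-02", "remediated": None},
    {"host": "vpn-02", "internet_facing": True, "cves": ["CVE-0000-0002"], "notified": "2025-03-12", "remediated": None},
    {"host": "db-01", "internet_facing": False, "cves": ["CVE-0000-0002"], "notified": "2025-03-11", "remediated": "2025-03-18"},
    {"host": "hr-laptop-7", "internet_facing": False, "cves": ["CVE-0000-0001", "CVE-0000-0009"], "notified": "2025-03-05", "remediated": None},
]

def load_kev(feed_json):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def kev_exposures(assets, kev, today_iso):
    """Open findings that match a KEV entry, most urgent first: internet-facing hosts, then furthest past the BOD 22-01 due date."""
    today, rows = date.fromisoformat(today_iso), []
    for asset in assets:
        if asset["remediated"] is not None:
            continue  # already fixed; counted in the KPI below instead
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # vulnerable, but not known-exploited: normal patch cadence
            days_past_due = (today - date.fromisoformat(entry["dueDate"])).days  # negative: still in window
            rows.append({"host": asset["host"], "cve": cve, "internet_facing": asset["internet_facing"],
                         "days_past_due": days_past_due,
                         "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    rows.sort(key=lambda r: (not r["internet_facing"], -r["days_past_due"]))
    return rows

def mean_time_to_remediate(assets):
    """KPI from the article: mean days from initial notification to remediation, over closed findings."""
    spans = [(date.fromisoformat(a["remediated"]) - date.fromisoformat(a["notified"])).days
             for a in assets if a["remediated"] is not None]
    return sum(spans) / len(spans) if spans else None

if __name__ == "__main__":
    for row in kev_exposures(ASSETS, load_kev(KEV_FEED), "2025-03-25"):
        print(row)
    print("mean days to remediate:", mean_time_to_remediate(ASSETS))
```

Against a live inventory the same two functions work unchanged once `KEV_FEED` is replaced with the downloaded catalog text and `ASSETS` with the scanner export.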
Reliable guidance is available to help every organization better manage vulnerabilities, including industry-leading practices from the National Institute of Standards and Technology® (NIST®) and, for cloud security, the Cloud Security Alliance (CSA). Today’s threats require automated solutions that integrate security into the development lifecycle and promote “shift-left” principles. Static Application Security Testing (SAST) must be implemented early in the development process to discover weaknesses in the source code before further implementation and deployment. Web applications are common targets for cyber adversaries. Dynamic Application Security Testing (DAST) is used to identify weaknesses in internet-connected machines, web applications, and Application Programming Interfaces (APIs) and their susceptibility to attack methods such as injection attacks, authentication-based attacks, and Distributed Denial-of-Service (DDoS) attacks. For software development, organizations must incorporate the CISA Secure by Design principles and the secure software development best practices and methods provided by non-profit organizations such as the Open Worldwide Application Security Project (OWASP) and the Software Assurance Forum for Excellence in Code (SAFECode), which identify critical risks to application security and provide fundamental secure development practices.
Penetration Testing
Proactive penetration testing is important for understanding the internal and external vulnerabilities of the organization that could be exploited by cyber threat actors. Red and Blue Team exercises are an effective way for organizations to proactively understand the weaknesses within their attack surface. The Red Team consists of authorized offensive security experts who emulate cyber adversaries and their tactics to compromise the network infrastructure. Red Team members can be drawn from the internal cybersecurity teams who have the penetration testing experience and skills to provide a white-box or gray-box approach that reveals susceptibility to insider threats. Third-party independent testers should be leveraged to perform external black-box testing to understand the weaknesses in internet-facing resources and network connections under advanced persistent threat (APT) scenarios. The Blue Team should consist of personnel responsible for incident response, such as network administration and operations specialists, Security Operations Center (SOC) analysts, and Information System Security Officers (ISSOs). The Blue Team validates the organization’s managerial and technical incident response procedures and processes to monitor, detect, respond to, and recover from targeted attacks. Results from both teams should be shared to produce a Purple Team effect: understanding what was detected and blocked, and which attacks succeeded without detection, helps build custom indicators of compromise (IOCs) and supports the fine-tuning of Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) tools. Red and Blue Team operations should utilize time-tested and proven frameworks such as the Penetration Testing Execution Standard (PTES) and MITRE ATT&CK®, which catalogs the tactics and techniques used by adversaries, along with MITRE D3FEND®, which provides a taxonomy of defensive countermeasures that cyber defenders can use to protect their network environments.
Cybersecurity Education
In today's digital age, cultivating a highly cyber-literate workforce is essential for any organization. While people are an organization's most valuable assets, they also represent significant exposure to external threat actors who use social engineering and credential theft to gain access to networks. According to the FBI’s 2024 IC3 Annual Report, phishing and spoofing were the most reported cybercrimes, with 193,407 complaints. Business Email Compromise accounted for 21,442 complaints, resulting in losses exceeding $2.7 billion. In addition, the Verizon 2025 DBIR stated that humans were involved in 60% of the 10,798 breaches reported.
To safeguard our people and IT infrastructure from increasingly sophisticated cybercriminals, we must equip them with the best technical and educational cyber hygiene resources. Continuous cybersecurity education should extend beyond annual training to regular phishing exercises, brown-bag workshops, and recurring cybersecurity seminars, ensuring that both cybersecurity and non-cybersecurity personnel are well informed and able to protect themselves and customers from cyber threats. The benefits of a highly cyber-literate workforce include increased awareness of cyber threats, enhanced protection of IT assets, and heightened vigilance among users in safeguarding organizational intellectual property and personal information. This vigilance also increases the likelihood that suspicious activity is reported, enabling incident response teams to proactively investigate, communicate, and eradicate potential threats. By fostering cyber literacy, organizations can significantly strengthen their defenses against cyber threats and ensure a safer, more secure operational environment.
Contact Us
If you need help in your cyber journey, we offer access to state-of-the-art cyber hygiene services, including vCISO and cyber advisory services, automated penetration testing, cyber training and education, and project and program management.