Cybersecurity in business: the three foundations we overlook too often
Cyberattacks cost companies billions every year. That much is widely known — or should be. What’s less understood is how far the damage goes beyond financial loss: operations can be paralyzed for days or even weeks, customers lose trust and don’t come back, regulatory penalties pile up, and recovery can take months — if recovery happens at all.
Yet when we work with companies on these issues — and at CreativMinds, it’s been our daily focus for the past seven years — we often see the same pattern: the foundations aren’t in place. There’s a desire for sophisticated solutions, cutting-edge tools, AI-driven threat detection. But the groundwork hasn’t been done. It’s like installing a state-of-the-art alarm system in a house where the windows don’t close properly.
This article is the first in a two-part series. Here, we’ll focus on the foundations: assessing where you really stand, strengthening what needs to be strengthened, and — perhaps most importantly — bringing your teams along in the process. In the second article, we’ll move on to advanced solutions and continuous monitoring.
But let’s start at the beginning.
Step 1: Know where you really stand
Before strengthening anything, you need to understand what you’re protecting — and where the weaknesses are. It sounds obvious when put that way. And yet, how many companies invest in security tools without having a clear view of their own infrastructure? How many buy solutions because a salesperson convinced them, without knowing whether they actually address their real needs?
Security assessment is the starting point for everything else. Without it, you’re operating blind.
The audit: far more than a checklist
A security audit isn’t about ticking boxes on a checklist. It’s about mapping all your assets — hardware, software, data — and methodically identifying what could be exploited by an attacker.
The tools are available and accessible: vulnerability scanners like Nessus, OpenVAS, or Qualys can quickly identify known weaknesses in your systems. Penetration tests simulate real attacks to uncover what automated tools miss. Reviews of network, server, and firewall configurations complete the picture.
But tools alone aren’t enough — far from it. What really matters is configuring them based on your context and business priorities. A critical vulnerability for a bank may not be one for a marketing agency. If you rely on generic settings, you’ll drown in false positives and miss what truly matters.
And then there’s everything tools don’t see. Poorly managed access rights — like a former employee who still has access six months after leaving. Delayed updates because “everything still works.” Incident response procedures that only exist on paper — if they exist at all. None of this will show up in a scan.
An effective audit is iterative. It’s not something you do once and forget. Repeat it at least once a year — quarterly if your environment is critical or you handle sensitive data.
Prioritize risks: not all risks are equal
Identifying vulnerabilities is a good start. Knowing which ones to address first is even better. Because no organization has the resources to fix everything at once.
For each vulnerability, two questions should always be asked: what’s the likelihood it will be exploited? And if it is, what would be the real impact on the business?
Take a simple example. A vulnerability in your internal messaging system, easy to exploit and exposing customer data? High risk — fix it now, this week. A flaw in an isolated, low-impact system that’s difficult to exploit? That can wait until next month.
A simple risk matrix — severity multiplied by likelihood — is often enough to prioritize effectively. More advanced tools exist (RiskLens, Resolver) for complex environments, but what matters most is having a clear method and sticking to it.
And this prioritization work is never finished. It needs to be revisited with every major change: a new application deployed, a move to the cloud, an acquisition, the opening of a new site. The risk landscape is constantly evolving.
From assessment to action
The audit and risk analysis need to lead to something concrete. Not a 200-page document no one will read, but a clear report with prioritized recommendations and a realistic action plan.
What this report should include: a list of identified vulnerabilities, an assessment of the risk associated with each, and concrete recommendations with clear prioritization. And for every recommendation, a justification based on audit data — this makes validation by leadership easier and avoids endless debates.
Then, build an action plan that includes priority actions, implementation timelines, clearly assigned owners, and metrics to track progress.
One recommendation we consistently make: involve leadership from the start. Not just to approve the budget at the end, but to ensure security becomes a strategic topic driven at the highest level. Otherwise, it remains “an IT issue” — and never really moves forward.
Step 2: Strengthen the infrastructure
Once you’ve identified and prioritized your vulnerabilities, it’s time to strengthen what can be reinforced. Network, systems, endpoints — every link in the chain matters, and your overall security is only as strong as your weakest point.
The network: your backbone
Your network is the backbone of your information system. If it’s compromised, your entire business can be affected. We’ve seen attacks bring hospitals, public institutions, and industrial companies to a standstill for weeks.
The basics — still too often missing or poorly configured:
- Firewalls filter incoming and outgoing traffic based on defined rules. But beware: a firewall left with default settings and never reviewed is almost worse than none at all. It creates a false sense of security. Review your rules quarterly and adapt them as your business evolves.
- VPNs secure remote connections through encryption. With the rise of remote work, they’ve become essential. But again, a poorly configured VPN or weak credentials offer little real protection.
- Network segmentation limits the spread of an attack by isolating critical resources. If an attacker gets in through one door, they shouldn’t have access to the entire house. Customer data doesn’t need to sit on the same segment as every employee workstation.
- Monitor your network logs. This is where early signs of abnormal activity appear — unusual login times, unexpected data volumes. But only if someone is actually looking.
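As an added example (not from the article or from CreativMinds), the following Python flags the two early signals the list names, logins at unusual hours and unexpectedly large data volumes, over a few constructed log lines. The key=value log format, the 07:00–20:00 UTC working window and the 1 GiB transfer threshold are assumptions for the illustration, not values the article gives.

```python
"""Flag logins outside working hours and unusually large transfers.

Added example. The log format, the 07:00-20:00 UTC working window and
the 1 GiB egress threshold are assumptions, not the article's values."""
from datetime import datetime, timezone
import re

# Constructed sample log lines (not real traffic): one event per line,
# a timestamp, the event name, then key=value fields.
SAMPLE_LOG = """\
2024-03-04T02:13:55Z login user=jdoe src=10.0.8.23 result=success
2024-03-04T09:02:10Z login user=asmith src=10.0.8.41 result=success
2024-03-04T09:30:00Z transfer user=jdoe dst=203.0.113.7 bytes=5368709120
2024-03-04T10:15:00Z transfer user=asmith dst=10.0.20.5 bytes=2048000
2024-03-04T22:45:02Z login user=asmith src=198.51.100.9 result=success
"""

WORK_START, WORK_END = 7, 20   # assumed working window, UTC hours [start, end)
EGRESS_LIMIT = 1 << 30         # assumed: a transfer above 1 GiB is unexpected
LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")


def parse_line(line):
    """Return (timestamp, event, fields) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return ts, m.group(2), fields


def detect_anomalies(log_text):
    """Return (timestamp, user, reason) tuples for records worth a look."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                     # skip lines we cannot interpret
        ts, event, f = parsed
        in_hours = WORK_START <= ts.hour < WORK_END
        if event == "login" and f.get("result") == "success" and not in_hours:
            alerts.append((ts.isoformat(), f.get("user"), "login outside working hours"))
        elif event == "transfer" and int(f.get("bytes", 0)) > EGRESS_LIMIT:
            alerts.append((ts.isoformat(), f.get("user"), "transfer above egress limit"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(*alert)
```

On the sample above the two night-time logins and the 5 GiB transfer are reported; the daytime login and the small internal transfer are not. Thresholds like these only earn their keep when someone reviews the alerts, which is the point the list item makes.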
Patching: the Achilles’ heel
Here’s a figure worth noting: according to the Ponemon Institute, 60% of data breaches in 2023 were due to known but unpatched vulnerabilities. In other words, flaws for which fixes already existed — but were never applied.
It’s frustrating, because it’s avoidable. No need for expensive tools or rare expertise. Just discipline.
A solid patch management policy means:
- Centralizing patch management with appropriate tools (WSUS, SCCM, ManageEngine, etc.)
- Scheduling regular maintenance windows and communicating them in advance
- Documenting every update applied
- Testing critical updates in a pre-production environment when possible
It’s not glamorous. It doesn’t impress in board meetings. But it works.
Endpoints: every device is an entry point
Desktops, laptops, smartphones, tablets, and increasingly connected devices — anything connected to your network can become an attack vector. And with hybrid work, the attack surface has expanded significantly.
Traditional antivirus solutions are no longer enough. Threats have evolved — protections must too. EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) solutions provide far greater visibility into what’s actually happening on your devices.
Mobile Device Management (MDM) helps maintain control over smartphones and tablets accessing your resources — including personal devices if you allow BYOD.
Multi-factor authentication (MFA) should be enforced across all devices, without exception. Yes, it adds friction. But it’s also one of the most effective ways to prevent unauthorized access.
And above all, adopt a Zero Trust approach: every device must prove it’s legitimate before accessing resources. No default trust — even for “known” devices. Because a compromised device is still compromised, even if it belongs to a trusted employee.
Step 3: Train your teams (the real challenge)
You can have the best infrastructure in the world, the most sophisticated tools, the strongest configurations — if someone clicks the wrong link in a phishing email, everything can fall apart in minutes.
The human factor remains the primary attack vector. Studies vary, but it’s generally estimated that 80–90% of security incidents involve human error at some point. And it’s also the hardest factor to secure, because you can’t “patch” a human the way you patch software.
Training that actually sticks
Forget two-hour PowerPoint presentations that everyone sits through while thinking about something else. That format doesn’t work. People forget 90% of what they hear within a week.
What does work: short formats (10–15 minutes max), interactive, repeated regularly throughout the year. Well-designed e-learning that people can follow at their own pace. In-person sessions with real demonstrations — showing an actual phishing attack is far more impactful than explaining it abstractly. Gamification for those who respond to it, with challenges and rewards.
And most importantly: measure what people actually retain. Regular quizzes — not to shame or punish, but to identify gaps and adjust the content accordingly.
Phishing simulations: learning by doing
Sending simulated phishing emails to your teams is one of the most effective ways to test — and improve — their vigilance in real conditions.
The principle: fake emails that mimic real attacker techniques, sent to all employees. Then you analyze the reactions — who clicked, who reported it, who ignored it.
What matters is what happens next. If someone clicks: no public shaming, no punishment — but immediate, constructive feedback. Here’s what you could have spotted, here’s how to react next time. The goal is learning, not blaming.
Over time, click rates drop significantly. Reflexes improve. People start reporting suspicious emails proactively instead of ignoring them — or worse, clicking.
Clear, living policies
A security policy that sits in a shared folder and no one ever reads is useless. It needs to be accessible, understandable for non-technical staff, and illustrated with real-life examples.
An annual overview of key points, an up-to-date FAQ, regular reminders on critical topics — the goal isn’t for people to memorize the document. It’s for them to know what to do when faced with an unusual situation: who to contact, what not to do, how to respond.
What’s next
These three steps — an honest assessment of your situation, methodically strengthening your infrastructure, and continuous team training — are the foundations. Without them, everything you build on top will be fragile. You can invest in the best tools on the market — it won’t hold.
In the next article, we’ll move up a gear: advanced security solutions (IDS/IPS, encryption, backup strategies) and the implementation of continuous monitoring capable of detecting and neutralizing threats before they cause serious damage.
