In today’s constantly changing cyber landscape, answering the question “what does best practice now look like?” is far from simple. While emerging technologies and AI-driven security tools continue to make the headlines and become the topics of discussion, the real pivot point for modern security lies not just in the technological advancements but in context, people and process.
The recent Signal messaging platform incident in which a journalist was mistakenly added to a group chat, exposing sensitive information, serves as a timely reminder that even the most secure platform is vulnerable to human error. The platform wasn’t breached by malicious actors, or a zero-day exploit being utilised or the end-to-end encryption failing; the shortfall here was likely poorly defined acceptable use polices and controls alongside a lack of training and awareness.
This incident, if nothing else, highlights a critical truth within cyber security – security tools are only as good as the environment, policies, and people operating them. While it’s tempting to focus on implementing more technical controls to prevent this from happening again, the reality is that many incidents result from a failure of process, governance, or awareness.
What does good security look like today? Some key areas include:
- Context over features, for example, whether Signal should have been used in the first place;
- There is no such thing as a silver bullet approach to protect your organisation;
- The importance of your team’s training and education;
- Reviewing and adapting continuously.
Security must be context-driven. Business leaders need to consider what their key area of concern is – reputational risk, state-sponsored surveillance, insider threats, or regulatory compliance. Each threat vector requires a different set of controls. For example, an organisation handling official-sensitive or classified data will require not just encryption, but assured platforms, robust access controls, identity validation, and clear auditability.
Conversely, a commercial enterprise concerned about intellectual property leakage might strategically focus on user training, data loss prevention, and device control. Best practice isn’t picking the platform with the cheapest price tag or the most commonly used; it’s selecting a platform that supports the controls and policies required based on a deep understanding of your specific risks and use cases.
There is no one-size-fits-all solution for your organisation. The security product landscape is filled with vendors offering overlapping solutions that all claim to provide more protection than the other. And, although we know some potentially do offer better protection, features or functionality, even the best tool will fail if used incorrectly or implemented without a clear understanding of its limitations. Worse, organisations may gain a false sense of security by relying solely on a supplier’s claims. The priority must be to assess your organisation’s internal capability to manage and operate these tools effectively. Reassessing the threat landscape and taking advantage of the wealth of threat intelligence tools available, helps ensure you have the right skills, policies, and processes in place.
Best practice in 2025 means recognising that many security incidents stem from simple human mistakes, misaddressed emails, poor password hygiene, or even sharing access with the wrong person. Investing in continual staff education, security awareness, and skills gap analysis is essential to risk reduction.
This doesn’t mean showing an annual 10-minute cyber awareness video; you need to identify what will motivate your people and run security campaigns that capture their attention and change behaviour. For example you could consider using engaging nudges such as mandatory phishing alerts on laptops, interactive lock screen campaigns, and quizzes on key policies such as acceptable use and password complexity. Incorporate gamification elements, for example rewards for completing quizzes, and timely reminders to reinforce security best practices and fostering a culture of vigilance.
These campaigns should be a mixture of communications that engage people coupled with training which is seen as relevant by the workforce, as well as meeting role specific needs. Your developers need to understand secure coding practices, while those in front line operations may need training in how to detect phishing or social engineering attacks. In doing so this helps to create a better security culture within the organisation and enhance your overall security posture.
Finally, what’s considered “best practice” today may be outdated by tomorrow. Threats are constantly evolving, regulations change, and your own business operations and strategy may shift. Adopting a cyber security lifecycle that encompasses people, process and technology, supported by business continuous improvement activities and a clear vision from senior stakeholders will be vital. Conducting regular security reviews, red-teaming, and reassessing governance and policies will help ensure that defences remain relevant and proportional to your organisation’s threats.
Encryption, however, still matters. As do SSO, MFA, secure coding practises, and access controls. But the real cornerstone of best practice in today’s cyber world is understanding why you need them, and how they’ll be used in practice. Securing your organisation is no longer just about picking the best platform, it’s about creating a holistic view that incorporates people, process, and technology. And that may be the most secure approach, after all.
Russell Auld is digital trust and cyber security expert at PA Consulting
