October is here, which means Cybersecurity Month has officially kicked off. Cue the awareness campaigns, webinars, and endless posts about password hygiene. All good stuff, really. But every year I find myself asking the same question: are we actually fixing anything, or just talking about fixing things?

After years of working with companies on their security posture, I keep seeing the same gaps. Not the complex, cutting-edge threats that make headlines. Just the fundamental practices that should have been sorted years ago but somehow still aren’t.

Here’s my simple pitch for this Cybersecurity Month: let’s actually fix things. Not just talk about them. These are three basics I keep seeing missing, and what you can do about them.

Multi-Factor Authentication: still not everywhere

This one frustrates me the most because it’s 2025 and we’re still having this conversation.

I see it constantly: critical systems that allow login with just a password. MFA that’s “available” but not enforced. Legacy exceptions nobody remembers setting up. And usually, it’s the most critical systems that have these holes, the ones that would actually hurt if compromised.

Here’s what needs to happen: check every single system. Not just the obvious ones. Enforce MFA everywhere. No exceptions, no “we’ll get to it next quarter,” no admin accounts that bypass it because it’s “more convenient.”

And when I say enforce, I mean enforce. Not the kind where you can hit “remind me later” forever. Make it impossible to log in without that second factor. Yes, people will complain. Yes, it adds friction. But you know what adds more friction? A breach.

Legacy VPNs: time to let go

That VPN has been there forever. It works (mostly). People know how to use it. Replacing it feels like a massive project nobody has time for.

But here’s the reality: many of these solutions are unpatched. Known vulnerabilities, exploits available to anyone, and the only thing protecting you is luck. That’s not a strategy. That’s just hoping nothing bad happens.

Even if you patch constantly, the architecture itself is the problem. These solutions were built for another era. They assume “inside the network = trusted.” They don’t enforce proper identity hygiene. They don’t fit how people actually work today.

Zero Trust isn’t just a buzzword. It’s a better model, one that evaluates every access request by location, device, and context rather than by where the user sits on the network. The castle and moat idea doesn’t cut it anymore.

I’m not saying rip everything out tomorrow. But if you’ve had “replace VPN” on the to-do list for two years, this is your sign. Make a plan. Start the conversation. At minimum, audit what you’ve got and understand the risk you’re carrying.

Vulnerability management: everyone’s problem, nobody’s job

This is the one that keeps me up at night. Not because it’s dramatic, but because it’s so quiet. Unpatched systems just sitting there. No process. No ownership. Just the vague sense that “someone” will look at it eventually.

The problem is that nothing bad happens until something really bad happens. You can ignore vulnerabilities for months, even years, and everything looks fine. Until it very much isn’t.

You need a real process here. Not a spreadsheet. Not an occasional scan. A system. Identify vulnerabilities, assess risk, prioritize remediation, track progress. And give someone clear ownership.

Most organizations need a partner for this. Whether that’s Netox or someone else, you need expertise. This isn’t something you can half-do. Either you have a mature vulnerability management practice, or you’re hoping nothing breaks.

The hardest part is risk management. Not every vulnerability needs fixing tomorrow. But you need to decide which ones to fix and which ones to accept, based on risk. Not just what’s easiest.

Why only three?

I could list ten, or twenty. There’s always more to do. But security is like a puzzle: you need the edge pieces before you can see the picture. These three are part of your edge pieces.

If they’re weak, everything else is guesswork. You can have the best incident response plan in the world, but if someone logs in with a stolen password because you didn’t enforce MFA, that plan just becomes expensive documentation. You can train users all you want, but if your old VPN is sitting there with known exploits, all that training is just theory.

Everything matters in security. Not just some things.

And let’s be honest: we live in a 24/7/365 world. Threats don’t wait for office hours. Attackers don’t take weekends off. Which means your security posture can’t be 9-to-5 either. That’s why partnerships matter. Why having someone like Netox matters. Because you can’t be awake all the time, but your security needs to be.

Every month should be Cybersecurity Month

Here’s the uncomfortable truth: dedicating one month a year to security is like going to the gym every January and wondering why you’re not in shape by December. Security isn’t a campaign. It’s not an awareness week. It’s the daily work of staying protected in a world where threats never take a break.

October can be a spark. A reminder to finally tackle the things that have been on the list too long. But don’t let it be the only time you think about security.

The three fundamentals I’ve talked about here are not October problems. They’re ongoing practices. MFA configurations drift. New systems get added. VPN replacements take time. Vulnerability management is never finished. It’s continuous by definition.

That’s why partnerships matter. Why having dedicated expertise matters. Because security can’t be a side project. It needs focus, skill, and that 24/7/365 capability to react when things go wrong. And they will go wrong. That’s not pessimism. That’s reality.

So use Cybersecurity Month as your excuse to start. Get the approvals. Allocate the budget. Make the case to leadership that this can’t wait another year. But then keep going. Make every month the month where security actually gets done.