"Assume breach" is the popular computer defense strategy based on the idea that your company is either already breached or could easily be breached by a dedicated attacker. There is a lot of validity to this approach. Most companies and organizations are super easy to hack and compromise. However, it doesn't have to be this way.

Some senior management folks might find this strange, but you can make your organization significantly harder to breach. In fact, just a handful of defenses can do more to lower your cybersecurity risk than anything else. These include fighting social engineering and phishing better, patching the software most likely to be attacked far better, and requiring multi-factor authentication (MFA) for all logons. This won't guarantee that you won't be attacked, but it does reduce the risk. How much?

Depending on which survey you read, up to 91 percent of all cyber attacks begin with a successful phishing attempt. Think of the benefit you would get just from an effective social engineering awareness program. Based on my experience, doing significantly better at all three things might reduce your cybersecurity risk by 99%. An assume-breach strategy will not do that. Assume breach is after the fact: you're just trying to limit the damage by detecting the bad guys earlier and limiting their spread.

If you want to stop getting hacked, you have to concentrate on not getting hacked in the first place. You can't completely get rid of assume-breach strategies like better security monitoring, domain isolation and intrusion detection. Sadly, most organizations are spending more money on assume-breach defenses instead of prevent-breach strategies.

Patching and anti-social engineering and phishing programs most effective

Two of the three defenses I mentioned above, fighting social engineering and patching software, are not expensive. You're already paying for them. Just do them better. You're probably only spending 5% or less of your IT security budget on the two problems that likely make up 90% or more of your risk. In most organizations, it's nearly 100% of the risk.

Use multi-factor authentication when and where you can

Fighting social engineering and patching will decrease your cybersecurity risk the fastest. Requiring MFA across all organizational logons is probably the third best thing you can do to lower your risk. Many passwords are compromised because of the first two issues, and most people re-use the same passwords across different sites. It's a mess. The only way to fix it is to require MFA logons. Unfortunately, I don't know of an MFA solution that works across all software, services, logons and devices. The best that you can do is to pick an MFA solution that works across the largest number of your sites, services and devices.

Ensure you have reliable backups for everyone

I'm amazed by how many companies with supposedly good backups pay the ransom from ransomware that has locked up their systems. They often say they have good backups, but the time and resources needed to restore those backups would cost more than paying the ransom. Well, I've got news for you. Many companies pay the ransom and the unlock keys don't work, or the criminal culprit just doesn't try to help them. If you can't trust your backup solution to help with a massive restore event, then perhaps you need a better backup system.

Use your company's cybersecurity experience to figure out the rest

After you implement those four defenses, what you do next is up to you and your company's cybersecurity weaknesses. Some companies, like those that develop lots of public and in-house software, should probably focus on better securing the software they write. Other companies are traditionally under the threat of denial-of-service attacks and should strengthen their DDoS defenses. A lot of super-secure companies that don't suffer breaches implement whitelisting application control software.

Figure out where your remaining cybersecurity gaps are and fill them, but only after fixing the first four problems I recommend above. You can do significantly better in preventing breaches. Assume-breach defenses are OK and needed, but they can't beat stopping breaches in the first place.