In June 2025, cybersecurity researchers discovered a leak of 16 billion passwords in one of the largest data breaches ever, impacting a wide range of platforms and placing billions of users’ information at risk. This incident underscores the urgent need for companies to adopt proactive cybersecurity measures and remain vigilant in the face of evolving threats.
The Rising Costs of Breaches
Despite advancements in security procedures and protocols, the frequency and costs of data breaches continue to rise. The FBI released its Annual Internet Crime Report in April 2025, and the 2024 data detailed reported losses exceeding $16 billion, a 33% increase in losses from the previous year. Given this trend, companies should take proactive steps to minimize cybersecurity risk and protect sensitive information and data while staying informed about updates regarding best practices.
CISA’s Evolving Role
As companies grapple with these escalating challenges, the role of the Cybersecurity and Infrastructure Security Agency (CISA) is increasingly vital in guiding organizations toward effective cybersecurity practices. CISA provides a range of cybersecurity services to government agencies, private sector organizations, and individuals. It also publishes a wide range of ongoing best practices and considerations for organizations striving to reduce their cybersecurity risk exposure.
CISA has recently undergone significant organizational and managerial changes that may affect the way in which cyber threats are monitored and responded to by the federal government. For example, in 2023, CISA expanded its advisory guidance role to include collaboration with international agencies to enhance cyber resilience through initiatives like the Joint Guidance on Deploying AI Systems Securely, which drew upon the expertise of the Australian Signals Directorate’s Australian Cyber Security Centre and the Canadian Centre for Cyber Security.
Adding to the complexity, several of the top officials at CISA have recently departed the agency at both the division and regional levels. For example, five of CISA’s six operational divisions and six of its 10 regional offices lost their leaders in the most recent round of departures. While CISA maintains a prominent role in promulgating cybersecurity guidance, these changes in leadership may impact the agency’s future and new regulatory guidance.
Example Guidance from CISA
As such, companies should collaborate with internal stakeholders to ensure that cybersecurity and privacy remain at the forefront of business-oriented decision-making. Fortunately, example guidance from CISA remains a primary source of cybersecurity best practices.
CISA’s recent guidance offers actionable steps for organizations to reduce their internet exposure to common vulnerabilities and weaknesses that may lead to costly cybersecurity incidents. As the range and number of internet-accessible assets, such as industrial Internet of Things devices, supervisory control and data acquisition (SCADA) systems, and remote access technology, continue to grow, securing these assets becomes increasingly important. CISA recommends the following four steps for reducing internet exposure:
- Assess your current exposure: Identify publicly exposed systems in order to gain visibility into your organization’s online footprint
- Evaluate your necessity of exposure: Determine which assets are required to be internet-accessible for operational purposes, and remove or restrict access for those assets that are not
- Mitigate risks to remaining exposed assets: Engage in steps to secure assets that must remain internet-accessible, including changing default passwords and ensuring systems are up to date with the latest security patches
- Establish routine assessments: Regular and continuous assessments assist an organization in maintaining a secure posture and quickly adapting to new exposure
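The four steps above, worked through as an added example (not CISA’s own tooling): an external-scan inventory is assessed, split by whether exposure is justified, checked for default passwords and missing patches, and diffed against the previous run to catch new exposure. The sample assets, the `REQUIRED` allowlist and the `LATEST` version table are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    port: int
    service: str
    version: str
    default_creds: bool  # True when the scan found vendor default logins still accepted


# Constructed sample inventory (not real hosts): what an external scan might enumerate.
SCAN = [
    Asset("vpn.example.test", 443, "ssl-vpn", "9.1", False),
    Asset("hmi-01.example.test", 502, "modbus", "1.0", True),
    Asset("cam-07.example.test", 80, "http", "2.3", True),
    Asset("rdp-jump.example.test", 3389, "rdp", "10.0", False),
]
# Assumption: the assets the business has explicitly justified as internet-facing.
REQUIRED = {("vpn.example.test", 443), ("hmi-01.example.test", 502)}
# Assumption: the current patched version of each service, per the vendor.
LATEST = {"ssl-vpn": "9.3", "modbus": "1.0", "http": "2.3", "rdp": "10.0"}


def assess(scan):
    """Step 1: visibility into the footprint, as a sorted list of exposed host:port pairs."""
    return sorted((a.host, a.port) for a in scan)


def evaluate(scan, required):
    """Step 2: split exposed assets into those that must stay and those to remove or restrict."""
    keep = [a for a in scan if (a.host, a.port) in required]
    remove = [a for a in scan if (a.host, a.port) not in required]
    return keep, remove


def mitigate(keep, latest):
    """Step 3: mitigation findings for assets that stay exposed (default passwords, patch level)."""
    findings = {}
    for a in keep:
        issues = []
        if a.default_creds:
            issues.append("change default password")
        if a.version != latest.get(a.service, a.version):  # naive string compare for illustration
            issues.append(f"patch {a.service} {a.version} -> {latest[a.service]}")
        if issues:
            findings[(a.host, a.port)] = issues
    return findings


def new_exposure(previous, current):
    """Step 4: routine re-assessment, reporting host:port pairs that appeared since the last run."""
    return sorted(set(current) - set(previous))
```

Running `mitigate(evaluate(SCAN, REQUIRED)[0], LATEST)` yields the two remediation items for the justified assets, while `new_exposure` over two successive `assess` results surfaces anything that was not exposed last time.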
While this guidance provides a framework by which companies can determine a starting point to reduce cybersecurity vulnerabilities and weaknesses, operationalizing these processes as tailored to the specific needs of an individual business or company is crucial to successful, long-term implementation. Companies should look to organizations such as CISA for a general approach; however, given CISA’s shifting structure, internal stakeholders should follow that guidance while independently anticipating what will work most effectively as a complement to the individual business’s culture. Organizations must hold themselves accountable, ensuring that cybersecurity is not just an IT issue but a core business priority.
Cybersecurity’s Importance Is Here to Stay
Now is the time for businesses to take decisive action, leveraging CISA’s insights to safeguard their digital assets and maintain customer trust. In light of the rapidly changing landscape of cybersecurity and cybersecurity regulation, organizations should continue to adapt by implementing robust security protocols that include following CISA updates and guidance. By doing so, affected organizations can better protect their assets and maintain the trust of their customers in an increasingly digital world.
Summer Associate Danielle Genovese contributed to this post.