
Cybersecurity expert reveals seven essential adjustments to reduce digital risks before 2026.

Entering 2026 with unnecessary active accounts, partial authentication, and untested backups can cost millions. According to IBM's Cost of a Data Breach 2024, the global average cost of a breach reached US$ 4.88 million, while in Brazil the average impact per incident reached R$ 7.19 million in 2025, an increase of 6.5% compared to 2024. Faced with this scenario, the information security consultancy LC SEC has outlined seven practical adjustments that companies of all sizes can apply in December or early in the year to reduce digital risks and protect sensitive information:

1. Credential and access cleanup drive

The first step is to list all accounts linked to the company's domain, including employees, interns, temporary workers, third parties, service accounts, and integrations, and immediately deactivate those that are no longer necessary. The focus is to eliminate orphaned accounts, temporary accesses that became permanent, and unknown generic users. “This significantly reduces the attack surface, closing doors that often remain open for years,” explains Luiz Claudio, CEO of LC SEC.

2. Adjust privileges to the minimum necessary

After identifying who truly needs access, the next step is to review and reduce excessive privileges. This includes administrator profiles, cloud keys, and service accounts with “unlimited powers.” For Luiz, the rule is simple: “Each access must be proportional to the role, preventing an error or breach from a compromised user from turning into a high-impact corporate risk.”

3. Prioritize MFA where it hurts most

Even with advances in large companies, almost two-thirds of small and medium-sized businesses still do not use multifactor authentication (MFA) nor plan to adopt it. LC SEC recommends making it mandatory for the most critical systems, such as corporate emails, VPNs, ERPs, CRMs, and cloud consoles, starting with executives, finance, and IT teams. “This measure drastically reduces the likelihood of breaches via stolen credentials,” points out the expert.

4. Check for password leaks before New Year's Eve

With billions of passwords circulating in criminal databases, checking if corporate credentials have already been exposed is essential. Specialized tools allow identifying and forcing the change of compromised passwords, blocking reuse, and reinforcing MFA, reducing the risk of targeted phishing or infostealer attacks.

5. Give logs a reality check

Having monitoring systems is useless if critical events are not logged. LC SEC advises validating whether logins, login failures, user creation and deletion, privilege changes, and non-standard access are being properly monitored. Better logs help reduce detection and response time, which can mean savings of millions in case of a breach, according to the IBM Cost of a Data Breach.

6. Put backups to the test

Ransomware often targets backup repositories: 96% of attacks have this objective, and 76% succeed in compromising copies, according to the Veeam Ransomware Trends Report 2024. Therefore, it is essential to test restorations, maintain immutable or offline copies, and strictly control who can alter or delete backups. “These measures increase resilience and reduce critical data loss,” says the executive.

7. Tie it all together with clear communication for the team

Finally, consolidating these actions with internal communication is crucial. Campaigns such as “access reset week” explain to the team why passwords were changed, MFA expanded, and logs reviewed. This humanized approach reduces resistance, strengthens the security culture, and ensures each employee understands their role in protecting the company.

Luiz Claudio states, “The intensification of the campaign marks the shift from ‘taking the course’ to adopting security as everyday behavior. There is still a perception that awareness is a checklist, but that no longer works. Our goal is to support companies in this cultural change.” With these seven measures, companies of different sizes can significantly reduce their exposure to digital attacks, turning the transition from 2025 to 2026 into a milestone of information security maturity.

E-Commerce Update (https://www.ecommerceupdate.org)