January 1, 2020 By Douglas Bonderud 5 min read

The new year has arrived, and with glasses raised and timeless stories recounted, we can now look to that well-meaning but often short-lived practice we know too well: setting resolutions.

Industry leaders often make fulsome commitments to changing systems for the better, fully intending to carry through, but they may end up missing the mark once the holiday shine wears off and the cold, hard reality of January sets in. As Forbes noted, just 25 percent of people make it 30 days into the new year with their resolution still in place, and only 8 percent turn their resolutions into reality.

With business email compromise (BEC), phishing attacks and even old-school malware reboots on the rise, how can you beat the odds with your security New Year’s resolutions? How can you stay the course when things don’t go as planned? Let’s answer these questions by looking at some security bad habits you should be rid of right now so you can tackle the top goals for both enterprises and end users to maximize cybersecurity posture.

Break Your Bad Security Habits

The first step toward a better you is giving up bad habits. Abstaining from fatty foods and alcoholic drinks tends to top the list of personal promises, but it’s often difficult to go without them since they’re simply so familiar.

This can also hold true for cybersecurity best practices. Before industry CISOs and end users can improve their 2020 outlook, they need to give up bad habits — even if they’re hard to break. Three of the worst IT offenders include:

  • Weak passwords: In many cases, weak doesn’t do it justice. As recent data from the U.K.’s National Cyber Security Centre (NCSC) showed, some of the most common passwords cracked by cybercriminals this year included absolute gems like “pokemon,” “superman,” “qwerty,” “password” and everyone’s favorite, “123456.” Why do weak passwords remain so popular? They’re easy to create and easier to remember, but they also pose absolutely no barrier to even slightly determined hackers.
  • Free or public Wi-Fi: Free Wi-Fi is simple, convenient and fraught with potential security challenges — everything from man-in-the-middle (MitM) attacks to network spoofing and plain old eavesdropping can take place. Despite these dangers, 77 percent of staff still say they connect to free Wi-Fi when they’re away from the office.
  • Security blind spots: The increasing risk of cybersecurity attacks often creates blind spots for C-suite executives. Some take a fatalistic approach and assume that since compromise is inevitable, it’s not worth the time and resources to defend the indefensible. Others aim for perfection with their cybersecurity best practices and become frustrated when it becomes apparent that this is an impossible mark.

Skip the Resolution — Set Enterprise Security Goals Instead

Why do security New Year’s resolutions fail? Because they tend to prioritize promises instead of planning. Goals, meanwhile, focus on measurable outcomes tied to specific time frames, which can enable individuals and enterprises to measure their success and adapt to setbacks better. The all-encompassing nature of resolutions makes it easy to fail — skip the gym once and what’s the point? “Might as well give up.”

On the other hand, goals can provide attainable steps at a reasonable scale to help guide success instead of assuming that determination will be enough on its own. So what does this look like in practice? Here are a few New Year’s resolutions re-imagined to provide goal-driven outcomes.

Exercise More

This stands as the classic New Year’s resolution. It leads to overcrowded gyms come January 1 — and gym memberships collecting dust by the first week of February.

For enterprise cybersecurity, exercise comes down to stretching your defensive muscles as often as possible to ensure your networks and services aren’t at risk. While promises to “increase IT security” can easily fall flat, there are several steps companies can take to ensure this resolution carries momentum.

Start by creating a regular test schedule that leverages in-house talent to evaluate phishing resilience with training and email campaigns. Then, outsource some of the heavy lifting to security providers who can deliver both robust penetration testing and red-team exercises to find weaknesses in places you may not expect.

Save More, Spend Less

Every company makes this resolution and either breaks it when new cybersecurity threats emerge or sticks to it at the expense of effective defense. Here, goal-setting demands solutions to root causes instead of security symptoms. Consider passwords, for instance. Deploying password restrictions and mandatory updates every 60–90 days can help reduce overall risk, but a larger problem exists: identity.

Start by layering access security with two-factor or biometric authentication, and then deploy identity and access management (IAM) tools that provide granular control over permissions. While achieving this goal may require some initial spending, the long-term savings should outweigh the cash outlay.

Learn a New Skill

Enterprises are facing a cybersecurity skills gap. This makes it easy to avoid goal-setting, as when you’re just staying ahead of new threats, resolutions can seem out of reach. Here, it’s all about leaning into a new skillset: artificial intelligence (AI).

AI tools can help cover security blind spots and close skill gaps by taking over tedious work such as data collection and pattern detection. At the same time, they free IT staff to work on more mission-critical problems. Your best bet is to look for industry leaders with experience in AI, machine learning and cybersecurity deployment.

Bolster Your Personal Protection — Think Like a Business

Individuals came under threat this year as malicious actors recognized the value of personal data and the often limited scope of personal IT protection. To stay safe in 2020, end users must think like enterprises and identify their most valuable assets, deploy defensive measures and regularly evaluate their security posture. To that end, here are some personal cybersecurity best practices for the new year.

Adopt a Zero-Trust Model

Apps are everywhere, and they all want permissions. But does your new loyalty card application really need camera and microphone access? Why does a video-streaming app want your contact list? Improving security in 2020 starts by adopting the enterprise mindset of zero trust: Instead of granting permission, err on the side of refusal until you can verify application trustworthiness.

Read Between the Lines

Attackers are coming for your data, with billions of accounts being compromised year after year. Email remains the easiest way to crack user cybersecurity, so train yourself to read between the lines like enterprise IT. Always ask the following questions: Was I expecting this email? Is the message overly urgent or demanding? Does it seem too good to be true? Trust your gut and watch for red flags. If something seems wrong, it probably is.
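The three questions above turned into a small triage check, as an added example that is not part of the original article: the sender allowlist, the keyword lists and the sample message are all constructed for illustration, and a real mail filter would combine far more signals than this.

```python
from dataclasses import dataclass, field

# Constructed sample message: the kind of mail the three questions are meant to catch.
SAMPLE_EMAIL = {
    "from": "rewards@prize-claims.example",
    "subject": "URGENT: claim your $5,000 gift card within 24 hours",
    "body": "Congratulations! You have been selected. Act now or lose this reward.",
}

# Hypothetical allowlist standing in for "Was I expecting this email?"
KNOWN_SENDERS = {"payroll@corp.example", "alerts@bank.example"}

# Phrases that signal "overly urgent or demanding" and "too good to be true".
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "act now",
                 "final notice", "account suspended")
TOO_GOOD_TERMS = ("congratulations", "you have been selected", "gift card",
                  "prize", "free money")


@dataclass
class Verdict:
    score: int = 0                                  # number of red flags raised
    flags: list = field(default_factory=list)       # human-readable reasons


def _contains(text: str, terms) -> list:
    """Return the phrases from `terms` that occur in `text` (case-insensitive)."""
    text = text.lower()
    return [t for t in terms if t in text]


def triage(email: dict, known_senders=KNOWN_SENDERS) -> Verdict:
    """Apply the three questions to one message and report the red flags found."""
    v = Verdict()
    sender = email.get("from", "").lower()
    text = f"{email.get('subject', '')} {email.get('body', '')}"
    # Was I expecting this email? An unknown sender is one flag, not a verdict.
    if sender not in known_senders:
        v.flags.append(f"unexpected sender: {sender}")
    # Is the message overly urgent or demanding?
    hits = _contains(text, URGENCY_TERMS)
    if hits:
        v.flags.append("urgency: " + ", ".join(hits))
    # Does it seem too good to be true?
    hits = _contains(text, TOO_GOOD_TERMS)
    if hits:
        v.flags.append("too good to be true: " + ", ".join(hits))
    v.score = len(v.flags)
    return v
```

A score of 2 or more on the sample above is a "something seems wrong" signal worth a second look before clicking anything.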

Define (and Defend) Your Network

Corporate networks span servers, data centers and cloud providers, but consumer networks are also on the rise, connected by financial, retail, healthcare and government accounts and applications. This year, resolve to limit risk by defining your network — where do your accounts live? Are they all current? Do they share passwords? What type of information do they store and access? Definition can empower your defense and allow you to curate and manage your personal IT presence better.
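The inventory questions above (where accounts live, whether they are current, whether they share passwords) run against a constructed account list, as an added example that is not part of the original article; it also applies the NCSC weak-password list from earlier in the piece. Passwords are reduced to a short hash fingerprint so the inventory file itself never holds a secret; the services, dates and fingerprints are all made up.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Weak passwords named in the NCSC data cited above.
WEAK_PASSWORDS = {"pokemon", "superman", "qwerty", "password", "123456"}


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix used only to compare passwords, never to store them."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


# Constructed inventory: one row per account, with a fingerprint instead of the password.
ACCOUNTS = [
    {"service": "bank.example",   "category": "financial",  "last_login": date(2019, 12, 20), "fp": fingerprint("Tr0ub4dor&3")},
    {"service": "shop.example",   "category": "retail",     "last_login": date(2019, 11, 2),  "fp": fingerprint("Tr0ub4dor&3")},
    {"service": "clinic.example", "category": "healthcare", "last_login": date(2018, 3, 15),  "fp": fingerprint("correct horse battery")},
    {"service": "tax.example",    "category": "government", "last_login": date(2019, 4, 10),  "fp": fingerprint("qwerty")},
]


def audit(accounts, today=date(2020, 1, 1), stale_days=365):
    """Answer the inventory questions: where accounts live, which are stale,
    which share a password, and which use a known-weak password."""
    by_category = defaultdict(list)   # where do your accounts live?
    by_fp = defaultdict(list)         # do they share passwords?
    stale = []                        # are they all current?
    weak_fps = {fingerprint(p) for p in WEAK_PASSWORDS}
    weak = []
    for a in accounts:
        by_category[a["category"]].append(a["service"])
        by_fp[a["fp"]].append(a["service"])
        if (today - a["last_login"]).days > stale_days:
            stale.append(a["service"])
        if a["fp"] in weak_fps:
            weak.append(a["service"])
    shared = [svcs for svcs in by_fp.values() if len(svcs) > 1]
    return {"by_category": dict(by_category), "stale": stale,
            "shared_passwords": shared, "weak": weak}


if __name__ == "__main__":
    for key, value in audit(ACCOUNTS).items():
        print(f"{key}: {value}")
```

Each non-empty list is an action item: close or refresh stale accounts, give every shared-password pair its own credential, and replace anything on the weak list first.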

2020 is here, so toss any bad habits and take on new goals in the new year by identifying critical outcomes, defining key metrics and implementing your security New Year’s resolutions step-by-step.
