January 1, 2020 By Douglas Bonderud 5 min read

The new year has arrived, and with glasses raised and timeless stories recounted, we can now look to that well-meaning but often short-lived practice we know too well: setting resolutions.

Industry leaders often make fulsome commitments to changing systems for the better, fully intending to carry through, but they may end up missing the mark once the holiday shine wears off and the cold, hard reality of January sets in. As Forbes noted, just 25 percent of people make it 30 days into the new year with their resolution still in place, and only 8 percent turn their resolutions into reality.

With business email compromise (BEC), phishing attacks and even old-school malware reboots on the rise, how can you beat the odds with your security New Year’s resolutions? How can you stay the course when things don’t go as planned? Let’s answer these questions by looking at some security bad habits you should be rid of right now so you can tackle the top goals for both enterprises and end users to maximize cybersecurity posture.

Break Your Bad Security Habits

The first step toward a better you is giving up bad habits. Abstaining from fatty foods and alcoholic drinks tends to top the list of personal promises, but it’s often difficult to go without them since they’re simply so familiar.

This can also hold true for cybersecurity best practices. Before industry CISOs and end users can improve their 2020 outlook, they need to give up bad habits — even if they’re hard to break. Three of the worst IT offenders include:

  • Weak passwords: In many cases, weak doesn’t do it justice. As recent data from the U.K.’s National Cyber Security Centre (NCSC) showed, some of the most common passwords cracked by cybercriminals this year included absolute gems like “pokemon,” “superman,” “qwerty,” “password” and everyone’s favorite, “123456.” Why do weak passwords remain so popular? They’re easy to create and easier to remember, but they also pose absolutely no barrier to even slightly determined hackers.
  • Free or public Wi-Fi: Free Wi-Fi is simple, convenient and fraught with potential security challenges — everything from man-in-the-middle (MitM) attacks to network spoofing and plain old eavesdropping can take place. Despite these dangers, 77 percent of staff still say they connect to free Wi-Fi when they’re away from the office.
  • Security blind spots: The increasing risk of cybersecurity attacks often creates blind spots for C-suite executives. Some take a fatalistic approach and assume that since compromise is inevitable, it’s not worth the time and resources to defend the indefensible. Others aim for perfection with their cybersecurity best practices and become frustrated when it becomes apparent that this is an impossible mark.

Skip the Resolution — Set Enterprise Security Goals Instead

Why do security New Year’s resolutions fail? Because they tend to prioritize promises instead of planning. Goals, meanwhile, focus on measurable outcomes tied to specific time frames, which can enable individuals and enterprises to measure their success and adapt to setbacks better. The all-encompassing nature of resolutions makes it easy to fail — skip the gym once and what’s the point? “Might as well give up.”

On the other hand, goals can provide attainable steps at a reasonable scale to help guide success instead of assuming that determination will be enough on its own. So what does this look like in practice? Here are a few New Year’s resolutions re-imagined to provide goal-driven outcomes.

Exercise More

This stands as the classic New Year’s resolution. It leads to overcrowded gyms come January 1 — and gym memberships collecting dust by the first week of February.

For enterprise cybersecurity, exercise comes down to stretching your defensive muscles as often as possible to ensure your networks and services aren’t at risk. While promises to “increase IT security” can easily fall flat, there are several steps companies can take to ensure this resolution carries momentum.

Start by creating a regular test schedule that leverages in-house talent to evaluate phishing resilience with training and email campaigns. Then, outsource some of the heavy lifting to security providers who can deliver both robust penetration testing and red-team exercises to find weaknesses in places you may not expect.

Save More, Spend Less

Every company makes this resolution and either breaks it when new cybersecurity threats emerge or sticks to it at the expense of effective defense. Here, goal-setting demands solutions to root causes instead of security symptoms. Consider passwords, for instance. Deploying password restrictions and mandatory updates every 60–90 days can help reduce overall risk, but a larger problem exists: identity.

Start by layering access security with two-factor or biometric authentication, and then deploy identity and access management (IAM) tools that provide granular control over permissions. While achieving this goal may require some initial spending, the long-term savings should outweigh the cash outlay.

Learn a New Skill

Enterprises are facing a cybersecurity skills gap. This makes it easy to avoid goal-setting, as when you’re just staying ahead of new threats, resolutions can seem out of reach. Here, it’s all about leaning into a new skillset: artificial intelligence (AI).

AI tools can help safeguard security blind spots and bolster skill gaps by taking over tedious work involving data collection or pattern detection. At the same time, they can also empower IT staff to work on more mission-critical problems. Your best bet is to look for industry leaders with experience in AI, machine learning and cybersecurity deployment.

Bolster Your Personal Protection — Think Like a Business

Individuals came under threat this year as malicious actors recognized the value of personal data and the often limited scope of personal IT protection. To stay safe in 2020, end users must think like enterprises and identify their most valuable assets, deploy defensive measures and regularly evaluate their security posture. To that end, here are some personal cybersecurity best practices for the new year.

Adopt a Zero-Trust Model

Apps are everywhere, and they all want permissions. But does your new loyalty card application really need camera and microphone access? Why does a video-streaming app want your contact list? Improving security in 2020 starts by adopting the enterprise mindset of zero trust: Instead of granting permission, err on the side of refusal until you can verify application trustworthiness.

Read Between the Lines

Attackers are coming for your data, with billions of accounts being compromised year after year. Email remains the easiest way to crack user cybersecurity, so train yourself to read between the lines like enterprise IT. Always ask the following questions: Was I expecting this email? Is the message overly urgent or demanding? Does it seem too good to be true? Trust your gut and watch for red flags. If something seems wrong, it probably is.

Define (and Defend) Your Network

Corporate networks span servers, data centers and cloud providers, but consumer networks are also on the rise, connected by financial, retail, healthcare and government accounts and applications. This year, resolve to limit risk by defining your network — where do your accounts live? Are they all current? Do they share passwords? What type of information do they store and access? Definition can empower your defense and allow you to curate and manage your personal IT presence better.

2020 is here, so toss any bad habits and take on new goals in the new year by identifying critical outcomes, defining key metrics and implementing your security New Year’s resolutions step-by-step.
