The new year has arrived, and with glasses raised and timeless stories recounted, we can now look to that well-meaning but often short-lived practice we know too well: setting resolutions.
Industry leaders often make fulsome commitments to changing systems for the better, fully intending to carry through, but they may end up missing the mark once the holiday shine wears off and the cold, hard reality of January sets in. As Forbes noted, just 25 percent of people make it 30 days into the new year with their resolution still in place, and only 8 percent turn their resolutions into reality.
With business email compromise (BEC), phishing attacks and even old-school malware reboots on the rise, how can you beat the odds with your security New Year’s resolutions? How can you stay the course when things don’t go as planned? Let’s answer these questions by looking at some security bad habits you should be rid of right now so you can tackle the top goals for both enterprises and end users to maximize cybersecurity posture.
Break Your Bad Security Habits
The first step toward a better you is giving up bad habits. Abstaining from fatty foods and alcoholic drinks tends to top the list of personal promises, but it’s often difficult to go without them since they’re simply so familiar.
This can also hold true for cybersecurity best practices. Before industry CISOs and end users can improve their 2020 outlook, they need to give up bad habits — even if they’re hard to break. Three of the worst IT offenders include:
- Weak passwords — In many cases, weak doesn’t do it justice. As recent data from the U.K.’s National Cyber Security Centre (NCSC) showed, some of the most common passwords cracked by cybercriminals this year included absolute gems like “pokemon,” “superman,” “qwerty,” “password” and everyone’s favorite, “123456.” Why do weak passwords remain so popular? They’re easy to create and easier to remember, but they also pose absolutely no barrier to even slightly determined hackers.
- Free or public Wi-Fi — Free Wi-Fi is simple, convenient and fraught with potential security challenges — everything from man-in-the-middle (MitM) attacks to network spoofing and plain old eavesdropping can take place. Despite these dangers, 77 percent of staff still say they connect to free Wi-Fi when they’re away from the office.
- Security blind spots — The increasing risk of cybersecurity attacks often creates blind spots for C-suite executives. Some take a fatalistic approach and assume that since compromise is inevitable, it’s not worth the time and resources to defend the indefensible. Others aim for perfection with their cybersecurity best practices and become frustrated when it becomes apparent that this is an impossible mark.
Skip the Resolution — Set Enterprise Security Goals Instead
Why do security New Year’s resolutions fail? Because they tend to prioritize promises instead of planning. Goals, meanwhile, focus on measurable outcomes tied to specific time frames, which can enable individuals and enterprises to measure their success and adapt to setbacks better. The all-encompassing nature of resolutions makes it easy to fail — skip the gym once and what’s the point? “Might as well give up.”
On the other hand, goals can provide attainable steps at a reasonable scale to help guide success instead of assuming that determination will be enough on its own. So what does this look like in practice? Here are a few New Year’s resolutions re-imagined to provide goal-driven outcomes.
This stands as the classic New Year’s resolution. It leads to overcrowded gyms come January 1 — and gym memberships collecting dust by the first week of February.
For enterprise cybersecurity, exercise comes down to stretching your defensive muscles as often as possible to ensure your networks and services aren’t at risk. While promises to “increase IT security” can easily fall flat, there are several steps companies can take to ensure this resolution carries momentum.
Start by creating a regular test schedule that leverages in-house talent to evaluate phishing resilience with training and email campaigns. Then, outsource some of the heavy lifting to security providers who can deliver both robust penetration testing and red-team exercises to find weaknesses in places you may not expect.
Save More, Spend Less
Every company makes this resolution and either breaks it when new cybersecurity threats emerge or sticks to it at the expense of effective defense. Here, goal-setting demands solutions to root causes instead of security symptoms. Consider passwords, for instance. Deploying password restrictions and mandatory updates every 60–90 days can help reduce overall risk, but a larger problem exists: identity.
Start by layering access security with two-factor or biometric authentication, and then deploy identity and access management (IAM) tools that provide granular control over permissions. While achieving this goal may require some initial spending, the long-term savings should outweigh the cash outlay.
Learn a New Skill
Enterprises are facing a cybersecurity skills gap. This makes it easy to avoid goal-setting, as when you’re just staying ahead of new threats, resolutions can seem out of reach. Here, it’s all about leaning into a new skillset: artificial intelligence (AI).
AI tools can help safeguard security blind spots and bolster skill gaps by taking over tedious work involving data collection or pattern detection. At the same time, they can also empower IT staff to work on more mission-critical problems. Your best bet is to look for industry leaders with experience in AI, machine learning and cybersecurity deployment.
Bolster Your Personal Protection — Think Like a Business
Individuals came under threat this year as malicious actors recognized the value of personal data and the often limited scope of personal IT protection. To stay safe in 2020, end users must think like enterprises and identify their most valuable assets, deploy defensive measures and regularly evaluate their security posture. To that end, here are some personal cybersecurity best practices for the new year.
Adopt a Zero-Trust Model
Apps are everywhere, and they all want permissions. But does your new loyalty card application really need camera and microphone access? Why does a video-streaming app want your contact list? Improving security in 2020 starts by adopting the enterprise mindset of zero trust: Instead of granting permission, err on the side of refusal until you can verify application trustworthiness.
Read Between the Lines
Attackers are coming for your data, with billions of accounts being compromised year after year. Email remains the easiest way to crack user cybersecurity, so train yourself to read between the lines like enterprise IT. Always ask the following questions: Was I expecting this email? Is the message overly urgent or demanding? Does it seem too good to be true? Trust your gut and watch for red flags. If something seems wrong, it probably is.
Define (and Defend) Your Network
Corporate networks span servers, data centers and cloud providers, but consumer networks are also on the rise, connected by financial, retail, healthcare and government accounts and applications. This year, resolve to limit risk by defining your network — where do your accounts live? Are they all current? Do they share passwords? What type of information do they store and access? Definition can empower your defense and allow you to curate and manage your personal IT presence better.
2020 is here, so toss any bad habits and take on new goals in the new year by identifying critical outcomes, defining key metrics and implementing your security New Year’s resolutions step-by-step.