Spring is (almost) here, which means it’s time for some in-house security cleaning. With the holiday shopping season — one of the most treacherous times of year for security — in the rearview, organizations should take a step back to assess what is working, drop what isn’t and invest in the tools they need to take their security strategy to the next level.

With that in mind, let’s take a closer look at three cybersecurity practices chief information security officers (CISOs) need to toss this year, and three that could help reduce overall risk for the enterprise.

Clean Up Your Security Act This Spring

Regardless of the size or type of company, awareness level of employees, or maturity of the technology infrastructure, there is always room for security leaders to improve the enterprise’s overall risk posture. CISOs should crack down on these bad habits to help clean up their organizations’ security act this spring.

1. Patch Postponement

Other tasks often take priority over patching, especially when an update isn't rated critical, and teams worry about what a patch might break: application outages, network problems or lost productivity. The problem is compounded during spring cleaning. Because annual cleanups are already disruptive, patches get deferred until "later," and in many cases later never comes.

Here's the good news for security hygiene: According to a Kenna Security report, less than 2 percent of published Common Vulnerabilities and Exposures (CVEs) have been actively exploited in the wild. The not-so-good news is that volume two of the same study counted more than 3 billion vulnerability instances across enterprise systems and flagged roughly 540 million of them as high risk. A small share of CVEs, multiplied across a large install base, still leaves hundreds of millions of exploitable findings. It's no surprise, then, that only 30 percent of vulnerabilities are remediated within 30 days of being discovered.

To get back on track, organizations must toss the notion that patches are optional and prioritize patch progress.

2. Overvalued VPNs

Many companies still use virtual private networks (VPNs) as their preferred method of securing network access, especially for remote users. The problem is that, as reported by Tech Beacon, VPNs often provide complete network access (whether it is needed or not), are cumbersome to manage and can fragment security controls.

Consider the use case for VPNs. Designed to give remote users a secure path into internal services, VPNs excel at encrypting traffic and hiding its origin. But they come with a built-in weakness: The VPN gateway is, by design, reachable from the internet, and once a remote device connects it is usually treated as if it were inside the perimeter, so a compromised laptop brings its problems with it. The rise of mobile and cloud computing has also shifted the bulk of corporate IT outside the local data center, which reduces what a perimeter VPN actually protects. Widespread consumer demand for VPNs, meanwhile, has drawn out malicious VPN apps; according to Top10VPN, roughly 20 percent of the top 150 free Android VPN clients were flagged as potentially containing malicious code.

The bottom line is that while VPNs have their uses, many corporations are due for a connection cleanup to maximize their value.

3. Password Paradoxes

CISOs are stuck: Username-and-password logins remain the default for network access, yet they're notoriously weak. The proof is in the passwords, and some of the worst of this past year included "123456," "sunshine," "qwerty" and the ever-popular "password," according to SplashData, making it easy for malicious actors to compromise accounts and steal data.

Common cybersecurity practices to improve password strength include asking employees to change passwords regularly or to use complex combinations of letters, numbers and symbols. The problem is that, according to LastPass, only 55 percent of users change their passwords even after a breach. Forced rotation and complexity rules, meanwhile, lead to user frustration and insecure workarounds such as predictable variations on an old password or credentials written on notes near the desk, which is why NIST SP 800-63B now advises against periodic rotation and composition rules. Even password managers are no guarantee of safety; misconfigured cloud storage or targeted attacks can put millions of credentials at risk.

Get on Track With These Next-Level Cybersecurity Practices and Technologies

While streamlined security hygiene helps limit overall risk, deep cuts must be balanced with solid cybersecurity additions. This spring, start by bolstering your strategy with the following cutting-edge technologies.

1. Prioritize Patching With Intelligent Automation

2019 will see the rise of automated tools that can schedule patches and other maintenance around corporate needs and help avoid the problem of put-off patches. As noted by Forbes, “more organizations will combine artificial intelligence and robotic process automation to create digital workers.”

Artificial intelligence (AI) offers a more efficient way to manage the biggest problem with security patching: prioritization. Given the sheer number of vulnerabilities and patches, it's difficult for CISOs to know what's worth the workflow interruption and what can go (temporarily) unpatched. A CVSS score alone is a poor guide; evidence of exploitation in the wild and whether the affected asset is exposed to the internet matter more. Intelligent automation can help apply that kind of risk ranking consistently and schedule the resulting work.
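The ranking logic described above, as an added example that is not from the article or from any vendor's product: a plain risk score that puts known-exploited CVEs ahead of higher-CVSS but unexploited ones, assigns a remediation SLA per tier, and reports the "fixed within 30 days" rate the Kenna figure refers to. The findings, the known-exploited set and the SLA thresholds are constructed for illustration.

```python
"""Risk-based patch prioritization over a constructed set of findings.

Added example. The Finding records, KNOWN_EXPLOITED set and SLA days are
invented for illustration and are not taken from any real feed or report.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float              # CVSS base score, 0.0 - 10.0
    internet_facing: bool
    discovered: date
    fixed: Optional[date] = None


# Constructed stand-in for a "known exploited in the wild" feed.
KNOWN_EXPLOITED: Set[str] = {"CVE-2019-0001", "CVE-2019-0004"}


def risk_score(f: Finding, exploited: Set[str]) -> float:
    """Exploitation evidence outweighs CVSS; exposure breaks ties.

    +10 for an exploited CVE guarantees it sorts above any unexploited
    finding, even one with CVSS 10.0; +2 for internet exposure.
    """
    score = f.cvss
    if f.cve in exploited:
        score += 10.0
    if f.internet_facing:
        score += 2.0
    return score


def prioritize(findings: Iterable[Finding],
               exploited: Set[str] = KNOWN_EXPLOITED) -> List[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: risk_score(f, exploited), reverse=True)


def sla_days(f: Finding, exploited: Set[str] = KNOWN_EXPLOITED) -> int:
    """Constructed remediation SLA per risk tier (days from discovery)."""
    if f.cve in exploited:
        return 7
    if f.cvss >= 9.0:
        return 14
    if f.cvss >= 7.0:
        return 30
    return 90


def remediation_report(findings: Iterable[Finding], today: date,
                       exploited: Set[str] = KNOWN_EXPLOITED) -> Dict[str, float]:
    """Count what is fixed, what was fixed within 30 days, and what is past SLA."""
    fixed = [f for f in findings if f.fixed is not None]
    open_ = [f for f in findings if f.fixed is None]
    within_30 = [f for f in fixed if (f.fixed - f.discovered).days <= 30]
    overdue = [f for f in open_
               if (today - f.discovered).days > sla_days(f, exploited)]
    return {
        "fixed": len(fixed),
        "fixed_within_30_days": len(within_30),
        "pct_fixed_within_30_days": round(100.0 * len(within_30) / len(fixed), 1) if fixed else 0.0,
        "open": len(open_),
        "overdue": len(overdue),
    }


# Constructed sample inventory: five findings across four asset types.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("web-01", "CVE-2019-0001", 7.5, True, date(2019, 2, 1)),
    Finding("db-02", "CVE-2019-0002", 9.8, False, date(2019, 3, 20)),
    Finding("laptop-17", "CVE-2019-0003", 5.3, False, date(2019, 1, 15), date(2019, 2, 10)),
    Finding("vpn-gw", "CVE-2019-0004", 8.1, True, date(2019, 3, 28)),
    Finding("fileshare", "CVE-2019-0005", 6.5, False, date(2019, 1, 1), date(2019, 3, 1)),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f, KNOWN_EXPLOITED):5.1f}  {f.asset:10} {f.cve}  SLA {sla_days(f)}d")
    print(remediation_report(SAMPLE_FINDINGS, date(2019, 3, 31)))
```

Note how the exploited CVSS 7.5 on web-01 ranks above the unexploited CVSS 9.8 on db-02; that reordering is the whole point of exploitation-aware prioritization. Swapping `KNOWN_EXPLOITED` for a real feed is the only change needed to run this over an actual scan export.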

2. Shift to Zero-Trust IAM

Identity is everything. While VPNs exist as a catch-all — a kind of all-in-one security solution that often overprovisions access — advanced identity and access management (IAM) tools can help solve this problem by focusing on user identity as the defining factor for access.

Modern IAM platforms are built around the zero-trust model, which CSO Online described as "never trust, always verify": No request is trusted because of where it comes from on the network. By authenticating users with multiple factors and giving IT professionals granular, per-application controls, it's possible to enforce access per user and per resource rather than per connection, and to protect critical assets accordingly.

Also in development are blockchain-based IAM technologies that link access to a shared ledger of identities. The challenge is to balance the need for ID certainty against potential privacy concerns.

3. Address Persistent Password Problems With U2F

It’s one thing to acknowledge that passwords are a problem — many IT professionals can speak at length about the issues surrounding typical access credentials. The hard truth, however, is that passwords aren’t going anywhere.

But it's not all bad news: Companies can drop overly restrictive password rules by pairing passwords with a second authentication factor. One-time codes sent by SMS or generated by an authenticator app are the most obvious choice, but recent research has produced proof-of-concept phishing proxies that relay such codes to the real site in real time, so the code alone does not prove the user is on the genuine page. Universal second factor (U2F) is a form of two-factor authentication that resists this: A physical token signs a server-issued challenge together with the origin the browser is actually showing, so a response captured on a lookalike domain is useless to an attacker and man-in-the-middle (MitM) relay attacks fail. With relayable codes now demonstrably weak, U2F offers a way to secure valuable assets with minimal workflow disruption.
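The contrast above, as an added example that is not from the article or from any FIDO implementation: a relayed one-time code passes verification because nothing in it names the site the victim typed it into, while a U2F-style assertion fails because the browser bakes the real page origin into the signed data. Two simplifications are labelled in the code: the token's ECDSA P-256 signature is replaced by an HMAC over the same fields so the block needs only the standard library, and the relying party keeps that per-registration key in place of a public key. The TOTP secret is the RFC 4226/6238 test secret; the origins, challenge and timestamps are constructed.

```python
"""Relay phishing against TOTP codes versus an origin-bound U2F-style assertion.

Added example. Simplified: HMAC stands in for the token's ECDSA signature
and the relying party holds the registration key rather than a public key.
The origins, challenge and timestamps are constructed for illustration.
"""
import hashlib
import hmac
import json
import os
import struct
from typing import Tuple

REAL_ORIGIN = "https://login.example.com"    # constructed relying party
PHISH_ORIGIN = "https://login-example.com"   # constructed lookalike domain


# ---- Scenario 1: TOTP (RFC 6238) relayed through a phishing proxy ----------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    return hotp(secret, unix_time // step)


def rp_verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30) -> bool:
    """Accept the current and previous step to tolerate clock drift."""
    return any(hmac.compare_digest(code, hotp(secret, unix_time // step - d)) for d in (0, 1))


def relayed_totp_login(secret: bytes, unix_time: int) -> bool:
    """Victim types the code on the phishing page; the proxy forwards it 5 s later."""
    code_typed_on_phish = totp(secret, unix_time)
    return rp_verify_totp(secret, code_typed_on_phish, unix_time + 5)  # nothing binds it to a site


# ---- Scenario 2: U2F-style challenge/response bound to the browser origin ----
class Token:
    """Stand-in authenticator: one key per registered application, plus a counter."""

    def __init__(self) -> None:
        self._keys = {}
        self.counter = 0

    def register(self, app_id: str) -> bytes:
        app_hash = hashlib.sha256(app_id.encode()).digest()
        self._keys[app_hash] = os.urandom(32)
        return self._keys[app_hash]          # stand-in for the public key sent to the RP

    def authenticate(self, app_id: str, client_data_hash: bytes) -> Tuple[int, bytes]:
        app_hash = hashlib.sha256(app_id.encode()).digest()
        if app_hash not in self._keys:
            raise KeyError("no credential registered for this application")
        self.counter += 1
        # U2F signs: application parameter || user-presence byte || counter || challenge parameter
        signed = app_hash + b"\x01" + struct.pack(">I", self.counter) + client_data_hash
        return self.counter, hmac.new(self._keys[app_hash], signed, hashlib.sha256).digest()


def browser_client_data(challenge: str, page_origin: str) -> bytes:
    """The browser, not the page, fills in the origin it is actually displaying."""
    return json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                       "origin": page_origin}, sort_keys=True).encode()


def rp_verify(key: bytes, app_id: str, challenge: str, client_data: bytes,
              counter: int, sig: bytes) -> bool:
    data = json.loads(client_data)
    if data.get("origin") != app_id or data.get("challenge") != challenge:
        return False                                  # wrong site or stale challenge
    app_hash = hashlib.sha256(app_id.encode()).digest()
    signed = app_hash + b"\x01" + struct.pack(">I", counter) + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(key, signed, hashlib.sha256).digest())


def legitimate_login(token: Token, key: bytes, challenge: str) -> bool:
    client_data = browser_client_data(challenge, REAL_ORIGIN)
    counter, sig = token.authenticate(REAL_ORIGIN, hashlib.sha256(client_data).digest())
    return rp_verify(key, REAL_ORIGIN, challenge, client_data, counter, sig)


def relayed_u2f_login(token: Token, key: bytes, challenge: str) -> Tuple[bool, bool]:
    """Proxy forwards the real challenge to the victim on the lookalike page.

    A real browser would already refuse to use REAL_ORIGIN's credential from
    PHISH_ORIGIN (the facet check); this simulation lets the call through to
    show that the relying party's own check fails as well.
    """
    client_data = browser_client_data(challenge, PHISH_ORIGIN)   # true origin recorded
    counter, sig = token.authenticate(REAL_ORIGIN, hashlib.sha256(client_data).digest())
    honest_relay = rp_verify(key, REAL_ORIGIN, challenge, client_data, counter, sig)
    # Proxy rewrites the origin field: the hash the token signed no longer matches.
    forged = browser_client_data(challenge, REAL_ORIGIN)
    forged_relay = rp_verify(key, REAL_ORIGIN, challenge, forged, counter, sig)
    return honest_relay, forged_relay
```

Run the two scenarios side by side with the same victim: `relayed_totp_login(b"12345678901234567890", 59)` returns True, while `relayed_u2f_login(...)` returns `(False, False)` whether the proxy forwards the assertion untouched or rewrites the origin. The difference is not the hardware; it is that the signed message includes a field the attacker cannot control.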

Spring Into Action to Boost Your Security Posture

Spring offers the perfect opportunity to clean out old cybersecurity practices that are cluttering up IT environments and bolster security efforts with more effective additions.

Start with patch postponement. Instead of waiting for the worst and hoping for the best, use intelligent automation to rank and schedule updates by real risk. Reduce corporate reliance on VPN solutions by opting for identity-based IAM, and push back against bad passwords with phishing-resistant U2F tokens.
