4 New Year’s resolutions for a more cybersecure organization

Some promises you can actually keep for a change.


With the arrival of another New Year, we often make resolutions – whether we vow to exercise every day, lose weight or spend more time with our families. However, less than one in ten people actually succeed in achieving their resolutions, according to research from the Statistic Brain Research Institute.

CISOs and their teams may also resolve to make improvements come Jan. 1 – in this case, to enhance the protected state of their enterprise network, systems, data and devices. Fortunately, as a cybersecurity professional, you’ll likely have an easier time accomplishing these goals through the following, relatively doable steps than you would in keeping your personal-life New Year’s resolutions:

1. Conduct a cyber “cleanse”

This kind of cleanse is much less torturous than the month-long body detox that many commit to. With less data flowing during the holiday weeks, it’s a perfect time for the security operations center (SOC) folks to scan the entire enterprise environment for vulnerabilities. You and your team should look for new servers, apps and devices that have popped up lately, and assess which ones may expose your cyber assets to, ahem, unpleasant stuff. Then, “clean” up any potential messes by removing them.

2. Promote best practices

Numerous studies reveal that everyday employees – whether they’re in finance, marketing, manufacturing, etc. – pose major risks due to their sometimes-ill-conceived behaviors. Employees, in fact, account for two-thirds of all breaches, according to research from Willis Towers Watson. This is motivating companies to “focus more heavily on operating procedures and creating a more cyber-savvy workforce in the months and years to come,” according to Willis Towers Watson’s research summary. You can get started by proactively educating everyone with a simple memo at the beginning of the year that promotes best practices: Don’t click on links sent by anyone other than a known, trusted party. Don’t share passwords. Don’t borrow or lend out a USB flash drive. Change passwords on a routine basis, using difficult-to-guess combinations of letters, numbers and symbols. There’s nothing profoundly earth-shaking here. And if you convince employees that good cyber hygiene translates directly to good business (not to mention the protection of the personal devices they use for work), you’ll readily gain buy-in.

3. Encourage safer – and more sophisticated – password management

Given the ubiquitous nature of attacks, we can’t store passwords the way we used to – such as writing them down on a collection of Post-it notes. We rely upon so many passwords, after all, to access work-related networks and docs and, on the same machines (thanks to Bring Your Own Device, or BYOD), to call up our banking, credit card, social media and additional personal accounts. We need better tools to protect it all. So, you may want to encourage employees to check out password management tools such as Password Safe, which lets users organize and store passwords in one or more encrypted databases, accessed through a single master key. A quick Google search will produce a long list of these tools, so you (or someone on your SOC team) should check a few out to see which will provide the best sense of comfort.

4. Patch routers and other “things”

The latter refers to the Internet of Things (IoT), of course. With the success of Mirai – which infected a mass of IoT devices and essentially turned them into a malicious botnet – a slew of “We can do that too!” copycat hacks have taken hold. In December, for example, “Satori” (named for a breed of Japanese mind-reading monsters) hijacked more than 100,000 routers (and counting?) to hit at least 280,000 IP addresses, according to published reports. Clearly, this makes a compelling case to use the holiday “downtime” to examine all routers that support your enterprise and ensure their firmware is up to date, to ward off the latest threats. You probably want to do the same for the IoT-connected lighting, elevator, refrigerator, HVAC and additional systems your company uses. Whether they’re called Mirai, Satori or some other funky name, these ever-proliferating malware creations seek to feast on all things IoT, great and small.

Let’s face it: The odds are a bit stacked against us if we attempt to completely transform the way we look, exercise and eat. It isn’t a natural transition, and that’s why so many resolutions fail. But our four recommendations here do not require a dramatic, top-to-bottom overhaul. Instead, they strive to raise awareness of best (and often common-sense) practices and effective password tools, while taking inventory of what’s out there that could hurt your organization. For CISOs and SOC teams, there’s no better way to get 2018 off to a great start.

This article is published as part of the IDG Contributor Network.
