Cybersecurity New Year’s resolutions every enterprise leader (and user) should make

Another year is behind us, and many are making resolutions about habits we want to build (or break) in the months ahead. 

Cybersecurity should be no exception to this. Much like day-to-day life, good hygiene forms the basis of any cybersecurity program. It’s always better to take proactive steps than to regret not doing so later (for instance, when faced with a costly breach). 

With that in mind, here are the top cybersecurity New Year’s resolutions every enterprise should make. 

1: I will stop being sloppy with passwords

We can all agree that passwords can be irritating, particularly when we have to remember a whole slew of them incorporating intricate strings of numbers, letters, upper and lower cases and special characters. 

But we all must accept the fact that passwords are a facet of our modern lives underpinned by technology. 

Yet, weak, uncreative passwords prevail. Even in 2023, the top admin passwords were, astoundingly, “admin,” “123456,” “12345678,” “1234” and “password.” 

As Karin Garrido, an AT&T VP and GM put it: “Weak and predictable passwords are like a flimsy lock on a treasure chest of gifts.”

So how can we avoid the pitfalls of banal passwords? For starters, don’t create ones that are easy for hackers to guess (like the ones above). Come up with unique, long, strong ones for each account and remember to update them regularly. 

Just as importantly, don’t share passwords. And, while it may be tempting to physically write them down, email them to yourself or save them in a draft document or email, don’t make that mistake. 

Password managers can help users store and protect their valuable credentials, and other tools can block common passwords. Furthermore, anti-malware platforms perform continuous scanning of login credentials to ensure they haven’t been compromised and determine whether they are used on multiple accounts or are identical, blank or expired. 

Another critical practice is disabling auto-fill settings and browser password saving. 

2: I will always turn on multifactor authentication

No doubt, it can be annoying: You enter your username and password and think you’re good to go — then you have to deal with a second step follow-up email, call or text providing a one-time code. 

But a few extra seconds performing an additional task as part of multi-factor authentication (MFA) is far better than potentially releasing your credentials into the wild and putting yourself and your organization at risk. 

Microsoft research posits that enabling MFA can block 99.9% of account compromise attacks. 

“Compromising more than one authentication factor presents a significant challenge for attackers because knowing (or cracking) a password won’t be enough to gain access to a system,” Microsoft researchers write. 

Still, it’s just important to integrate MFA in a way that presents the least amount of friction, experts advise. For instance, implement it only when extra authentication will help protect sensitive data and critical systems. The use of pass-through authentication and single sign-on (SSO) tools will also reduce password fatigue. 

Remember: MFA does not have to be challenging for end users. If it seems overly restrictive, employees are more likely to find workarounds that put the organization at greater risk (so-called “shadow IT”). 

3: I will avoid social engineering attacks

Even though it’s age-old in the cybersecurity world, phishing is still very much a thing.

Phishing remains so prevalent because it exploits human weakness and creates a false sense of urgency — the dire consequences of which can expose enterprises to ransomware attacks. 

An estimated 73% of organizations globally have been impacted by ransomware attacks as hackers step up (and diversify) their phishing tactics. Some evolving methods include: 

–Spearphishing and whaling: These forms of phishing are more sophisticated, targeted and personalized (as opposed to traditional phishing that casts about a wide net). For instance, spearphishing emails will be sent to members of a company’s finance department purporting to be the CFO. Whaling goes a step beyond that, targeting specific executives or other high-level employees. 

–Vishing: Hackers will call a target in hopes they will pick up. This method typically involves cloning tools or deepfakes. Often it may follow a spearphishing or whaling email to lend credibility. 

–SMishing: Text message phishing can bypass anti-spam filters and can be used to obtain one-time codes for MFA tools. For instance, a hacker will log in to a user’s account, and then send a text to get a target to provide the MFA-generated code. 

–Quishing: In this newer phishing method, threat actors imitate seemingly innocuous, ubiquitous QR codes, leading users to spoofed sites that steal their information or install malware. 

–Angler phishing: This evolving method targets a user’s social media accounts. For instance, hackers will pretend to be customer support agents ‘helping’ users dealing with a problem. They can observe public complaint messages on Meta or X, then contact targets to get them to give up their credentials or provide ‘helpful’ links that actually deliver malware. 

Other harmful methods include domain typosquatting (when hackers register domains with purposely misspelled names of common websites) and man-in-the-middle attacks (when threat actors get in the middle of a conversation between two users or a user and an app). 

The key to not falling prey: Be vigilant. If something looks, well, fishy, it most likely is. Never provide sensitive information to unsolicited calls, texts, emails or chatbots; don’t just wantonly scan QR codes; keep an eye out for links with misspellings; if you’re unsure whether a message is coming from who it claims to be, reach out to that person directly. 

As Garrido noted, “Not all links are wrapped with good intentions. Think twice before clicking on them, and three times before entering information.”

At the same time, avoid “keeping a cluttered digital house,” she advised. “It’s wise to delete old downloads and emails that are full of personal information.”

4: As an admin, I will follow the principles of least privilege

Zero trust has been around as a concept for some time, but it is finally now beginning to be realized. 

“Least privilege access,” as it’s also known, assumes from the outset that every user could be a legitimate threat. All users are verified upon login, and are only granted access to data and systems they need (and when they need it) and are often required to re-verify at certain stages. 

With zero trust, all network traffic is logged, inspected and authenticated. Users are granted access based on the level of privilege and security policies. Anomalies are identified through data patterns. 

Along with this, admins should also be diligent about revoking permissions when an employee leaves or after a project. 

5: I will back up data and keep apps and systems up to date

As it’s been said, data is your ‘crown jewel.’ Enterprises need to have a backup strategy that duplicates and stores data in secure locations. Experts advise following the 3-2-1 rule: Having three copies of data; two on different media platforms such as cloud or on-prem and one offsite for disaster recovery. Backups should also be done regularly. 

Meanwhile, hackers get by exploiting vulnerabilities, and one of the easiest ways in is through out-of-date systems. Regularly patching and eliminating unnecessary connections and ports is critical. 

Just as importantly in today’s hybrid work environment, enterprise leaders should educate employees about patching their own devices. This includes hidden devices like smart thermostats, which can give hackers an easy way in. 

In the end, taking stock of your organization’s security posture can identify critical vulnerabilities and weaknesses. 

While you don’t want to think a breach will happen to your enterprise, the percentages are high that it eventually will (if it hasn’t already). It’s always best to prepare for the worst and hope for the best!

Originally appeared on: TheSpuzz