Is Improving Cybersecurity One of Your New Year’s Resolutions?

By: Jon D. Hightower, CISA, CRISC, CIPT, and FAIR

As we embark upon a new year, most people are contemplating their New Year’s resolutions, shifting their focus from holiday festivities to personal and professional goals, not “dull” tasks like cybersecurity. But hackers don’t take vacations, so constant vigilance is crucial to protect your organization. If you are resolute in reducing cybersecurity risk this year, use these strategies to help keep hackers out, keep your data safe, and be successful in 2024!

1. Don’t allow the re-use of passwords. With numerous password-protected applications and accounts, many people prefer to re-use the same password or cycle through a set of familiar ones for accounts that require regular password changes. Sympathize with the problem but resist the urge to let staff slide on this point because previously used passwords are often compromised and accessible on the dark web or elsewhere. 
2. Enable multi-factor authentication (MFA) wherever possible. A survey by the Cyber Readiness Institute found that less than half of small and mid-sized businesses implement MFA and only 28% require its use. That is unfortunate because this additional layer of security can have a huge impact on risk — reducing the rate of compromise by as much as 99%, according to Microsoft. Your policy should mandate MFA anywhere you can use it. 
3. Conduct regular phishing exercises. Your data security protocol should include routine phishing exercises to gauge compliance and help identify the need for retraining. Simulate a variety of real-life phishing scenarios at least once a month. Be sure to follow up compromise responses with additional support to help team members across the organization learn how to recognize phishing attempts and respond appropriately.
4. Reset default credentials on all devices. Can hackers access your networks and systems by entering ‘admin’ and ‘password’ on a neglected device? For too many organizations, the answer is yes. Avoid an entirely preventable disaster by verifying that you’ve reset default login credentials on every device the organization owns or uses. That includes printers, which frequently escape this kind of mundane but critically important attention.
5. Perform pen testing before major software releases or infrastructure changes. All software requires thorough penetration testing before going live; that need is multiplied for software that handles sensitive information. Pay special attention to error handling, access limitations and securing and masking configuration files. Infrastructure changes demand the same level of scrutiny to ensure that neither architecture nor user actions create additional risk.  
6. Ensure strong encryption for data. Use end-to-end encryption for transferring data and S/MIME for email. Only store data that you must retain and focus on high-quality encryption to protect sensitive information. Generally speaking, it’s best to rely on native cryptography APIs; use caution with external algorithms and verify that they meet or exceed industry standards. Best practices call for segmenting encrypted data away from decryption keys. 
7. Patch infrastructure and workstations immediately. A patch is available for yet another vulnerability, but you haven’t applied it. Your IT department is overworked and understaffed, so time-consuming patching will have to wait. It’ll be okay… right? Leaving known vulnerabilities unpatched is begging for trouble. Prioritize patching all affected software and devices right away, because hackers don’t give you a grace period to catch up.  
8. Secure ports and services, turning off any that are not in use. Risk associated with ports is another frequently neglected area. Besides keeping services and applications updated, routinely monitor all ports and their inbound and outbound traffic. Disable unused ports, verify that all open ports are being used appropriately and run penetration testing on a regular basis. It’s also a good idea to disable obsolete or unfamiliar proxies and deactivate unnecessary or default response headers. 
9. Keep an accurate asset inventory. How well do you monitor network- and internet-enabled equipment, including printers and handheld devices? Whether it’s a laptop issued to a long-ago freelancer or a batch of workstations that were replaced but not disposed of, stray devices can pose a security threat. Reduce the risk of unauthorized access by implementing a rigorous asset inventory management program that lets you track potentially vulnerable devices across their entire lifecycle.
10. Implement and test for effective network segmentation. You’ve established sub-networks and silos to limit access across the network, but how well does your segmentation work in practice? Can internal users, decision-makers and vendors consistently access the data and functions they need? Could a breached device represent a single point of failure that allows organization-wide data compromise? It’s important to actively monitor network traffic, review your segmentation strategy for usability and test the practical limits it provides, updating as necessary to ensure a safe and fully functional environment. It’s important to pen test both established segments on your network and when implementing new ones to determine the strength of your network’s security.   

These best practices can not completely eliminate cyberthreats, but they make it a lot harder for hackers to achieve their nefarious objectives, reducing the chances of unwelcome visitors to your network — ghostly or otherwise. Your Mauldin & Jenkins advisor can show you more ways you can secure your systems and data to protect your organization from digital and cyber risks.