Cybersecurity Strategy: Top Security Resolutions for 2018

From conducting a top-to-bottom IT security audit to ensuring your computing infrastructure and software are completely updated and patched, there are plenty of important tasks related to cybersecurity strategy for IT pros to check off as 2018 approaches.

To help enterprises get a fresh start on the New Year, ITPro asked several IT analysts to share their top ideas for 2018 security resolutions which IT pros can follow as part of a broader cybersecurity strategy to help keep their business systems running smoothly.

To start, the New Year is a good time to check to ensure that all your company's endpoints – from laptops to desktops to switches and everything in-between – are secured where they connect with your secure company networks, says Dan Olds, principal analyst at Gabriel Consulting Group.

"This is also a good time to check the security profiles for everyone on your network," and make sure that everyone is obeying policies when using their devices, he says. "By this I mean making sure that every employee has just the right amount of access to data needed to do their jobs – and no more." By conducting such checks, you'll likely uncover many potential threats, such as contractors and ex-employees who might still have accounts on your systems, he adds.

Another important resolution that's often forgotten is to be sure all your hardware and software are given the latest security updates and patches to protect your users and IT systems, says Olds. "The biggest threat vector today is unpatched systems. Get everything brought up to date to face the New Year behind a reinforced wall of security."

"You could even put your IT systems to the acid test by hiring hackers actually try to penetrate your systems from outside your firewall," says Olds. "This isn't an exercise for the faint of heart, but it will pay dividends."

Sean Pike, a security analyst with IDC, recommends tightening your cybersecurity strategy and ensuring cloud security by taking steps to harmonize your company's tools for managing on-premise and cloud-based cloud infrastructure.

"Once upon a time, traditional, on-premise security providers generally failed to innovate toward the cloud as rapidly as perhaps they should have," says Pike. "As a result, many organizations ended up treating cloud and on-premise infrastructure differently," which meant learning and maintaining separate security tools for two different environments.

To simplify such issues in 2018 and better manage your company's clouds, IT pros should work in 2018 to integrate their hybrid or multi-cloud security using a single tool, he says.

"A great example of this are cloud security gateways (CSG) in which security vendors have spent a great deal of time adding functionality over the last two years," says Pike. "The CSG is the central control point for hybrid cloud environments for a number of large security vendor incumbents."

Another important resolution to prepare for is the upcoming General Data Protection Regulation (GDPR), which will take effect in the European Union on May 25, 2018, says Pike.

The GDPR replaces earlier data privacy laws and applies to businesses outside the EU if they offer goods or services to EU residents. The GDPR applies to all companies processing and holding the personal data of EU residents, regardless of where a company is located. Penalties for non-compliance with the GDPR are costly – up to four percent of a company's global revenue or $22.7 million for violations, such as not having sufficient customer consent to process their data and not notifying the supervising authority and users about a data breach within 72 hours. 

"Security pros will be scrambling to meet GDPR as the May deadline edges closer," he says, and once 2018 arrives it will be time to act. "Unfortunately, many businesses will just be kicking off their efforts so it's a good idea to start by identifying business processes and establishing how data flows throughout each process."

Since there will be so much to do if you haven't yet gotten started, "it's important to first understand how business processes actually work and what kind of data is out there," says Pike. "Otherwise, you run the risk of overwhelming staff with too many instances of potentially sensitive data to chase. I always like to start with the process where possible."

IT pros should also spend more time with network access control (NAC) in 2018, he says, as they continue to connect new kinds of devices and sensors to the Internet of Things as part of their corporate infrastructure. 

"IDC sees NAC as a necessary first line of defense as businesses expand to allow unknown, unmanaged, or unintelligent devices access to network resources," says Pike. "NAC's core discovery functionality can help businesses identify and inventory devices that connect," and can control access to network resources by acting as a gatekeeper and disallowing devices that do not meet a preset corporate profile.

Another analyst, Charles King of Pund-IT, suggests trying a new tack in 2018 by making "best-case scenario" projections for security, rather than the typical worst-case scenario planning that seeks to plan for disasters that can occur. Instead of overwhelming IT staffers and other employees with worst-case planning, "imagine what your organization would need to make it through 2018 without any security breaches or problems, then consider what it would take to achieve that state," says King.

"Maybe you'll find that it's virtually impossible due to factors like fundamental disconnects between the security solutions you use and the systems they're meant to protect," he says. "Maybe your company has employees or executives who can't be bothered with security procedures they're asked to follow. But each of those discoveries will identify incremental action items that you and your co-workers can work to correct" in the New Year.

Not every security resolution for 2018 must be huge, though, says Andras Cser, an analyst at Forrester Research.

"Change passwords every 90 days and enforce them to be at least 10 characters in length," says Cser. In addition, "implement at least the option for two-factor authentication for employees and customers on your websites," while taking detailed steps to revise and fortify your enterprise's incident security responses to better protect the company.

Ensuring that your IT security starts strong in 2018 and continues throughout the year is a great goal to have for every enterprise. Using these expert IT security resolutions and tips can help you accomplish those tasks.