As we enter the new year, many of us will have taken the initiative to improve our personal habits. Whether that is starting a new exercise regime, beginning a diet, or learning a new skill, the new year is about setting goals and aiming for improvement.

Likewise, with these personal resolutions, organisations should also be seizing this opportunity to look back at their practices, ask themselves honestly what can be bettered, and set goals to improve their information security in 2021.

With cyber and information security threats, such as phishing attacks and ransomware set to likely increase and evolve throughout this new year, the following are some of the areas you and your organisation should consider as we begin 2021.

Information security in 2021

When we look back at the information security developments of 2020, one thing which stands out is that even the most security conscious organisations are still vulnerable to attack.

Late last year, prominent cybersecurity firm FireEye revealed that it had fallen victim to a ‘highly sophisticated’ attack in which cybercriminals stole a cache of proprietary hacking software. Many were surprised that a company, whose whole business is built on security, could have fallen prey to this kind of attack.

Despite the astonishment, the reality is clear: no organisation is invulnerable to information security threats, and any organisation would be wise to take the time to conduct an in-depth analysis of where their weaknesses lie; measuring, minimising, managing and mitigating the avoidable risks that are posed to their information security.

Take for example the recent SolarWinds hack. A software company who was repeatedly warned years before by a former security adviser that they were vulnerable to attack. Failing to heed these warnings, three years later the inevitable happened, resulting in not only a crash in stock price, but also dozens of high-profile clients suffering the downwind effects.

Though conducting a comprehensive information security risk assessment may not sound like the most appealing way to start the new year, in the end, the integrity, reputation and survival of your organisation may be at stake.

Read More: Communicating Human Risk to your Board (Hut Six Webinar)

Password Security

When we talk about improving information security, a good place to begin is by ensuring that the foundations of this are as solid as they can be; and it doesn’t get much more fundamental than strong password security.

Repeat password use is a common issue with organisations’ basic information security.  The average user uses approximately 13 unique passwords across all their accounts, and though this may sound like a lot, just consider this number relative to the number of accounts.

With accounts and databases compromised every day, we all need to remember – if you reuse passwords, when one account password is compromised, then there is very little stopping someone from compromising the rest of your accounts.

Likewise, overly simple passwords pose a significant risk., though there are a few simple steps and measures that you can take to help strengthen your password process and your overall information security.

One of the most common methods of creating a secure, yet memorable password is to combine 4 unrelated random words, such as ‘CorrectHorseBatteryStable’. To make it more difficult for this to be ‘cracked’, it is important these words have no relation to the user, i.e., username or date of birth.

Whereas a two-word combination may be broken within a few hours, if you ensure that your unique passwords have at least 15 characters long, any ‘would-be’ attacker will be waiting years to crack your password.

Read More: How Secure is Your Password Process?

Consider Zero Trust

Zero trust security is an IT security model based on a foundational principle of ‘never trust, always verify’. Limiting unnecessary access by authenticating, authorising, and verifying actions and privileges within a network, zero trust drastically helps to diminish the chances of a potential breach.

Combining a range of preventative procedures, including micro segmentation, least privilege controls, strong identity verification and endpoint security, with neither devices nor individuals being trusted by default, a zero trust network increases the layers of security within a system.

Removing inherent trust from your network design is a holistic approach allowing an organisation to contain breaches, as well as minimising the potential damage that can be caused by both external threats and insider attacks.

Read More: How Zero Trust Works

Multi-Factor Authentication

Increasingly common in the digital world is ‘multi/two-factor authentication’ (MFA/2FA). Generally, now a standard for banks and many other high-target services, this process prompts the user for a second form of verification during the login process. Helping prove the user’s legitimacy and increasing account security.

This two-factor authentication could be an access-code sent via text, a phone call or even a device-generated code. Meaning that should an attacker gain your password; they would still not be able to get their hands on your account or your information.

With a great deal of us still working outside of the usual office environment, keeping the accounts used to share sensitive information secure is an increasingly pressing matter. As an element of building a zero trust security model, MFA is one of the best ways ensuring your organisations accounts are secure.

Ongoing Information Security Training

We unfortunately live at a time when barely a day goes by without a significant data breach or hack being reported. Though organisations are up against cunning, sophisticated, and ultimately hard-working cyber-criminals, many of these incidents could have been either significantly mitigated, or even completely avoided given the right preparation.

Investing in the latest technological solutions may be one element of ensuring strong information security, but the confidentiality, integrity, and availability of your and your client’s data, is ultimately in the hands of your staff.

With human error facilitating so many attacks, effective information security awareness training is one of the best ways your organisation can reduce risk and help build a secure culture mindset. By educating members of staff about a range of vital information security topics, every member of an organisation can act as a defensive line against attackers and threats.

When considering your new years information security resolutions and how to improve your organisation’s information security in 2021, think about the everyday habits of employees and the degree to which this impacts your organisation as a whole. Regardless of your organisation, training, testing, and tracking these practices should always be a priority; not just for January, but for the entire new year.