New Year's Security Resolutions for 2019: Small Changes, Big Impact
Happy New Year! It's January 1, 2019, which means people everywhere are making resolutions they'll abandon by Valentine's Day. Gym memberships spike. Meal prep enthusiasm peaks. And by March, most people are back to their old habits.
Security resolutions fail for the same reasons diet resolutions fail: they're too ambitious, too disruptive, and they don't account for real-world constraints.
Let's try something different. Instead of "completely overhaul your entire security posture," how about small, achievable changes that actually stick? Here are security resolutions that work for small businesses.
January: Enable Multi-Factor Authentication
Start the year with one high-impact change: turn on multi-factor authentication (MFA) for critical systems.
Begin with:
- Email accounts (especially admin accounts)
- Financial systems (banking, accounting software, payroll)
- Practice management or CRM systems
- Cloud storage
MFA means even if someone steals or guesses your password, they can't access the account without the second factor (usually a code from your phone).
Yes, it's slightly less convenient. It's also the single most effective defense against account takeover.
Don't try to implement MFA everywhere at once. Pick one critical system per week. By end of January, you'll have MFA protecting your most important accounts.
February: Clean Up User Accounts
Take an afternoon to review who has access to what systems and clean up accounts that shouldn't exist anymore.
Look for:
- Former employees still with active accounts
- Contractors who finished projects months ago but still have access
- Shared accounts that multiple people use
- Accounts with excessive permissions (people who have admin rights but don't need them)
Disable or delete accounts that are no longer needed. Reduce permissions for accounts that have more access than necessary.
This takes maybe two hours quarterly but significantly reduces your attack surface.
March: Test Your Backups
You have backups. Probably. But when was the last time you actually restored something from them to verify they work?
This month, do a test restore:
- Pick something representative (a folder of important files, a database, whatever matters for your business)
- Restore it from backup to a test location
- Verify the restored files open correctly and are current
- Time how long the restore took
- Document any problems you encountered
A backup you've never tested is a hope, not a plan. Testing reveals problems while you have time to fix them, not during an emergency.
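The test-restore steps above, scripted as an added example (not part of the original post): it assumes the backup is a tar archive and a copy of the live folder is still available to compare against; the sample files, the hour-later edit and the never-backed-up file are constructed to show what a failed check looks like.

```python
import hashlib, os, tarfile, tempfile, time
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_restore(backup_tar, originals_dir, restore_dir):
    """Restore backup_tar into restore_dir, compare with originals_dir, return a short report."""
    originals_dir, restore_dir = Path(originals_dir), Path(restore_dir)
    problems = []
    start = time.monotonic()                      # step 4: time the restore
    with tarfile.open(backup_tar) as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # refuses path-traversal entries (newer Pythons)
        except TypeError:
            tar.extractall(restore_dir)           # older Python without the filter argument
    elapsed = time.monotonic() - start
    checked = 0
    for src in originals_dir.rglob("*"):          # step 3: do the restored files match and are they current?
        if not src.is_file():
            continue
        rel = src.relative_to(originals_dir)
        restored = restore_dir / rel
        checked += 1
        if not restored.exists():
            problems.append(f"missing: {rel}")                  # file was never backed up
        elif sha256(restored) != sha256(src):
            problems.append(f"content differs: {rel}")          # corrupt or truncated copy
        else:
            lag = src.stat().st_mtime - restored.stat().st_mtime
            if lag > 60:                          # tar stores whole seconds; allow a small tolerance
                problems.append(f"stale: live copy is {lag / 3600:.1f} h newer than the backup: {rel}")
    return {"files_checked": checked, "restore_seconds": round(elapsed, 3), "problems": problems}  # step 5: document

def demo():
    """Constructed sample data set (not real business files) with two deliberate problems."""
    root = Path(tempfile.mkdtemp())
    live, backup_tar, restore_dir = root / "live", root / "backup.tar", root / "restore-test"
    live.mkdir()
    (live / "invoices.csv").write_text("id,amount\n1,100\n")
    (live / "notes.txt").write_text("notes\n")
    with tarfile.open(backup_tar, "w") as tar:
        tar.add(live, arcname=".")                # the "backup" being tested
    later = time.time() + 3600
    os.utime(live / "notes.txt", (later, later))  # edited an hour after the backup: flagged stale
    (live / "added-later.txt").write_text("created after the backup ran\n")  # never backed up: flagged missing
    return verify_restore(backup_tar, live, restore_dir)

if __name__ == "__main__":
    print(demo())
```

The returned report is the "document any problems" record: an empty problems list means the restore matched, and the restore time tells you how long a real recovery would take for that data set.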
April: Update Your Software
Set aside time to get all your critical software current on updates.
Priority list:
- Windows updates on all computers
- Business software (practice management, accounting, CRM)
- Network equipment firmware (routers, firewalls, access points)
- Antivirus definitions
Then establish a schedule for staying current. Monthly update day works for most small businesses.
May: Conduct Phishing Training
May is a good month for security awareness training because tax season is over and summer vacation season hasn't started yet.
Spend 15 minutes with your team covering:
- How to recognize phishing emails
- What to do with suspicious messages
- Recent examples of phishing attempts targeting your industry
- Who to notify if they suspect they've clicked something they shouldn't have
Make it interactive. Show real examples. Answer questions. Keep it short and practical.
Repeat this quarterly. One annual training session doesn't work. Regular brief refreshers do.
June: Review Your Passwords
Mid-year is a good time to audit your password practices.
Questions to ask:
- Are you reusing passwords across multiple systems?
- Are any of your passwords short or simple?
- Have any of your passwords been compromised in known data breaches? (Check at haveibeenpwned.com)
- Do you have a secure way to store and share passwords among authorized users?
Consider implementing a password manager for your practice. It makes using strong, unique passwords manageable.
July: Audit Your Vendor Access
How many vendors have remote access to your systems? Do you know what they're accessing? When was the last time they used that access?
Create a list of:
- Every vendor with remote access
- What they access and why
- When they last used the access
- Whether the access is still needed
Disable remote access for vendors who don't need it anymore. Restrict access for vendors to only what they actually need.
August: Document Your Critical Systems
If your server died tomorrow and you needed to rebuild everything, do you have the information needed to do that?
Spend an afternoon documenting:
- What software is installed and where license keys are
- How your network is configured
- What your backup process is
- Who to call for help with each system
- Login credentials (stored securely)
You don't need a 100-page manual. A few pages of notes is enough to prevent complete chaos during an emergency.
September: Review Your Cyber Insurance
If you have cyber insurance, review the policy. Do you know what's covered? What the limits are? What the notification requirements are if you have an incident?
If you don't have cyber insurance, get quotes. It's more affordable than most people think, and it provides both financial protection and access to incident response resources.
October: Conduct a Security Drill
October is Cybersecurity Awareness Month, making it perfect for a security drill.
Simple scenario: "A staff member clicked a phishing email and malware is spreading through the network. What do you do?"
Walk through your response:
- Who do we call for IT help?
- How do we isolate affected systems?
- Where are our backups?
- Who communicates with patients/clients?
- What's our plan for operating if systems are down?
Identify gaps and fix them before you have a real incident.
November: Clean Up Your Data
The more data you have, the more you have at risk. Spend time deleting what you don't need to keep.
Target:
- Old email you're not required to retain
- Duplicate files cluttering shared drives
- Former client/patient data past your retention requirements
- Obsolete documents and records
Data you don't have can't be stolen in a breach.
December: Plan for Next Year
End the year by reviewing what worked and what didn't from a security perspective.
Questions to consider:
- What security improvements did we make this year?
- Did we have any close calls or actual incidents?
- What should we budget for security in the coming year?
- What are our security priorities for 2020?
Document your answers. They'll inform your planning and budgeting for next year.
Why This Approach Works
These resolutions work because they're:
- Specific: Each month has one clear task
- Achievable: Nothing here requires massive investment or disruption
- Incremental: Small improvements compound over time
- Practical: Each task addresses real security risks
By December 2019, if you've done even half of these monthly tasks, your security posture will be significantly better than it was in January. And you'll have established habits and processes that continue beyond 2019.
Getting Started
Don't try to do everything at once. Pick one month's task and do it. Next month, pick another. Progress, not perfection.
If you want help with any of these security improvements, or if you'd like a professional assessment of where your practice stands, we can help. We've been working with Arizona businesses since 1991, and we're good at translating security requirements into practical, achievable steps.
Here's to a more secure 2019. One small improvement at a time.