The CISA (Cybersecurity & Infrastructure Security Agency) recently started an initiative to create a catalogue of exceptionally risky cybersecurity bad practices. While this will be a welcome and very useful tool once it is complete, only two practices are currently listed.
Since cybersecurity and business decisions can be time-sensitive, we wanted to expand on CISA’s list. Our Head Sales and Marketing Nerd, Stefanie Hammond, is also covering the number one cybersecurity-related business bad practice that managed services providers should be aware of.
We encourage you to read through all the cybersecurity and business bad practices regardless of what your role and responsibilities are within your organization.
Most of them do not arise out of ill intentions but rather out of bad habits, or a lack of guidance and planning. It would be a worthwhile use of your organization’s time to make sure none of these bad practices are at play in your MSP business or your clients’ environments.
Now we’re on to our own recommendations of some common, bad cybersecurity practices that should be avoided:
- Use of Windows 7 without ESU or air-gapping
- No disaster recovery or incident response plan
- Not practicing disaster recovery or not utilizing incident response plans
- In workgroup environments, giving users file share access with admin credentials
- Not performing permissions audits quarterly, or more frequently
- Not monitoring for suspicious log-in activity
- Leaving SMBv1 enabled
- Not using a password manager to facilitate auditing, reduce password reuse, and enforce password strength
- Not forcing session timeouts
- Giving client business owners full admin access
- Not segmenting unmanaged BYOD to their own network or VLAN
- Not segmenting IoT devices to their own network or VLAN
- Not implementing physical access controls for server rooms/telco closets
- No documented security framework
- Not documenting and planning remediation for discovered vulnerabilities
- Not monitoring for and automatically disabling accounts that haven’t been used in more than 90 days
- Not implementing a principle of least-privilege approach to permissions
- Leaving Windows’ built-in administrator account enabled
- Using Windows Automatic Updates to handle patching instead of a dedicated solution, which leaves you without visibility of current patch status across the environment
- Assuming a traditional AV is enough to protect endpoints
- Not using an email security and filtering solution
- Not having external security audits of your internal processes
- Not performing quarterly or yearly penetration testing
- Leaving RDP ports open to the internet, because “hey, it’s free”
- Not disabling RDP in environments that do not need it
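Several of the items above can be checked on a Windows host without changing anything. The script below is an added example, not part of the original post and not a CISA or COMPUTER 2000 tool. It assumes an elevated PowerShell 5.1 or later session on a domain-joined or workgroup Windows 8/Server 2012 or newer machine (the SMB cmdlets are not present on Windows 7), checks only local accounts (domain accounts would need the ActiveDirectory module), and the 90-day inactivity window and the failed-logon threshold of 50 per 24 hours are assumed values you should tune to your environment.

```powershell
# Added example (not from the original post): read-only audit of a Windows host
# for a subset of the bad practices listed above. Run elevated; nothing is changed.
# Findings are returned as objects so they can be exported or pushed into an RMM.

$InactiveDays = 90            # assumption: matches the "90 days" item above
$FailedLogonThreshold = 50    # assumption: tune per environment

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Check, [string]$Status, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# 1. Unsupported OS: Windows 7 / Server 2008 R2 report as NT 6.1.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([version]$os.Version -lt [version]'6.2') {
    Add-Finding 'Unsupported OS' 'FAIL' "$($os.Caption) $($os.Version): needs ESU or isolation from the network"
} else {
    Add-Finding 'Unsupported OS' 'PASS' "$($os.Caption) $($os.Version)"
}

# 2. SMBv1 still enabled on the server side.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Add-Finding 'SMBv1' 'FAIL' 'EnableSMB1Protocol is True (Set-SmbServerConfiguration -EnableSMB1Protocol $false to fix)'
} else {
    Add-Finding 'SMBv1' 'PASS' 'SMBv1 server support is disabled'
}

# 3. Built-in Administrator (RID 500) left enabled. Match on the SID, not the name,
#    because the account may have been renamed.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtinAdmin -and $builtinAdmin.Enabled) {
    Add-Finding 'Built-in Administrator' 'FAIL' "$($builtinAdmin.Name) is enabled"
} else {
    Add-Finding 'Built-in Administrator' 'PASS' 'RID-500 account is disabled'
}

# 4. Enabled local accounts not used in the last $InactiveDays days.
#    A blank LastLogon means the account has never logged on; flag it for review too.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$stale = Get-LocalUser | Where-Object {
    $_.Enabled -and (-not $_.LastLogon -or $_.LastLogon -lt $cutoff)
}
if ($stale) {
    Add-Finding 'Inactive accounts' 'FAIL' ("Enabled but unused > $InactiveDays days: " + (($stale | ForEach-Object Name) -join ', '))
} else {
    Add-Finding 'Inactive accounts' 'PASS' "No enabled local account idle > $InactiveDays days"
}

# 5. RDP accepting connections (fDenyTSConnections = 0). Whether it is exposed to the
#    internet is a firewall/edge question; this only shows the service is switched on.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) {
    Add-Finding 'RDP' 'WARN' 'RDP is enabled; confirm it is required and not reachable from the internet'
} else {
    Add-Finding 'RDP' 'PASS' 'RDP is disabled'
}

# 6. Failed logons in the last 24 hours (Security event 4625) as a crude signal for
#    the "not monitoring for suspicious log-in activity" item. Get-WinEvent raises an
#    error when nothing matches, so silence it and treat that as zero.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue
$failedCount = ($failed | Measure-Object).Count
if ($failedCount -ge $FailedLogonThreshold) {
    Add-Finding 'Failed logons (24h)' 'WARN' "$failedCount failed logons; review source addresses and targeted accounts"
} else {
    Add-Finding 'Failed logons (24h)' 'PASS' "$failedCount failed logons"
}

$findings | Format-Table -AutoSize
# To keep evidence for the quarterly audit:  $findings | Export-Csv audit.csv -NoTypeInformation
```

The checks are deliberately read-only so the script can be dropped into a scheduled RMM task on every client endpoint; the fix for each FAIL is a separate, documented change, which is what the "documenting and planning remediation" item above calls for.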
If this information is helpful to you, read our blog for more interesting and useful content, tips and guidelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question. Our specialists will assist you with your query.
Content curated by the team of COMPUTER 2000 on the basis of marketing materials provided by our partners.