Bad Cybersecurity Practices to Avoid
- By David Lukic
- Published: Oct 13, 2021
- Last Updated: Mar 18, 2022
The ransomware epidemic has produced a flurry of best-practices lists from cybersecurity professionals telling potential victims what to do to stay safe online. On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) approached the problem from the other direction and expanded its catalog of Bad Practices, a short list of the things organizations may already be doing that put them in harm's way.
Who is CISA?
As described on CISA's website, “CISA is the Nation's risk advisor, working with partners to defend against today's threats and collaborating to build more secure and resilient infrastructure for the future.”
CISA's job is to evaluate the national risk from cyber threats and to advise government and the private sector on how to protect themselves. It also partners with other government agencies and private threat-intelligence organizations to find the most workable ways to mitigate and prevent threats to our collective digital security.
Bad Cybersecurity Practices
On Monday, CISA added single-factor authentication to its catalog of risky behaviors and bad practices for cybersecurity. In its notice, CISA called single-factor authentication "exceptionally risky."
Single-factor authentication means signing into an online resource such as a website or app with only one way of proving who you are, typically a password. CISA explains that it offers very low security because it amounts to "matching one factor — such as a password — to a username to gain access to a system." Multi-factor authentication adds a second, independent factor, such as a one-time code from a device you possess or a biometric, so that a stolen password alone is not enough to get in.
The biggest problem with passwords is that most are weak, reused across sites, and have already been stolen in data breaches; leaked credential lists circulate on the dark web, where anyone can buy them and replay them against other services.
What Is Poor Cybersecurity, According to CISA?
- "Use of unsupported (or end-of-life) software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.
- Use of known/fixed/default passwords and credentials in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.
- The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet."
CISA hammered the message home: "The presence of these Bad Practices in organizations that support Critical Infrastructure or NCFs is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public."
Other bad cybersecurity practices to steer clear of include:
- Clicking links in unsolicited or suspicious emails, or opening attachments, without first verifying the sender.
- Using weak or easy-to-guess passwords.
- Building passwords from personal details that are easy to look up (a child's birthday, a pet's name, etc.).
- Using apps over unsecured networks such as free public Wi-Fi.
- Poor physical control over devices.
- Granting users and services more privileges to network resources than they need.
- Not encrypting data in transit between networks.
- Storing critical files in cloud storage without encryption.
- Not deploying robust network monitoring and antivirus on all servers and workstations.
- Insufficient staff training on social engineering and phishing campaigns.
- Not applying the latest security patches to devices, software, and operating systems.
- Not properly vetting third-party systems and vendors.
- Not keeping reliable, regularly tested backups.
- Not requiring multi-factor authentication for all devices, systems, and services.