The Cybersecurity & Infrastructure Security Agency (CISA) is a U.S. government agency focused on risk management for the nation’s infrastructure protection. Its mission is to guide national efforts to understand and monitor physical and cyber risks to the nation’s critical infrastructure.
CISA formulates cybersecurity hygiene strategies and tools for the public and private sectors, along with incident response services to safeguard the nation’s critical infrastructure.
The very existence of such a government agency demonstrates the importance of cybersecurity in today’s world. CISA has already helped to remediate crises such as the Colonial Pipeline attack in April 2021, and has worked on other attacks that targeted the healthcare sector.
The damages from cybersecurity threats and data breaches can include remediation costs, payouts for ransomware attacks, statutory penalties ($760 million in 2020 alone), reputational damages, and even loss of life if critical infrastructure is compromised.
Poor cybersecurity practices give cybercriminals an easier path to infect systems, extract sensitive information, restrict the use of business infrastructure, and cripple processes.
To protect businesses and government agencies from those consequences and to raise awareness of the cybersecurity risks they face daily, CISA has introduced a dynamic list of cybersecurity bad practices.
Examples of Poor Cybersecurity According to CISA
CISA has identified two practices that put the nation’s critical infrastructure (and companies in general) at high risk.
Unsupported or End-of-life Software Use
The first is the bad habit of continuing to use software that is out of date or no longer supported by the vendor that created it.
Any software without active technical support is an information security risk: once the vendor stops issuing upgrades and patches, every vulnerability discovered from that point on remains exploitable indefinitely, and attackers will eventually find and use those flaws. Your organization’s software must keep pace with security threats through upgrades, patches, or continued technical support.
The other chief problem is password mismanagement. Businesses must use passwords that are difficult to guess and change passwords regularly — and too many businesses don’t do that.
In July 2021, for example, a password “dictionary” was discovered online with more than 8 billion entries, the largest compilation of passwords in history. Given the number of software apps and services that have suffered data breaches, there’s a fair chance that at least some of your passwords are in that dictionary.
The tendency to recycle passwords has also affected millions of users worldwide. This bad practice multiplies the success rate of attacks that reuse stolen credentials, because cybercriminals know that one extracted password will often be enough to access a number of accounts belonging to the same victim. It’s yet another reason why CISA is pushing business owners to adopt multi-factor authentication as standard practice.
Be Aware of Other Bad Cybersecurity Practices
These aren’t the only bad cybersecurity practices to watch out for. We’ve compiled a few others that organizations should avoid to reduce their exposure to cybersecurity threats.
No Public WiFi Policies
Most public WiFi networks aren’t as secure as corporate networks. Cafes and public spaces are ideal places for information theft, thanks to the weakness of open networks.
In the recent case of routers infected with TrickBot malware, the malicious software sitting inside the network was able to steal data from its victims and serve as a gateway for additional malware and ransomware.
Microsoft partnered with telecommunication companies to remove these infected devices from circulation, but something similar could always happen again.
So companies should have a policy about whether their employees can use public networks at all, and if so, require them to use a virtual private network (VPN). Requiring a VPN is a security best practice: it tunnels the employee’s traffic through an encrypted connection, adding a layer of protection that the open network itself does not provide.
Cybersecurity as Remediation
Investing in cybersecurity should not be an afterthought following an attack or some other security incident. Rather, implement controls such as firewalls, antivirus software, and continuous monitoring before an incident occurs, to provide optimal data security for the organization.
This also includes training on cybersecurity risks as well as the constant evaluation and implementation of new controls as IT security updates and new risks emerge.
Turning a Blind Eye to Mobile Devices’ Risks
With the rise of Bring Your Own Device (BYOD) arrangements in the office, companies’ risk of cyberattack has increased.
The absence of data protection measures on mobile phones opens the door to security risks that arrive through the mobile device, which can sometimes be compromised with surprising ease. So businesses must have policies and security measures that apply specifically to personal devices.
Prevent Cybersecurity Risks With ZenGRC
ZenGRC is a governance, risk management, and compliance tool that helps cybersecurity officers and CIOs maintain a thorough overview of changing cybersecurity risks.
ZenGRC automates the tedious, repetitive tasks associated with continuous monitoring by compiling audit information, streamlining workflows, and eliminating the chance for human error as well as the need for manual follow-up of outstanding tasks.
Additionally, ZenGRC can map controls across multiple cybersecurity frameworks and show you where your existing gaps are and how to fill them.
ZenGRC empowers organizations to focus on fundamental compliance issues instead of the burdensome tasks associated with compliance workflows.
To see how ZenGRC can improve your cybersecurity strategies, schedule a free demo today.