Bad Cybersecurity Practices: What Would You Add?

First there was the movie Bad Santa. Then came another hit, Bad Moms.

And now we have something brand new from CISA: Bad Practices.

Will this new list from the U.S. Cybersecurity and Infrastructure Security Agency be a hit with cybersecurity professionals?

Why did CISA create a list of bad cybersecurity practices?

Eric Goldstein, Executive Assistant Director at CISA, explains the purpose of the list as a way to cut through all the noise around best practices:

"There is certainly no lack of standards, practices, control catalogs, and guidelines available to improve an organization's cybersecurity.

While this body of guidance is invaluable, the sheer breadth of recommendations can often be daunting for leaders and risk managers.

Given the risk facing our nation's critical infrastructure, as reflected by recent incidents, additional perspective is needed. Putting an end to the most egregious risks requires organizations to make a concerted effort to stop bad practices."

And CISA is looking for information security professionals to help add to this list. 

However, it's tough to do that if you are not sure what is already listed, so let's take a quick look at the Bad Cybersecurity Practices List at this point.

CISA Bad Practices: the first things on the list

When CISA announced the Bad Practices list, it did so with an eye on cybersecurity practices that it calls dangerous. Here is the start of the list:

1. "Use of unsupported (or end-of-life) software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in internet-accessible technologies."
2. "Use of known/fixed/default passwords and credentials in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in internet-accessible technologies."

These practices greatly increase cyber risk in critical functions and infrastructure, according to CISA. But CISA calls on "all organizations to engage in the necessary actions and critical conversations to address Bad Practices."

CISA Bad Cybersecurity Practices List: what would you add?

CISA says the start of this list is just that—the beginning. And this is where the rest of us come in.

What would you add to this list of bad cyber practices? CISA's Eric Goldstein wants to know, using this as a frame of reference:

"The principle of 'focus on the critical few' is a fundamental element of risk management. Based on the understanding that organizations have limited resources to identify and mitigate all risks it should also be an essential element of every organization's strategic approach to security.

Addressing bad practices is not a substitute for implementing best practices, but it provides a rubric for prioritization and a helpful answer to the question of what to do first."

Let us know what you think should be added to the list, in the comments below, and we will share them with CISA. 

[Note: comments are moderated and will take a few minutes to appear]