There are some bad IT practices that are dangerous for any organization and especially for companies in important industries like healthcare.
RSA Conference 2022: Joshua Corman and Donald Benak, deputy associate director of the Cybersecurity and Infrastructure Security Agency (CISA) and founder of I Am the Cavalry, outlined what the US government sees as the three most critical bad practices in IT today.
“The uncomfortable fact is that we can’t just say best practice,” Corman said.
Corman noted that healthcare settings in particular suffer from a shortage of resources, and that there is a chronic shortage of IT workers of any kind, let alone those focused on security. He described the healthcare environment as target-rich but resource-poor in terms of IT security.
Corman defined being ‘cyber-poor’ as a deficiency in one of several areas. One is inadequate information and awareness, which can be fixed with education. Another is inadequate incentives to ensure that an organization works to keep the public safe. But in many cases it is simply insufficient resources: a lack of staff, skills or money makes any organization cyber-poor.
CISA’s bad habits
Benak explained that CISA’s goal in publicly declaring what counts as a bad practice in IT is to provide simple, direct guidance to any organization, including those with limited access to cyber skills.
“Bad habits are the equivalent of your doctor telling you not to eat fried fatty foods every day of your life because it’s bad,” Benak said.
There are only three items on this first list of bad practices, and Benak insisted that these three things must stop:
- Use of unsupported or end-of-life software
- Use of familiar / specific / default certificates
- Use of single-factor authentication for remote or administrative access
“None of these practices are based on theory; they are based on analysis of all the incident reports and on the information CISA has on what is being exploited in the wild,” Benak said.