There are a few bad IT practices that are dangerous for any organization and particularly for organizations in critical industries like healthcare.
At the RSA Conference 2022, Donald Benack, deputy associate director at the Cybersecurity and Infrastructure Security Agency (CISA), and Joshua Corman, founder of I am the Cavalry, outlined what the US Government sees as the three most critical bad practices for IT today.
"The uncomfortable truth is that we can't just say do best practices," Corman said.
Corman noted that in healthcare settings, in particular, there are resource shortages and a chronic lack of IT staff of any type, let alone those focused on security. He defined the healthcare environment as target-rich but resource-poor regarding IT security.
The concept of being 'cyber-poor' was defined by Corman as being deficient in a few areas. One area is insufficient information and awareness, which can be fixed with education. Another area is insufficient incentives to make sure that an organization is doing the things that keep the public safe. But in many cases, it's insufficient resources. The lack of staff, skills or money leads any organization to being defined as cyber-poor.
CISA's Bad Practices
Benack explained that CISA's goal of publicly declaring what the bad practices are for IT is about providing simple, direct guidance to any organization with no cyber expertise on staff or limited access to cyber expertise.
"The bad practices are the equivalent of your doctor telling you don't eat fried fatty foods every single day of your life because that's bad," Benack said.
The first list of bad practices only has three items, and Benack emphasized that the three things are activities that absolutely must stop.
The Bad Practices:
- Use of unsupported or end-of-life software
- Use of known/fixed/default credentials
- Use of single-factor authentication for remote or administrative access
"All of these practices are not based on theory; they're based on analysis of all the incident reports and access to information CISA has around what's being exploited in the wild," Benack said.