
3 Bad Cybersecurity Practices According To CISA In 2021


Last Updated on September 1, 2021 by Calvin C.

Shocking statistics show that the cost of cybersecurity insurance will balloon to $25 billion by 2025 and that 51% of companies hit by a ransomware attack pay the ransom. The Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 3 bad cybersecurity practices you have to avoid.

A cyberattack can be costly to an organization and, in the worst-case scenario, ruin its reputation. The deadly sins outlined by CISA give you an idea of what to prioritize when addressing security gaps.

These practices affect both the government and private sector, so any solutions apply to both parties.

CISA came up with a catalog of extremely risky “Bad Practices”, and organizations that support Critical Infrastructure or National Critical Functions (NCFs) should address these issues as a top priority.

We rely on critical infrastructure for national security, health, economic stability, public safety and life.


The catalog of bad cybersecurity practices

1. Use of unsupported (end-of-life) software

If your organization supports Critical Infrastructure or National Critical Functions, all of its software must be genuine and up to date.

The danger of using obsolete software is amplified if the organization relies on the internet to execute day-to-day business because there is more exposure to threat actors.

All software must come from the official vendor, and the IT department must be vigilant in making sure only the latest versions are used.

Upgrading systems can be costly for an organization, but it helps maintain good overall cyber hygiene.

2. Poor password practices

The use of a strong password to protect your system is very important.

CISA highlights that you should avoid known, fixed or default passwords at all costs, and this applies to other login credentials too.

With a tool like NordPass password manager, you can easily generate a very strong, complex password that is hard to crack.

In organizations, it’s common for the IT department to force employees to create new passwords, not previously used, after a certain period.

Without a tool like a password manager, it becomes increasingly difficult to generate a new, reliable password.

Cybercriminals use tactics like social engineering to get an idea of what passwords are commonly used by potential targets.

3. Use of single-factor authentication

No matter how long or complex a password is, if it’s the only security barrier between your systems and cybercriminals, it’s a recipe for disaster.

This is crucial for systems that support Critical Infrastructure and National Critical Functions.

CISA puts it as follows, “The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.”

Multi-factor authentication (MFA) is more secure as it adds an extra layer of security, making it even harder for miscreants to break into protected systems.

Note that app-based MFA is better than two-factor authentication using SMS, for reasons outlined in this article.


Obviously these are not the only bad practices that an organization needs to address.

A VPN is one way to prevent unauthorized access to an organization’s network by allowing employees to connect to the company network remotely and securely.

When working with private data, using a trusted VPN is important, and this is where free VPNs fall short because of privacy issues.

I recommend NordVPN because it has plenty of security features and the company has NordPass, a highly effective password manager.

NordVPN has more than 5100 secure servers in all major regions around the world and supports all operating systems.

Is your organization aware of the bad cybersecurity practices above and is it taking any actions? Leave comments below and share this article with your friends on social media.

Tech writer and VPN expert. DIY enthusiast who loves anything to do with space science.
