25 cybersecurity bad practices: more than just bad habits

CISA (the Cybersecurity and Infrastructure Security Agency) recently started an initiative to create a catalogue of exceptionally risky cybersecurity bad practices. While this will be a welcome and very useful tool once it is complete, only two practices are listed at the time of writing. Since cybersecurity and business decisions can be time-sensitive, we wanted to expand on CISA’s list. Our Head Sales and Marketing Nerd, Stefanie Hammond, is also covering the number one cybersecurity-related business bad practice that managed services providers should be aware of, in a companion post.

We encourage you to read through all the cybersecurity and business bad practices regardless of what your role and responsibilities are within your organization. Most of them do not arise out of ill intentions but rather out of bad habits, or a lack of guidance and planning. It would be a worthwhile use of your organization’s time to make sure none of these bad practices are at play in your MSP business or your clients’ environments.

Cybersecurity bad practices

According to CISA, the number one bad practice is the use of unsupported or end-of-life (EOL) software, which they consider “especially egregious in internet-accessible technologies.” Attempting to support and protect EOL hardware and software can be a challenge in some situations and impossible in others: there are no vendor patches coming, so every new vulnerability found in that product stays open for as long as it is deployed. Sometimes you’re left crossing your fingers and hoping that nothing breaks. This isn’t sustainable long-term, and it makes it difficult to deliver on a promise to offer your clients the best protection possible.

Use of known/fixed/default passwords or credentials is number two on CISA’s list. We all know it’s important to change the default password on managed switches or other appliances, but are you verifying it? Make sure you have an audit process in place to ensure default credentials are not being left in place, and that the audit actually tests the login rather than relying on a checklist entry that says it was changed.

Now we’re on to our own recommendations of some common, bad cybersecurity practices that should be avoided:

  1. Use of Windows 7 without Extended Security Updates (ESU) or air-gapping
  2. No disaster recovery or incident response plan
  3. Not rehearsing disaster recovery or not exercising incident response plans
  4. In workgroup environments, giving users file share access with admin credentials
  5. Not performing permissions audits at least quarterly
  6. Not monitoring for suspicious login activity
  7. Leaving SMBv1 enabled
  8. Not using a password manager to facilitate auditing, reduce password reuse, and enforce password strength
  9. Not enforcing session timeouts
  10. Giving client business owners full admin access
  11. Not segmenting unmanaged BYOD devices onto their own network or VLAN
  12. Not segmenting IoT devices onto their own network or VLAN
  13. Not implementing physical access controls for server rooms/telco closets
  14. No documented security framework
  15. Not documenting and planning remediation for discovered vulnerabilities
  16. Not monitoring for, and automatically disabling, accounts that haven’t been used in more than 90 days
  17. Not implementing a principle of least-privilege approach to permissions
  18. Leaving Windows’ built-in Administrator account enabled
  19. Using Windows Automatic Updates to handle patching instead of a dedicated solution, which leaves you without visibility of current patch status across an environment
  20. Assuming a traditional AV is enough to protect endpoints
  21. Not using an email security and filtering solution
  22. Not having external security audits of your internal processes
  23. Not performing quarterly or yearly penetration testing
  24. Leaving RDP ports open to the internet, because “hey, it’s free”
  25. Not disabling RDP in environments that do not need it
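Several of the Windows-specific items on that list (7, 16, 18, 24 and 25) can be checked with the same PowerShell an MSP technician would push out through an RMM job. The script below is an added example written for this page; it is not N-able’s code and does not come from the original post. It assumes it is run elevated on a domain-joined member server with the RSAT ActiveDirectory module installed, on Windows PowerShell 5.1 or later. The script name and the `-InactiveDays`/`-Remediate` parameters are our own choices. It reports by default, applies fixes only when `-Remediate` is given, and never turns off RDP on its own, because doing that from a remote session can cut off the session you are working from.

```powershell
<#
  Audit-BadPractices.ps1 (hypothetical name; added example, not N-able's code)
  Checks a Windows host for items 7, 16, 18, 24 and 25 from the list above.
  Assumes: elevated, domain-joined member server, RSAT ActiveDirectory module,
  Windows PowerShell 5.1+. Report-only unless -Remediate is supplied.
#>
[CmdletBinding()]
param(
    [int]$InactiveDays = 90,   # item 16 threshold
    [switch]$Remediate         # apply the SMBv1, stale-account and built-in-admin fixes
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Item, [string]$Detail, [string]$Fix) {
    $findings.Add([pscustomobject]@{ Item = $Item; Detail = $Detail; Fix = $Fix })
}

# --- Item 7: SMBv1 ------------------------------------------------------------
# The server-side protocol switch and the installed optional feature are separate
# settings; check both.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Add-Finding 'SMBv1 server protocol enabled' $env:COMPUTERNAME `
        'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1 -and $smb1.State -eq 'Enabled') {
    Add-Finding 'SMBv1 feature installed' $env:COMPUTERNAME `
        'Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart'
    if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# --- Item 16: enabled accounts unused for more than $InactiveDays days ---------
# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
# roughly 14 days of lag: fine for a 90-day threshold, not for a much shorter one.
Import-Module ActiveDirectory -ErrorAction Stop
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, WhenCreated |
    Where-Object {
        # Accounts that have never logged on are measured from creation, so a
        # freshly provisioned account is not flagged on day one.
        $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.WhenCreated }
        $last -lt $cutoff
    }
foreach ($u in $stale) {
    Add-Finding "Enabled account inactive > $InactiveDays days" $u.SamAccountName `
        "Disable-ADAccount -Identity '$($u.SamAccountName)'"
    if ($Remediate) { Disable-ADAccount -Identity $u }
}

# --- Item 18: built-in Administrator (RID 500) --------------------------------
# Match on the SID, not the name: the account is often renamed, which hides nothing.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$builtin = Get-LocalUser -ErrorAction SilentlyContinue |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    # Lock-out guard: only disable it when another enabled local account is a member
    # of Administrators (domain groups in that group are not counted here).
    $otherAdmins = @(Get-LocalUser | Where-Object {
        $_.Enabled -and $_.SID.Value -ne $builtin.SID.Value -and
        ($localAdmins.SID.Value -contains $_.SID.Value)
    })
    Add-Finding 'Built-in Administrator enabled' `
        "$($builtin.Name); other enabled local admins: $($otherAdmins.Count)" `
        "Disable-LocalUser -Name '$($builtin.Name)'"
    if ($Remediate -and $otherAdmins.Count -gt 0) { Disable-LocalUser -Name $builtin.Name }
}

# --- Items 24/25: RDP ---------------------------------------------------------
# fDenyTSConnections = 1 means Remote Desktop is disabled. Report only; whether a
# host needs RDP is a per-host decision, and internet exposure of 3389 has to be
# verified at the perimeter firewall, not from inside the host.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-ItemProperty $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0) {
    $listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $nla = (Get-ItemProperty "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
    Add-Finding 'RDP enabled' "listening on 3389: $([bool]$listen); NLA required: $($nla -eq 1)" `
        "If not needed: Set-ItemProperty '$tsKey' -Name fDenyTSConnections -Value 1; Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'"
}

$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) { exit 1 }   # non-zero exit so an RMM job can flag the host
```

Run it as `.\Audit-BadPractices.ps1` for a report, or `.\Audit-BadPractices.ps1 -Remediate` to apply the SMBv1, stale-account and built-in-Administrator fixes. On a domain controller `Get-LocalUser` does not apply; the domain’s own Administrator account (also RID 500) has to be reviewed separately with `Get-ADUser`. The script does not cover default credentials on switches and appliances (CISA’s item two), which still need a login test against each device.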

The list of cybersecurity bad practices could go on, but we’re going to switch gears and encourage you to read more about the number one business bad practice concerning cybersecurity that MSPs should avoid. If you would like to have a more in-depth conversation about any of the cybersecurity bad practices listed, please reach out via the contact information below.

Lewis Pope is the Head Security Nerd at N-able. You can follow him on

Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd


© 2021 N-able Solutions ULC and N-able Technologies Ltd. All rights reserved.

The N-able trademarks, service marks, and logos are the exclusive property of N-able Solutions ULC and N-able Technologies Ltd.  All other trademarks are the property of their respective owners.

This document is provided for informational purposes only. Information and views expressed in this document may change and/or may not be applicable to you.  N-able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

