In mid-March, the Cybersecurity and Infrastructure Security Agency (CISA) released a report highlighting how cyber actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain access and compromise user systems. These included not enforcing multifactor authentication, primarily with remote desktop access, the use of vendor-supplied default login usernames and passwords, and the failure to detect and block phishing attempts.

CISA suggested organisations can help strengthen their network defences against commonly exploited practices by adopting a zero-trust security model, which enables users to be assigned only the access rights required to perform their assigned tasks. Access control can limit the actions of malicious cyber actors and reduce the chance of user errors.

CISA also stresses the importance of implementing multi-factor authentication (MFA) protocols, deploying antivirus programs and detection tools, scanning for vulnerabilities, and establishing a software and patch management program. These are all said to provide a higher degree of visibility into endpoint security or otherwise help protect against malicious cyber actors.

Julia O’Toole, Founder and CEO of MyCena Security Solutions, believes that these recommendations are simply not enough and that organisations need more than surface-level fixes to prevent cyber-breaches.

“Preventing malicious actors from gaining network access won’t happen through antivirus programs. These are simply temporary fixes that do nothing to correct the fundamental vulnerabilities in how organisations approach their cybersecurity. It’s time for businesses to take control and lead their own cyber resilience, rather than hide their difficulties behind third-party software.”

“We’ve seen earlier this year how MFA can be easily exploited by malicious cyber actors wishing to gain network access. These vulnerabilities are often known and exploited by hackers for months before affected organisations are made aware, posing a significant danger to those whose systems are compromised.”

“MFA is not the solution CISA wants to pretend it is, and enforcing the use of stronger passwords doesn’t stop the problem either. When, according to the 2022 Verizon Data Breach Investigation Report, 82% of network breaches start with a compromised login – whether using stolen credentials or phishing – the difference between “123456” and “1&!7A8%9gh3Tio” is negligible in protecting your network. Hackers don’t “hack in”, they simply log in using “found” passwords, be it through social engineering, phishing or even just paying employees for their credentials. Trusting employees to create their own keys is the ultimate problem that CISA should be addressing.”

Whilst O’Toole agrees with CISA’s advice to grant role-based access, she explains that this does not fix the underlying credential vulnerabilities.