Cybersecurity Risk Assessment Common Findings: Account Management

July 8, 2022 Mike Smith

What are the most common gaps found within companies, when performing a formal cybersecurity risk assessment?

In the video below, Mike explains the most common findings within CIS Control #5 – Account Management.

Want Mike’s recommendations on the best vendors to quote for a formal cybersecurity risk assessment for your business? Click the button below and ask Mike today.


About Mike

Mike Smith AeroCom

Mike Smith has been helping companies select the best telecom, WAN, security, and cloud services since 1999. He founded AeroCom in 2003, and has been the recipient of numerous business telecommunications industry awards, including being recognized as one of the top 40 business people in tech-heavy Orange County, CA. Follow Mike on YouTube, LinkedIn, Reddit and SpiceWorks.

Transcript

Your company is looking into having a formal cybersecurity risk assessment, but before you go there, you’re wondering, are there any things that I should do? Just some quick house cleaning things before I go get this formal assessment?

So that I don’t get embarrassed when they come in and start looking at things and start realizing, “Hey, here’s what we found,” and it’s all this easy stuff that you knew you kind of needed to do and things like that. If you are thinking that, I wanted to make a video series on the most common findings of a cybersecurity risk assessment. To kind of guide us through this video series, I’m using the CIS framework, and the reason I’m using that framework is because there are 18 controls and not 100 controls or a ton of controls like you see in some of the other frameworks.

Today’s video is going to be on CIS Control number five, which is account management. I’m going to cover that one…

Take the shortcut

But before I get too deep into it, just a quick plug. If you’d like my recommendations on the best company that you should be quoting for a formal cybersecurity risk assessment, there’s a lot of them out there, probably thousands. Don’t feel like you have to scour through them on your own. I’m a broker for all these different companies. Based on your company’s requirements, I can find the best companies that you should be quoting, so reach out and contact me on email or by phone (714.593.0011). I’m happy to help. More information on that at the end of the video.

Account Management

Well, when it comes to account management and CIS Control number five, what are the most common findings? If somebody hires a formal cybersecurity risk assessment company to come in and look at that kind of stuff, when it comes to account management, what are they finding time and time again with companies that you might want to know upfront?

Well, the most common finding there… I learned this from talking to the actual engineers who are going in and doing these risk assessments for companies. I’m asking them these same questions, and what they’re coming back to me and telling me is that the most common finding in account management is that companies have one set of login credentials for an admin. What I mean by that is that it’s best, in terms of cybersecurity best practices, to not just have one login credential for an admin-level user to use.


Examples

Say, for instance, they can do their normal thing on an application, and then if they want to make account changes, like adding or removing a user, they don’t have to log in again. It’s better to have an additional login required for higher level tasks. For instance, somebody in your IT department, their everyday use for that application is one login, but then for them to go another level into the admin level, it’s a different login. Say, for instance, Office 365: is it the same login for your admin credential as an IT professional? Is it the same login to access your email and everything on a daily basis as it is for you to add or delete a user? That’s bad. You should have a different login for higher level tasks or higher level capabilities, like removing users or changing your account, things like that. You should have different logins, and it should be multifactor authentication for those logins in order to perform those little account-level tasks, things like that.

That’s the most common finding, is that a lot of companies just have one login for admin-level users, and it’s the same login that they’re using for everyday tasks as the login that they’re using to do higher level account-level changes, which is obviously susceptible to… somebody can come in and hack in and get one login credential and then do all kinds of stuff, laterally, within that organization. Obviously, something that you can clean up a little bit before you even get a formal assessment, which will help that formal assessment go deeper into the less common findings that your company might need.
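As an added illustration of the check behind this finding (this is example code, not Mike’s or AeroCom’s, and the CIS framework does not prescribe any particular script), the Python below audits an exported list of logins for the three conditions described above: admin-role accounts that are also someone’s everyday mailbox account, admin-role accounts without multifactor authentication enforced, and people who have no separate admin-only login at all. The CSV export, its column names, the role names and the addresses are all constructed for the example; a real export from a directory such as Microsoft 365 would need its columns mapped onto these fields.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample export (not real tenant data): one row per login.
# admin_roles is ';'-separated; an empty value means a standard user.
SAMPLE_EXPORT = """upn,owner,admin_roles,has_mailbox,mfa_enforced
alice@example.com,alice,,true,true
alice.admin@example.com,alice,Global Administrator,false,true
bob@example.com,bob,User Administrator;Helpdesk Administrator,true,false
carol@example.com,carol,Exchange Administrator,true,true
dave@example.com,dave,,true,false
"""


@dataclass(frozen=True)
class Account:
    upn: str                      # the login itself
    owner: str                    # the person behind the login (assumed column)
    admin_roles: tuple[str, ...]  # directory roles held; empty = standard user
    has_mailbox: bool             # True if the login is used for day-to-day email/work
    mfa_enforced: bool            # True if MFA is required at sign-in

    @property
    def is_admin(self) -> bool:
        return bool(self.admin_roles)


def _as_bool(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "1"}


def load_accounts(csv_text: str) -> list[Account]:
    """Parse the constructed CSV layout into Account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        roles = tuple(r.strip() for r in row["admin_roles"].split(";") if r.strip())
        accounts.append(Account(
            upn=row["upn"].strip(),
            owner=row["owner"].strip(),
            admin_roles=roles,
            has_mailbox=_as_bool(row["has_mailbox"]),
            mfa_enforced=_as_bool(row["mfa_enforced"]),
        ))
    return accounts


def find_shared_admin_logins(accounts: list[Account]) -> list[str]:
    """Admin-role logins that double as an everyday mailbox account (the finding in the video)."""
    return sorted(a.upn for a in accounts if a.is_admin and a.has_mailbox)


def find_admins_without_mfa(accounts: list[Account]) -> list[str]:
    """Admin-role logins where MFA is not enforced."""
    return sorted(a.upn for a in accounts if a.is_admin and not a.mfa_enforced)


def owners_needing_separate_admin_account(accounts: list[Account]) -> list[str]:
    """People whose only admin-capable login is also their daily login."""
    by_owner: dict[str, list[Account]] = {}
    for a in accounts:
        by_owner.setdefault(a.owner, []).append(a)
    flagged = []
    for owner, logins in by_owner.items():
        admin_logins = [a for a in logins if a.is_admin]
        # A dedicated admin login is one that holds roles but is not used as a mailbox.
        if admin_logins and not any(not a.has_mailbox for a in admin_logins):
            flagged.append(owner)
    return sorted(flagged)


def audit(csv_text: str) -> dict[str, list[str]]:
    accounts = load_accounts(csv_text)
    return {
        "admin logins also used for daily work": find_shared_admin_logins(accounts),
        "admin logins without MFA": find_admins_without_mfa(accounts),
        "people with no separate admin login": owners_needing_separate_admin_account(accounts),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_EXPORT).items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```

In the sample data, alice already has a dedicated admin login with MFA and is not flagged; bob and carol each use their mailbox account for admin work, and bob additionally has no MFA, so those are the rows an assessor would list under Control 5.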

Don’t be shy

I hope that was helpful. If so, don’t forget to hit the like button down below and subscribe to our channel. If you’d like my recommendation for the best companies for your organization to quote for a formal cybersecurity risk assessment, I definitely can help you out. I’m a broker for all the major companies that do this, and different companies are a better fit than others when it comes to your particular organization’s requirements. If you want to know which companies those are, reach out and contact me via email or by phone (714.593.0011). I’m happy to ask you a few questions and pair you up with the right organizations to quote. I’ll oversee the quoting process, as well. The nice thing is, those companies will pay me my broker fee, so you don’t have to pay me anything. There’s absolutely no reason not to at least reach out and see what I have to say. All right. Well, hope that helps, again, and I will catch you on the next video.
