The Center for Internet Security (CIS) Controls, or CIS Controls for short, have become an industry standard for helping businesses and organizations of all sizes maintain a baseline of cybersecurity best practices.

Safeguard 5.4 requires that you RESTRICT administrator privileges to dedicated administrator accounts on your enterprise assets. Yes! General computing activities such as web browsing, email, the Microsoft Office suite, gaming, etc., should be done from your primary, non-privileged account, not as an administrator.

One thing that is still common today is that IT people love the power, and they don't like having to log off and log back on as their YOURNAME_Admin account to get it. The excuses are always the same: it slows us down, it makes me less productive, I can't do my job without the elevated rights.

Let's get real. You can't be secure if you are not taking the time to secure your own usage. Out of an 8-hour work day, you might need to be elevated for maybe 30 minutes (on most days). Outside of that, it isn't needed, and every minute you spend reading email or browsing with an elevated token is a minute in which a phishing payload or drive-by download runs with your admin rights instead of a user's.

Everyone who should have administrative-level rights, including domain admins, enterprise admins, global admins, and admin-level rights to your SaaS apps, must have two separate accounts: a day-to-day account with no privileges and a dedicated admin account used only for administrative work.

I commonly see 'admin' appended to the username to designate the difference for the end user. Hackers know this convention as well, so an attacker who learns one username can guess the privileged one. Ensuring MFA or long passwords on these accounts is a must (remember 5.2, and 6.5, which requires MFA for administrative access).
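As an added example (not from the original post or from CIS), here is a PowerShell audit script that checks a Windows host against this safeguard: it reports whether the current session is running with an elevated token, and lists user accounts in the local Administrators group (and in Domain Admins, when the ActiveDirectory module is present) that are not named like dedicated admin accounts. It assumes the "_Admin" suffix convention discussed above; the pattern, the function names and the exclusion list are my assumptions, not part of the CIS Controls.

```powershell
#Requires -Version 5.1
# Added example, not from the original post. Audits a Windows host against
# CIS Safeguard 5.4: (1) is this session elevated? (2) which members of the
# Administrators group(s) are not dedicated admin accounts?
# Assumptions: dedicated admin accounts end in "_Admin" (the naming convention
# discussed in the post), and the built-in Microsoft.PowerShell.LocalAccounts
# module is available (Windows 10 / Server 2016 and later).

$DedicatedAdminPattern = '_Admin$'          # assumed convention; -match is case-insensitive
$ExpectedLocalAdmins   = @('Administrator') # built-in account, excluded from findings

function Test-SessionElevated {
    # True when this process holds an elevated (administrator) token, i.e. the
    # state that should be rare during a normal work day.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-NonDedicatedLocalAdmins {
    # User accounts in the local Administrators group whose name does not mark
    # them as a dedicated admin account (typically someone's daily-driver login).
    # Nested groups such as "DOMAIN\Domain Admins" are not expanded here.
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        $shortName = ($_.Name -split '\\')[-1]
        $_.ObjectClass -eq 'User' -and
        $shortName -notmatch $DedicatedAdminPattern -and
        $ExpectedLocalAdmins -notcontains $shortName
    } | Select-Object Name, ObjectClass, PrincipalSource
}

function Get-NonDedicatedDomainAdmins {
    # Same check for Domain Admins; runs only if the RSAT ActiveDirectory module
    # is installed, so the script still works on a standalone workstation.
    if (-not (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue)) {
        Write-Verbose 'ActiveDirectory module not available; skipping Domain Admins.'
        return
    }
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object {
        $_.objectClass -eq 'user' -and $_.SamAccountName -notmatch $DedicatedAdminPattern
    } | Select-Object SamAccountName, DistinguishedName
}

# --- Report -----------------------------------------------------------------
if (Test-SessionElevated) {
    Write-Warning 'This shell is elevated. Do the admin task, then close it; read mail and browse elsewhere.'
} else {
    Write-Output 'Session is not elevated: the correct state for email, browsing and Office.'
}

$local = @(Get-NonDedicatedLocalAdmins)
if ($local.Count -eq 0) {
    Write-Output 'Local Administrators: no daily-use user accounts found.'
} else {
    Write-Output 'Local Administrators members that do not look like dedicated admin accounts:'
    $local | Format-Table -AutoSize | Out-String | Write-Output
}

$domain = @(Get-NonDedicatedDomainAdmins)
if ($domain.Count -gt 0) {
    Write-Output 'Domain Admins members that do not look like dedicated admin accounts:'
    $domain | Format-Table -AutoSize | Out-String | Write-Output
}
```

Run it once from your normal shell and once from an elevated one to see both messages. Only direct user members are flagged; a daily account that gets local admin through a nested group will not show up, so review any group members of Administrators separately. Adjust the pattern and exclusion list to your own naming standard before trusting the findings.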

This one isn't rocket science, but it is required for Implementation Groups 1, 2, and 3, so it is something we all have to improve on, and the biggest obstacle in our way is ourselves.

Contact Info

717.884.9030

Scott@ScottRDavis.com