7 Security Practices to Give Up Immediately
Today, an outdated practice may not only be useless, but potentially dangerous. It is time to determine if there are weak links in your security chain.
Bad habits can be hard to break. Yet when it comes to security, outdated practices are not only useless, but potentially dangerous. Even so, these bad habits continue to linger on even though they have become a huge liability everywhere.
1. Expecting perimeter-only security to be enough. The expectation of “we have a firewall” and “that is all the protection we need” is simply not true anymore. Global IT and cybersecurity leader Amit Basu has observed that “the majority of today’s work environments are cloud-based, often remote, and highly distributed. The old practice of securing a fixed boundary simply doesn’t apply.” And that is what a firewall does. It puts up a heavily fortified perimeter for an office environment or a very specific cloud environment.
In a cloud-first or hybrid-work environment, where users and data reside both inside and outside the traditional firewall perimeter, perimeter-only security leaves organizations dangerously exposed to lateral movement, ransomware, and data exfiltration. Basu advises adopting zero trust: never trust, always verify, regardless of location.
Does this mean that there is no place for hardware firewalls today? No, that is not the case at all. Firewalls must still be used to protect office networks and dedicated cloud workloads. The idea behind zero trust is to put the firewall where the user, the data and the computer are at all times. That may be at home or in a hotel when they are traveling. Previously this would have been nearly impossible, but now it can be done easily with a Firewall as a Service (FWaaS) or Secure Access Service Edge (SASE) solution. These bring the protection of the firewall to users wherever they are, even when they are not in the office. The service authenticates both the user and the computer at their current location, and this is a fundamental part of a zero-trust solution.
2. Relying on legacy VPNs. Legacy VPNs can be inefficient and cumbersome, and this makes them difficult to manage and prone to significant downtime. VPNs provide security through encrypted connections, but they were never designed for the scale and flexibility of today’s hybrid workforce.
There is also an inherent risk with VPN usage. Anyone with the VPN software and a set of user credentials can connect from any computer at any time. This is the exact opposite of zero trust. And since a VPN connection is essentially an unrestricted doorway into a remote network, it becomes a potential source of lateral movement, which is a huge security risk. This broad access to the internal trusted network is the main reason why VPNs are no longer acceptable.
Replacing VPNs with Secure Access Service Edge (SASE) or Firewall as a Service solutions and adopting a zero-trust mindset are essential. Under zero trust, every user and every device that accesses a resource must be identified and verified.
3. Assuming EDR provides sufficient protection. While endpoint detection and response (EDR) solutions represent a significant advancement over traditional antivirus protection, relying solely on this approach is inadequate in today’s threat landscape, says Michel Sahyoun, chief solutions architect at cybersecurity technology provider NopalCyber.
While EDR excels at monitoring and responding to endpoint-based activities, leveraging behavioral analysis, and using threat hunting to detect sophisticated attacks, attackers are increasingly bypassing endpoints entirely, targeting cloud environments, network devices, and embedded systems. These are areas where EDR cannot protect.
Sahyoun notes that adversaries can exploit OAuth tokens to gain unauthorized access to cloud platforms, such as Microsoft 365, Google Workspace, or AWS, without ever interacting with an EDR-monitored endpoint. “Similarly, network appliances and IoT devices, which often lack robust monitoring or forensic capabilities, serve as blind spots,” he says. Meanwhile, cloud environments further complicate detection due to limited logging, paywalled visibility features, and a lack of comprehensive detection content. Furthermore, EDR can only see or detect what it knows about or is able to look for.
EDR is just one layer of a complete security solution. EDR should be replaced with MDR or XDR, and a Security Operations Center should monitor it all using a modern agentic AI security orchestration, automation, and response (SOAR) platform. Network segmentation should also be used to get network appliances and IoT devices off the trusted network. Servers and workstations should be on different network segments as well.
4. Using SMS text messages for two-factor authentication. SMS-based two-factor authentication was once considered a significant security improvement over password-based authentication alone, but it’s now recognized as vulnerable to several attack vectors, says Aparna Himmatramka, senior security assurance lead at Microsoft Security.
Unfortunately, the telecommunications infrastructure was never designed with security in mind, she notes. “On top of that, even today, cellular networks use outdated protocols that can be exploited, and the process for transferring phone numbers between carriers lacks rigorous identity verification.” Another cellular-related danger, Himmatramka says, is SIM-swapping attacks, a tactic many criminals use to convince mobile carriers to transfer a victim’s phone number to a device they control, allowing them to intercept authentication codes.
Multifactor authentication should be controlled at the corporate level and should use high-security tokens. SAML should also be used on all applications. This reduces the number of credentials required, reduces administrative overhead, and improves security posture.
5. Requiring security awareness training only once a year or not at all. End users can no longer be passive participants in a company’s security culture. Many years ago, internationally renowned security technologist and cryptologist Bruce Schneier said “People are the weakest link in information security,” and it is still true today. In fact, it is even more true than ever before. Today, roughly 90% of cyberattacks start with end users, primarily through human error or social engineering.
The bad guys who put together attacks only need to get it right one time, and they can target millions of people, processes, and systems in a single campaign. On the other hand, those on the defense, a company’s end users, need to get every decision right every single time, every single day.
No one sees themselves as a likely victim of a phishing attack, or of cyberattacks in general, yet people fall prey to them constantly. The bad guys know that they only need to catch a user at the wrong time on the wrong day to get the win. AI has made phishing attacks even more sophisticated, and the precision and realism of these attacks are increasing all the time.
Many believe that without an ongoing commitment to continuing education, preparation, and participation, companies are setting themselves up for failure despite significant investments in security tools, solutions, and strategies. The layered approach to security requires the human firewall layer, a well-educated and well-prepared user base, to become the first and strongest line of defense.
6. Not managing identity properly. Today, protecting identity is more important than ever. All businesses should adopt strong policies regarding the protection of usernames and passwords.
Length should be prioritized over complexity. It is best to have passwords be at least 16 characters and use all types of characters. The longer the password is, the harder it is to guess or to break. Technological advancements, such as those in quantum computing and AI, require that today’s passwords be longer. The password for each application or website should be unique. Using a different password for every account is an effective way to prevent credential stuffing attacks.
It is also very important to monitor for account compromise. Ideally, passwords should automatically be screened against “bad” or “known breached” password lists. One easy way to do this is to use dark web monitoring. This way users can see when their credentials have been breached and know that they need to update the credentials on their accounts.
Multi-factor authentication (MFA) should be required for all employees on all applications as an essential additional layer. This can effectively render a compromised password useless. Often, MFA can be combined with a universal directory and SAML to create an easy way to manage employee access to all company applications with one set of credentials and a secured MFA token.
It is also a very good idea to implement automated throttling or lockout of accounts after a small number of failed logins to prevent brute-force attacks.
Password managers should be required, and insecure built-in browser password managers should be disabled by default via company policy. Employees should be required to use company-approved password managers to manage long, complex, unique, and random passwords securely. These managers can even store and manage some traditional MFA tokens.
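The three account-protection controls this section calls for (a minimum-length policy, screening against a known-breached password list, and lockout after a small number of failed logins) in one small Python module. This is an added example, not code from the article; the breach list is a constructed sample, and the threshold of 5 attempts and the 15-minute lockout are assumed values.

```python
import hashlib
import time

# Constructed sample breach list, stored as SHA-256 digests so clear-text
# passwords never sit on the auth server (assumption: a locally held list).
BREACHED_SHA256 = {hashlib.sha256(p.encode()).hexdigest() for p in (
    "Password123!", "correct horse battery staple", "Summer2024!!")}

MIN_LENGTH = 16        # length is prioritised over complexity
MAX_FAILURES = 5       # lockout threshold (assumed value)
LOCKOUT_SECONDS = 900  # 15-minute lockout (assumed value)

def password_problems(candidate: str) -> list:
    """Return policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if hashlib.sha256(candidate.encode()).hexdigest() in BREACHED_SHA256:
        problems.append("appears in a known-breached password list")
    return problems

class LoginThrottle:
    """Per-account failed-login counter with a timed lockout."""
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can fake time
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> unix time the lock expires

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() < until:
            return True
        # Lock has expired: reset the counter so the window starts fresh.
        del self._locked_until[account]
        self._failures.pop(account, None)
        return False

    def record_failure(self, account: str) -> bool:
        """Register a failed attempt; return True if the account is now locked."""
        if self.is_locked(account):
            return True
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= MAX_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            return True
        return False
```

A successful login should clear the account's counter (pop it from `_failures`), and in production the counters belong in shared storage so the lockout holds across all login servers.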
7. Using obscurity as a security practice. It is still common to think that concealing information offers security. Examples of this would be hiding admin panels behind obscure URLs, depending on a proprietary encryption algorithm, or changing the default port number of an already insecure service as a way to secure it.
In the long run, relying on security through obscurity offers minimal protection against determined attackers. A more effective approach is to implement transparent, well-tested security measures and to assume that attackers will find all parts of your system.
Relying heavily on obscurity can lead to a false sense of security, causing organizations to neglect more robust security measures. If you rely solely on keeping a system secret and that secret is compromised, there may be no other defenses in place. Obscure or secretive systems are also less likely to be scrutinized by the broader security community, which can leave vulnerabilities undiscovered. Open and transparent security practices benefit from the collective expertise of many, leading to more robust and resilient systems. Also, insiders with knowledge of the system can exploit it more easily if the security relies on obscurity, which makes insider attacks more likely. If your industry faces strict regulations and compliance requirements that mandate transparent and well-documented security practices, obscurity is not a good tactic.
The real strength in cybersecurity comes from openness, not obscurity. It is best to:
Assume Breach: Do not pretend you’re invincible. Assume that attackers will get in, and design systems accordingly.
Strong Encryption: Protect your data, even if it’s discovered. Encryption is like a lock on your treasure chest; even if someone finds it, they can’t open it without the key.
Defense in Depth: There should be multiple layers of security, not just one. If one layer fails, others can stop the attack.
Transparency: Be open about your security practices. This will build trust with users and encourage scrutiny that can help identify weaknesses.
The best way to mitigate these risks is to take a more robust approach and build security into the design of all systems from the start. This is called security by design. It means assuming that attackers will eventually learn the details of your system and designing it so that, even when they do, they cannot easily exploit it.
Additional Reading
John Edwards lists 7 obsolete security practices that should be terminated immediately.
Bryan Wolfe lists 10 outdated security practices people still swear by.