Breaking bad habits and building better ones is a journey that requires patience, self-awareness, and determination. This is true whether the habit is a personal one or an outdated security practice that has long outlived its need or reliability.
Is your enterprise relying on a security approach or technology that’s long past its expiration date? Here’s a rundown of several obsolete security practices that should be sent into history.
1. Expecting perimeter-only security to be enough
The majority of today’s work environments are cloud-based, often remote, and highly distributed, observes Amit Basu, CIO and CISO at International Seaways, a major tanker operator, providing energy transportation services for crude oil and petroleum products. “The old practice of securing a fixed boundary simply doesn’t apply.”
In a cloud-first, hybrid-work environment, where users and data reside both inside and outside the traditional perimeter, perimeter-only security leaves organizations dangerously exposed to lateral movement attacks, ransomware, and data exfiltration, Basu says. He advises adopting zero trust: never trust, always verify, regardless of location.
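To make the contrast concrete, here is an added example (not code from the article or from any of the organizations quoted) that puts a perimeter-only access decision beside a zero-trust one. Everything in it is constructed: the "corporate" address range, the request fields, and the policy rules are assumptions chosen to illustrate the point, not any vendor's policy engine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the address range the perimeter model treats as "inside".
CORPORATE_NETWORK = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt, with the signals each model can consult (constructed schema)."""
    user: str
    source_ip: str
    mfa_verified: bool
    device_managed: bool        # enrolled in the org's device inventory
    device_compliant: bool      # e.g. disk encrypted, EDR agent healthy
    resource_sensitivity: str   # "low" or "high"


def perimeter_only_decision(req: AccessRequest) -> tuple[bool, str]:
    """The obsolete model: location is the only thing that is checked."""
    if ip_address(req.source_ip) in CORPORATE_NETWORK:
        return True, "allow: source inside corporate network"
    return False, "deny: source outside corporate network"


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Never trust, always verify: the source address carries no weight at all."""
    if not req.mfa_verified:
        return False, "deny: MFA not verified"
    if not req.device_managed:
        return False, "deny: unmanaged device"
    if req.resource_sensitivity == "high" and not req.device_compliant:
        return False, "deny: non-compliant device for high-sensitivity resource"
    return True, "allow: identity, device and posture verified"


# Constructed requests used to compare the two models.
# 1) Stolen credentials used from a machine already on the LAN (lateral movement).
LATERAL_MOVE = AccessRequest(
    user="alice", source_ip="10.20.30.40", mfa_verified=False,
    device_managed=False, device_compliant=False, resource_sensitivity="high",
)
# 2) A remote employee on a home connection with a healthy managed laptop.
REMOTE_WORKER = AccessRequest(
    user="bob", source_ip="203.0.113.7", mfa_verified=True,
    device_managed=True, device_compliant=True, resource_sensitivity="high",
)


def compare(req: AccessRequest) -> dict:
    """Return both decisions for a request so the difference is visible side by side."""
    return {
        "perimeter_only": perimeter_only_decision(req)[0],
        "zero_trust": zero_trust_decision(req)[0],
    }


if __name__ == "__main__":
    for name, req in (("lateral move", LATERAL_MOVE), ("remote worker", REMOTE_WORKER)):
        print(name, compare(req))
```

Run as a script, the lateral-movement request is allowed by the perimeter model and denied by the zero-trust one, while the remote worker gets the opposite result; the address that the old model treats as proof of trust is exactly the signal an attacker who is already inside gets for free.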
2. Taking a compliance-driven approach to security
Too many teams let compliance drive their security programs, focusing more on checking boxes than solving actual cybersecurity challenges, says George Gerchow, CSO at data security services firm Bedrock Security. He notes that many enterprises drive to meet compliance standards, yet still suffer serious breaches. The reason? They prioritize regulatory requirements over addressing real security risks, Gerchow says. “This GRC-driven mentality is outdated and dysfunctional.”
Gerchow believes that compliance-driven security creates a false sense of protection while diverting resources from focusing on actual threats.
“I’ve seen large GRC teams spend their days answering customer questionnaires and working on audits rather than protecting data, managing access controls, or monitoring emerging threats,” he says.
According to Bedrock Security’s 2025 Enterprise Data Security Confidence Index, 82% of security leaders report major visibility gaps, and 65% say it takes days or even weeks to locate sensitive data. “Compliance isn’t solving that,” he says. “It’s often just documenting the problem.”
Gerchow says that enterprises must return to core security principles: data defense in depth, zero trust, and CARTA (continuous adaptive risk and trust assessment) for continuous monitoring.
3. Relying on legacy VPNs
Legacy VPNs can be inefficient and cumbersome, making them difficult to manage and prone to significant downtime. “They don’t meet the demands of the modern workplace, especially as leaders are looking for more seamless and flexible access to resources for their teams, whether they are in-office or working remotely,” says Buck Bell, head of global security strategy at IT services firm CDW.
Relying on legacy VPN technologies presents a significant risk, since they don’t always receive regular updates and patches, potentially exposing the organization to cyberthreats. “There’s also an inability to scale with legacy systems, since [VPNs] struggle to meet the evolving security needs of growing organizations, creating challenges as the attack surface expands,” Bell states.
A far better approach, Bell says, is turning to secure access service edge (SASE) and adopting a zero-trust mindset. “These strategies enhance security by verifying every user and device attempting to access network resources,” he explains. Bell adds that this approach mitigates the guesswork and assumptions that many VPNs rely on. “It facilitates better and more secure access for remote workers, offering a proactive method of safeguarding organizational data.”
4. Assuming EDR provides sufficient protection
While endpoint detection and response (EDR) solutions represent a significant advancement over traditional antivirus protection, relying solely on this approach is inadequate in today’s threat landscape, says Michel Sahyoun, chief solutions architect at cybersecurity technology provider NopalCyber.
EDR excels at monitoring and responding to endpoint-based activities, leveraging behavioral analysis, and using threat hunting to detect sophisticated attacks, he states. However, attackers are increasingly bypassing endpoints entirely, targeting cloud environments, network devices, and embedded systems.
Overreliance on EDR can create critical vulnerabilities, Sahyoun says. “While endpoints may be well-protected, attackers can still operate undetected in cloud environments, network infrastructures, or embedded systems, accessing sensitive data or moving laterally without triggering EDR alerts.” He adds that EDR overreliance can lead to prolonged breaches, data exfiltration, or ransomware attacks, all while the organization remains unaware of the intrusion.
Sahyoun notes that adversaries can exploit OAuth tokens to gain unauthorized access to cloud platforms, such as Microsoft 365, Google Workspace, or AWS, without ever interacting with an EDR-monitored endpoint.
“Similarly, network appliances and IoT devices, which often lack robust monitoring or forensic capabilities, serve as blind spots,” he says. Meanwhile, cloud environments further complicate detection due to limited logging, paywalled visibility features, and a lack of comprehensive detection content. “This shift toward exploiting trust relationships, identities, and APIs renders EDR’s endpoint-centric approach insufficient on its own.”
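The OAuth-token scenario Sahyoun describes is one an endpoint agent cannot see, so the signal has to come from the cloud platform's own audit trail. The following added example (mine, not NopalCyber's or the article's) sketches a detection that correlates token-based cloud sign-ins and consent grants against an EDR device inventory. The event schema, the device IDs, the application names and the alert names are all constructed for illustration and do not correspond to any real platform's log format.

```python
# Constructed: device IDs known to carry a healthy EDR agent (from an asset inventory).
EDR_MANAGED_DEVICES = {"dev-1001", "dev-1002"}

# Constructed: OAuth applications the organization has reviewed and approved.
APPROVED_APPS = {"app-mail-client", "app-calendar-sync"}

# Constructed cloud audit events in an invented schema.
# "device_id" is None when the platform could not tie the sign-in to a known device.
SAMPLE_EVENTS = [
    {"type": "signin", "user": "alice", "app": "app-mail-client",
     "device_id": "dev-1001", "cred": "interactive_mfa", "ip": "198.51.100.10"},
    {"type": "consent_grant", "user": "bob", "app": "app-bulk-exporter",
     "scopes": ["files.read.all", "mail.read"]},
    {"type": "signin", "user": "bob", "app": "app-bulk-exporter",
     "device_id": None, "cred": "oauth_token", "ip": "203.0.113.9"},
    {"type": "signin", "user": "alice", "app": "app-calendar-sync",
     "device_id": None, "cred": "oauth_token", "ip": "203.0.113.22"},
    {"type": "signin", "user": "carol", "app": "app-calendar-sync",
     "device_id": "dev-1002", "cred": "oauth_token", "ip": "198.51.100.11"},
]


def detect_endpoint_blind_spots(events, managed_devices=EDR_MANAGED_DEVICES,
                                approved_apps=APPROVED_APPS):
    """Flag cloud activity that bypasses EDR-monitored endpoints.

    Three conditions are raised, from most to least severe:
      - a consent grant to an application that is not on the approved list
      - a token-based sign-in by an unapproved application
      - a token-based sign-in by an approved application from a device
        that is not in the EDR inventory (the endpoint agent sees nothing)
    """
    alerts = []
    for e in events:
        if e["type"] == "consent_grant" and e["app"] not in approved_apps:
            alerts.append({"rule": "unapproved_oauth_consent", "user": e["user"],
                           "app": e["app"], "scopes": e.get("scopes", [])})
        elif e["type"] == "signin" and e["cred"] == "oauth_token":
            if e["app"] not in approved_apps:
                alerts.append({"rule": "token_signin_unapproved_app",
                               "user": e["user"], "app": e["app"], "ip": e["ip"]})
            elif e.get("device_id") not in managed_devices:
                alerts.append({"rule": "token_signin_outside_edr_coverage",
                               "user": e["user"], "app": e["app"], "ip": e["ip"]})
    return alerts


def rule_counts(alerts):
    """Summarize alerts by rule name, e.g. for a dashboard or a test."""
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_endpoint_blind_spots(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(rule_counts(found))
```

On the constructed events this produces three alerts: bob's consent grant to an unreviewed application, his token sign-in through that application from no known device, and alice's token sign-in through an approved application from a device the EDR inventory has never seen. Carol's sign-in from an EDR-managed device and alice's interactive MFA sign-in raise nothing. The point of the third rule is the one the section makes: an approved application used from an unmanaged device is invisible to the endpoint agent, so the cloud log is the only place that gap shows up.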
5. Using SMS text messages for two-factor authentication
SMS-based two-factor authentication was once considered a significant security improvement over password-based authentication alone, but it’s now recognized as vulnerable to several attack vectors, says Aparna Himmatramka, senior security assurance lead at Microsoft Security.
Unfortunately, the telecommunications infrastructure was never designed with security in mind, she notes. “On top of that, even today, cellular networks use outdated protocols that can be exploited, and the process for transferring phone numbers between carriers lacks rigorous identity verification.”
Another cellular-related danger, Himmatramka says, is SIM-swapping attacks, a tactic many criminals use to convince mobile carriers to transfer a victim’s phone number to a device they control, allowing them to intercept authentication codes.
6. Relying on on-prem SIEMs
On-premises security information and event management (SIEM) tools lead to alert fatigue and often aren’t cloud-aware, says Bedrock Security’s Gerchow, who is also a faculty member at security advisory firm IANS Research. This forces organizations to either move and store massive amounts of data at a high cost or risk leaving out critical logs needed to secure cloud deployments.
“If I’m paying an exorbitant amount for logs, I’m forced to pick and choose — gambling with my security posture,” he notes.
Many organizations stick with on-prem SIEMs out of fear of putting sensitive data in the cloud, Gerchow says. “But let’s be honest, that ship has sailed — it’s time to move on.”
7. Allowing end users to be passive participants in your security culture
The reality is that in any security system, the humans are the weakest link, says Kevin Sullivan, principal technology consultant at security, cloud, and collaboration solutions provider XTIUM. “The bad guys only need to get it right one time, and they can target millions of people, processes, and systems in a single attack,” he observes. “The good guys, on the other hand, have to get it right every single time, every single day.”
No one sees themselves as a likely victim of a phishing attack, but people are falling prey to them constantly, Sullivan says. “You only need to catch a user at the wrong time on the wrong day,” he warns. “With advanced social engineering tactics leveraging information readily available through systems like LinkedIn, Facebook, and a variety of other sources, the sophistication of attacks has never been higher.”
Sullivan believes that active security is the answer. Having the right security tools and practices in place is important for any business, but building security awareness training that educates and empowers users to be active participants in defending data, systems, and business operations is crucial.
“Without an ongoing commitment to continuing education, preparation, and participation, companies are setting themselves up for failure despite significant investments into security tools, solutions, and strategies,” he says. “A well-educated, well-prepared userbase is the first and strongest line of defense.”