{"id":14450,"date":"2025-07-16T07:05:17","date_gmt":"2025-07-16T07:05:17","guid":{"rendered":"https:\/\/newestek.com\/?p=14450"},"modified":"2025-07-16T07:05:17","modified_gmt":"2025-07-16T07:05:17","slug":"7-obsolete-security-practices-that-should-be-terminated-immediately","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14450","title":{"rendered":"7 obsolete security practices that should be terminated immediately"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Breaking bad habits and building better ones is a journey that requires patience, self-awareness, and determination. This is true whether the habit is a personal one or an outdated security practice that has long outlived its need or reliability.<\/p>\n<p>Is your enterprise relying on a security approach or technology that\u2019s long past its expiration date? Here\u2019s a rundown of several obsolete security practices that should be sent into history.<\/p>\n<h2 class=\"wp-block-heading\" id=\"1-expecting-perimeter-only-security-to-be-enough\">1. Expecting perimeter-only security to be enough<\/h2>\n<p>The majority of today\u2019s work environments are cloud-based, often remote, and highly distributed, observes <a href=\"https:\/\/www.linkedin.com\/in\/amitbasu\/\">Amit Basu<\/a>, CIO and CISO at International Seaways, a major tanker operator, providing energy transportation services for crude oil and petroleum products. 
\u201cThe old practice of securing a fixed boundary simply doesn\u2019t apply.\u201d<\/p>\n<p>In a cloud-first, hybrid-work environment, where users and data reside both inside and outside the traditional perimeter, perimeter-only security leaves organizations dangerously exposed to lateral movement attacks, ransomware, and data exfiltration, Basu says. He advises adopting <a href=\"https:\/\/www.csoonline.com\/article\/564201\/what-is-zero-trust-a-model-for-more-effective-security.html\">zero trust<\/a>: never trust and always verify, regardless of location.<\/p>\n<h2 class=\"wp-block-heading\" id=\"2-taking-a-compliance-driven-approach-to-security\">2. Taking a compliance-driven approach to security<\/h2>\n<p>Too many teams let compliance drive their security programs, focusing more on checking boxes than solving actual cybersecurity challenges, says <a href=\"https:\/\/www.linkedin.com\/in\/georgegerchow\/\">George Gerchow<\/a>, CSO at data security services firm Bedrock Security. He notes that many enterprises drive to meet compliance standards, yet still suffer serious breaches. The reason? They prioritize regulatory requirements over addressing real security risks, Gerchow says. \u201cThis GRC-driven mentality is outdated and dysfunctional.\u201d<\/p>\n<p>Gerchow believes that compliance-driven security creates a false sense of protection while diverting resources from focusing on actual threats.<\/p>\n<p>\u201cI\u2019ve seen large GRC teams spend their days answering customer questionnaires and working on audits rather than protecting data, managing access controls, or monitoring emerging threats,\u201d he says.<\/p>\n<p>According to Bedrock Security\u2019s <a href=\"https:\/\/run.bedrock.security\/2025-enterprise-data-security-confidence-index\">2025 Enterprise Data Security Confidence Index<\/a>, 82% of security leaders report major visibility gaps, and 65% say it takes days or even weeks to locate sensitive data. 
\u201cCompliance isn\u2019t solving that,\u201d he says. \u201cIt\u2019s often just documenting the problem.\u201d<\/p>\n<p>Gerchow says that enterprises must return to core security principles: data defense in depth, zero trust, and CARTA (continuous adaptive risk and trust assessment) for continuous monitoring.<\/p>\n<h2 class=\"wp-block-heading\" id=\"3-relying-on-legacy-vpns\">3. Relying on legacy VPNs<\/h2>\n<p>Legacy VPNs can be inefficient and cumbersome, making them difficult to manage and prone to significant downtime. \u201cThey don\u2019t meet the demands of the modern workplace, especially as leaders are looking for more seamless and flexible access to resources for their teams, whether they are in-office or working remotely,\u201d says <a href=\"https:\/\/www.cdw.com\/content\/cdw\/en\/articles\/contributors\/buck-bell.html\">Buck Bell<\/a>, head of global security strategy at IT services firm CDW.<\/p>\n<p>Relying on legacy VPN technologies <a href=\"https:\/\/www.csoonline.com\/article\/2099467\/massive-security-hole-in-vpns-shows-their-shortcomings-as-a-defensive-measure.html\">presents a significant risk<\/a>, since they don\u2019t always receive regular updates and patches, potentially exposing the organization to cyberthreats. \u201cThere\u2019s also an inability to scale with legacy systems, since [VPNs] struggle to meet the evolving security needs of growing organizations, creating challenges as the attack surface expands,\u201d Bell states.<\/p>\n<p>A far better approach, Bell says, is turning to <a href=\"https:\/\/www.networkworld.com\/article\/969119\/what-is-sase-a-cloud-service-that-marries-sd-wan-with-security.html\">secure access service edge (SASE)<\/a> and adopting a zero-trust mindset. \u201cThese strategies enhance security by verifying every user and device attempting to access network resources,\u201d he explains. Bell adds that this approach mitigates the guesswork and assumptions that many VPNs rely on. 
\u201cIt facilitates better and more secure access for remote workers, offering a proactive method of safeguarding organizational data.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"4-assuming-edr-provides-sufficient-protection\">4. Assuming EDR provides sufficient protection<\/h2>\n<p>While <a href=\"https:\/\/www.csoonline.com\/article\/568045\/what-is-edr-endpoint-detection-and-response.html\">endpoint detection and response (EDR)<\/a> solutions represent a significant advancement over traditional antivirus protection, relying solely on this approach is inadequate in today\u2019s threat landscape, says <a href=\"https:\/\/www.nopalcyber.com\/leadership-team\/michel-sahyoun-\">Michel Sahyoun<\/a>, chief solutions architect at cybersecurity technology provider NopalCyber.<\/p>\n<p>EDR excels at monitoring and responding to endpoint-based activities, leveraging behavioral analysis, and using threat hunting to detect sophisticated attacks, he states. However, attackers are increasingly bypassing endpoints entirely, targeting <a href=\"https:\/\/www.csoonline.com\/article\/555213\/top-cloud-security-threats.html\">cloud environments<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/3951165\/volume-of-attacks-on-network-devices-shows-need-to-replace-end-of-life-devices-quickly.html\">network devices<\/a>, and embedded systems.<\/p>\n<p>Overreliance on EDR can create critical vulnerabilities, Sahyoun says. 
\u201cWhile endpoints may be well-protected, attackers can still operate undetected in cloud environments, network infrastructures, or embedded systems, accessing sensitive data or moving laterally without triggering EDR alerts.\u201d He adds that EDR overreliance can lead to prolonged breaches, data exfiltration, or ransomware attacks, all while the organization remains unaware of the intrusion.<\/p>\n<p>Sahyoun notes that adversaries can exploit OAuth tokens to gain unauthorized access to cloud platforms, such as Microsoft 365, Google Workspace, or AWS, without ever interacting with an EDR-monitored endpoint.<\/p>\n<p>\u201cSimilarly, network appliances and IoT devices, which often lack robust monitoring or forensic capabilities, serve as blind spots,\u201d he says. Meanwhile, cloud environments further complicate detection due to limited logging, paywalled visibility features, and a lack of comprehensive detection content. \u201cThis shift toward exploiting trust relationships, identities, and APIs renders EDR\u2019s endpoint-centric approach insufficient on its own.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"5-using-sms-text-messages-for-two-factor-authentication\">5. Using SMS text messages for two-factor authentication<\/h2>\n<p>SMS-based two-factor authentication was once considered a significant security improvement over password-based authentication alone, but it\u2019s now recognized as vulnerable to several attack vectors, says <a href=\"https:\/\/events.isc2.org\/b\/sp\/aparna-ash-himmatramka-5702\">Aparna Himmatramka<\/a>, senior security assurance lead at Microsoft Security.<\/p>\n<p>Unfortunately, the telecommunications infrastructure was never designed with security in mind, she notes. 
\u201cOn top of that, even today, cellular networks use outdated protocols that can be exploited, and the process for transferring phone numbers between carriers lacks rigorous identity verification.\u201d<\/p>\n<p>Another cellular-related danger, Himmatramka says, is SIM-swapping attacks, a tactic many criminals use to convince mobile carriers to transfer a victim\u2019s phone number to a device they control, allowing them to intercept authentication codes.<\/p>\n<h2 class=\"wp-block-heading\" id=\"6-relying-on-on-prem-siems\">6. Relying on on-prem SIEMs<\/h2>\n<p>On-premises <a href=\"https:\/\/www.csoonline.com\/article\/524286\/what-is-siem-security-information-and-event-management-explained.html\">security information and event management (SIEM)<\/a> tools lead to alert fatigue and often aren\u2019t cloud-aware, says Bedrock Security\u2019s Gerchow, who is also a faculty member at security advisory firm IANS Research. This forces organizations to either move and store massive amounts of data at a high cost or risk leaving out critical logs needed to secure cloud deployments.<\/p>\n<p>\u201cIf I\u2019m paying an exorbitant amount for logs, I\u2019m forced to pick and choose \u2014 gambling with my security posture,\u201d he notes.<\/p>\n<p>Many organizations stick with on-prem SIEMs out of fear of putting sensitive data in the cloud, Gerchow says. \u201cBut let\u2019s be honest, that ship has sailed \u2014 it\u2019s time to move on.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"7-allowing-end-users-to-be-passive-participants-in-your-security-culture\">7. Allowing end users to be passive participants in your security culture<\/h2>\n<p>The reality is that in any security system, the humans are the weakest link, says <a href=\"https:\/\/www.linkedin.com\/in\/kevin-sullivan-3204292b\/\">Kevin Sullivan<\/a>, principal technology consultant at security, cloud, and collaboration solutions provider XTIUM. 
\u201cThe bad guys only need to get it right one time, and they can target millions of people, processes, and systems in a single attack,\u201d he observes. \u201cThe good guys, on the other hand, have to get it right every single time, every single day.\u201d<\/p>\n<p>No one sees themselves as a likely victim of a phishing attack, but people are falling prey to them constantly, Sullivan says. \u201cYou only need to catch a user at the wrong time on the wrong day,\u201d he warns. \u201cWith advanced social engineering tactics leveraging information readily available through systems like LinkedIn, Facebook, and a variety of other sources, the sophistication of attacks has never been higher.\u201d<\/p>\n<p>Sullivan believes that active security is the answer. Having the right security tools and practices in place is important for any business, but building <a href=\"https:\/\/www.csoonline.com\/article\/3604803\/security-awareness-training-topics-best-practices-costs-free-options.html\">security awareness training<\/a> that educates and empowers users to be active participants in defending data, systems, and business operations is crucial.<\/p>\n<p>\u201cWithout an ongoing commitment to continuing education, preparation, and participation, companies are setting themselves up for failure despite significant investments into security tools, solutions, and strategies,\u201d he says. \u201cA well-educated, well-prepared userbase is the first and strongest line of defense.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Breaking bad habits and building better ones is a journey that requires patience, self-awareness, and determination. This is true whether the habit is a personal one or an outdated security practice that has long outlived its need or reliability. Is your enterprise relying on a security approach or technology that\u2019s long past its expiration date? 
Here\u2019s a rundown of several obsolete security practices that should&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14450\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14450","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14450","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14450"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14450\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}