7 Security Practices That Should Be Ditched Immediately
- Justin Medina
The digital landscape has changed dramatically in recent years: cloud‑first architectures, remote and hybrid workforces, AI‑powered threats, and regulatory shifts make outdated habits not just ineffective—but dangerous. Inspired by the CSO Online article “7 obsolete security practices that should be terminated immediately”, here are seven practices you should ditch—and smarter alternatives to adopt today.
1. Relying on Perimeter‑Only Security
The idea of a secure, fixed network edge is no longer viable. With users, applications, and data dispersed across cloud and remote environments, a defense that only inspects traffic at the edge does nothing once an attacker (or a compromised device) is already inside: lateral movement, ransomware staging, and data exfiltration all happen on the "trusted" side of the firewall. Instead, organizations must adopt Zero Trust / Zero Trust Network Access (ZTNA) models—a “never trust, always verify” approach in which every request is authenticated and authorized on its own merits, regardless of network location—along with CARTA (Continuous Adaptive Risk and Trust Assessment) for ongoing risk validation.
2. Treating Compliance as the Goal
A compliance checkbox mentality creates a false sense of security: organizations pass audits yet still suffer breaches, because an audit tests whether a control exists, not whether it actually stops an attacker. Reportedly, 82% of security leaders see visibility gaps, and 65% say locating sensitive data can take days or weeks, despite formal compliance measures. A better strategy embeds security by design and prioritizes real risk reduction over paperwork: know your assets, manage identity tightly, and monitor continuously. Compliance then falls out of doing security well, not the other way around.
3. Leaning on Legacy VPNs
Traditional VPNs were never built for today's scale. They struggle during peak usage, often run on outdated protocols, and the concentrators themselves are frequently left unpatched even though they sit directly exposed to the internet, which makes them a favored target. A VPN also grants broad network access once a user connects, so a single stolen credential opens the whole internal network rather than one application. The modern alternative is SASE (Secure Access Service Edge) and ZTNA architectures, which broker access to individual applications for remote workforces and cloud services without routing everything through monolithic VPN concentrators or exposing the network itself.
4. Assuming Endpoint Detection and Response (EDR) Is Sufficient
EDR is largely a reactive tool: it is good at detecting and responding to threats on hosts where its agent runs, but it has no view of cloud control planes, SaaS applications, identity providers, or unmanaged devices. Attacks that never touch an instrumented endpoint, such as cloud misconfigurations, stolen-token replay against SaaS, identity-based attacks, or insider misuse, pass it by entirely. A comprehensive defensive strategy layers XDR (Extended Detection and Response), network traffic analysis, identity and cloud audit logs, and behavioral analytics to cover the gaps beyond the endpoint.
5. SMS-Based Two-Factor Authentication
SMS-based MFA is vulnerable to SIM swapping, carrier-network (SS7) interception, and, above all, phishing: a one-time code is just six digits the victim can be talked into typing on a fake page, and attackers relay it to the real site in real time. Modern practice favors app-based authenticators (TOTP), push-based MFA with number matching, or hardware-backed cryptographic tokens. Be aware that TOTP and push approvals are still phishable by the same relay trick (and push prompts by "MFA fatigue" bombing); they remove the carrier attack surface, not the phishing one. Passkeys (FIDO2/WebAuthn) and hardware security keys are the phishing-resistant option: the authenticator's signature is bound to the origin of the site that requested it, so an assertion produced on a look-alike domain is useless to the attacker.
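To make the "phishing-resistant" distinction concrete, here is an added example (not code from the article) that models both logins against a relay proxy. The relying party, origins, usernames and timestamp are all constructed; the authenticator "signature" is an HMAC under a per-credential key, a stand-in for the real ECDSA signature, because the point is what gets signed (origin, challenge, RP ID), not the signature algorithm. The TOTP half is a straight RFC 6238 implementation.

```python
import hashlib
import hmac
import json
import secrets

# Constructed model: a WebAuthn relying party and a TOTP server, each facing
# an attacker who relays the victim's response from a phishing page.
RP_ID = "example.com"                                  # assumed RP ID
GOOD_ORIGIN = "https://login.example.com"              # assumed real origin
PHISH_ORIGIN = "https://login-example.attacker.test"   # assumed phishing origin


class RelyingParty:
    def __init__(self, rp_id, allowed_origins):
        self.rp_id = rp_id
        self.allowed_origins = set(allowed_origins)
        self.pending = {}      # issued challenge -> username
        self.credentials = {}  # username -> credential key (stand-in for the public key)

    def register(self, username, cred_key):
        self.credentials[username] = cred_key

    def begin_login(self, username):
        challenge = secrets.token_urlsafe(32)
        self.pending[challenge] = username
        return challenge

    def finish_login(self, username, client_data_json, auth_data, signature):
        """The checks a WebAuthn RP performs on an assertion, in order."""
        client_data = json.loads(client_data_json)
        # challenge must be one we issued for this user, and is single-use
        if self.pending.pop(client_data.get("challenge"), None) != username:
            return False, "unknown or reused challenge"
        # origin is filled in by the browser, not the page, and is under the signature
        if client_data.get("origin") not in self.allowed_origins:
            return False, f"origin {client_data.get('origin')!r} not allowed"
        # rpIdHash (first 32 bytes of authenticatorData) must be ours
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        # signature covers authenticatorData || SHA-256(clientDataJSON)
        signed = auth_data + hashlib.sha256(client_data_json.encode()).digest()
        expected = hmac.new(self.credentials[username], signed, "sha256").digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        return True, "ok"


def authenticator_assert(cred_key, rp_id, origin, challenge):
    """Browser + authenticator side. The browser sets `origin` to the page that
    called navigator.credentials.get(); the page cannot override it. (A real
    browser would refuse rp_id=example.com from attacker.test outright; we let
    it through here to show the RP-side check catches it anyway.)"""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\0" * 4
    signed = auth_data + hashlib.sha256(client_data_json.encode()).digest()
    return client_data_json, auth_data, hmac.new(cred_key, signed, "sha256").digest()


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code a phone app displays."""
    counter = int(unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, "sha1").digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, unix_time, window=1):
    """Server side: accept the current 30 s step and +/- `window` neighbours."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * 30), code)
               for k in range(-window, window + 1))


def demo():
    rp = RelyingParty(RP_ID, [GOOD_ORIGIN])
    cred_key = secrets.token_bytes(32)
    rp.register("alice", cred_key)
    # 1. Legitimate passkey login from the real origin.
    ch = rp.begin_login("alice")
    legit, _ = rp.finish_login("alice", *authenticator_assert(cred_key, RP_ID, GOOD_ORIGIN, ch))
    # 2. Relay attack: attacker fetches a fresh challenge from the RP, hands it to
    #    the victim's browser on the phishing page, and forwards the answer verbatim.
    ch = rp.begin_login("alice")
    phish, why = rp.finish_login("alice", *authenticator_assert(cred_key, RP_ID, PHISH_ORIGIN, ch))
    # 3. Same relay against TOTP: victim types the code on the phishing page at t,
    #    attacker submits it to the real server 5 s later. Nothing ties it to a site.
    totp_secret = secrets.token_bytes(20)
    t = 1_700_000_000                      # constructed timestamp
    relayed = verify_totp(totp_secret, totp(totp_secret, t), t + 5)
    return {"legit": legit, "phish": phish, "phish_reason": why, "totp_relayed": relayed}
```

Run `demo()`: the legitimate assertion verifies, the relayed one fails on the origin check before the signature is even examined, and the relayed TOTP code is accepted because the server has no way to know where the user typed it.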
6. On-Prem SIEM Without Modern Flexibility
Traditional on-premise SIEM systems struggle with scalability, real-time analysis, and integration with cloud-native logs. Limitations include stale data pipelines, slow incident response, and heavy maintenance. In contrast, cloud-native logging, UEBA (User & Entity Behavior Analytics), and security analytics platforms—often delivered via SaaS or hybrid cloud—provide adaptive, real-time insight into threats across environments.
7. Sticking with Legacy Cryptographic Protocols or Hardcoded Credentials
Though less talked about, the use of weak or deprecated cryptographic algorithms and protocols (MD5, SHA‑1, RC4, SSLv2/SSLv3, WEP) and hardcoded credentials remains surprisingly widespread. The infamous DROWN attack underscores the danger of tolerating legacy crypto: a server that still accepted SSLv2, or merely shared its RSA key with one that did, let attackers decrypt modern TLS sessions, so "nobody uses it anyway" is not a defense. Embedded, immutable API keys or credentials in source code, container images, or device firmware continue to expose critical systems, because they are trivially extracted and cannot be rotated without a redeploy. Instead, enforce crypto-agility: treat the algorithm and its parameters as configuration rather than code, so you can migrate quickly to stronger primitives (SHA‑256 in place of MD5 or SHA‑1 for integrity, AES‑GCM or ChaCha20‑Poly1305 for encryption, TLS 1.2 or 1.3 only, and a salted, memory-hard scheme such as Argon2id, scrypt or bcrypt for stored passwords). Remove deprecated TLS versions and ciphers from every listener, and move secrets into a secret management system that issues short‑lived, rotatable credentials at runtime.
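Finding the hardcoded credentials is the first step, so here is an added example (not from the article or any named tool) of a minimal scanner you can run over a code base. The AWS access-key and PEM-header patterns are public formats; the credential-assignment keyword list, the 20-character minimum for entropy checks and the 4.0 bits/character threshold are assumptions to tune for your own repositories, and the sample source it scans is constructed.

```python
import math
import re
from collections import Counter, namedtuple

# Added example: a small hardcoded-secret scanner over source text.
Finding = namedtuple("Finding", "lineno rule value")

RULES = [  # evaluated in this order; first hit per line wins
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("credential_assignment", re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']([^\"']{8,})[\"']")),
    ("high_entropy_literal", re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")),
]
ENTROPY_THRESHOLD = 4.0   # bits per character; assumed cut-off for "looks random"


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value):
    """Template markers and obvious dummies are not findings."""
    return "${" in value or value.startswith("<") or value.lower() in {"changeme", "password"}


def scan(source):
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if "os.environ" in line or "getenv(" in line:
            continue  # value is loaded at runtime, not embedded
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if is_placeholder(value):
                continue
            if rule == "high_entropy_literal" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(lineno, rule, value))
            break
    return findings


# Constructed sample: a config module with a mix of real leaks and safe lines.
SAMPLE = '''\
import os
DB_PASSWORD = "hunter2hunter2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = os.environ["API_TOKEN"]
SESSION_SECRET = "k8Fz2Qp9vLm4Xr7TbN1wYc6HdJ3gS0eA"
PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----"
password = "${DB_PASSWORD}"
nonce = "Zq7Lx2Vb9Pk4Mw8Rt1Ys5Ue3Ia6Oc0N"
DEFAULT_TIMEOUT = "30"
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.lineno}: {f.rule}: {f.value}")
```

Lines 2, 3, 5, 6 and 8 of the sample are reported; the `os.environ` lookup, the `${...}` placeholder and the short numeric string are not. The AWS key shown is the example ID from AWS's own documentation, not a live credential. Wire the same `scan()` into a pre-commit hook or CI step so the check runs before the secret ever reaches the repository.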
📈 Why These Practices Persist—and What Happens If You Don’t Change
Despite their obsolescence, these legacy strategies remain prevalent—often due to inertia, complexity concerns, or over-focus on compliance. Yet the cost of not modernizing can be catastrophic:
- A fully insured company recently collapsed under ransomware after an attacker guessed a weak password, exposing poor backup and authentication practices.
- Financial institutions still run on unwieldy legacy systems, increasing vulnerability to outages or attacks, from Barclays and Citigroup to HSBC, with outdated processes contributing to failures and risk.
✅ What to Do Now: A Roadmap for Modernizing Your Security
| Action Area | Recommendation |
| --- | --- |
| Identity & Access | Adopt MFA beyond SMS, implement passkeys, enforce least privilege via identity frameworks |
| Network & Infrastructure | Phase out legacy VPNs in favor of ZTNA and SASE; disable obsolete crypto protocols; invest in crypto-agility |
| Endpoint & Detection | Implement XDR, incorporate behavioral analytics, integrate cloud and on-prem event streams |
| Governance & Compliance | Move from checklist mindset to risk-based planning; embed secure-by-design principles across the SDLC |
| Secrets & Credentials | Remove hardcoded keys; use a secrets manager with short-lived, rotating credentials; store passwords with a salted, memory-hard hash (Argon2id, scrypt or bcrypt), never unsalted MD5 or SHA |
| Training & Culture | Run regular awareness campaigns; keep staff informed on attack methods and evolving threats |
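The "crypto-agility" advice from item 7 and the "strong hashing/salting" row above meet in one concrete place: how stored password hashes get upgraded without forcing a reset. Here is an added example (not from the article) of a self-describing hash format with a transparent rehash at login. It uses `hashlib.scrypt` from the standard library; the scrypt parameters and the `md5$` legacy format are assumptions standing in for whatever a real system inherited, and the password is constructed.

```python
import hashlib
import hmac
import os

# Added example: crypto-agile password storage. Each record names its scheme
# and parameters, so the code can verify old records and rewrite them in the
# current scheme the next time the user logs in successfully.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # assumed baseline; tune to ~100 ms on your hardware
DKLEN = 32


def hash_password(password, salt=None, **params):
    """Return 'scrypt$n$r$p$salt_hex$hash_hex' with a fresh 16-byte salt by default."""
    p = {**SCRYPT_PARAMS, **params}
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=p["n"], r=p["r"], p=p["p"], dklen=DKLEN)
    return f"scrypt${p['n']}${p['r']}${p['p']}${salt.hex()}${dk.hex()}"


def legacy_md5_record(password):
    """Unsalted MD5, the way many old systems stored it. Here only as the 'before' state."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def verify_password(stored, password):
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), rest)
    if scheme == "scrypt":
        n, r, p, salt_hex, _ = rest.split("$")
        recomputed = hash_password(password, salt=bytes.fromhex(salt_hex), n=int(n), r=int(r), p=int(p))
        return hmac.compare_digest(recomputed, stored)
    raise ValueError(f"unknown scheme {scheme!r}")


def needs_rehash(stored):
    """True for any non-scrypt record and for scrypt records below current parameters."""
    scheme, _, rest = stored.partition("$")
    if scheme != "scrypt":
        return True
    n, r, p, *_ = rest.split("$")
    return (int(n), int(r), int(p)) != (SCRYPT_PARAMS["n"], SCRYPT_PARAMS["r"], SCRYPT_PARAMS["p"])


def login(stored, password):
    """Return (ok, new_record). new_record is set when the caller should replace the stored hash.
    Rehashing only on success is the one moment the plaintext is legitimately available."""
    if not verify_password(stored, password):
        return False, None
    return True, (hash_password(password) if needs_rehash(stored) else None)


def demo():
    pw = "correct horse battery staple"   # constructed password
    old = legacy_md5_record(pw)
    ok1, upgraded = login(old, pw)          # verifies against MD5, returns scrypt record
    ok2, again = login(upgraded, pw)        # verifies against scrypt, nothing to upgrade
    wrong, _ = login(upgraded, "wrong password")
    return {
        "legacy_ok": ok1, "upgraded": upgraded, "second_ok": ok2, "rehash_again": again,
        "wrong_ok": wrong,
        "md5_collides": legacy_md5_record(pw) == old,        # same password, same hash: no salt
        "scrypt_distinct": hash_password(pw) != hash_password(pw),  # per-record salt
    }
```

Because the parameters live in the record, raising `SCRYPT_PARAMS` later (or adding an `argon2id$` scheme) needs no data migration: `needs_rehash()` flags the old records and `login()` rewrites them as users return. The same pattern applies to any long-lived cryptographic artifact; the algorithm identifier travels with the data, never lives implicitly in the code.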
🔍 Further Context
A recent arXiv study warns that 32% of cyberattacks exploit unpatched software vulnerabilities, highlighting the critical need for automated update strategies and proactive patching.
TechRadar argues that outdated practices—like frequent password rotation, SMS-based MFA and perimeter-only defenses—actually undermine security rather than strengthen it.
Final Thoughts
Many organizations cling to outdated security practices because "it’s how we've always done it." But in 2025, legacy systems and approaches do more harm than good: they blind detection, inflate administrative overhead, and—most importantly—open doors for sophisticated attackers. Terminate these practices now. Invest in adaptive, risk-aware, and cloud-first defenses that reflect today's realities.