Bad habits can be hard to break. Yet when it comes to security, an outdated practice is not only useless, but potentially dangerous.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

Seven outdated security practices are identified that organizations should abandon: relying solely on perimeter security, taking compliance-driven approaches, using legacy VPNs, depending only on EDR protection, using SMS for two-factor authentication, maintaining on-premises SIEMs, and treating users as passive security participants. Modern alternatives include zero trust architecture, risk-based security approaches, SASE solutions, comprehensive threat detection beyond endpoints, app-based authentication, cloud-native SIEMs, and active security awareness training.

7 obsolete security practices that should be terminated immediately

Forced password changes every X days. Studies show that does more harm than good.

Here’s two security practices that should be outdated but are currently being promoted.
<ol>
<li>The CIS security benchmarks recommend for Windows Server to grant privileges to backup and restore files only to the Administrators group, thereby ensuring that backup programs must run with superuser privileges instead of only the privileges they need to do their job.</li>
</ol>
The CIS benchmark recommend this type of setting for all system privileges thereby overturning another old practice: least privilege.
<ol start="2">
<li>A lot of software vendors, Clearwell and Snow Licence Manager are good examples, still claim that running applications as LocalSystem is actually “best practice”. (I have emails from their support to that effect, exactly claiming that it is “best practice” to run their respective application as LocalSystem rather than an account with exact permissions required.)</li>
</ol>

Number 8: Required password changes sooner than 365 days. Studies have shown its not effective. The sooner a password is required to change, the easier the user tends to make their password to remember often only changing one character. Or writing it down on physical paper, easily seen by passerbys.

Great read!
I’d add that Broken Access Control is now the #1 item on OWASP’s <a href="https://owasp.org/www-project-top-ten/" target="_blank" rel="noopener nofollow">Top 10 Web Application Security Risks</a>.
We wrote a technical blog about <a href="https://www.osohq.com/post/why-llm-authorization-is-hard" target="_blank" rel="noopener nofollow">why LLM authorization is hard</a>, how these apps can be exploited to bypass access controls, and why you should enforce least privilege.