When it comes to counseling businesses on how to improve their cybersecurity posture, the discussion usually revolves around what they should be doing (but aren’t). However, tech experts say there are plenty of things businesses shouldn’t be doing (but often are) that can make a big impact as well.
From neglecting needed training to relying on outdated, ineffective security measures, plenty of unwise practices put companies at greater risk of falling prey to cyberattacks. Below, 15 members of Forbes Technology Council each name one thing companies should stop doing if they want to improve their cybersecurity posture.
1. Relying On Passwords
Ditch passwords and deploy “physical identity” measures that verify presence and identity through biometrics. As the complexity and scale of infrastructure increase, the probability of human error also increases, making companies more vulnerable. A passwordless world based on identity is the best way to prevent attacks, as physical identity cannot be duplicated, lost, stolen or sold. – Ev Kontsevoy, Teleport
2. Thinking The IT Team Is Solely Responsible For Incident Prevention
The most frightening part of cybersecurity violations is that most businesses don’t even realize one has happened until long after it first occurs. Every company should stop and think—cyber incident prevention goes beyond IT, and employee errors are responsible for about 90% of all data breaches. – Cristian Randieri, Intellisystem Technologies Srl
3. Maintaining Security Layers That Are Reliant On Humans
I think full automation and digitization of processes and tools are essential. This means removing or stopping any layers of security—no matter how minor—that are entirely dependent on the human factor. This is where well-meaning and/or unintentional and uninformed breaches and gaps usually start. – Jennifer Esposito, Magic Leap
4. Having An ‘If A Breach Happens’ Mentality
Stop having the “if a breach happens” mentality and adopt the “when the breach happens” mentality. This mindset shift is key to establishing a robust cybersecurity posture. It’s about implementing a comprehensive, proactive defense approach, knowing a breach will happen. – Chris Schueler, Simeio
5. Neglecting Regular Cybersecurity Training
Cybersecurity in an organization is only as strong as the team it employs. Keeping all team members literate on current trends and threats in a fun and informative manner helps all staff be a small part of IT security. We encourage semiannual refreshers and phishing tests to remind everyone of threats. – Adam Bayaa, Heal
6. Leveraging Scare Tactics Around Cybersecurity
Immediately stop with the scare tactics and punitive culture around cybersecurity. Instead of blaming cybersecurity risk on your employees, see them as assets in protecting your company data. Cultures of cyber-readiness come from the top down. Valued, trusted and empowered employees are your best line of defense. – Tara Anderson, Framework Security
7. Buying On-Premises Software
Stop buying on-premises software applications. Use cloud-based software as a service products. A reputable cloud hosting service or application provider will deliver better security than most organizations can implement on premises. And there’s no patching required of your IT team. – Saryu Nayyar, Gurucul
8. Tying Incentives To Growth Metrics
Companies can improve their cybersecurity posture if they stop tying employee incentives to growth metrics. A great deal of cybersecurity hygiene mistakes occur because employees are moving too fast while trying to grow the business. They often cut corners, implement shadow IT and bypass security policies in the process. – Sameer Malhotra, TrueFort, Inc.
9. Focusing On Tools Instead Of On Outcomes
Businesses need to stop thinking that technology and tools can do it all and buying every new “magic bullet.” Focus on buying the “outcomes” to improve security posture, including investing in skilled IT staff with a security focus. Businesses also need to stop believing that multifactor authentication will solve identity. Organizations need a strategic identity plan; zero trust or least privilege identity is critical today. – Lalit Ahluwalia, Inspira Enterprise
10. Storing Unneeded Data
The first thing companies should stop doing is using and storing passwords—instead, use passwordless tech. Doing so would improve cybersecurity and save lots of computing power, as encryption and decryption are no longer needed, thus helping the environment. Companies should also stop storing unnecessary customer and employee data to save time with compliance and reduce the risk of data breaches. – Deepak Gupta, LoginRadius
11. Addressing Distributed Problems With A Centralized Approach
When it comes to modern identity challenges, such as supporting multicloud platforms, stop trying to address distributed problems with a centralized approach. Consider embracing a distributed approach to identity management, made possible by new open standards like the Hexa Policy Orchestrator project from the Cloud Native Computing Foundation. – Eric Olden, Strata Identity
12. Relying On The Perimeter
The sophistication of today’s cyberattacks is outpacing an enterprise’s ability to effectively protect its digital assets. Organizations must stop relying on the perimeter to shield them from threats such as data theft and shift their focus toward absorbing attacks. Data fragmentation and scattering is a great way to devalue data to hackers, eliminating any leverage for extortion. – Greg Salvato, TouchPoint One
13. Looking At Cyberattacks As Individual Events
Companies should stop looking at cyberattacks as a set of individual events. A breach happens because attackers were successful at phishing and stealing passwords and exploiting vulnerabilities and hiding under the radar and exfiltrating data—and so on. The mantra that attackers need to be right just once and defenders have to be right all the time is misleading and wrong! It is the other way around. – Etay Maor, Cato Networks
14. Exposing Vulnerable Systems To The Public Internet
First, stop exposing systems such as remote desktop protocol ports to the public internet—while this tip seems obvious, many companies are still prone to this mistake. Second, stop postponing security updates due to such reasons as possible disruptions to business. Both of these practices are unnecessarily risky. – Mike Walters, Action1
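The exposure described above is easy to audit for. The following is an added example, not code from the article or from Action1, that walks inbound firewall rules written in the shape of an AWS security-group `IpPermissions` list (that structure is an assumption; the rules themselves are constructed sample data) and flags every remote-access or database port that is reachable from the whole IPv4 or IPv6 internet. It handles the two cases a quick grep for "3389" misses: a wide port range that happens to include RDP, and an "all traffic" rule (`IpProtocol` of `-1`).

```python
import ipaddress

# Services that should never be reachable from the entire internet.
RISKY_PORTS = {
    3389: "RDP",
    22: "SSH",
    445: "SMB",
    5900: "VNC",
    1433: "MSSQL",
    3306: "MySQL",
}

# Constructed sample: inbound rules in the shape of an AWS security-group
# "IpPermissions" list. The addresses and ranges are made up for this example.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "-1", "FromPort": None, "ToPort": None,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]


def is_world_open(cidr):
    """True if the CIDR is the entire IPv4 or IPv6 address space (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def ports_covered(rule):
    """Return the risky ports a single rule covers.

    Protocol "-1" means all traffic, so every risky port is covered.
    Only TCP rules (name "tcp" or IANA number "6") are considered, since the
    listed services are TCP; a port range is checked as a range, not a literal.
    """
    if rule["IpProtocol"] == "-1":
        return set(RISKY_PORTS)
    if rule["IpProtocol"] not in ("tcp", "6"):
        return set()
    lo, hi = rule["FromPort"], rule["ToPort"]
    return {port for port in RISKY_PORTS if lo <= port <= hi}


def find_exposed(rules):
    """Return (service, port, cidr) tuples for every risky port open to the world."""
    findings = []
    for rule in rules:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        open_cidrs = [c for c in cidrs if is_world_open(c)]
        if not open_cidrs:
            continue
        for port in sorted(ports_covered(rule)):
            for cidr in open_cidrs:
                findings.append((RISKY_PORTS[port], port, cidr))
    return findings


if __name__ == "__main__":
    for service, port, cidr in find_exposed(SAMPLE_RULES):
        print(f"EXPOSED: {service} (tcp/{port}) reachable from {cidr}")
```

On the sample rules the first finding is RDP open to `0.0.0.0/0`; the third rule is reported four times because its 1024-65535 range covers MSSQL, MySQL, RDP and VNC from `::/0`, while the SSH rule restricted to a /24 and the HTTPS rule are not flagged. Feeding the function real security-group output (for example from `describe-security-groups`) is the intended use; the fix for each finding is to restrict the source to a bastion, VPN or known-administrator range rather than to delete the service.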
15. Assigning Status-Based Permissions
Stop assigning status-based permissions! It doesn’t matter if Joe is the CEO’s executive assistant; there is no reason he needs admin access to the development environment. Layered cybersecurity best practices such as multifactor authentication and endpoint security automation are futile if permissions aren’t responsibly restricted internally. – Charles Aunger, Health2047 – American Medical Association