We recently looked at nine security tips that go outside the box of conventional thinking. Along with thinking about security practices creatively, however, we need to be aware of the shortcomings that come with standard defensive and protective measures.

InfoWorld recently published a report, titled “18 Surprising Tips for Security Pros,” that looked at widespread practices and tools that may end up offering a false sense of security. It’s not that these practices are ineffectual — it’s that their effectiveness is limited and they do not fully address the challenges security professionals face.

Nine Security Practices to Reconsider

There are common cybersecurity practices that could potentially lull IT professionals into complacency. Below are nine roadblocks that may speak to security leaders.

1. Antivirus Software Is Limited

Once upon a time, antivirus programs could be counted on to recognize most viruses, worms and other malware. Today, many end users still assume that having antivirus software means they are safe, but malware now evolves and proliferates so quickly that antivirus vendors cannot keep up.

2. Firewalls Are Even More Limited

The goal of firewalls is to block unwanted software, specifically malware. But most malware now relies on social engineering schemes to bust through firewalls. As a result, despite multiple firewall barriers, security teams face more penetrating attacks than ever.

3. Even Patching Is Limited

Security professionals have long pointed to updating software with security patches as the most important measure that users can take. Unfortunately, keeping patches updated is tricky, and patch managers usually fall short. Even more unfortunately, the rise of social engineering attacks has made traditional software vulnerabilities a relatively minor factor, so patching now protects against only 10 to 20 percent of attacks, according to the report.

4. Poor User Education

The security community has been warning end users about unsafe practices since the dawn of time, but users keep engaging in them. In the age of social engineering, user blunders seem more egregious than ever. Better application security and well-designed default prompts will do more to protect people than another lecture about bad security practices.

5. Strong Passwords Won’t Save You

Yes, on the whole, users’ password habits are especially execrable. Multiple studies have shown that people will happily reveal their passwords to almost anyone. But even strong passwords won’t help if attackers trick users, gain admin access, harvest the password hashes and stroll cheerfully through the checkpoints — and unfortunately, this is what a growing number of cybercriminals are doing.

6. Intrusion Detection Can’t Judge Intent

The purpose of an intrusion detection system (IDS) is to warn of suspicious activity. But what counts as suspicious? From the activity that the IDS sees, a fraudster using stolen credentials to access financial data looks just like a legitimate user performing a routine action. Uncertainty and false positives can render these warnings ineffectual.

7. The Public Key Infrastructure Is Broken

The system of public and private encryption keys has become the foundation of our encryption protection. Mathematically, it is the picture of elegance. But in the real world, numerous certification organizations have been breached, resulting in the proliferation of fraudulent keys. Moreover, how many users even care or change their behavior if a website is flagged as untrusted?

8. Appliances Are Easy to Attack

Appliances, in the IT sense, are supposed to enhance security by limiting the functionality of specialized devices such as routers. Yet, in practice, all too many appliances come with malware. Since appliances and their firmware are harder to update, if they can be updated at all, this malware is almost impossible to get rid of. Appliances have their advantages, but security is not one of them.

9. Sandboxes Don’t Stay Sandboxed

The goal of sandboxing is to let applications that may not be trustworthy run in a controlled environment where their access to system resources is limited. Still, cybercriminals regularly penetrate sandboxes and manage to do real-world harm to the systems the sandbox was supposed to protect.

Curtain Call for Security Theater

The unfortunate fact of life, according to the InfoWorld report, is that too many of our security practices can be chalked up to “security theater.” That is, they give the impression of security by flashing badges and imposing some inconveniences but don’t actually provide much protection against threats.

The security practices listed are not wrong, but they are insufficient to address the real security threats teams face today.
