
There's a problem with most cybersecurity advice: a lot of it hasn't changed since 2003. The threats have completely transformed, but the old rules keep getting passed around like they're gospel. The result? Business owners checking boxes that no longer protect anything — while ignoring the steps that really matter.

Here are ten "best practices" that experts now consider outdated, broken, or just plain wrong — and what you should be doing instead.

❌ Changing Your Password Every 90 Days

The old advice: "Change your passwords regularly — every 60 to 90 days — to stay safe."

Why it's wrong: Bill Burr, the NIST author behind the 2003 guideline that introduced this rule, publicly said in 2017 that he regrets it. Research is clear: when people are forced to change passwords on a schedule, they make tiny, predictable changes — like swapping "Summer2025!" for "Fall2025!" or adding a "2" at the end. That gives hackers exactly the pattern they need.

NIST (the National Institute of Standards and Technology, the organization that sets the gold standard for these guidelines) now explicitly says organizations "shall not" require periodic password resets unless there's actual evidence of a compromise. The UK's National Cyber Security Centre agrees, warning that forced expiry "harms rather than improves security."

What to do instead: Focus on length over complexity. NIST now recommends passwords of at least 15 characters. A passphrase like BlueCarrotFrogSunday is far stronger than P@ssw0rd1!. Use a password manager so your team doesn't have to memorize them. Only change a password when you have reason to believe it was compromised — not because a calendar reminder went off.

❌ Requiring Passwords With Capital Letters, Numbers, and Symbols

The old advice: "Your password must have at least one uppercase letter, one number, and one special character."

Why it's wrong: These composition rules were created in 2003 and are now officially abandoned. NIST's latest guidelines (SP 800-63B, Revision 4) state that organizations "shall not impose arbitrary composition requirements" — meaning no more forced capital letters, numbers, or symbols. Why? Because this requirement leads to completely predictable patterns. People write Password1! and feel like they're compliant. They are. But they're not secure.

What to do instead: Encourage longer passwords and passphrases. A 16-character lowercase passphrase is exponentially harder to crack than an 8-character "complex" password. Let your team use all characters — including spaces — and stop blocking them from creating the long, memorable phrases that actually work.
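To make the contrast in the last two sections concrete, here is an added example (written for this article, not code from NIST or any password manager) that encodes the old composition rule and a length-only rule side by side, sizes the brute-force search space behind the "length beats complexity" claim, and rejects the predictable tweak that scheduled resets produce. The 15/64-character limits and the 0.75 similarity threshold are assumptions chosen here.

```python
"""Old composition rules vs a NIST SP 800-63B-style length-only policy."""
import difflib
import math
import re
import string

# The 2003-style rule the article says to retire: 8+ characters with an
# uppercase letter, a digit and a symbol.
def old_policy_ok(pw: str) -> bool:
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

# A length-only policy in the spirit of SP 800-63B. Assumed parameters:
# 15-character minimum (NIST's recommended floor), 64-character cap (NIST
# says verifiers must accept at least 64), any printable character allowed.
MIN_LEN, MAX_LEN = 15, 64

def new_policy_ok(pw: str) -> bool:
    """Length is the only rule; spaces, symbols and Unicode letters all pass."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False
    return all(c.isprintable() for c in pw)   # reject only control characters

# Why length wins: size of the brute-force search space, in bits.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")   # 26 + 26 + 10 + 33 = 95

def search_space_bits(pw: str) -> float:
    """log2(alphabet ** length) for the character classes the password uses.
    This is a ceiling on attacker effort: wordlist attacks do far better
    against dictionary words, so pair length with a password manager."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet)

# When a reset IS justified (evidence of compromise), refuse the predictable
# tweak the article describes: the same letters with the digits bumped.
SIMILARITY_THRESHOLD = 0.75   # assumption; tune for your own user population

def too_similar(old: str, new: str) -> bool:
    def letters(s: str) -> str:
        return re.sub(r"[^a-z]", "", s.lower())
    if letters(old) and letters(old) == letters(new):
        return True
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= SIMILARITY_THRESHOLD

if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Password1!", "BlueCarrotFrogSunday",
               "correct horse battery staple"):
        print(f"{pw!r:32} old={old_policy_ok(pw)!s:5} "
              f"new={new_policy_ok(pw)!s:5} ~{search_space_bits(pw):.0f} bits")
    print("8 chars, all classes :", round(search_space_bits("Ab1!Ab1!")), "bits")
    print("16 chars, lowercase  :", round(search_space_bits("a" * 16)), "bits")
    print("Password1! -> Password2! rejected:", too_similar("Password1!", "Password2!"))
```

Run as-is it prints the two policies' verdicts on the article's own examples: P@ssw0rd1! and Password1! satisfy the old rule and fail the new one, while BlueCarrotFrogSunday and a four-word lowercase phrase do the reverse. The bit counts show the point the article makes: sixteen lowercase letters (about 75 bits) outrun eight characters drawn from every class (about 53 bits), and every extra character adds more than a whole extra character class does.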

❌ "Antivirus Software Is Enough"

The old advice: "Install antivirus software and you're covered."

Why it's wrong: Traditional antivirus works by recognizing known threats — it compares files against a database of malware it's already seen. But modern attacks include fileless malware, zero-day exploits, social engineering, and credential harvesting, which bypass signature-based detection entirely. Antivirus alone doesn't stop a hacker who's already inside using a stolen password — because they look like a legitimate user.

What to do instead: Layer your defenses. At minimum, combine antivirus with Endpoint Detection and Response (EDR) tools, which monitor behavior rather than just matching known threats. Add multi-factor authentication, regular backups, and employee training. Security experts call this a "layered security" approach — because no single tool is a silver bullet anymore.
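An added illustration, not code from any antivirus or EDR product, of the difference the paragraph draws: a signature check is an exact hash lookup, so a repacked variant or a fileless attack that never touches disk sails past it, while a behavioural rule looks at what processes do. The process events and the "known bad" sample bytes are constructed for this example, and the two rules (an Office application launching a scripting host; PowerShell run with an encoded command or download cradle) are simplified versions of patterns EDR products commonly alert on.

```python
"""Signature lookup vs behavioural rules over constructed endpoint telemetry."""
import hashlib
import re

# --- Signature-based detection: an exact hash match against known malware ---
KNOWN_BAD = b"MZ\x90\x00 constructed stand-in for a known dropper"   # constructed
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

def signature_match(file_bytes: bytes) -> bool:
    """True only if the file is byte-for-byte identical to a known sample."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES

# --- Behavioural detection: what the process DOES, not what it looks like ---
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# -e / -enc / -EncodedCommand, or a classic download-and-execute cradle
SUSPICIOUS_PS = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\b|downloadstring|\biex\b|invoke-expression)")

def behavioural_alerts(event: dict) -> list[str]:
    """Return the names of the simplified rules a process-creation event trips."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    alerts = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        alerts.append("office_app_spawned_script_host")
    if image in {"powershell.exe", "pwsh.exe"} and SUSPICIOUS_PS.search(event["cmdline"]):
        alerts.append("powershell_encoded_or_download_cradle")
    return alerts

def detect_all(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> alerts, for the events that raised any."""
    hits = {i: behavioural_alerts(e) for i, e in enumerate(events)}
    return {i: a for i, a in hits.items() if a}

# Constructed process-creation events (not real telemetry). Event 1 is the
# fileless macro pattern: Word launches hidden PowerShell with an encoded
# command ("SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA" is "IEX (New-Object" in
# UTF-16LE base64). There is no file on disk for a signature scanner to hash.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n Invoice_4471.docx"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\nightly_backup.ps1"},
]

if __name__ == "__main__":
    repacked = KNOWN_BAD + b"\x00"          # one byte appended: new hash, same malware
    print("signature hits original :", signature_match(KNOWN_BAD))
    print("signature hits repacked :", signature_match(repacked))
    for idx, alerts in detect_all(SAMPLE_EVENTS).items():
        print(f"event {idx}: {alerts}")
```

The signature catches the original bytes and misses the copy with one byte appended; the behavioural rules flag only event 1 (Word spawning hidden, encoded PowerShell) and stay quiet for the administrator's scheduled backup script in event 3, which is the kind of context a hash lookup cannot use.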

❌ Treating SMS Text Codes as "Real" Two-Factor Authentication

The old advice: "Turn on two-factor authentication by receiving a text message code — you're secure."

Why it's wrong: NIST has classed SMS codes as a "restricted" authenticator since the 2017 revision of SP 800-63B, and its 2025 update (Revision 4) keeps them there. The FBI and CISA have both urged organizations to move away from it. The reason? SMS codes are vulnerable to SIM swapping, where a criminal calls your mobile carrier pretending to be you, convinces them to transfer your number to their device, and then receives all your authentication codes. The code also crosses the phone network unencrypted, and nation-state attackers have demonstrated the ability to read SMS messages directly off carrier infrastructure.

High-profile exits are accelerating: Google confirmed it is phasing out SMS authentication for Gmail, and the U.S. Patent and Trademark Office discontinued SMS authentication in May 2025.

What to do instead: Use an authenticator app (like Google Authenticator or Microsoft Authenticator) instead of text codes. It's free, takes about five minutes to set up, and the six-digit code is computed on your phone from a secret shared at enrollment plus the current time, so there is nothing for a SIM swapper to intercept. One caveat: an app code can still be phished in real time by a fake login page that relays it to the real site. That is why the better option is passkeys, the fingerprint or Face ID login method built into most modern devices: a passkey is bound to the genuine site's domain and never leaves your device, which is why CISA now recommends this phishing-resistant form of MFA as the most secure option available to small businesses.
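For readers who want to see why an authenticator app is not exposed to SIM swapping, here is an added example (not code from Google, Microsoft or any authenticator vendor) of the TOTP algorithm from RFC 6238 that those apps implement: the code is computed on the device from a shared secret and the clock, so nothing crosses the phone network. The sample secret is the RFC's published test key; the one-step clock window, the replay check and the account/issuer names are assumptions typical of a verifier.

```python
"""RFC 6238 TOTP: the code an authenticator app shows is computed locally."""
import base64
import hmac
import struct
from urllib.parse import quote

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = number of 30-second steps since the epoch.
    Only the secret and the clock go in; no SMS, no phone number, no carrier."""
    return hotp(secret, unix_time // step, digits)

def verify(secret: bytes, code: str, unix_time: int,
           last_used_counter: int = -1, window: int = 1):
    """Server-side check. Accepts +/- `window` steps of clock drift (assumed 1)
    and refuses any counter at or below the last one accepted, so a code that
    was shoulder-surfed or phished cannot be replayed. Returns the accepted
    counter, or None."""
    counter = unix_time // 30
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate > last_used_counter and hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None

def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """What the enrollment QR code encodes: the otpauth URI authenticator apps read."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")

# RFC 6238's published test secret (ASCII "12345678901234567890"). A real
# deployment generates 20 random bytes per user, e.g. secrets.token_bytes(20).
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(TEST_SECRET, "owner@example.com", "Example Co"))  # assumed names
    for t in (59, 1111111109, 1234567890):
        print(f"t={t:<12} code={totp(TEST_SECRET, t)}  (8-digit: {totp(TEST_SECRET, t, digits=8)})")
    print("one step of clock drift accepted:", verify(TEST_SECRET, totp(TEST_SECRET, 59), 89))
    print("same code replayed              :",
          verify(TEST_SECRET, totp(TEST_SECRET, 59), 89, last_used_counter=1))
```

The 8-digit values match the test vectors in RFC 6238 Appendix B (94287082 at t=59, 07081804 at t=1111111109, 89005924 at t=1234567890), which is a quick way to check any TOTP implementation you are handed. Note what the function does not need: a phone number. That is the whole advantage over SMS, and also the limit of the method, since a phishing page that relays the code within its 30-second window still gets in.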

❌ Doing Security Training Once a Year

The old advice: "Schedule annual cybersecurity training for your team and check the box."

Why it's wrong: People forget 70% of what they learn within 24 hours. Annual training made sense when phishing emails had obvious typos and generic greetings — but today's attacks are AI-generated and personalized, pulling details from LinkedIn profiles, social media, and company websites. In fact, AI-generated phishing emails now show a 67% higher click-through rate than traditional attempts.

Verizon's 2025 Data Breach Investigations Report found that phishing report rates increased 4x when employees had received training within the past 30 days — compared to those who had not.

What to do instead: Shift to a continuous learning model — short monthly micro-trainings, regular phishing simulations (even simple ones), and role-specific content. A finance employee should see simulations that mimic invoice fraud. An HR manager should see ones mimicking fake job applicants. This doesn't have to be expensive — many tools offer free or low-cost phishing simulation platforms for small businesses.

❌ Relying on a Firewall as Your Main Defense

The old advice: "Set up a firewall and you've protected your perimeter."

Why it's wrong: The "castle-and-moat" security model — where you protect the outside wall and trust everything inside — has been obsolete for years. Today's reality: employees work from home on personal devices, your data lives in cloud apps, and your team logs into SaaS tools from coffee shops. There's no longer a clear "inside" to protect. When a hacker tricks one employee into clicking a phishing link, they're suddenly "inside" — and a perimeter firewall does nothing to stop lateral movement from there.

What to do instead: Adopt a Zero Trust mindset: assume no device or user is automatically safe, even if they're on your network. This doesn't require expensive software right away. Start small: require MFA on all accounts, use role-based access (employees can only see what they need to do their job), and audit who has access to what. Zero Trust is a philosophy before it's a technology.

❌ Thinking "We're Too Small to Be Targeted"

The old advice: "Hackers go after big companies. We're not worth their time."

Why it's wrong: This is the most dangerous myth of all. Attackers no longer manually select victims — they run automated campaigns that scan for vulnerabilities regardless of company size. Over 60% of ransomware attacks now hit businesses with fewer than 100 employees, according to FBI IC3 reports. Why? Because small businesses are easier to breach — limited budgets, less formal security processes, and faster decision-making that attackers can exploit through urgency tactics.

A successful breach costs a small business an average of $164,000 in 2025.

What to do instead: You don't need enterprise-level tools — you need the fundamentals done well: MFA on every account, encrypted backups, employee awareness, and an incident response plan (even a one-page one). Small doesn't mean safe — it means you need smarter, not necessarily bigger, defenses.

❌ Backing Up Data on a Weekly Schedule (and Never Testing It)

The old advice: "Back up your files once a week and you'll be fine."

Why it's wrong: A weekly backup means you could lose up to seven days of business data in a ransomware attack or system failure. For most businesses today, that's catastrophic. Worse, many owners back up data but never test whether the backup can actually be restored — discovering the problem only when they desperately need it.

What to do instead: Follow the 3-2-1 backup rule: 3 copies of your data, on 2 different types of storage, with 1 copy stored off-site (like in the cloud, just make sure you secure it). Make sure at least one copy is offline or immutable, meaning nothing on your network can overwrite it, because ransomware routinely encrypts or deletes any backup it can reach. For mission-critical data — financials, client records, active projects — back up daily at minimum, or more frequently. Most importantly, test your restore process quarterly. A backup you've never tested is not a backup — it's a hope.
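The "test your restore" step can be automated. This added example (written for this article, not a vendor's backup tool) writes a .tar.gz of a directory, records a SHA-256 manifest, restores into a scratch directory and compares every file, then shows what a damaged copy of the archive looks like to the same check. The sample business files are constructed here, and the archive names and paths are assumptions.

```python
"""Make a backup, then prove it restores: manifest-and-verify round trip."""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write src as a .tar.gz and return {relative path: sha256} for every file.
    Store the manifest alongside each of your 3-2-1 copies; it is what a
    restore test compares against."""
    manifest: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest

def verify_restore(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore into a scratch directory and report problems; [] means the
    backup restores exactly. Unreadable archives and missing or altered files
    are reported rather than raised, so this can run unattended on a schedule."""
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        # The 'data' filter (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/
        # 3.11.4) blocks path-traversal entries such as ../../etc/passwd.
        extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(dest, **extract_opts)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, digest in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"altered: {rel}")
    return problems

def demo() -> tuple[list[str], list[str]]:
    """Round-trip constructed sample data, then check a deliberately truncated copy."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = root / "business_data"                      # constructed sample files
        (src / "clients").mkdir(parents=True)
        (src / "financials.csv").write_text("2025-01-03,Invoice 4471,1250.00\n")
        (src / "clients" / "acme.txt").write_text("Acme Corp, net-30\n")
        archive = root / "backup.tar.gz"                  # assumed name
        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest)

        damaged = root / "damaged.tar.gz"                 # half the bytes: a bad copy
        data = archive.read_bytes()
        damaged.write_bytes(data[: len(data) // 2])
        bad = verify_restore(damaged, manifest)
        return good, bad

if __name__ == "__main__":
    good, bad = demo()
    print("intact archive  :", "restores exactly" if not good else good)
    print("damaged archive :", bad)
```

Schedule verify_restore against each copy (local, second medium, off-site) and treat any non-empty result as an incident, not a log line. The truncated-archive case is the one a weekly "backup succeeded" e-mail never shows you: the job ran, the file exists, and it cannot be restored.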

❌ "Cybersecurity Is My IT Person's Job"

The old advice: "Hire an IT person (or IT company), and security is handled."

Why it's wrong: Verizon's 2023 Data Breach Investigations Report found that 74% of breaches involved the human element — phishing, credential misuse, or mistakes — and the 2024 edition still put it at 68%. No IT team, no matter how skilled, can protect a business where employees are clicking malicious links, sharing files on personal Gmail accounts, or using unapproved apps without IT's knowledge. This last behavior — called Shadow IT — is rampant: Proofpoint research found that 97% of cloud apps used at companies are unapproved.

IT can set up great defenses and still lose if one person clicks a fake DocuSign link.

What to do instead: Treat cybersecurity as a whole-team responsibility. The owner sets the culture, and every employee — from your virtual assistant to your accountant — should understand the basics: don't click suspicious links, don't use personal email for business files, report anything weird. Create a simple, written policy (one page is fine) and actually talk about it at team meetings.

❌ Thinking Cyber Insurance Replaces Security

The old advice: "We have cyber insurance, so we're covered if something happens."

Why it's wrong: Cyber insurance is a financial recovery tool — not a prevention strategy. Insurers are now actively denying claims when businesses failed to maintain basic security standards. You can't file a claim saying your house burned down if you turned off the smoke detectors. Many Business Owner's Policies (BOPs) also don't include meaningful cyber coverage, leaving owners with a false sense of protection.

Additionally, insurers require proof of security practices before issuing policies — and if you can't demonstrate MFA, backups, and basic controls, you may not be able to get covered (or renew at a reasonable rate) at all.

What to do instead: Think of cyber insurance like car insurance — it helps after an accident, but it's not a substitute for being a safe driver. Get the insurance, but also invest in the fundamentals that both prevent incidents and make you insurable: MFA, regular backups, employee training, and written security policies. These aren't just "nice to haves" — they're increasingly requirements to get coverage at all.

The Bottom Line

The biggest mistake small business owners make isn't ignoring security — it's following outdated security advice that creates a false sense of protection. The threat environment has changed radically. The tools attackers use have changed. The rules have changed.

What hasn't changed: you don't need a Fortune 500 budget to protect your business. You need current information, practical actions, and a team that understands why this matters.

Start with one item from this list. Just one. Then build from there.