
How Organizations Can Use Blunders to Level Up Their Security Programs

Dark Reading, March 26, 2026

The industry keeps pointing out that organizations repeatedly make the same common security mistakes; one session at RSAC 2026 detailed ways to avoid them.



Arielle Waldman, Features Writer, Dark Reading
March 26, 2026, 5 Min Read

RSAC 2026 CONFERENCE — San Francisco — Regardless of sector or size, organizations keep making the same cybersecurity mistakes. Ports exposed to the Internet, weak or reused passwords, poor patching practices, and insufficient logging and monitoring are among the most common weaknesses behind data breaches. In some cases, attackers abuse those gaps to breach an organization's defenses and cause wider damage. But mistakes also offer organizations plenty of learning opportunities.

Megan Benoit, lead security engineer at Nebraska Medicine, shared eight common mistakes she has observed on the job over the last 20 years; if she had more time, she could highlight even more, she said. Her main takeaway: "Don't trust anything" — whether it's people, processes, or vendors.

Repeat Offenses

Everyone wants to reduce risk, but individual developers, analysts, and administrators don't always make "good decisions," Benoit said. One reason is that they want to reduce friction and improve usability — the user may be yelling about needing higher administrator privileges — but that comes with a tradeoff that could be catastrophic if those privileges are .

Benoit's goal is to "prevent incidents before they happen."

"I would log in, and I would see the same problems over and over again," Benoit explained, while the song "Dumb Ways to Die" (the RSAC session title) played in the background.
"I'm not even talking about MFA [multifactor authentication], everyone's already told you to enable MFA. I'm talking about all the stuff people don't always tell you about."

Here is an example: Benoit received a phone call from a customer who said their website had been hacked and was now "pointing to a casino in the Philippines." The culprit was a vulnerable CMS that the organization had not patched since 2018, she said. The customer did not see a problem with that practice. "[They said] it's only been hacked once since 2018," she said. "That doesn't matter; you still have to patch it."

Vendor transparency presents another challenge. Organizations can't always "trust vendors" to deliver vital information, especially on vulnerability and patch management. Vendors don't support every piece of software they ship, even against some of the "very big, ugly, public vulnerabilities," so organizations have to hunt for affected systems manually before attackers have time to exploit them.

We Know the Problem, What's the Fix?

Alongside examples of worst practices and what went wrong, Benoit outlined how to improve them.

The problem: Organizations can't always rely on firewalls to tell them what is exposed, because most threats happen outside the firewall. Benoit has seen "more misconfigured edge devices" than she cared to discuss.

The fix: Sometimes it pays to run two endpoint detection and response (EDR) tools at once. She has seen it pay off more than once because "one EDR will fail you sooner or later."

The problem: Bad password management, which she described as "one of the worst practices." Attackers, on the other hand, use strong passwords. In one case, Benoit discovered backup accounts and knew attackers had created them because the passwords were "really good."
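The two concrete fixes Benoit gives for this (reject passwords that are already in breach corpora, and never store passwords in plaintext or with a home-grown hash) look like the following in practice. This is an added example, not code from the article, from Nebraska Medicine, or from any vendor. The breached-password check follows the k-anonymity range lookup offered by Have I Been Pwned's Pwned Passwords API, where only the first five hex characters of the SHA-1 hash leave the host; the range response embedded here is a constructed stand-in shaped like that API's output so the block runs offline, and the scrypt cost parameters are illustrative values you would tune to your own hardware budget.

```python
"""Password-handling checks: reject known-compromised passwords and store
only salted, memory-hard hashes (never plaintext, never a home-grown scheme).

Added example, not code from the Dark Reading article or Nebraska Medicine.
The range response below is CONSTRUCTED sample data shaped like the Pwned
Passwords range API output so the block runs offline.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# scrypt parameters: standard-library, memory-hard, with a per-user random salt.
# Assumption: these cost values are illustrative; tune to your hardware budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    to the range API and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the range API's format) into a dict."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """Number of times the password appears in breach corpora (0 = not seen).
    `lookup(prefix)` returns the range-response body for that 5-char prefix;
    in production it would GET https://api.pwnedpasswords.com/range/<prefix>."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def hash_password(password: str) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(key.hex(), hash_hex)


def enroll_password(password: str, lookup: Callable[[str], str],
                    min_len: int = 12) -> Optional[str]:
    """Policy gate: reject short or known-compromised passwords; otherwise
    return the hashed record to store. None means 'rejected'."""
    if len(password) < min_len:
        return None
    if breach_count(password, lookup) > 0:
        return None
    return hash_password(password)


# --- CONSTRUCTED offline stand-in for the range API -------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 -> prefix 5BAA6.
# The counts are made up; only the format matches the real API.
_FAKE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n" + "F" * 35 + ":2\n",
}


def fake_lookup(prefix: str) -> str:
    """Return the constructed range body; unknown prefixes yield no matches."""
    return _FAKE_RANGE.get(prefix, "")


if __name__ == "__main__":
    print("breach count for 'password':", breach_count("password", fake_lookup))
    rec = enroll_password("correct horse battery staple 42", fake_lookup)
    print("stored record:", rec)
    print("verify ok:", verify_password("correct horse battery staple 42", rec))
    print("verify wrong:", verify_password("nope", rec))
```

The record format carries its own cost parameters, so a later increase in `SCRYPT_N` does not invalidate existing hashes; they are simply re-hashed at next successful login. Swap `fake_lookup` for an HTTPS GET against the range endpoint and the enrollment gate is production-shaped.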
The fix: Ensure that people don't use compromised passwords or store them in plaintext, which is an "outdated practice." Don't let developers write their own hashing or encryption algorithms, she recommended. Two-factor authentication also goes a long way, even if organizations only apply it to privileged accounts that handle financial, payment, and other sensitive data.

The problem: Users clicking phishing links, or getting phished in general. People will click malicious links, and attackers are going to win sometimes, Benoit warned.

The fix: Find email security solutions that stop phishing emails before they reach people, taking the burden off users. Nail down identity protection policies to minimize risk. Users can't make a bad decision if organizations don't hand them the decision in the first place, she urged.

The problem: Technical challenges are easy; security culture challenges are hard, she said. Users get upset if organizations tell them they can't check email from their personal devices, for example.

The fix: Restrict access as much as possible. Prioritize keeping identities safe.

OAuth: An Attacker's Gateway to Sensitive Info

Not locking down OAuth consent for users is one mistake that deserves more attention; Benoit ranked it as her "number one dumb way to die." Microsoft has blocked basic authentication for Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) by default on all Exchange Online tenants. But OAuth is modern authentication, Benoit explained, and blocking legacy protocols does nothing to stop its abuse.

If users get phished, attackers can replay their tokens and bypass MFA, or register an OAuth application and steal a copy of everything in the user's mailbox, she warned. "There are other ways adversaries can trick users into granting a full OAuth access request," she said. "It absolutely gets used in malicious phishing campaigns. If you're not blocking it, they'll do it."
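Before changing the consent setting, a practitioner wants two answers: what the tenant's user-consent policy is right now, and which apps users have already consented to with mailbox-level scopes. The following is an added example, not code from the article, from Nebraska Medicine, or from Microsoft. It operates on Microsoft Graph JSON in the shapes returned by GET /v1.0/policies/authorizationPolicy, GET /v1.0/oauth2PermissionGrants and GET /v1.0/servicePrincipals; the records embedded below are constructed samples in those shapes so it runs offline, the built-in permission-grant policy IDs are the ones Microsoft documents for the portal's consent settings (assumption: no custom policies in use), and the list of high-risk scopes is an assumption to tune for your tenant.

```python
"""Audit an Entra ID tenant's user-consent setting and the OAuth grants users
have already approved.

Added example, not code from the article, Nebraska Medicine, or Microsoft.
It works on Microsoft Graph JSON as returned by these real endpoints:
  GET /v1.0/policies/authorizationPolicy
  GET /v1.0/oauth2PermissionGrants
  GET /v1.0/servicePrincipals?$select=id,appId,displayName,verifiedPublisher
The records below are CONSTRUCTED samples in those shapes so the block runs
offline; fetching real ones needs a Graph token with Policy.Read.All and
Directory.Read.All (assumed; adjust to your tenant's granted scopes).
"""
from typing import Dict, List

# Built-in permission grant policy IDs Microsoft documents for the portal's
# "user consent" settings (assumption: no custom consent policies in use).
POLICY_LEGACY = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
POLICY_LOW = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

# Delegated scopes that hand an app a copy of, or persistent access to,
# mailbox and file contents. Assumption: tune this list for your tenant.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "offline_access",
}


def classify_user_consent(authorization_policy: dict) -> str:
    """Map permissionGrantPoliciesAssigned to the portal's three settings."""
    assigned = (authorization_policy.get("defaultUserRolePermissions", {})
                .get("permissionGrantPoliciesAssigned", []))
    if not assigned:
        return "disabled"                       # 'Do not allow user consent'
    if POLICY_LEGACY in assigned:
        return "open"                           # any app, any scope
    if POLICY_LOW in assigned:
        return "verified-publisher-low-risk"    # Microsoft's recommendation
    return "custom:" + ",".join(assigned)


def disable_user_consent_patch() -> dict:
    """Request body for PATCH /v1.0/policies/authorizationPolicy that turns
    user consent off entirely, so admins review every consent request."""
    return {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}}


def risky_user_grants(grants: List[dict], service_principals: List[dict]) -> List[dict]:
    """Return grants that include a high-risk delegated scope, tagged with the
    app name, publisher status, and whether a user ('Principal') or an admin
    ('AllPrincipals') consented. Verified publisher does not mean harmless."""
    sp_by_id: Dict[str, dict] = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        scopes = set(g.get("scope", "").split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if not risky:
            continue
        sp = sp_by_id.get(g["clientId"], {})
        publisher = sp.get("verifiedPublisher") or {}
        findings.append({
            "app": sp.get("displayName", g["clientId"]),
            "verified_publisher": bool(publisher.get("verifiedPublisherId")),
            "consent": "user" if g.get("consentType") == "Principal" else "admin",
            "principalId": g.get("principalId"),
            "risky_scopes": risky,
        })
    return findings


# --- CONSTRUCTED sample records ------------------------------------------------
SAMPLE_POLICY = {
    "defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [POLICY_LOW]  # the setting Benoit argues against
    }
}
SAMPLE_SPS = [
    {"id": "sp-1", "appId": "app-1", "displayName": "Mail Summarizer Bot",
     "verifiedPublisher": {"verifiedPublisherId": "1234567"}},
    {"id": "sp-2", "appId": "app-2", "displayName": "Timesheet Helper",
     "verifiedPublisher": {"verifiedPublisherId": None}},
    {"id": "sp-3", "appId": "app-3", "displayName": "Corporate Intranet",
     "verifiedPublisher": {"verifiedPublisherId": "1234567"}},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-42",
     "scope": "openid profile offline_access Mail.ReadWrite Files.Read.All"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-7",
     "scope": "User.Read"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read.All Mail.Read"},
]


if __name__ == "__main__":
    print("user consent setting:", classify_user_consent(SAMPLE_POLICY))
    for finding in risky_user_grants(SAMPLE_GRANTS, SAMPLE_SPS):
        print(finding)
    print("remediation body:", disable_user_consent_patch())
```

In the sample data, the verified-publisher "Mail Summarizer Bot" is exactly the case Benoit describes: a user-consented grant with Mail.ReadWrite plus offline_access, which means a refresh token and a standing copy of the mailbox. The "low risk, verified publisher" setting would have allowed it, which is why the remediation body sets the assigned policies to an empty list rather than to the verified-publisher policy.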
The fix: Go to Entra ID and set user consent to "do not allow user consent," she urged. Microsoft's own recommendation is to "allow user consent for applications that have been published by verified publishers." Google has the same problem, but it requires a different fix.

"This is a bad recommendation, and they should feel bad for making it," she emphasized. "These are verified applications, some of this is legitimate, has legitimate purposes and you still don't want users using it." If organizations do not restrict user consent, chatbots could gain full access to sensitive emails and everything else in the tenant, for example. She described OAuth consent as a "giant, gaping hole in security" because it's difficult to track or block access to that data. Administrators should therefore review consent requests first. But those administrators should be trusted people, as she has seen "admins make bad decisions here."

Be Nice to Developers

Building good relationships with developers is one way to address many of these concerns. Though Benoit discussed ways developers "sabotage" security, being friends with them is "literally one of the best things" organizations can do for their security program.

Developing trust may take time, but once it sticks, security becomes a team effort, and developers are a key part of it.

"If you pass blame, they won't work with you," she said. "If you work and make friends with them, and treat them well, they'll come to you. They'll rat out their buddies. They'll rat out themselves."

About the Author

Arielle Waldman, Features Writer, Dark Reading

Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going.
She previously lived in Florida, where she wrote for the Tampa Bay Times, before returning to Boston, where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and a poetry collection.