When modern security teams still fall for the ghosts of security past
Cybersecurity has its own folklore: tales that refuse to die, whispered in boardrooms, repeated by vendors, and occasionally shouted across WhatsApp when a relative asks whether scanning a QR code will summon the dark forces of the internet. For CISOs and security architects, these myths aren’t just amusing. They create blind spots. They convince teams they’re safer, or more at risk, than they actually are. And more often than not, they divert attention from the real problem: corporate identity threats.
Identity is now the primary attack surface across cloud, SaaS, and hybrid environments [CSA]. Yet many of the most persistent myths stop organizations from seeing what’s in front of them. Here are ten of the biggest security urban legends that still influence decisions, block progress, and keep risk teams awake at night.
Myth 1: “Public Wi-Fi is dangerous. Avoid it at all costs.”
This one survived far longer than it deserved. Ten years ago, open Wi-Fi was a playground for script-kiddies running cheap MITM tools. Today, most applications use TLS 1.2+ with certificate pinning. If your device is patched, encrypted, and monitored, the Wi-Fi isn’t the threat; your device posture is. The real danger is a fleet of unmanaged laptops, not an airport lounge.
Myth 2: “Never scan QR codes. They’re always malicious.”
QR codes don’t hack anything. They’re just square-shaped hyperlinks. The danger lies in what happens after the URL opens: silent logins, OAuth grants, or mobile browsers doing optimistic deep-linking. A QR code is no more dangerous than clicking a link in an email, which is to say, dangerous if you lack the right controls. Trust the browser isolation layer, not the graphics.
Myth 3: “Email filtering catches most dangerous campaigns.”
It doesn’t. Modern attackers don’t rely on dodgy attachments anymore. They target identity flows with adversary-in-the-middle phishing kits, session hijacking, OAuth consent pages, or token theft. The attack never touches the inbox in a way a filter can stop. The myth persists because we like simple solutions. The reality is that protecting email is now an identity problem, not a mail-filtering one, and staff need practical training so they don’t become desensitized to cyberattacks.
Myth 4: “Zero Trust is a product you can buy.”
You can purchase tools, platforms, dashboards, and enough acronyms to start a small alphabet soup factory, but Zero Trust is not a SKU. It’s a posture built around least privilege, policy enforcement, segmentation, and continuous validation. Teams stall because they expect a tool to “do the Zero Trust for them.” Tools help. Architecture solves it.
Myth 5: “MFA fatigue attacks are solved with number matching.”
Number matching helps, but it doesn’t fix the real problem: once an attacker hijacks a session, MFA is irrelevant. Modern phishing proxies steal tokens, replay sessions, and bypass prompts entirely, so stronger MFA doesn’t stop a compromised identity acting “normally.”
The real defense is continuous identity intelligence: watching how sessions behave, not just how they begin. When you can spot unusual token use, risky elevations, odd OAuth grants, or login patterns that break a user’s baseline, you catch attacks that MFA will always miss. Automated conditional access can cut privilege or kill a session in real time, while on-demand access and clean revocation stop attackers from gaining persistence. MFA locks the door; identity intelligence knows who’s already inside.
Myth 6: “If tokens expire quickly, stolen tokens aren’t a big deal.”
Stolen session tokens are the modern skeleton key. They can be replayed, refreshed through benign-looking OAuth flows, or used to establish long-lived attacker persistence. Expiry is a comfort blanket, not a control. Without identity-level visibility - who has which tokens, what they’re doing, and whether they’re behaving oddly - expiry timers do nothing for you.
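The behavioural check Myths 5 and 6 call for, as an added illustration rather than code from the original article: a session whose token is suddenly used from a different network and client than the one it was established in, within minutes of the previous use, is flagged, with token refreshes and OAuth consents ranked highest because they buy persistence. The event records, field names, and thresholds are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample session events (not from any real system). Each event is
# one use of a session token: who, which session, from where, with what client.
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "session": "S1", "asn": "AS111", "ua": "Chrome/Win", "action": "login"},
    {"ts": "2024-05-01T08:05:00", "user": "alice", "session": "S1", "asn": "AS111", "ua": "Chrome/Win", "action": "read_mail"},
    {"ts": "2024-05-01T08:09:00", "user": "alice", "session": "S1", "asn": "AS999", "ua": "python-requests", "action": "refresh_token"},
    {"ts": "2024-05-01T08:10:00", "user": "alice", "session": "S1", "asn": "AS999", "ua": "python-requests", "action": "oauth_consent"},
    {"ts": "2024-05-01T09:00:00", "user": "bob", "session": "S2", "asn": "AS222", "ua": "Safari/Mac", "action": "login"},
    {"ts": "2024-05-01T09:30:00", "user": "bob", "session": "S2", "asn": "AS222", "ua": "Safari/Mac", "action": "read_mail"},
]

# Actions that extend or widen access; a hijacked token doing these is the
# "persistence" case the text warns about (assumed action names).
PERSISTENCE_ACTIONS = {"refresh_token", "oauth_consent", "add_mfa_device"}

def session_context_anomalies(events, window=timedelta(minutes=30)):
    """Flag uses of a session token from a context (ASN + user agent) that
    differs from the context in which the session was established, when the
    previous use of the same session was within `window`. Expiry timers
    never see this: the token is still valid, it is just in the wrong hands."""
    first_ctx = {}  # session -> (asn, ua) at the first observed event
    last_seen = {}  # session -> timestamp of the previous event
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        sid, ctx = ev["session"], (ev["asn"], ev["ua"])
        if sid not in first_ctx:
            first_ctx[sid] = ctx
        elif ctx != first_ctx[sid] and ts - last_seen[sid] <= window:
            findings.append({
                "session": sid,
                "user": ev["user"],
                "action": ev["action"],
                "established_from": first_ctx[sid],
                "used_from": ctx,
                "severity": "high" if ev["action"] in PERSISTENCE_ACTIONS else "medium",
            })
        last_seen[sid] = ts
    return findings

if __name__ == "__main__":
    for f in session_context_anomalies(EVENTS):
        print(f)
```

In a real deployment the context would come from the identity provider's sign-in and token logs, and the "high" findings are the ones worth wiring to an automatic session revocation.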
Myth 7: “VPNs secure remote access.”
VPNs give a false sense of “secure perimeter.” Once authenticated, the tunnel opens into a broad network that attackers can roam if they’ve compromised the user’s identity. Breaches today rarely hinge on getting into the network — the trouble starts once attackers inherit the over-privileged roles, tokens, or cloud permissions that wait on the other side. The future of remote access is granular and identity-led, not tunnel-shaped.
Myth 8: “Cloud providers encrypt everything, so we’re covered.”
Cloud vendors encrypt data at rest by default. A nice tick-box for auditors, but almost irrelevant in modern breaches. Attackers don’t steal disks. They steal roles, access keys, OAuth grants, and misconfigured IAM policies. Encryption helps compliance, but it doesn’t help you when an attacker assumes the identity of a service account and walks straight into your S3 buckets.
Myth 9: “Monthly patching indicates strong security maturity.”
It’s tidy, predictable, and reassuring. It is also increasingly pointless on its own. Browser exploits, token theft, SaaS misconfigurations, and privilege abuse bypass patching altogether. Attackers compromise identities, not machines. A fully patched but wildly over-privileged service account is still a major incident waiting to happen. Patch, yes, of course, but let’s not pretend it’s the whole picture.
Myth 10: “Unused identities and dormant access are harmless.”
This is the big one and probably the most dangerous myth in modern environments. Attackers love finding dormant admin accounts, abandoned OAuth connections, forgotten service accounts, and stale access keys with god-mode permissions. These identities are unmonitored, unowned, and invisible to most teams. In breach reports, “unused” almost always translates to “unwatched.”
Breaking the Myth Cycle
The real issue with cybersecurity urban legends isn’t that they’re wrong — it’s that they create blind spots. Teams spend energy defending against yesterday’s threats instead of reducing today’s attack paths. The practical fix is to replace inherited assumptions with continuous, identity-centric visibility. That’s where a modern access intelligence and orchestration platform earns its keep.
Here’s how to break the cycle using the kind of capabilities these platforms provide:
1. Make identity risk visible in real time.
Folklore thrives in the dark. When you can see every human and non-human identity across cloud, SaaS, and legacy systems - who they are, what they can actually do, and how that compares to their peers - the myths collapse. Visibility turns into evidence, and evidence turns into decisions.
2. Uncover dormant, unowned, and high-risk access instantly.
The myth that dormant identities are harmless dies fast when you have automated discovery for abandoned roles, stale OAuth grants, shadow access, unused machine identity credentials, zombie tokens, and inherited access you didn’t know existed. Modern tooling surfaces unused privileges before attackers do, and without manual hunting.
3. Replace static permissions with on-demand access that expires cleanly.
A lot of myths exist because access is long-lived and opaque. With just-in-time, request-based access that is scoped, time-bound, and logged, and with entitlements revoked automatically the moment they are no longer needed, you remove the very conditions attackers rely on: standing privilege, forgotten roles, and unmanaged sprawl.
4. Continuously validate behavior, not just credentials.
The industry myth says MFA is the great equalizer. In reality, strong sessions can still be hijacked. Continuous validation (automatically monitoring identity behavior, token use, access patterns, and anomalous elevation) turns authentication from a one-off check into a living control.
5. Automate governance so myths don’t creep back in.
Manually reviewing access is how organizations re-grow privilege like weeds. Automation enforces identity policy the same way every time:
- least privilege by default,
- peer-based baselines,
- right-sizing of roles,
- life-cycle controls that prune risk as systems change.
This stops “temporary access” from becoming “permanently forgotten,” and it prevents the slow drift back into folklore-driven risk decisions.
6. Link people, access, systems, and actions into one understandable inventory.
Cybersecurity myths flourish when teams can’t trace the path from a user to a permission to a resource to an action. A unified identity and access inventory exposes the actual attack surface: the real paths an attacker could take, the identities that matter most, and the privileges that don’t belong.
7. Treat identity as infrastructure, not admin.
When identity data is collected continuously, decisions are made automatically, and access is adapted dynamically, you replace superstition with repeatable engineering. You shift from “we think we’re secure” to “we can prove what every identity can do — and shouldn’t be able to do — at any moment.”
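The inventory review that steps 1, 2, 5, and 6 describe, written out as an added example (not the article's or any vendor's code): every identity, human or service, is checked for dormancy, for a missing owner, and for permissions that few of its team peers hold, which is the peer-based baseline behind right-sizing. The inventory, team names, permission strings, and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed identity inventory (sample data, not from any real tenant).
NOW = datetime(2024, 6, 1)
IDENTITIES = [
    {"name": "alice",     "kind": "human",   "team": "dev", "owner": "alice", "last_used": "2024-05-30", "perms": {"repo:read", "repo:write"}},
    {"name": "bob",       "kind": "human",   "team": "dev", "owner": "bob",   "last_used": "2024-05-29", "perms": {"repo:read", "repo:write"}},
    {"name": "carol",     "kind": "human",   "team": "dev", "owner": "carol", "last_used": "2024-05-31", "perms": {"repo:read", "repo:write", "iam:*"}},
    {"name": "ci-deploy", "kind": "service", "team": "dev", "owner": None,    "last_used": "2024-01-10", "perms": {"s3:*", "iam:*"}},
    {"name": "old-admin", "kind": "human",   "team": "ops", "owner": None,    "last_used": "2023-09-01", "perms": {"*"}},
    {"name": "dave",      "kind": "human",   "team": "ops", "owner": "dave",  "last_used": "2024-05-28", "perms": {"ops:read"}},
]

def review_inventory(identities, now=NOW, dormant_days=90, peer_threshold=0.5, min_peers=2):
    """Return (identity, finding, detail) tuples for dormant identities,
    identities with no accountable owner, and permissions held by fewer than
    `peer_threshold` of the identity's team peers. The peer check is skipped
    for tiny teams (fewer than `min_peers`) because one peer is not a baseline."""
    by_team = defaultdict(list)
    for ident in identities:
        by_team[ident["team"]].append(ident)
    findings = []
    for ident in identities:
        idle_days = (now - datetime.fromisoformat(ident["last_used"])).days
        if idle_days > dormant_days:
            findings.append((ident["name"], "dormant", f"unused {idle_days} days"))
        if ident["owner"] is None:
            findings.append((ident["name"], "unowned", "no accountable owner"))
        peers = [p for p in by_team[ident["team"]] if p is not ident]
        if len(peers) < min_peers:
            continue
        for perm in sorted(ident["perms"]):
            share = sum(perm in p["perms"] for p in peers) / len(peers)
            if share < peer_threshold:
                findings.append((ident["name"], "outlier_permission", perm))
    return findings

if __name__ == "__main__":
    for name, kind, detail in review_inventory(IDENTITIES):
        print(f"{name:10} {kind:20} {detail}")
```

Every finding carries the three facts a reviewer needs to act (who, why, and what), which is what turns visibility into a decision rather than a dashboard.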
Modern security teams don’t need more folklore worthy of Fortean Times; they need clarity. When you cut through the myths and treat identity as the living system it is, the attack surface finally makes sense. The organizations that thrive are the ones that stop defending ghosts and start managing the real, measurable access pathways that shape their daily risk.