By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Information Security (InfoSec) is the practice of protecting data from unauthorized access, use, disclosure, disruption, modification, or destruction. It's the technical and procedural "how." The biggest mistake? The "knowing-doing gap": knowing what needs to be done (patch, segment, monitor) but failing to actually do it consistently. Attackers don't need your biggest weakness, just your most ignored one.
At a Glance: The Information Security Trap Matrix
A. The "Technical Debt & Hygiene" Traps
Mistake 1: Unpatched Security Vulnerabilities
Scenario: The Equifax breach in 2017, which led to a $545 million settlement, occurred because a critical web server patch had not been applied for months. Attackers routinely scan for and exploit known, unpatched vulnerabilities.
Fix: Implement an automated patch management process. Prioritize high-risk and internet-facing assets. Establish good asset management to maintain an overview of your system landscape and patch status. Operate non-patchable or outdated systems in isolation.
Mistake 2: Cloud Misconfigurations
Scenario: The Capital One 2019 breach, where an attacker exploited a misconfigured web application firewall and overly broad IAM permissions to steal ~100 million customer records. Similarly, the Tea app breach involved a publicly accessible Google Cloud Storage bucket lacking proper authentication.
Fix: Use Cloud Security Posture Management (CSPM) tools to audit and correct configurations. Follow the principle of least privilege for all cloud IAM roles. Continuously review your cloud settings, including access control lists, security groups, and storage bucket permissions.
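The two misconfigurations in this scenario (a bucket open to anyone, and an IAM policy granting wildcard rights) are exactly what a CSPM audit looks for. The following is an added example, not code from the page or from any CSPM product: it parses constructed sample policies in AWS bucket-policy and GCP IAM-binding shape and flags public principals and wildcard grants. The bucket name, account id, role names and service-account address are made-up placeholders.

```python
"""Audit cloud access policies for two classic misconfigurations:
a storage bucket readable by the public, and an IAM policy that grants
wildcard permissions. All policy documents below are constructed samples
in AWS bucket-policy / GCP IAM-binding shape, not from any real incident."""
import json

# Constructed sample: an S3-style bucket policy with one public statement.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample: an IAM role policy with a wildcard grant (placeholder values).
SAMPLE_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

# Constructed sample: GCP-style IAM bindings on a storage bucket.
SAMPLE_GCP_BINDINGS = [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:app@example.iam.gserviceaccount.com"]},
]

# GCP member names that mean "anyone", with or without a Google account.
PUBLIC_GCP_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    # "*" and {"AWS": "*"} both mean "anyone on the internet".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_aws_policy(policy_json):
    """Return a list of (sid, finding) tuples for risky Allow statements."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no-sid>")
        # Public principal with no Condition narrowing it: anonymous access.
        if _is_public_principal(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((sid, "public-principal"))
        # Wildcard action on a wildcard resource: effectively admin rights.
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append((sid, "wildcard-action-on-all-resources"))
    return findings


def audit_gcp_bindings(bindings):
    """Return (role, member) pairs that expose the bucket to the public."""
    return [(b["role"], m) for b in bindings
            for m in b.get("members", []) if m in PUBLIC_GCP_MEMBERS]


if __name__ == "__main__":
    print(audit_aws_policy(SAMPLE_BUCKET_POLICY))
    print(audit_aws_policy(SAMPLE_ROLE_POLICY))
    print(audit_gcp_bindings(SAMPLE_GCP_BINDINGS))
```

The checks are deliberately simple: a statement is only "public" if nothing narrows it, so a conditioned statement is left for manual review rather than auto-flagged, and a wildcard action is reported only when it also applies to every resource.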
Mistake 3: Weak Passwords and Lack of MFA
Scenario: A domain administrator password with six characters, or a local admin password with only two, provides no obstacle for cybercriminals. Without MFA, a single compromised password can lead to a full network takeover.
Fix: Enforce strong password policies. All access points accessible via the internet (especially VPN) must be secured with multi-factor authentication (MFA). Enforce MFA across all critical systems, especially for privileged users and remote access points.
Mistake 4: Poor Account Hygiene and Excessive Privileges
Scenario: A company in San Marcos had 47 active user accounts for a team of 23 people, including former employees from 2019. Attackers were using one of these "ghost accounts" to access financial data for months. Attackers often use compromised local administrator accounts to escalate privileges and move laterally.
Fix: Conduct regular user access audits. Immediately deactivate accounts when employees leave. Implement role-based access control (RBAC) and the principle of least privilege (PoLP), granting only the minimum necessary access rights. Consider Microsoft's "tiering model" for account separation.
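A user access audit of the kind described above is, at its core, a reconciliation of the directory's account list against the HR roster. The script below is an added example (not from the page or any vendor) that does that reconciliation over two constructed CSV extracts and reports ghost accounts: accounts whose owner has been terminated, accounts with no owner at all, unowned admin accounts, and accounts nobody has logged into for 90 days. The account names, employee ids and dates are made up.

```python
"""Reconcile a directory account export against the HR roster to surface
'ghost accounts'. Both data sets are constructed samples, not data from
any real organisation."""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed directory export: one row per enabled account.
ACCOUNTS_CSV = """sam,owner_id,last_logon,is_admin
jdoe,E101,2024-05-28,no
asmith,E102,2024-05-30,yes
bold,E099,2023-11-02,no
svc-backup,,2024-05-29,yes
tmp-contractor,,2023-08-14,no
"""

# Constructed HR roster: status is 'active' or 'terminated'.
ROSTER_CSV = """employee_id,name,status
E101,Jane Doe,active
E102,Alex Smith,active
E099,Bob Old,terminated
"""

AUDIT_DATE = date(2024, 6, 1)      # reference "today" for the sample data
STALE_AFTER = timedelta(days=90)   # logon age after which an account is stale


def _rows(text):
    return list(csv.DictReader(StringIO(text)))


def audit_accounts(accounts_csv, roster_csv, today=AUDIT_DATE, stale_after=STALE_AFTER):
    """Return a sorted list of (account, reason) findings."""
    roster = {r["employee_id"]: r for r in _rows(roster_csv)}
    findings = []
    for acct in _rows(accounts_csv):
        name = acct["sam"]
        owner_id = acct["owner_id"]
        owner = roster.get(owner_id) if owner_id else None
        if not owner_id:
            # No owner recorded: nobody is accountable for this login.
            findings.append((name, "no-owner"))
        elif owner is None:
            findings.append((name, "owner-not-in-roster"))
        elif owner["status"] == "terminated":
            # The classic ghost account: the person left, the login did not.
            findings.append((name, "owner-terminated"))
        last = date.fromisoformat(acct["last_logon"])
        if today - last > stale_after:
            findings.append((name, "stale-logon"))
        if acct["is_admin"] == "yes" and not owner_id:
            # Privileged and unowned: highest priority for review.
            findings.append((name, "unowned-admin"))
    return sorted(findings)


def account_ratio(accounts_csv, roster_csv):
    """Enabled accounts per active employee; well above 1.0 signals sprawl."""
    active = sum(1 for r in _rows(roster_csv) if r["status"] == "active")
    return len(_rows(accounts_csv)) / active


if __name__ == "__main__":
    for account, reason in audit_accounts(ACCOUNTS_CSV, ROSTER_CSV):
        print(f"{account:15} {reason}")
    print(f"accounts per active employee: {account_ratio(ACCOUNTS_CSV, ROSTER_CSV):.2f}")
```

Service accounts will legitimately have no personal owner; the point of the "no-owner" finding is that each one should be assigned a named owner in the directory rather than silently excluded from the audit.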
Mistake 5: Default Credentials Still in Use
Scenario: It's a basic but shockingly common flaw. Attackers know the default credentials for almost every router, database, and admin panel. Leaving them unchanged is an open invitation.
Fix: Enforce strong password policies and change all default credentials during system deployment. Monitor for unauthorized access attempts.
B. The "Architecture & Defense" Traps
Mistake 6: Lack of Network Segmentation
Scenario: In the 2013 Target breach, attackers gained access via an HVAC vendor's credentials and then moved laterally across a flat network to reach point-of-sale systems. Lack of segmentation allowed an isolated incursion to become a full-blown breach.
Fix: Implement well-designed network segmentation. Separate server and client networks, strictly regulate necessary connections, and isolate operational technology (OT) from IT networks. This creates significant barriers for attackers, slowing or stopping lateral movement.
Mistake 7: Inadequate Backups
Scenario: A company has backups, but they are connected to the network. In a ransomware attack, cybercriminals find, encrypt, and delete them, increasing pressure to pay the ransom.
Fix: Follow the 3-2-1 backup principle: three separate copies, on two different media (e.g., hard disk & LTO tape), with one copy stored off-site (disconnected from the network). Regularly test both the functionality and the restoration of your backups.
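To make the 3-2-1 rule and the "test your restores" advice checkable rather than aspirational, here is an added example (not from the page) that evaluates a backup inventory against both. The two inventories are constructed: the first is the scenario above (every copy on network-attached disk, restores never tested), the second satisfies the rule. Copy names and dates are made up.

```python
"""Check a backup inventory against the 3-2-1 rule and against a maximum
age for the last successful restore test. Inventories are constructed."""
from datetime import date, timedelta

# Constructed: everything on one always-reachable NAS, restores untested since 2023.
WEAK_INVENTORY = [
    {"name": "nightly", "medium": "disk", "offsite": False, "offline": False,
     "last_restore_test": "2023-01-10"},
    {"name": "weekly", "medium": "disk", "offsite": False, "offline": False,
     "last_restore_test": "2023-01-10"},
]

# Constructed: disk plus two LTO tape copies, one of them in an off-site vault.
GOOD_INVENTORY = [
    {"name": "nightly", "medium": "disk", "offsite": False, "offline": False,
     "last_restore_test": "2024-05-20"},
    {"name": "weekly-tape", "medium": "lto-tape", "offsite": False, "offline": True,
     "last_restore_test": "2024-05-20"},
    {"name": "vault-tape", "medium": "lto-tape", "offsite": True, "offline": True,
     "last_restore_test": "2024-04-02"},
]


def check_321(inventory, today=date(2024, 6, 1), max_test_age=timedelta(days=90)):
    """Return a list of violations; an empty list means the backup set passes."""
    problems = []
    if len(inventory) < 3:
        problems.append("fewer than 3 copies")
    if len({c["medium"] for c in inventory}) < 2:
        problems.append("fewer than 2 distinct media")
    if not any(c["offsite"] for c in inventory):
        problems.append("no off-site copy")
    if not any(c["offline"] for c in inventory):
        # The ransomware case from the scenario: if every copy is reachable
        # over the network, an attacker with admin rights can reach them all.
        problems.append("no copy disconnected from the network")
    for c in inventory:
        age = today - date.fromisoformat(c["last_restore_test"])
        if age > max_test_age:
            problems.append(f"{c['name']}: restore last tested {age.days} days ago")
    return problems


if __name__ == "__main__":
    for label, inv in (("weak", WEAK_INVENTORY), ("good", GOOD_INVENTORY)):
        print(label, check_321(inv) or "OK")
```

The offline check is the one that matters most for the ransomware scenario: three copies on two media are worthless if all of them are mounted on the same network the attacker already controls.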
C. The "Monitoring & Response" Traps
Mistake 8: Lack of Security Monitoring
Scenario: IT forensic analysts repeatedly find clear warning messages in logs that were ignored, overlooked in a flood of noise, or misinterpreted due to lack of expertise. Most incidents could be detected much earlier and stopped.
Fix: Implement robust security monitoring. Use SIEM (Security Information and Event Management) or XDR (Extended Detection and Response) platforms to collect, correlate, and analyze logs. Dedicate personnel to IT security, or consider managed security services such as a SOC (Security Operations Center).
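The "clear warning messages" that forensic analysts find after the fact are usually simple patterns a correlation rule would have caught. As an added example (not from the page or any SIEM product), the script below runs one such rule over constructed SSH log lines in syslog shape: it raises a medium alert when a source produces five failed logins within sixty seconds, and a high alert if a login from that source then succeeds. Hostnames, usernames and addresses are made up (the addresses are from documentation ranges).

```python
"""Minimal SIEM-style detection rule: a burst of failed logins from one
source, escalated if a successful login from the same source follows.
The log lines are constructed samples in OpenSSH/syslog shape."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
2024-06-01T02:14:01 host1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-06-01T02:14:03 host1 sshd[4021]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-06-01T02:14:05 host1 sshd[4021]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-06-01T02:14:08 host1 sshd[4021]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-06-01T02:14:10 host1 sshd[4021]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-06-01T02:14:31 host1 sshd[4022]: Accepted password for backup from 203.0.113.7 port 51030 ssh2
2024-06-01T09:00:00 host1 sshd[4100]: Failed password for jdoe from 198.51.100.4 port 40001 ssh2
2024-06-01T09:00:12 host1 sshd[4100]: Accepted password for jdoe from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line):
    """Parse one sshd auth line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(log_text, threshold=5, window_s=60):
    """Return alerts as (severity, source, detail) tuples in log order."""
    alerts = []
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()                 # sources already alerted for a burst
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # Drop failures that have fallen out of the sliding window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("medium", ev["src"],
                               f"{len(q)} failed logins within {window_s}s"))
        elif ev["src"] in flagged:
            # Success right after a burst of failures: likely a guessed password.
            alerts.append(("high", ev["src"],
                           f"login succeeded as {ev['user']} after brute-force burst"))
    return alerts


if __name__ == "__main__":
    for severity, src, detail in detect(SAMPLE_LOG):
        print(f"[{severity}] {src}: {detail}")
```

The single mistyped password from the second source produces no alert, which is the other half of the job: a rule that fires on every failure is the "flood of noise" the scenario describes.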
Mistake 9: No Incident Response Plan
Scenario: When a serious cyberattack is discovered, employees and management panic and act frantically ("headless chicken mode"). Important decisions are delayed, and the damage increases because no one knows who decides what, who informs whom, or who talks to authorities.
Fix: Build and regularly test an incident response plan. This offline plan should specify responsibilities, decision-makers, communication protocols, and escalation paths for emergencies. Define system prioritization: which systems must be checked and restarted first.
Mistake 10: Failing to Monitor the Dark Web
Scenario: Credentials, internal documents, and exploit kits often surface on the dark web long before an attack hits. Organizations unaware of this are blindsided when stolen data is used against them.
Fix: Use dark web monitoring services to detect data leaks, impersonation risks, and chatter related to your brand or employees. Set up alerting and takedown processes as needed.
D. The "Third-Party & Supply Chain" Traps
Mistake 11: Ignoring Third-Party Risks
Scenario: The Target breach originated through a third-party HVAC vendor. Attackers target vendors as a weak link to gain access to larger organizations. A weak link in a partner's system becomes your entry point.
Fix: Implement a Third-Party Risk Management (TPRM) program. Vet vendors thoroughly, conduct regular security assessments, and enforce security standards in contracts.
Mistake 12: Poor IT Service Providers
Scenario: A company outsources its IT to a provider without the necessary skills or expertise. The provider's poor security practices leave the client's infrastructure vulnerable.
Fix: Vet service providers carefully. Define clear Service Level Agreements (SLAs), including response times. Conduct regular penetration tests that include the provider's infrastructure. Perform joint emergency drills to test competencies and reporting chains.
E. The "Culture & Organization" Traps
Mistake 13: Overworked IT Staff
Scenario: "IT" is expected to handle everything from user support and printer drivers to server maintenance and security, often as a side task. This leaves no time for strategic, foundational work like setting up a well-designed network.
Fix: Resource IT and security adequately. Experience shows that around five percent of employees in medium-sized companies should be in IT, with dedicated IT security staff. Competitive pay is key in the battle for skilled workers.
Mistake 14: The "Knowing-Doing Gap" (Paper vs. Reality)
Scenario: An organization has all the right policies and compliance certifications (ISO, SOC2) on paper, but fails to validate them in reality. Systems are unpatched, configurations are wrong, and policies are not enforced. This is the "knowing-doing gap".
Fix: Validate your security controls regularly. Conduct periodic technical security validations, including configuration audits, vulnerability scans, and penetration tests. Embed controls into operational tooling so that compliance is a continuous, integrated process, not a periodic scramble.
Mistake 15: Treating Employees as the Weakest Link
Scenario: An organization relies solely on technical tools and fails to train its employees. An accounting department employee nearly wires $75,000 to scammers who spoofed the CEO's email.
Fix: Empower employees as cybersecurity defenders through regular, relevant training. Make cybersecurity education part of your company culture, not a once-a-year PowerPoint. Show real examples of threats targeting your industry. An employee who can spot a phishing email is your strongest defense.