Stop settling for check-the-box cybersecurity policies

After every breach, people ask: How did this happen if there were cybersecurity policies in place? The truth is, just having them doesn’t stop attacks. They only work if people know them and follow them when it matters. That’s where things often break down. Policies fail when they don’t match how work gets done, get outdated, or focus too much on rules instead of real risks.

When security rules are full of legal jargon or written for everyone in the same way, employees have a hard time knowing what they mean or how to follow them.


Why cybersecurity policies are still failing

Password complexity

Complex password policies often lead to weak choices, such as predictable patterns or users writing passwords down. Although NIST does not recommend frequent password changes, some organizations still require users to change passwords every 60 to 90 days. These outdated policies frustrate users and reduce security by encouraging risky habits.

A better approach would be to encourage longer passphrases and avoid resets unless there is evidence of compromise. Providing password managers can also help create and safely store strong passwords without extra hassle.
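To make the contrast concrete, here is an added example (not code from the article or from any vendor quoted in it) that puts a legacy composition-rule check next to a NIST SP 800-63B style check: minimum and maximum length, screening against a breached-password list, rejection of context-specific strings, and no periodic rotation unless there is evidence of compromise. The `BREACHED_PASSWORDS` set is a constructed stand-in for a real breach feed, and the function names and thresholds are the example's own assumptions.

```python
"""Hypothetical password policy checks contrasting a legacy complexity rule set
with a NIST SP 800-63B style rule set. Added example: the blocklist below is
constructed for illustration and is not a real breach corpus."""
import re
from datetime import date
from typing import Iterable, Optional, Tuple

# Constructed sample of "known bad" passwords standing in for a breached-password feed.
BREACHED_PASSWORDS = {
    "password1!", "welcome123", "summer2024", "p@ssw0rd", "letmein",
}


def legacy_complexity_check(pw: str) -> bool:
    """The classic 'one upper, one lower, one digit, one symbol, 8+ chars' rule.
    It accepts 'P@ssw0rd' while rejecting a long all-lowercase passphrase."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def nist_style_check(pw: str, context_words: Iterable[str] = (),
                     min_len: int = 8, max_len: int = 64) -> Tuple[bool, str]:
    """Length plus blocklist screening, with no composition rules.
    Returns (accepted, reason)."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(pw) > max_len:
        return False, f"longer than {max_len} characters"
    lowered = pw.lower()
    if lowered in BREACHED_PASSWORDS:
        return False, "appears in breached-password list"
    # Reject context-specific strings (user name, company name, service name).
    for word in context_words:
        if word and word.lower() in lowered:
            return False, f"contains context word {word!r}"
    # Reject trivially repetitive strings such as 'aaaaaaaa' or 'abababab'.
    if len(set(lowered)) <= 2:
        return False, "repetitive characters"
    return True, "ok"


def rotation_required(last_changed: date, today: date, compromise_evidence: bool,
                      legacy_max_age_days: Optional[int] = None) -> bool:
    """Legacy policy rotates on a calendar; the recommended policy rotates only
    on evidence of compromise. Pass legacy_max_age_days to emulate the old rule."""
    if compromise_evidence:
        return True
    if legacy_max_age_days is not None:
        return (today - last_changed).days >= legacy_max_age_days
    return False


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(candidate, "legacy:", legacy_complexity_check(candidate),
              "nist:", nist_style_check(candidate))
```

Running the block shows the point of the section: `P@ssw0rd` satisfies every composition rule yet is rejected by the blocklist, while a 28-character passphrase fails the legacy rule and passes the NIST-style one. A production deployment would swap the constructed set for a hashed breach corpus lookup and keep the composition rules out entirely.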

Looking ahead, many companies are exploring passwordless authentication methods.

“By going passwordless, companies can significantly reduce their risk of breaches, while making signup and login a much lighter lift for their customers,” said Julianna Lamb, Stytch CTO.

MFA isn’t a silver bullet

MFA adds an important layer of security, but poor implementation can undermine its benefits. Relying only on push notifications causes push fatigue. Users, annoyed by constant alerts, may approve login attempts without verifying them, giving attackers an easy way in.

Recent attacks have shown that some threat actors exploit weaknesses in MFA systems to bypass protections and maintain long-term access to accounts.

To address this, organizations should offer multiple MFA options such as hardware tokens, biometrics, or authenticator apps, which reduce reliance on push notifications.
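Offering alternative factors is the fix; detecting push fatigue while it is happening is the complementary control a security operations team would want. The following added example (not from the article or any product named in it) scans constructed authentication log lines in an assumed `key=value` format and flags any approval that was preceded by several denied or timed-out push prompts within a short window. The log format, field names, window and threshold are all this example's assumptions, not a real product's schema.

```python
"""Hypothetical push-fatigue detector over constructed MFA log lines.
Added example; the log format below is assumed, not taken from any real product."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: alice is bombarded and finally approves; bob approves
# once with no prior prompts; carol's single denial is hours before her approval.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice event=mfa_push result=denied
2024-05-01T09:12:41Z user=alice event=mfa_push result=timeout
2024-05-01T09:13:10Z user=alice event=mfa_push result=denied
2024-05-01T09:13:55Z user=alice event=mfa_push result=timeout
2024-05-01T09:14:30Z user=alice event=mfa_push result=approved
2024-05-01T10:02:00Z user=bob event=mfa_push result=approved
2024-05-01T11:00:00Z user=carol event=mfa_push result=denied
2024-05-01T16:30:00Z user=carol event=mfa_push result=approved
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts_str, *fields = line.split()
    rec: Dict[str, object] = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(log_text: str, window: timedelta = timedelta(minutes=10),
                        min_prompts: int = 3) -> Dict[str, int]:
    """Return {user: number_of_unapproved_prompts} for every approval preceded by
    at least `min_prompts` denied or timed-out pushes within `window`."""
    events: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "mfa_push":
            events[str(rec["user"])].append(rec)

    alerts: Dict[str, int] = {}
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["result"] != "approved":
                continue
            # Count prior unapproved prompts that fall inside the look-back window.
            prior = [
                r for r in recs[:i]
                if r["result"] in ("denied", "timeout")
                and rec["ts"] - r["ts"] <= window  # type: ignore[operator]
            ]
            if len(prior) >= min_prompts:
                alerts[user] = len(prior)
    return alerts


if __name__ == "__main__":
    print(detect_push_fatigue(SAMPLE_LOG))
```

On the sample data only `alice` is flagged (four unapproved prompts in the ten minutes before her approval); `carol`'s lone denial hours earlier stays below the threshold. An alert like this is a reasonable trigger to invalidate the session, force a phishing-resistant factor such as a hardware token, and contact the user.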

Security training that doesn’t stick

Cybersecurity training programs should keep up with trends and be engaging for employees. If the same format is repeated every year just to check a box, it’s unlikely to have any real impact. The training can become boring, and employees probably won’t remember the important points. Often, the problem isn’t the content itself but how it’s delivered.

What needs to change is the overall approach. Training should be tailored to the specific role each person performs. It should also be more engaging, moving beyond generic quizzes and outdated slides to formats that hold attention and reflect real threats.

“Frequent and engaging training sessions should be provided utilizing a mix of formats: interactive modules, phishing simulations, real-world case studies, in-person and virtual events, and newsletters, to name a few. Developing materials tailored to the audience, including non-technical roles, ensures that the messaging resonates,” explained Emily Wienhold, Cyber Education Specialist at Optiv.

Workarounds that weaken security

Overly strict or outdated policies often drive employees toward risky workarounds. These can include credential sharing to bypass slow access approvals, using unvetted SaaS tools (shadow IT), or adopting AI assistants outside company policy (shadow AI).

CyberArk found that 65% of office workers admit to bypassing cybersecurity policies to get their work done, while 70% of IT decision-makers have detected unauthorized AI use within their organizations.

“Once your AI use has been classified, an acceptable use policy for your entire organization needs to be laid out to ensure all employees know exactly what they can and cannot do when interacting with the approved AI-enabled applications,” noted Steve Tait, CTO at Skyhigh Security.

Security policies work best when they reflect how teams operate. That means gathering feedback from frontline users, running pilot programs, and analyzing where exceptions or noncompliance occur.

Effective security adapts with the business

Cybersecurity policies often fail because they ignore how work is done. When employees routinely bypass the rules, the issue is not a lack of awareness but poor design. Strong policies need to address real risks, evolve with the business, and support productivity rather than get in the way.

Rules created just to meet compliance requirements can backfire. Instead of improving security, they frustrate employees, slow down teams, strain budgets, and offer little real protection in return.

In contrast, practical policies that reflect how teams operate help people make better decisions, avoid risky shortcuts, and develop habits that support long-term security.

Organizations that adopt this approach do more than prevent breaches. They build a culture where security supports progress, where security protocols are viewed as helpful tools, and where protecting the business becomes a shared responsibility.

If we want policies that truly improve security, we need to design them for the people who use them. That is how we move from checking a box to creating real protection.
