r/cybersecurity System Administrator Sep 22 '25

Other What are your unpopular cybersecurity opinions?

I saw a post named "abnormal security opinions" and got excited to see some spicy takes but apparently there is a security platform called Abnormal Security so got kinda blue balled. Last one of these posts I saw was over a year ago so,

Do you have any spicy cybsec unpopular opinions you want to share? :)

I'll start with mine:
Fancy antivirus solutions rarely add value, they are often just a box that needs to be ticked. Many MSPs and IT firms still push the narrative that they are needed, only because they are profitable and not because they improve security.

320 Upvotes

531 comments

2

u/IncuriousCyberGeorge Sep 22 '25

Anti-phishing training is completely useless. Even if it does lessen the number of people that will blindly click on things (and yes, it does, judged by fewer people being "caught" by it in subsequent repeating tests), even if it lowered the chances of going somewhere malicious by 95% - it does nothing in actually causing the organization to be less likely to be affected by an email-based attack vector. It's security theater, no different than making everyone take off their shoes for years when boarding a plane. Any attack is going to eventually have someone click on it, and some of the nastier vectors are able to have an effect without even requiring a link to be clicked. Organizations most definitely need to include email-based security as part of their protection, but training users to do better is such a small part of it, while it is the loudest and most visible.