Some organizations handle their cybersecurity based on an array of myths stemming from a combination of mistrust, misunderstanding, and lack of information. These myths are at the root of common errors made by organizations of all sizes when safeguarding their data and network infrastructure.
Here are some of the most popular myths:
1. You’re Too Small to Be Attacked.
Smaller organizations made up nearly half of 2019’s victims – making them as likely a target as any large enterprise.
The high-profile hacks that make the news involve large enterprises, which often lulls small and mid-sized organizations into thinking they won’t be targets of attack. The opposite is true. According to the 2019 Verizon Data Breach Investigations Report, 43% of data breach victims were categorized as small businesses. The truth is that most businesses aren’t targeted specifically. Instead, they’re victims of automated systems designed to infiltrate any vulnerable network they find. Because these attacks are indiscriminate, any business can be damaged regardless of size. When attacks are targeted, they tend to focus on small businesses because they’re usually under-protected.
2. Hackers Only Target Certain Industries.
Any organization that has sensitive data, or just data that it can’t operate without, is vulnerable.
Just as some businesses believe they won’t be attacked because of their sizes, other businesses wrongly assume they won’t be attacked because their industries aren’t typical targets. This myth also goes hand-in-hand with the belief that some companies don’t have anything “worth” stealing. The truth is that any sensitive data held – from credit card numbers to payroll information – can make a business a target.
Even if the data targeted has no resale value on the dark web, it may be critical for the organization to operate. For example, ransomware can lock you out of all your data unless you pay for a decryption key. This makes such attacks very profitable for cybercriminals even when the data is considered “low value.”
3. Using Passwords Is Enough to Keep You Safe.
The kind of information users have access to is just as important as how they access information.
Strong passwords are one part of a foundation of good cybersecurity practices, but implementing and enforcing a strong password policy is just the beginning. Even strong passwords can be easily circumvented by things such as social engineering and complex malware attacks. Password reuse across multiple platforms also contributes to compromise.
One of the most overlooked components of data security isn’t about how people access the information — it’s about what information is available for them to access in the first place. Many companies with password policies don’t have a system in place to monitor basic user or administrator access. This problem creates a lot more risk once users are in the system. So without some form of multi-factor authentication, user access control, and encryption, one password — even if it’s a strong one — isn’t enough.
4. Using Antivirus Software Keeps You Completely Safe.
Antivirus is only the beginning of an effective security plan.
Antivirus/anti-malware software is another foundational element of sound cybersecurity practices. The quality of the solution you employ is a critical factor. Using a consumer-grade or freeware version of antivirus software leaves your network and data vulnerable to attack.
Another common mistake made with antivirus solutions is taking an “install it and forget it” approach. New cyber threats emerge daily, so it’s critical that all servers and user devices (not just some or most of them) have antivirus protection installed and a system to ensure updates are uniformly applied. Antivirus updates contain the latest files needed to recognize and combat new variants of malware. These updates are released daily (sometimes more often) and must be applied as they are released in order to be most effective. But even the best enterprise-quality solution properly configured for updates won’t protect against all threats. Good cybersecurity requires a comprehensive, multi-level approach, including threat detection and response capabilities and cyber awareness training for users.
5. Cybersecurity Is IT’s Responsibility.
All employees play a role in maintaining a strong security posture.
We often hear people say, “It’s IT’s job to handle security. That’s what we have an IT person for.” While an IT person definitely plays a big role in keeping organizations safe, cybersecurity depends on the behavior of all employees.
Today, an extremely high proportion of malware enters networks through email and infected web applications. If your employees aren’t trained on cyber-safe practices such as how to spot and report phishing attempts, any one of them can open up your organization to potential threats. This risk means every employee should be regularly trained and tested to ensure they use good cybersecurity practices.
6. Cybersecurity Threats Come From the Outside.
Threats from inside your organization are just as likely and harder to detect.
While outsider threats should always be carefully monitored, cyber risks are as likely to originate from inside your organization as outside of it. Verizon’s 2019 Data Breach Investigations Report found that 34% of all breaches involved insider threats, and such incidents have been on the rise for the last four years. Insider threats can occur for a variety of reasons, ranging from basic errors and lack of proper training to disgruntled employees. Improving security requires a hard, internal look at staff and policies, along with implementing a system to monitor and deter threats from wherever they come.
7. Personal Devices Used for Work Don’t Need to Be Secured.
All smart devices, including wearables, can compromise a network system.
Today, bring your own device (BYOD) policies are popular. They’re viewed by many organizations as a cost-effective way to let employees use the devices they like, but they also introduce a whole new avenue of risk. The assumption that personal mobile devices used to conduct business are secure is a serious error in judgment.
Apps with personal data, logins, and business-related information are easy to compromise, and every unsecured device is just another potential hole in your cybersecurity shield. Employee devices that have access to company systems and data must follow the same rigorous protocols and guidelines to which corporate-issued devices are subject. This rule shouldn’t be limited to smartphones and laptops; it should cover all devices that access the internet, including wearables and any IoT devices.
8. If Wi-Fi Has a Password, It’s Secure.
All public Wi-Fi can be compromised — even with a password.
If your organization has staff who travel, work remotely, or use shared workspaces, they may incorrectly assume that a password keeps a Wi-Fi network safe. The truth is Wi-Fi passwords don’t ensure security on a public network. These employees should be equipped with a Virtual Private Network (VPN) to keep their data more secure.
A VPN client on a device establishes an encrypted tunnel to your VPN server, so the user’s traffic passes through that tunnel instead of being exposed to the local network or ISP. A VPN encrypts connections and helps secure all of a user’s network traffic.
9. You Don’t Need Security Assessments or Tests.
You can’t reasonably expect your cybersecurity to be effective without actually testing it.
Vulnerability assessments and penetration testing are invaluable in improving security posture. Vulnerability assessments provide a list of known potential vulnerabilities detected in your systems, services, and applications, as well as ones attributable to misconfigurations. Vulnerability scans can be performed internally within the network as well as from outside the network.
Penetration testing is another type of security assessment. Compared to a vulnerability assessment, it is a more exhaustive, live examination designed to prove that the vulnerabilities found can actually be exploited. When it comes to cybersecurity, it’s impossible to know whether your defenses are actually working without testing them. Therefore, there’s no substitute for regularly performed evaluations to effectively identify and remediate security gaps.
10. Total Security Is Possible.
No one can guarantee you are 100% secure. New threats are emerging daily, making cyber defense a dynamic, ongoing process.
Cybersecurity is not a one-time task to be checked off and forgotten. Maintaining a strong cybersecurity posture is an ongoing job that requires continual adaptation to keep up with new and emerging threats. As security strategies and tactics adapt to meet those threats, new attack methods are developed to evade them. This means that even if you have the most sophisticated cyber program, 100% security protection is impossible to achieve.
Organizations can never eliminate attacks completely; they can only take a proactive approach toward reducing their probability and impact. You should always anticipate some form of cyberattack and have incident response preparedness and backup and disaster recovery (BDR) measures in place.