There’s quite a bit of misinformation floating around the web where cybersecurity is concerned – and it can cause a great deal of harm to your organization if you aren’t careful.
It’s up to you to cut through the noise to the truth of the matter. Today, we’re going to talk about some of the most prevalent (and most harmful) security myths on the web.
Some myths are entertaining and educational. They give insights into an ancient culture, religion, or society. They’re stories passed down from generation to generation; preserved bits and pieces of knowledge from men and women who once lived.
We aren’t here to talk about that kind of myth.
Instead, our focus today is on something a bit more insidious. See, though the Internet is one of the most powerful informational tools in human history, there’s also never been a greater source of misinformation. A flimsy rumor, a misunderstood explanation, or an outright lie can take on a life of its own.
Nowhere is this more evident than in the cybersecurity space, which has no shortage of its own misconceptions floating about. We’re going to talk about a few of the most common. Some of these have their source in simple ignorance – in assumptions made by business owners. Others are passed back and forth between the highest levels of the enterprise, while still more stem from buzzword-toting journalists.
Whatever their source, these rumors can and will cause harm to your business if you buy into them – and it’s time to stop.
The Basics Are Enough To Protect You
You’ve got a firewall and a VPN. Your employees’ accounts are protected by strong passwords, and your WiFi network is protected by an authentication code. You’ve taken every step necessary to protect your business from cyberattacks, right?
The things I described above are all important, yes. But they’re just table stakes these days. They’re the basics – the things every business should be doing; steps that form the foundation of a comprehensive approach to cybersecurity.
Passwords alone aren’t enough – you need two-factor authentication. Password-protecting your WiFi won’t help if it’s still a public network. An antivirus solution isn’t enough – you also need a means of responding to and mitigating cyber-incidents.
And as more people bring personal devices into the workplace, some form of endpoint management software is critical. That’s not even getting into the importance of file-level security to protect your data against supply chain attacks. Moreover, there’s also the matter of implementing strong security processes and procedures – rules and regulations that your staff both adhere to and understand.
If you subscribe to the belief that cybersecurity exclusively involves purchasing and installing some software, you’re in for a very rude awakening.
All Cyber-Criminals Are Sophisticated Hackers
It’s a common sight in Hollywood. A lone hacker – usually a young man wearing a grungy hoodie – sits in front of a bank of monitors, tapping away at his keyboard. The network he’s targeted is no match for his expertise, and he cuts through their complicated, expensive security systems like a hot knife through butter.
I’m sure there are a few technical geniuses out there that can crack systems as easily as most of us crack eggs. But the truth is that hackers like that are an absolute rarity. The chance of any business being targeted by such an expert – or by a team of such experts – is almost zero.
The truth is that most cyber-criminals are just looking to make a quick buck. They exploit known vulnerabilities, taking the easiest path possible to achieve their goals. And with the rise of cybercrime-as-a-service, we’re seeing a new breed of criminal that doesn’t even fully understand the hacking tools they’re using.
Even before that was a thing, there was a name for hacking troublemakers who only knew the basics of computer science – script kiddies.
There are certainly incredibly skilled hackers out there – state-sponsored black hats, expert hacktivists, and so on. But they make up only the barest fraction of criminals. Even then, most of them probably aren’t going to want to waste time breaking into your state-of-the-art security system.
They’ll just get Brenda in finance or Tim in human resources to open a phishing email with a malicious payload. Sure, they probably could crack your encryption. But why go to all the effort when they can get the same results by just typing a few sentences and hitting ‘send’?
Small Businesses Are Not A Target
Most of the time, when you hear about a major data breach on the news, it was one that targeted a massive, multinational corporation. I get it – such incidents are big news and impact a lot of people. But the prevalence of such stories has resulted in the problematic idea that hackers don’t target small to mid-sized organizations.
Or rather, it has reinforced that concept in the minds of many unsuspecting business owners.
It makes sense, really. Why would a criminal target your small business if they can gain so much more by going after a mega-corporation? Why would a hacker go after your startup when you’ve nothing worth stealing?
Simply put, because it’s easier. So much so that small businesses are actually becoming the target of choice for many. Imagine a criminal has two options.
They can go after a larger business that has a large, well-funded IT department, powerful cybersecurity infrastructure, and a strong network of partners. Or they can go after a group of smaller organizations in the same industry. Remember that hackers will almost always choose the path of least resistance.
In the time it would take them to break into the larger business, they might be able to compromise an entire swathe of smaller organizations. Ultimately, this would gain them more than if they’d sprung for the bigger fish right away, and for less effort.
“Smaller companies are attractive because they tend to have weaker security,” explains Inc Magazine Contributing Editor John Brandon. “They’re also doing more business than ever online via cloud services that don’t use strong encryption technology. To a hacker, that translates into reams of sensitive data behind a door with an easy lock to pick. If you have any Fortune 500 companies as customers, you’re an even more enticing target – you’re an entry point.”
Cybersecurity Is The Sole Domain Of The IT Department
The IT department still has an important role to play in both cybersecurity and user enablement, but it is no longer the sole gatekeeper of corporate infrastructure, nor the sole guardian of sensitive assets. The very nature of cloud computing and mobile technology means that sort of centralization is no longer possible. End users are more empowered than they’ve ever been.
While that means they can achieve more at work, it also means they have a greater capacity than ever to put corporate data at risk. To counter this, you cannot make cybersecurity IT’s job alone. Everyone needs to be on board with keeping corporate assets safe and secure.
Unfortunately, there’s no easy way to secure this buy-in. It’s going to take a lot of discussion. A lot of back-and-forth. A lot of creativity and effort poured into training materials that go beyond standard brochures and dry technical documents.
The important thing throughout this process is collaboration. Work together with people from every department in your organization to ensure that, whatever security solutions you deploy, they enable everyone to do the jobs they need to do.
Once You Have A Strong Security Posture, Your Job Is Done
Right. For the sake of argument, let’s say you’ve managed to get your security posture up to par. You’ve got the right policies and processes in place, total buy-in across your organization, strong security infrastructure, and excellent training and education.
You’re done, right?
Not exactly. The cybersecurity industry moves fast – overwhelmingly so. New vulnerabilities, tactics, and attack vectors are constantly being discovered, as are new security solutions and protective techniques.
Sure, you might have a strong security posture today. But miss one patch or get caught unawares by a new type of cyberattack, and that won’t really matter. Cybersecurity should be viewed as an ongoing process rather than a project.
Perform regular security reviews. Bring in a third-party analyst to help you go over your risk profile, crisis response tactics, infrastructure, and security policies. And keep an ear to the ground as far as security news is concerned, particularly as it pertains to your industry.
Be diligent, and be mindful.
Don’t Believe Everything You Read
There’s a lot of misinformation floating around where cybersecurity is concerned, and there are more myths than what we’ve covered here. Hopefully, after reading through this piece, you’ll be just a bit less susceptible to them. Keep a weather eye out, and stay safe – the web can be a dangerous place.
About the Author
Matthew Davis – Matthew works as a writer for Future Hosting, a leading provider of VPS hosting. He focuses on data news, cybersecurity, and web development topics. You can usually find him hiding behind a computer screen, searching for the next breaking news in the tech industry. For more great articles, check out FH’s blog.
Featured image: ©cil86