By Bradley Wolfenden
Myth #1- I Don’t Have Anything Valuable that a Hacker Would Want
To put it simply, yes you do. And if you operate any kind of connected device with an “it’ll never happen to me” mentality, that’s just the kind of thinking that almost certainly guarantees it will. Not only do hackers want your information to use for identity theft and fraud, but they can also leverage control over your PC to learn your behaviors, distribute malware, launch DDoS and other attacks, move laterally throughout your network to gain access to other, more “valuable” data/machines, and more. With the availability of automated attack tools, hackers can go after you even if they don’t know you – you are just part of the wide net that makes them money.
Myth #2- Anti-Virus Is All I Need to Stay Safe
The days of merely downloading and installing an anti-virus software to stay safe in the digital world are long gone. Yes, anti-virus software is a necessary part of protecting your enterprise, but it won’t protect you from everything. Security teams must now account for the entire cybersecurity landscape, factoring in emerging technologies, legacy systems, technology refresh lifecycles, new risks, ransomware, malware, zero-day attacks, compliance, regulations, aligning cybersecurity with broader, enterprise-wide strategies, and of course, those highly sophisticated attackers. This requires a comprehensive cyber strategy, awareness of best practices amongst all organizations within the business, a deep understanding of assets and the potential risk to the business should they be compromised, as well as a well-defined cyber incident response and resiliency plan.
Myth #3- Cybersecurity Threats Only Come from the Outside
There are countless harmful sources that pose a serious threat to your online safety, and they’re not limited to those that damage your business continuity and/or cyber posture from the outside. Yes, both accomplished and unsophisticated external actors threaten your cyber posture, but your employees can (and do), too, oftentimes without even knowing it. Per a 2017 report from Security Intelligence, insider threats (which include mis-configurations) account for nearly 75% of breach incidents. Cybersecurity training and strict policies around technology use/access are crucial to help minimize internal risks and ensure your employees understand that cybersecurity is everyone’s job.
Myth #4- Cybersecurity is the IT Team’s Job
When the entirety of an enterprise’s cybersecurity effort is left to the IT Team, significant gaps in overall cyber posture exist. Certainly, IT Teams have an important role in implementing and modernizing the technologies and policies that keep the organization cyber-safe, but your company is only as strong as your weakest link. For example, 49% of malware is installed via malicious e-mail exchange. This statistic, from Verizon, highlights the notion that cybersecurity is truly everyone’s job. If all employees aren’t trained on cybersecurity best practices, like how to spot a phishing scam and avoid engaging with unsafe links, new threats can easily be introduced into your network environment.
Myth #5- Only Large Businesses Get Targeted By Cyber Criminals
While popular news headlines may have you thinking otherwise, small- and medium-sized businesses are not safe from malicious actors -- particularly with the growth of profitable ransomware attacks. In fact, according to the 2018 Verizon Data Breach Investigation report, 58% of data breach victims are small businesses. The reality is that given their size, lack of skilled staff, budget restrictions, the frequent absence of a response plan, and the nature of “spray and pray” attacks, small and mid-sized businesses are “low hanging fruit” for cyber criminals.
Myth #6- All Careers in Cybersecurity are Technical Roles
This is one of my favorite myths to debunk, and in my opinion, one of the more important ones. We’ve all heard about the significant workforce gap in cybersecurity, and the only way we have a chance at reversing the trend is by encouraging workers to consider entering the cyber field. While there are technical roles to be had, cybersecurity is a dynamic, all-encompassing task that requires individuals from all backgrounds to contribute their uniqueness and varied skillsets in order for the team to be successful. Whether you have an engineering background, come from disciplines such as business, finance, law, psychology/sociology, or a number of others, obtained a higher educational degree or not, cybersecurity needs you!
Myth #7- Regular Patching/ Maintenance Isn’t Worth My Time
Application and hardware/ software updates don’t just pop up to eat your battery, force you to restart your device, and consume your monthly data allotment. Routine maintenance and patching extend the lifespan of your machines and systems, optimize performance, apply fixes to bugs and gaps in the existing technology, and increase responsiveness to security threats. This simple effort to install updates as they are released, patch systems when vulnerabilities are discovered, and conduct regular maintenance on all assets is critically important to upholding reliability, availability, and security objectives across your organization. This lesson was learned the hard way by the folks at Equifax, as neglecting this as a best practice was a major contributor to their recent breach.
Myth #8- The Shiniest New Product/ Technology will Solve All of My Problems
This myth is simply not true. And despite the attempts of some vendors to convince you otherwise, there is no blanket approach or one-size-fits-all remedy to your cyber risk. Cybersecurity best practices are complex and require a team effort, and integrating a new product or piece of technology will not solve all of your problems. Yes, introducing new products or technologies can certainly help extend your team’s scope or capabilities, better identify priorities, and support your decision-making, but they can also open the door to new risks and threat actors. As such, the folks responsible for implementing these new tools need to be hypercritical about how they complement the overall security strategy and fit in with existing/legacy systems.
Myth #9- Cybersecurity = Hacking
As cybersecurity becomes more important than ever, it remains largely mysterious to those not directly involved in the field. One result of this is best captured by the image of hackers in hoodies eating pizza while operating out of a basement: a one-(wo)man show with a big brain and a powerful computer taking down big business or sticking it to the man. This is undoubtedly one of the more damaging and limiting depictions of the field of cybersecurity. Cybersecurity is much, much more than this. From secure development of software to infrastructure design, persistent monitoring of network environments, and establishing policies, procedures and response plans, cybersecurity has become dynamic and all-encompassing. Think of it more like basketball than football. In football you have an offensive unit and a defensive unit, with neither on the field at the same time. On the basketball court, the same five athletes play both sides of the ball at all times. The latter is an accurate snapshot of cybersecurity.
Myth #10- ZERO-Day Exploits Should Be the Primary Focus of Cyber Teams
If ZERO-day exploits are the “Big Bad Wolf” when it comes to malicious activity, then of course we should give them all of our attention. Wrong! While these do pose serious harm to one’s ability to conduct online business reliably, intelligently, and safely, the “smaller,” more likely threats (e.g. phishing, insider activity, pass-the-hash, ransomware, etc.) cannot be ignored. At the end of the day, cyber teams should prioritize threats based on the risk assessment and threat model of their organization.