[BreachExchange] 7 common cyber security myths debunked
Audrey McNeil
audrey at riskbasedsecurity.com
Fri May 27 14:29:37 EDT 2016
http://www.itproportal.com/2016/05/26/7-common-cyber-security-myths-debunked/
If we look at the world of cyber security through the eyes of the media,
it’s a pretty frightening view. We hear story after story of security
breaches hitting major companies and the subsequent data leaks that follows
affecting thousands of people. It’s enough to fill any business with
trepidation.
With cyber security such a big talking point, we tend to see a lot of
information floating around – some of which is not in the least bit true.
If a company wants to enhance its IT security it is imperative to be able
to separate facts from fiction.
It’s these fundamental security myths that cause organisations to
incorrectly assess threats, misallocate resources and set inappropriate
goals. Dispelling those myths is key to developing a sophisticated and
appropriate approach to information security.
So, what are these myths exactly?
Cyber security? Just leave it to the IT department
Implementing appropriate technical controls to safeguard the information
that an organisation holds is the first line of defence against security
threats. However, the biggest issue faced by businesses is in regards to
the users of the systems where this information is held. These people
represent the most significant risk either through intentional actions, a
disgruntled staff member for example, or by accident. A 2015 HM Government
Information Security Breaches Survey found that 81 per cent of large
organisations reported some staff involvement in the breaches they suffered.
The most common threat today is ransomware, an attack that is typically
based on sending an email to a member of staff with an attachment. By
opening the file, malware is downloaded onto the computer and the rest is
then history. Educating staff to not open attachments or click on links is
one of the most important areas for organisations to concentrate on.
The risks from cyber-attacks are no longer just a matter for technical
teams. High profile attacks like TalkTalk and Sony have resulted in serious
financial and reputational damage being done. The result is that cyber
security is starting to become an issue that is handled at boardroom level.
Software will sort out your security issues
To deal with most cyber attacks, implementing good software management is
the first stage of the process. It covers two of the five basic controls
that CESG has listed as part of their Cyber Essentials scheme. Whilst it is
effective in limiting the success of an attack and mitigating the effects,
in isolation it simply cannot achieve everything.
Once again, people pose the biggest threat to secure information. Education
regarding exposing their organisations to danger must be implemented.
Businesses must strike a balance here though – introducing technical
solutions that are complex and unusable by staff is counterproductive and
will not protect sufficiently against attack.
It’s not all just a question of keeping the bad guys out
Most organisations that are serious about protecting their information
understand that a successful cyber attack is unfortunately inevitable – we
have to accept that trying to keep the bad guys out may no be possible For
the majority of businesses, implementing the controls set out by CESG would
prevent most straightforward attacks. However, what they are unable to deal
with are the less common but more sophisticated and prolonged attacks.
Well-developed processes across an organisation need to be implemented to
detect unauthorised network activity and initiate appropriate action
quickly. For any organisation holding significant amounts of sensitive or
personal data, they must drive change to get to a stage where their systems
can identify attacks and automatically change themselves to stop the attack
being successful – or minimise the damage that occurs.
It’s just the big businesses that will be attacked
A 2015 HM Government report confirmed that 74 per cent of small and
medium-sized enterprises reported a security breach. However, only 7 per
cent of small businesses expect information security spend to increase in
the next year.
The myth that small and medium-sized businesses don’t face a threat is
actually the very opposite. For a hacker, small and medium sized
organisations are seen as an opportunity as they believe less is being done
to protect data. This data might be information about clients, customer
details, bank details or it might be as a way into one of your customers’
systems where you are linked through e-commerce, by email or in some other
way.
The previously mentioned ransomware affects both SMEs and individuals
alike. Hackers are intelligent – they do not ask for millions from their
victims but instead ask for a sum of money that is significant but
acceptable to most people.
The weak point is the user who clicks on links in emails or opens
attachments. This is when the vicious circle beings. Before paying the
ransom to get back to “normal” operations, just remember there are many
gangs out there who will share your information. The evidence that you are
willing to pay will quickly be passed around to other similar groups.
If the manufacturers made computing safe we wouldn’t need to worry about
cyber security
Things are undoubtedly getting better when it comes to the hardware and
software that is being created – Windows 10 is widely accepted as being one
of the most secure Microsoft operating systems there has ever been for
example. Manufacturers understand the importance of security for users and
are working to improve this. They do face a challenge here though. If a
computer is too secure then users find ways around the security or do not
even use that system at all.
Technology can go so far but it is still often the users themselves who are
unpredictable and unreliable.
I don’t have anything worth stealing
Each and every one of us has personal and sensitive data that we want to
keep to ourselves and not share with anybody. In the Internet age we live
in though, this is becoming increasingly difficult.
One of the primary purposes (if not the only one) of the World Wide Web was
to share information. Once information about us is out in the Internet
domain, it’s no surprise that it can find its way into the hands of bad
people. It is essential to ensure that the more sensitive or personal
information is better protected.
This includes protecting information stored on our local PC, tablet or
smartphone. We need to realise than any device that can connect to the
Internet is an opportunity for hackers.
The Internet of things is a wonderful development
The Internet addressing protocol IPv6 will provide every single
Internet-enabled device in the world with its own unique address so that
they can be individually contacted. Smartphones, tablets, washing machines
and even cars will be included. Whilst our lives are becoming more
connected and convenient, a bigger opportunity for criminals to take
advantage of this has been created.
The hacker of today only needs access to the Internet to initiate an
attack. As connectivity to the Internet continues to grow, so does the
cyber attack surface available to hackers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160527/56c35687/attachment.html>
More information about the BreachExchange
mailing list