[BreachExchange] These Are 10 Cybersecurity Myths That Must Be Busted

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 4 20:28:20 EDT 2017


https://www.forbes.com/sites/williamsaito/2017/04/04/these-are-10-cybersecurity-myths-that-must-be-busted/#312677d266ea

Cybersecurity was huge in 2016. From ransomware to weaponized Internet of
Things (IoT) devices to foreign hacking of elections – last year saw it
all. But many of these threats aren’t new and will never really go away.
Over the last 25 years, one of the most valuable things I’ve learned in
attending conferences and talking to cybersecurity experts around the world
is that one of the greatest weapons we have to prevent cyber attacks is our
own mindset.

This column has previously touched on the importance of online hygiene and
why you should think of your online activities like eating. This post will
cover some misconceptions about cybersecurity itself. There are many
cybersecurity myths, but an accurate understanding of these 10 is critical
to your cyber posture as an individual, as a business, or as a government.

1. "Cyber risk" is a separate category of risk. There’s no such thing as
“cyber risk” – it’s risk. It’s the same risk that encompasses everything
from protecting intellectual property to competitiveness and safety of
personnel, and needs the same level of attention from the board of
directors and the executive team. The concept of cybersecurity risk isn’t
useful by itself, and treating it as a separate form is a distraction you
can’t afford.

2. Cybersecurity is just an IT issue. Earmarking online threats as
something for the IT department is one of the best ways to help those
threats proliferate. It’s important to remember that cybersecurity cuts
across departments and is the same regardless of the IT implementation or
vertical. Once information is digitized, everything from accuracy, privacy
and availability to integrity needs to be protected. Cybersecurity
requirements are paramount across an organization, from the data center to
the branch office and mobile device.

3. Protecting yourself is good enough. Organizations must be aware of
others in their community and how they’re acting when it comes to
cybersecurity questions. Some of the biggest headline-grabbing breaches of
recent years involved third parties or organizations subordinate to the
entity that was hacked. Everything in your ecosystem, from subcontractors
to subsidiaries, vendors and accounting firms, can be a threat vector.
Security is only as strong as the weakest link, and sometimes that weak
link is beyond your four walls.

4. Digital and physical security are separate systems. In today’s automated
world, more and more devices, such as the elevator in your building and
components in the public transit system, are getting connected and being
controlled digitally. It’s now common for attackers to modify device
software and potentially destroy physical infrastructure – at a minimum,
creating tremendous inconvenience with potential catastrophic consequences.

5. Going back to paper (or disconnecting from the internet) minimizes risk.
The unplugging approach can lead to many problems apart from the potential
damage to efficiency and productivity. Disconnecting, implementing “air
gaps” or going back to paper can actually increase vulnerabilities. One
can’t know if paper copies of data have been illicitly copied or removed.
Meanwhile, air-gapped and disconnected networks are harder to monitor
because less logging takes place; also, due to the inconvenience, they're
not updated with security patches as often.
Ironically, increasing your attack surface this way makes it easier for
criminals to find the valuable information and strike unnoticed.

6. Getting hacked is an embarrassment. Many people hesitate to share their
stories about getting hacked. This can be perceived as losing face,
especially in Asian countries. However, it’s important to understand that
everyone is vulnerable and it’s better to learn from one another by
communicating. Unfortunately, there are only two types of organizations
today: those that have been hacked and those that have been hacked but just
don’t know it yet. Hiding a breach and letting it fester will only worsen
the long-term damage.

7. Using antivirus software is enough. AV might have worked in 1997, but 20
years later it sure won’t. Hackers have found multiple ways to subvert
antivirus software and hide their own attacks in a system, in many cases
for an average of six months. With the advent of ransomware, the timeframe
from infection to damage has become almost instantaneous. In today’s world
of quick and persistent threats, a prevention mindset to mitigate both
known and unknown threats is essential. AV is terribly outdated.

8. Cybersecurity is just a form of defense. Again, this is a shortsighted
view of an essential resource and way of thinking. Security needs to be
positioned as a strategic advantage since it can boost efficiency and save
money. Not only is security by design and by default important for
protection, creating an integrated implementation will enhance the usability
of products and services and generate a competitive advantage. At a minimum,
it will allow us to take back the many benefits ICT provides, and in a safe
and secure manner. Stop thinking of cybersecurity as merely a cost center
and understand its value as a business enabler.

9. New features of IoT devices trump security. Security by design is
becoming increasingly common in IoT devices. It basically means
implementing features so devices can work and survive in a “zero trust”
environment. Security should be integrated, automatic and transparent.
Usability is key. You can't expect people, especially elderly users, to
jump through technical hoops to ensure security at the expense of
productivity or efficiency.

10. You’ll never get attacked or breached. This kind of thinking – that it
will never happen to me – is almost a guarantee that it will. It’s equally
unwise to have total confidence in the strength of one’s security and
especially one’s security devices. There’s no such thing as perfect
security – the key here is resilience. That’s the ability to take a hit and
keep going, or, in certain cases of failure, to default to a protected state.
You should architect security with a prevention-first mindset, and also
view attacks as an opportunity to learn about vulnerabilities and grow
stronger based on that knowledge.