[BreachExchange] 8 Cybersecurity Myths Debunked

Destry Winant destry at riskbasedsecurity.com
Mon Feb 4 07:21:40 EST 2019


https://www.darkreading.com/vulnerabilities---threats/8-cybersecurity-myths-debunked/a/d-id/1333746

The last thing any business needs is a swarm of myths and
misunderstandings seeding the common, frequent errors that
organizations of all sizes make in safeguarding data and infrastructure.

Cybersecurity plays an integral role in any good business model. You'd
be hard-pressed to come across an enterprise that doesn't have some
form of cybersecurity policy as part of its infrastructure. But even
cybersecurity programs built with good intentions can fall short. Why?
The best intentions are often based on an array of myths perpetuated by
a combination of mistrust, misunderstanding, and lack of information.
These are the myths of cybersecurity, and I'm going to break down some
of the most common ones found throughout the tech industry.

Myth 1: You're Too Small to Be Attacked
You read about data breaches all the time. Big companies suffer
intrusions in which millions of user records are compromised by the
nebulous realms of hackers. "Well," you think, "that'll never happen
to my business, there's not enough value, we're too small." And that's
just wrong. In 2016, 43% of all cyberattacks were conducted against
small to medium-sized businesses. This is a growing trend, with
malware and malicious attacks escalating in both complexity and
frequency. You're as likely a target as any major enterprise, so
don't buy into this line of thinking.

Myth 2: Passwords Are Good Enough
The downfall of any security policy is the lazy "set it and forget it"
mentality. One expression of this lethargic approach is adopting
complex passwords and believing that is good enough. You have your
staff memorize a 12-character login phrase with special characters,
caps, and numbers? That must be enough!

It's not, because a mix of social engineering and complex malware
attacks can circumvent it with alarming ease. Password reuse across
multiple platforms makes you dependent on the security of other
organizations: a breach of their password database places accounts at
risk on your systems. Malicious third parties employ a wide range of
bots and automated attacks to hasten their process, and without
two-factor authentication and a level of encryption (especially on
vulnerable public networks), one password just isn't sufficient in
today's dangerous cyber world.

Myth 3: Antivirus Is Good Enough
The "set it and forget it" philosophy that undermines password policy
applies equally to your antivirus setup. It's tempting to believe the
fancy software your enterprise invested so much capital in will thwart
any and all attackers, but again, that's not true. Antivirus is of
foundational importance, but good cybersecurity requires a rigorous
program that includes protection, detection, and response preparation
along with safe practices for user behavior.

Myth 4: It's IT's Problem
Computers are hard, so let IT handle everything, right? This, again,
is a foolish way to look at cybersecurity. Some businesses lack the
capital to hire experienced staff. And, even with a good IT team, said
staff are limited in what they can handle. If you expect your IT team
to manage every single tech-related problem, from resetting logins to
managing network infrastructure and dealing with potential intrusions,
you're asking for trouble. Every staff member should be familiar with
good cybersecurity practices.

Myth 5: BYOD Is Safe
While a BYOD (bring your own device) policy is popular and
cost-effective, it's a whole new avenue of risk for a business.
Assuming smartphones and mobile devices brought by staff are secure is
a serious error in judgment. Apps with personal data, logins, and
business-related info are easy to compromise, and every unsecured
device is just another potential hole in your cybersecurity
foundation. It's important that employees follow rigorous guidelines
when using their own hardware.

Myth 6: Total Security Is Possible
The eternal struggle of cybersecurity is its constant need to adapt to
new threats. As security teams adapt strategies and tactics to meet
those threats, attacks evolve to counter the changes. It's a constant
battleground, meaning total security is impossible to achieve. A
business should always expect some form of cyberattack and should
always have backup and disaster recovery (BDR) measures, along with
incident and crisis preparedness, in place. You can only take a
proactive approach towards malicious threats, not counter them in
their entirety.

Myth 7: You Don't Need Assessments and Tests
I couldn't think of a more disastrous approach to a cybersecurity
plan. This is like working on a term paper and submitting it with zero
revisions, edits, or extra eyes. You cannot reasonably expect your
current cybersecurity plans to be foolproof without conducting
assessments and penetration tests. These self-evaluations are
invaluable, revealing where you're weakest and strongest.

Myth 8: Threats Are Only External
Competent security requires just as hard a look at internal staff
and policies as at the various external attacks. This is because
cybersecurity risks, whether from human error or malign intent, are as
likely to emerge from inside your own enterprise as from outside it.
More is at risk, too, considering staff are the pathway to the most
sensitive info.
