[BreachExchange] Top Five Common CISO Myths Debunked

Destry Winant destry at riskbasedsecurity.com
Mon Jan 11 10:41:10 EST 2021


https://www.forbes.com/sites/forbestechcouncil/2021/01/11/top-five-common-ciso-myths-debunked/?sh=54ea05123ca7

With millions now working from home and cybercrime at an all-time
high, cybersecurity has become a top priority for most businesses.
Myths and misconceptions must not cloud a CISO's judgment, because one
wrong move can put an entire enterprise at risk. Some common
cybersecurity misbeliefs include:

1. Data Backups Will Save You From Ransomware

One of the most common misconceptions security teams hold today is
that regular backups make you safe from ransomware, on the reasoning
that encrypted files can simply be restored.

That assumption collapsed when the Maze gang introduced so-called
double extortion: ransomware that exfiltrates data before encrypting
it, so that the attackers can threaten to publish the stolen data
unless a hefty ransom is paid. Restoring from backup does nothing
about a copy the attacker already holds. An estimated half of all
ransomware attacks now involve data exfiltration, pushing average
ransom demands to new highs; the Ryuk ransomware alone reportedly
took in $61 million in less than two years.

The latest strains of ransomware are also evasive. Operators dwell
inside victims' networks for months, scouting for crown jewels such as
intellectual property, employee credentials and customer data. Once
they hold enough to keep the victim hostage, they extort the business
and its employees, partners and customers. Operators also go after
backups before they encrypt, including cloud and network-attached
backups reachable with the credentials they have harvested, so a
backup that the compromised environment can reach and delete is not a
safeguard. Only offline or immutable copies that have been tested for
restore survive this playbook, and even those do not address the
exfiltration half of the attack.

2. Complex Passwords Are Safer Than Simple Passwords

This is one myth that challenges conventional wisdom and raises the
eyebrows of many a security leader. Contrary to popular belief, NIST's
digital identity guidelines (SP 800-63B) concluded that mandatory
complexity rules and frequent forced changes lead to poor password
behavior in the long run.

On average, an individual is expected to remember 70-80 passwords at a
time, which increases the likelihood of recall failure. This is why
users end up storing passwords insecurely (sticky notes and
spreadsheets) or reusing them with predictable tweaks. NIST's answer
is to drop composition rules in favor of longer, simpler passphrases,
to screen new passwords against lists of known breached and common
values, and to force a change only when a password is known or
suspected to be compromised. The FBI issued similar advice in 2020,
telling users that longer passwords built from simple words are far
better than short, complex passwords padded with special characters.
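The following password-acceptance check is an added example, not code from the article or from NIST; it shows what the SP 800-63B approach described above looks like in practice: a length floor and a generous ceiling, Unicode normalization, a blocklist of breached, common and context-specific values, and deliberately no uppercase/digit/symbol requirement and no expiry. The breached-password set, the username and the service name are constructed stand-ins; a real deployment would check against a full breached-password feed.

```python
"""NIST SP 800-63B style memorized-secret check (added example).

Instead of composition rules and scheduled rotation, the verifier
enforces length limits and a blocklist. The BREACHED set and the
service name are constructed for illustration only.
"""
import unicodedata
from dataclasses import dataclass

MIN_LEN = 8    # 800-63B: at least 8 characters for user-chosen secrets
MAX_LEN = 64   # 800-63B: verifiers must accept at least 64 characters

# Constructed stand-in for a breached-password feed (millions of entries
# in production, or a k-anonymity range lookup against such a feed).
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1",
            "iloveyou", "monkey", "dragon"}

# Common "leetspeak" substitutions, undone before the blocklist lookup so
# that "P@ssw0rd" is recognised as "password".
_DEMANGLE = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                           "4": "a", "5": "s", "$": "s", "!": "i"})


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def _normalize(pw: str) -> str:
    # NFKC so the same visual secret does not pass or fail depending on
    # how the client encoded it; spaces and all printable Unicode allowed.
    return unicodedata.normalize("NFKC", pw)


def _is_repetitive_or_sequential(pw: str) -> bool:
    s = pw.lower()
    if len(set(s)) == 1:                       # "aaaaaaaa"
        return True
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})                # "abcdefgh", "87654321"


def check_password(pw: str, username: str,
                   service: str = "example-corp") -> Verdict:
    """Return whether pw is acceptable for `username` and why not if not."""
    pw = _normalize(pw)
    # Count code points, not bytes, so non-ASCII passphrases are not
    # penalised.
    if len(pw) < MIN_LEN:
        return Verdict(False, f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        return Verdict(False, f"longer than {MAX_LEN} characters")

    low = pw.lower()
    if low in BREACHED or low.translate(_DEMANGLE) in BREACHED:
        return Verdict(False, "appears in breached-password list")

    # Context-specific words: the account name and the service itself.
    for ctx in (username, service):
        if ctx and ctx.lower() in low:
            return Verdict(False, f"contains context-specific word {ctx!r}")

    if _is_repetitive_or_sequential(pw):
        return Verdict(False, "repetitive or sequential characters")

    # Note what is absent: no "must contain a digit/symbol" rule and no
    # expiry date. Rotation is triggered by evidence of compromise only.
    return Verdict(True, "ok")


if __name__ == "__main__":
    for candidate, user in [("correct horse battery staple", "alice"),
                            ("P@ssw0rd", "alice"),
                            ("alice2024!", "alice"),
                            ("12345678", "bob")]:
        v = check_password(candidate, user)
        print(f"{candidate!r:32} -> {v.accepted} ({v.reason})")
```

The four-word passphrase passes without containing a single digit or symbol, while "P@ssw0rd" satisfies every classic complexity rule and is still rejected, which is the point the passage makes.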

3. Running An Obscure OS Keeps Your Network Safer

Another popular belief is that running a lesser-known operating system
(OS) makes you less prone to a breach. For years it was taken for
granted that macOS was much safer than Windows. Yet in 2019 detected
threats against Apple's macOS grew by roughly 400% year on year, and
threats detected per Mac endpoint outpaced Windows by nearly 2-to-1.

There is some truth in the obscurity argument: because niche OSs are
not used by the masses, an opportunistic attacker has to work harder
to find a victim. But if the attacker's aim is a specific business or
individual, they can build custom malware for that OS's
vulnerabilities. What is more, lesser-known OSs tend to have thinner
coverage from endpoint security tooling, and less logging, visibility
and central management, so if a machine is compromised you are less
likely to find out. Finally, by some estimates around 90% of attacks
begin with social engineering or phishing, which works on the user
regardless of the OS. Whatever platform you run, you remain a target.

4. Firewalls And Antivirus Provide Adequate Protection

It is widely believed that endpoint security software and firewalls
provide effective coverage against cyberattacks, but by today's
standards that is not true. Recent surveys report that, globally, 91%
of enterprises that were breached had up-to-date security protection
in place. Part of the reason is that employees working from home
during the pandemic are no longer behind the traditional office
perimeter that the firewall defends. Major business applications are
moving to the cloud, adding complexity and increasing the attack
surface outside that perimeter. And phishing alone can compromise an
endpoint or expose credentials without tripping either control.

5. Users Can’t Be Trained — Technology Is Your Best Defense

There is a common belief that no matter how hard you try, the attacker
will eventually outsmart your users, so training is wasted effort.
Admittedly, many technical people would rather solve concrete
technical problems than train colleagues. But a hacker or phisher
should not be the only one testing your employees. If you do not test
them, someone else will. Would you rather your employees make their
mistakes in a controlled simulation, or wait for a real security event
that will surely cost more?

Research suggests that after 90 days of simulation-based training, the
average phish-prone percentage (the share of users who fall for a
simulated phish) dropped by more than 60%, from 37.9% to 14.1%, and by
87% after 12 months of continued testing.

Cybersecurity is risk management, and the only way to truly decrease
your risk is to raise your overall security awareness. Understand how
attackers work. Determine your strengths and weaknesses. Deploy
infrastructure that can evolve at the pace of technology. Train your
people to recognize red flags. And finally, steer clear of myths,
urban legends and misconceptions like those above.
