Summary: Cyberattacks are more sophisticated and frequent than ever, and the cost of recovering from a data breach keeps climbing. Yet many companies remain unprepared for an attack. Why? In many cases, they believe common cybersecurity myths that put their data (and their customers’ data) at risk.
Cyberattacks are on the rise. The problem is only growing worse.
How bad is it? U.S. data breaches reached a record high in 2014, when 43% of companies reported experiencing a breach, and that number is expected to rise again this year.
How much does a breach harm a business? One study puts the average cost of a data breach at $3.8 million, up from $3.5 million a year earlier. That figure covers every aspect of a breach: hiring experts to investigate and contain it, offering help to affected customers, repairing a damaged reputation, and more.
The problem: Many companies are easy targets for a cyberattack, but don’t realize it. Some just don’t take security seriously. Others believe common security myths that place their data at risk.
What are these misconceptions? Today, let’s explore some of the most common myths and explain why they’re false.
Myth #1: We can’t get malware because we have antivirus
This is a common consumer belief, but many businesses also place too much faith in antivirus software. The fact is, it cannot protect your business from every type of malware.
Why not? Antivirus software is built to recognize KNOWN malware: it matches files against signatures of samples the vendor has already seen. But threats constantly evolve. New malware variants and new vulnerabilities emerge all the time, and a sample that has been repacked or lightly modified may no longer match any signature. While antivirus software is important, you must understand that it is a reactive approach that cannot protect you from everything.
“Traditional reactive measures are no longer sufficient to keep users and endpoints safe,” says Andrew Avanessian, VP at Avecto. “The prolific growth of malware, and the increasingly sophisticated threat landscape, mean that antivirus is unable to detect advanced evasion techniques. With legacy approaches quickly becoming obsolete, leaving companies vulnerable to attack and further infiltration, the first and most important step for making environments more secure is getting rid of end user admin rights. This proactive measure will ensure that complementary defenses like anti-malware, whitelisting and firewalls can actually be effective in tackling ever more complex threats.”
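To make the "reactive" point concrete, here is a small added example (written for this page, not code from any vendor quoted above) of how signature-based scanning works and why it misses trivially altered samples. The "malware" bytes, the detection name and the one-byte XOR packer are all constructed for illustration:

```python
import hashlib
import re
from typing import Optional

# Constructed sample: these bytes stand in for a malicious file the AV vendor
# has already analyzed. Nothing here is a real malware family.
KNOWN_SAMPLE = b"\x4d\x5a\x90\x00" + b"EVIL_PAYLOAD:drop_and_exec" + b"\x00" * 8

# Two common signature types, both derived from the sample the vendor has seen:
# an exact file hash and a byte pattern found inside it.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Example"}
PATTERN_SIGNATURES = [(re.compile(rb"EVIL_PAYLOAD:drop_and_exec"), "Trojan.Example")]


def scan(data: bytes) -> Optional[str]:
    """Return the detection name if any signature matches, otherwise None."""
    hit = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if hit:
        return hit
    for pattern, detection in PATTERN_SIGNATURES:
        if pattern.search(data):
            return detection
    return None


def xor_pack(data: bytes, key: int) -> bytes:
    """Toy 'packer': XOR every byte with a one-byte key. The payload is unchanged,
    only its on-disk representation differs, which is enough to defeat both
    signatures above. Applying it twice with the same key restores the original."""
    return bytes(b ^ key for b in data)


def main() -> None:
    # 1. The exact sample the vendor has seen: caught by the hash signature.
    print("original:", scan(KNOWN_SAMPLE))
    # 2. One appended byte: the hash no longer matches, the byte pattern still does.
    print("1 byte appended:", scan(KNOWN_SAMPLE + b"\x01"))
    # 3. Packed variant: neither signature fires, yet the same payload runs once unpacked.
    packed = xor_pack(KNOWN_SAMPLE, 0x5A)
    print("packed:", scan(packed))
    print("unpacks to original:", xor_pack(packed, 0x5A) == KNOWN_SAMPLE)


if __name__ == "__main__":
    main()
```

The three results show the gap the quote describes: the scanner can only flag what it already has a signature for, so an attacker who controls the bytes on disk can keep the same behaviour while changing the representation. Controls that do not depend on recognising the sample (removing admin rights, application whitelisting, least privilege) are what close that gap.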
Myth #2: We are safe because we have a firewall
On a similar note, many businesses put far too much faith in their firewall. While firewalls are important, they are only the first line of defense. What happens if an attacker gets past the firewall, for example through a phishing email that a user opens from inside the network? What happens if the firewall is improperly configured or not maintained? Either could put your entire network at risk.
“My number one security myth to bust is ‘We are safe because we have a firewall,’” says Oli Thordarson, President, CEO – Alvaka Networks, Inc. “While that is a refrain I hear more often from small businesses rather than enterprises, I still hear variations of that from the enterprise. It is also common to hear that refrain from executives at an enterprise. The variation I hear from enterprise IT staff is their pointing to a lot of additional magical security devices and software in that solutions version of ‘We are safe because we have this magical device….’”
Myth #3: We’re not a target
Maybe your company doesn’t store sensitive data. Maybe you don’t have data that any hacker might want.
Does this mean you’re not a security target? Not at all!
“At the grass roots, when I pitch security to potential customers, somebody always says, ‘Wait a minute. We’re not keeping national security secrets here. Why should we spend money on all this security?’ While you may not be the ultimate target of a cyberattack, you can easily become an unwitting partner in a major cyberattack. Just ask the HVAC contractor in Pennsylvania with access into the Target network about what that’s like,” explains Greg Scott, author of the new security education book, “Bullseye Breach.”
The fact is, every business is a target. Maybe attackers aren’t after your data; maybe they use your weaknesses as a stepping stone to reach their real target. And those who believe they aren’t a target often make better targets, because they have weaker defenses.
“Most attacks are random,” says Frank Bradshaw, President at Ho’ike Technologies. “Attackers send out phishing emails hoping anyone would open them. Yes, there are targeted attacks (OPM, IRS, Sony for example were targeted) where criminals are looking at a specific target for what they have and go directly after them. Most organizations that are breached are breached by a random attack that happens to get through the defenses. As big as Target’s breach was, it was a small HVAC vendor with weak defenses that was the root cause. Many SMBs think they are too small, but they are the right size. You have information or access to information and less resources to protect yourself.”
Myth #4: If we haven’t yet been breached, our IT systems are secure
Why do some business leaders treat security as an afterthought? It’s usually because they’ve never experienced a data breach. They assume this means their systems are secure.
The problem with this assumption: the security landscape constantly changes. New vulnerabilities are found in software you already run, configurations drift, and attackers adapt. You may be secure today, but what about tomorrow? As explained below, you must always be on guard.
“When you see the systems up and running without any interruption – here comes the peace of mind, which for any cybersecurity pro is a sign that they might be missing something critical,” says Michael Fimin, CEO and co-founder of Netwrix. “How to avoid that? When dealing with cybersecurity, remember that everything is changing. And your main goal is to obtain pervasive and true visibility into any changes made across the entire IT infrastructure. Knowing who changed what, when and where, and who has access to what will provide you with permanent control over your data, and give you precious time to react to any burst of suspicious activity.”
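The "who changed what, when and where" visibility in the quote above starts with a baseline to compare against. As an added example (written for this page, not a Netwrix product or the author's code), here is a minimal file-integrity check: snapshot a directory tree, then report files that appeared, disappeared, or changed in content or permissions. The directory layout, file contents and the simulated tampering are constructed for the demo:

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# One record per regular file: (sha256 of content, permission bits, size)
Entry = Tuple[str, int, int]


def snapshot(root: str) -> Dict[str, Entry]:
    """Walk `root` and record a content hash, permission bits and size for every
    regular file, keyed by its path relative to root (always with '/' separators)."""
    entries: Dict[str, Entry] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = (digest, st.st_mode & 0o7777, st.st_size)
    return entries


def diff_snapshots(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Tuple[List[str], List[str], List[str]]:
    """Compare two snapshots. Returns sorted (added, removed, modified) path lists.
    'modified' covers content *or* permission changes, so a quietly edited config
    file and a script that became world-writable both show up."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, modified


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: baseline a small tree, simulate an intruder's changes,
    and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "www"))
        files = {
            "etc/app.conf": b"db_host=10.0.0.5\nadmin_users=alice\n",
            "www/index.php": b"<?php echo 'hello'; ?>\n",
            "etc/motd": b"Welcome\n",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        baseline = snapshot(root)

        # Simulated tampering (constructed): an extra admin appended to the config,
        # an unexpected script dropped into the web root, and a file deleted.
        with open(os.path.join(root, "etc/app.conf"), "ab") as fh:
            fh.write(b"admin_users=alice,mallory\n")
        with open(os.path.join(root, "www/cmd.php"), "wb") as fh:
            fh.write(b"<?php system($_GET['c']); ?>\n")
        os.remove(os.path.join(root, "etc/motd"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

In practice the baseline would be stored somewhere the monitored host cannot rewrite it (otherwise an intruder simply re-baselines after tampering), and the "who" and "when" come from correlating each reported path with audit logs. The check above answers only "what changed", which is the part most organisations never look at until after an incident.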
The other problem with assuming your systems are secure because you haven’t experienced a breach: how can you know for sure? Not all breaches are obvious. The best attackers know how to get into your systems, take what they came for, and leave without a trace.
“Perfect security has always been a myth and it’s hard to imagine how anything could be 100 percent safe in the physical world,” says Nathaniel Borenstein, chief scientist at Mimecast. “Unfortunately, Internet-based information attacks are even harder to deal with, in part because one doesn’t necessarily even know when the attack has happened. It would be hard not to notice a hijacked plane flying through the sky, but a clever cyber-attacker has the potential to get into a system, do his dirty work, and get out without being noticed. Thus, while we should put into place the toughest cyber-defenses we can manage, we should also work from the assumption that they will sometimes fail, and institute fallback strategies, or multi-layered defenses.”
“This sounds simple, but it stands a lot of current practice on its head. People tend to assume that what’s on their “internal” network is safe, but it isn’t, and it should always be treated as suspect. This means that even on your internal network, you should be using strong encryption and multi-level access control for sensitive documents, and two-factor authentication for critical actions. That way, someone who has broken into your network is somewhat less likely to be able to read your sensitive documents, or cause something bad to happen in the physical world. In short, you should pay as much attention to securing what’s inside your network as you do to keeping the bad guys out of it.”
Myth #5: Technology can fix our security issues
Imagine your business is a castle. You’ve built the strongest walls, added extra fortifications, and even created an alligator-filled moat. Your defense could not possibly get any better. Then, one of your soldiers leaves the drawbridge down and your enemy walks right through your front door.
This is a great analogy for the modern business. Many companies fortify their systems with the best security products. But, they lack a security plan. They don’t educate their users about proper security practices. Or, they give their users too much data access.
Am I saying that security technology is worthless? Not at all. In fact, it’s necessary. But, no amount of technology will protect you from uninformed users with too much access.
“The biggest single myth about cybersecurity is that the organizations will be safer if only they would deploy more security products,” says Jonathan Gossels, CEO of SystemExperts. “The best products in the world can’t keep you safe if you do not have an overall plan, a coherent architecture built on a comprehensive framework like ISO 27002, security policies to ensure appropriate behavior and handling of sensitive data, and a security-knowledgeable workforce. Technology is secondary – a distant second. 3 P’s – People, Policies, and a Plan matter most.”
Myth #6: Our developers are building secure applications
Let me ask you a question: Are your business applications secure? How do you know?
Many business leaders simply assume their developers create secure applications. They check that an application includes the requested features and meets its requirements, without giving any thought to its security.
Here’s a statistic that might make you think twice about that approach: 96% of all web applications contain at least one “serious vulnerability.” These vulnerabilities open the door for attackers, and can lead to data loss, complete system takeovers, and much more.
The problem can be summed up simply: we’re still fighting the same software security battles we fought a decade ago. Despite the importance of security, developers still deliver applications with well-known classes of vulnerabilities. They’re making the same mistakes that were made 10 years ago.
Why? Why do businesses create insecure applications year after year? The truth is, the blame doesn’t completely fall on developers. In many ways, businesses bring it on themselves. Here are a few ways:
- They provide no incentive for security: Peter Drucker is famously quoted as saying, “What is measured improves.” The problem for many developers: Security isn’t measured. Rather, they get rewarded for features and development speed…not security.
- They impose short deadlines: As businesses place greater importance on application development speed, security suffers. Developers rush through the project—ensuring it meets all the business requirements. But, this often comes at the expense of proper security practices.
- They treat security like a feature: Shortly after the healthcare.gov site went live, a “white hat” hacker testified on Capitol Hill that security was never properly built into the site. Many businesses struggle with this same problem. They treat security like any other feature that they can add to an application. The problem: Security isn’t something a developer can add at the end. You must build security into the application.
If you think about it, developers are placed in a no-win situation. They’re tasked with developing modern applications. They must keep up with ever-evolving application trends. They’re faced with tight deadlines. Unless the business can afford a dedicated security engineer, the developer is in charge of security as well. Are we at all surprised that application development security is suffering?
So, how can you fix this? As a business leader, you must make security a top-down effort. It must be measured constantly and treated as a requirement from the first design discussion, not as a task for the end of the project. You must instill a “security culture.” Only then will it improve.
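One of those decade-old mistakes, shown as an added example (written for this page, not code from any project or vendor mentioned above): a lookup that splices user input into SQL, beside the parameterized version, both run against a constructed in-memory SQLite table. The final assertion-style check in `demo` is also the kind of thing the "what is measured improves" point calls for: a test that fails the build when the hostile input returns rows.

```python
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Query built by string formatting: whatever the caller supplies is parsed as SQL.
    Kept deliberately vulnerable to show the failure."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterized query: the input is bound as data and can never change the
    statement's structure, so quoting tricks in the value are harmless."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Run both lookups with a normal username and with a classic injection string."""
    conn = make_db()
    benign = "bob"
    hostile = "x' OR '1'='1"  # closes the quote and appends an always-true condition
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:18s} -> {rows}")
```

With the hostile input the string-built query returns every row in the table, while the parameterized query returns nothing, because the quote character is just part of the value being compared. Writing a regression test for exactly that behaviour is cheap and turns "is this application secure?" from a feeling into a measurement.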
Myth #7: We passed our audit, so we are secure
Now, security audits are one way to measure security. But, many companies make the mistake of assuming a passed security audit equals security. As explained below, while audits are helpful, they don’t guarantee security.
“Passing an audit is great,” says Ryan Tappis, Managing Director of Northramp, LLC. “But it doesn’t guarantee security. Think the large retailers didn’t pass their PCI audits prior to being breached? They did. Audits are a point-in-time assessment of an organization’s security posture. Technologies, vulnerabilities, and attack vectors change by the minute.”
The other myth companies believe about audits: It will give you better security. Some businesses believe that an auditor will come in and fix their broken systems or security habits.
“As an auditor, we are asked to validate what is in place and to assess the risk,” says Carlos Peláez, CISA, PRINCE2, Director and National Practice Leader at Coalfire. “Many companies look to us to go beyond this and change security configurations, for example. Others think that our presence will somehow embed better habits in their IT Security teams. However, the problem most companies face when it comes to cyber security is not a lack of audits. Most companies have plenty of audits and they spent a good amount on security. The challenge that they are trying to solve is heightened security awareness followed by comfort that they are not placing the company at risk. Unfortunately, an audit won’t solve that because the true solution that they are seeking is really a change in their company’s culture. Organizations that view cyber security as a risk and treat it this way have a much healthier dialogue with their employees. Risk of financial losses, theft, or even natural disasters are how cyber security threats should be treated because no risk out there can be reduced to zero. Audits won’t solve this problem, but we still see many companies holding their compliance and audit teams to this unrealistic expectation.”
Myth #8: Credit card compliant vendors make you PCI compliant
PCI compliance must always be an in-house priority. Unfortunately, many businesses wrongly believe that having a merchant services provider handle their credit card processing is all they need to be compliant. As explained below, you will still be held liable if customer data is stolen from your business.
“Another big myth has to do with credit card liability,” says Marc Prosser, of Fit Small Business. “Many businesses assume that working with credit card compliant vendors necessarily makes them PCI compliant. But PCI compliance is much more than working with vendors, and you have to make sure that you follow all PCI procedures. Just because your credit card reader and merchant account providers are PCI compliant doesn’t mean you can’t be held liable when customer data gets stolen from your business.”
Myth #9: Encryption is the key to security
Encryption is the process of encoding data so that only authorized parties can read it. In plain terms, encryption scrambles the contents of a message or file; only those holding the right key can unscramble it and access the data.
However, some make the mistake of believing that implementing strong encryption is all they need to protect their data. They focus on the strength of the algorithm and neglect the key: how it is generated, where it is stored, who can reach it, and how it is rotated. A key derived from a weak password, hard-coded in source, or left beside the data it protects undoes the strongest cipher.
“One of the biggest challenges in today’s world is that we are constantly inundated by buzzwords like Government grade Encryption, Bank grade Encryption etc.,” says Mayukh Gon, Founder and CEO of PerfectCloud Inc. “The problem is NOT strong encryption, but how well the keys are managed for the encryption. Encryption is as good as the weakest link. If the foundation of key management is weak, no matter how strong your encryption, it is bound to fail.”
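As an added example of "encryption is as good as the weakest link" (written for this page; not PerfectCloud's or the author's code), the block below encrypts the same secret twice with the same cipher: once under a key derived from a password that appears on a small wordlist, once under a key from the operating system's random generator. A dictionary attack recovers the first in a handful of guesses and gets nowhere on the second. The cipher is a deliberately simple SHA-256 keystream so the example runs with the standard library alone; it stands in for a real AEAD such as AES-GCM and is not for production use. The secret, salt, nonce and wordlist are constructed:

```python
import hashlib
import os
from typing import List, Optional, Tuple


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: SHA-256 over (key || nonce || counter). Prefix-consistent,
    so decrypting the first N bytes needs only the first keystream block(s)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR stream cipher: encryption and decryption are the same operation


def key_from_password(password: str, salt: bytes, iterations: int = 1000) -> bytes:
    """Derive a 256-bit key from a password with PBKDF2. Iterations slow each guess
    down; they cannot add entropy the password never had."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def dictionary_attack(ciphertext: bytes, nonce: bytes, salt: bytes, candidates: List[str],
                      known_prefix: bytes, iterations: int = 1000) -> Optional[str]:
    """Try each candidate password; a guess is confirmed when decryption yields the
    expected plaintext prefix (a file header, magic bytes, a field name...)."""
    for pw in candidates:
        key = key_from_password(pw, salt, iterations)
        if decrypt(key, nonce, ciphertext[: len(known_prefix)]) == known_prefix:
            return pw
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Returns (password recovered for the weak key, result for the random key)."""
    secret = b"CARD:4111111111111111;EXP:12/19"  # constructed test data, Visa test PAN
    nonce, salt = os.urandom(12), os.urandom(16)
    wordlist = ["password", "123456", "Summer2015", "letmein", "qwerty"]

    # 1. "Bank-grade" cipher, key derived from a password found on every wordlist.
    weak_key = key_from_password("Summer2015", salt)
    ct_weak = encrypt(weak_key, nonce, secret)
    recovered = dictionary_attack(ct_weak, nonce, salt, wordlist, b"CARD:")

    # 2. Same cipher, 256-bit key from the OS CSPRNG: nothing to guess from a wordlist.
    strong_key = os.urandom(32)
    ct_strong = encrypt(strong_key, nonce, secret)
    not_recovered = dictionary_attack(ct_strong, nonce, salt, wordlist, b"CARD:")
    return recovered, not_recovered


if __name__ == "__main__":
    weak, strong = demo()
    print("password-derived key recovered via:", weak)
    print("random key recovered via:", strong)
```

Nothing about the cipher changed between the two runs; only the key's origin did. The same lesson applies to keys that are random but then stored in source control, in a config file next to the database, or on the same disk as the backups they encrypt: the attacker does not break the algorithm, they pick up the key.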
Now, these are just a few cybersecurity myths, but the list could go on. If you would like to add anything to this list, I’d love to hear it. Feel free to share in the comments.