{"id":9411,"date":"2015-08-04T08:57:16","date_gmt":"2015-08-04T13:57:16","guid":{"rendered":"http:\/\/www.mrc-productivity.com\/blog\/?p=9411"},"modified":"2022-11-22T16:03:34","modified_gmt":"2022-11-22T22:03:34","slug":"9-common-enterprise-cybersecurity-myths","status":"publish","type":"post","link":"https:\/\/www.mrc-productivity.com\/blog\/2015\/08\/9-common-enterprise-cybersecurity-myths\/","title":{"rendered":"9 common enterprise cybersecurity myths"},"content":{"rendered":"

\"Education\"Summary: Cyberattacks are more sophisticated and frequent than ever. The costs to recover from a data breach are now higher than ever. Yet, many companies remain unprepared for an attack. Why? In many cases, they believe some common cybersecurity myths, which can put their data (and their customer’s data) at risk. <\/em>
<\/span>
\n<\/a><\/p>\n

Cyberattacks are on the rise. The problem is only growing worse. <\/p>\n

How bad is it? The number of U.S. data breaches reached a record high in 2014, with 43% of companies<\/span><\/a> experiencing a data breach. This year, that number is expected to rise.<\/p>\n

How much does a breach harm a business? One study finds that the cost of a data breach has increased to $3.8 million<\/span>–up from $3.5 million a year ago. This includes all aspects of a breach, like hiring experts to fix it, offering help to your customers, repairing your damaged reputation, and more.<\/p>\n

The problem: Many companies are easy targets for a cyberattack, but don\u2019t realize it. Some just don\u2019t take security seriously. Others believe common security myths that place their data at risk. <\/p>\n

What are these misconceptions? Today, let\u2019s explore some of the most common myths and explain why they\u2019re false.<\/p>\n

Myth #1: We can’t get malware because we have antivirus<\/h3>\n

A common consumer belief, some businesses also place too much faith in anti-virus software. The fact is, it can\u2019t possibly protect your business from every type of malware.<\/p>\n

Why not? Antivirus software protects you against KNOWN vulnerabilities. But, security risks constantly evolve. New vulnerabilities emerge all the time. While antivirus software is important, you must understand that it\u2019s a reactive approach that can\u2019t protect you from everything.<\/p>\n

\n

\u201cTraditional reactive measures are no longer sufficient to keep users and endpoints safe,\u201d says Andrew Avanessian, VP at Avecto<\/span><\/a>. \u201cThe prolific growth of malware, and the increasingly sophisticated threat landscape, mean that antivirus is unable to detect advanced evasion techniques. With legacy approaches quickly becoming obsolete, leaving companies vulnerable to attack and further infiltration, the first and most important step for making environments more secure is getting rid of end user admin rights. This proactive measure will ensure that complementary defenses like anti-malware, whitelisting and firewalls can actually be effective in tackling ever more complex threats.\u201d<\/p>\n<\/blockquote>\n

Myth #2: We are safe because we have a firewall<\/h3>\n

On a similar note, many businesses put far too much faith in their firewall. While firewalls are important, it\u2019s only the first line of defense. What happens if an attacker gets past your firewall? What happens if it’s improperly configured or maintained? It could put your entire network at risk.<\/p>\n

\n\u201cMy number one security myth to bust is \u2018We are safe because we have a firewall,\u2019\u201d says Oli Thordarson, President, CEO – Alvaka Networks, Inc<\/span><\/a>. \u201cWhile that is a refrain I hear more often from small businesses rather than enterprises, I still hear variations of that from the enterprise. It is also common to hear that refrain from executives at an enterprise. The variation I hear from enterprise IT staff is their pointing to a lot of additional magical security devices and software in that solutions version of “We are safe because we have this magical device….”\n<\/p><\/blockquote>\n

Myth #3: We’re not a target<\/h3>\n

Maybe your company doesn\u2019t store sensitive data. Maybe you don\u2019t have data that any hacker might want. <\/p>\n

Does this mean you\u2019re not a security target? Not at all!<\/p>\n

\"photo
photo credit: Bogdan Suditu<\/a> via photopin<\/a> cc<\/a><\/figcaption><\/figure>\n

\u201cAt the grass roots, when I pitch security to potential customers, somebody always says, “Wait a minute. We’re not keeping national security secrets here. Why should we spend money on all this security.\u201d While you may not be the ultimate target of a cyberattack, you can easily become an unwitting partner in a major cyberattack. Just ask the HVAC contractor in Pennsylvania with access into the Target network about what that’s like,\u201d explains Greg Scott, author of the new security education book, “Bullseye Breach<\/span><\/a>“.<\/p>\n<\/blockquote>\n

The fact is, every business is a target. Maybe they\u2019re not after your data. Maybe an attacker uses your vulnerabilities to attack the real target. Those who believe they\u2019re aren\u2019t a target are actually better targets for attackers because they have weaker defenses.<\/p>\n

\n\u201cMost attacks are random,\u201d says Frank Bradshaw, President at Ho’ike Technologies<\/span>. \u201cAttackers send out phishing emails hoping anyone would open them. Yes, there are targeted attacks (OPM, IRS, Sony for example were targeted) where criminals are looking at a specific target for what they have and go directly after them. Most organizations that are breached are breached by a random attack that happens to get through the defenses. As big as Target’s breach was, it was a small HVAC vendor with weak defenses that was the root cause. Many SMBs think they are too small, but they are the right size. You have information or access to information and less resources to protect yourself.\u201d\n<\/p><\/blockquote>\n

Myth #4: If we haven’t yet been breached, our IT systems are secure<\/h3>\n

Why do some business leaders treat security as an afterthought? It\u2019s usually because they\u2019ve never experienced a data breach. They assume this means their systems are secure. <\/p>\n

The problem with this assumption: Security constantly changes. Sure, you may be secure today, but what about tomorrow? As explained below, you must always be on guard.<\/p>\n

\n\u201cWhen you see the systems up and running without any interruption – here comes the peace of mind, which for any cybersecurity pro is a sign that they might be missing something critical,\u201d says Michael Fimin, CEO and co-founder of Netwrix<\/span><\/a>. \u201cHow to avoid that? When dealing with cybersecurity, remember that everything is changing. And your main goal is to obtain pervasive and true visibility into any changes made across the entire IT infrastructure. Knowing who changed what, when and where, and who has access to what will provide you with permanent control over your data, and give you precious time to react to any burst of suspicious activity.\u201d\n<\/p><\/blockquote>\n

The other problem with assuming your systems are secured because you haven\u2019t experienced a breach: How can you know for sure? Not all breaches are obvious. In fact, the best attackers know how to enter and leave your systems without a trace.<\/p>\n

\n

\u201cPerfect security has always been a myth and it’s hard to imagine how anything could be 100 percent safe in the physical world,\u201d says Nathaniel Borenstein, chief scientist at Mimecast<\/span><\/a>. \u201cUnfortunately, Internet-based information attacks are even harder to deal with, in part because one doesn’t necessarily even know when the attack has happened. It would be hard not to notice a hijacked plane flying through the sky, but a clever cyber-attacker has the potential to get into a system, do his dirty work, and get out without being noticed. Thus, while we should put into place the toughest cyber-defenses we can manage, we should also work from the assumption that they will sometimes fail, and institute fallback strategies, or multi-layered defenses.\u201d<\/p>\n

\u201cThis sounds simple, but it stands a lot of current practice on its head. People tend to assume that what’s on their “internal” network is safe, but it isn’t, and it should always be treated as suspect. This means that even on your internal network, you should be using strong encryption and multi-level access control for sensitive documents, and two-factor authentication for critical actions. That way, someone who has broken into your network is somewhat less likely to be able to read your sensitive documents, or cause something bad to happen in the physical world. In short, you should pay as much attention to securing what’s inside your network as you do to keeping the bad guys out of it.\u201d\n<\/p><\/blockquote>\n

Myth #5: Technology can fix our security issues<\/h3>\n

Imagine your business is a castle. You\u2019ve built the strongest walls, added extra fortifications, and even created an alligator-filled moat. Your defense could not possibly get any better. Then, one of your soldiers leaves the drawbridge down and your enemy walks right through your front door.<\/p>\n

This is a great analogy for the modern business. Many companies fortify their systems with the best security products. But, they lack a security plan. They don\u2019t educate their users about proper security practices. Or, they give their users too much data access. <\/p>\n

Am I saying that security technology is worthless? Not at all. In fact, it\u2019s necessary. But, no amount of technology will protect you from uninformed users with too much access.<\/p>\n

\n\u201cThe biggest single myth about cybersescurity is that the organizations will be safer if only they would deploy more security products,\u201d says Jonathan Gossels, CEO of SystemExperts<\/span><\/a>. \u201cThe best products in the world can\u2019t keep you safe if you do not have an overall plan, a coherent architecture built on a comprehensive framework like ISO 27002, security policies to ensure appropriate behavior and handling off sensitive data, and a security-knowledgeable workforce. Technology is secondary \u2013 a distant second. 3 P\u2019s \u2013 People, Policies, and a Plan matter most.\u200b\u201d\n<\/p><\/blockquote>\n

Myth #6: Our developers are building secure applications<\/h3>\n
\"photo
photo credit: geralt<\/a> via pixabay<\/a> cc<\/a><\/figcaption><\/figure>\n

Let me ask you a question: Are your business applications secure? How do you know?<\/p>\n

Many business leaders just assume their developers create secure applications. They check to make sure their applications include the requested features and requirements, without paying thought to its security.<\/p>\n

Here\u2019s a statistic that might make you think twice about that approach: 96% of all web applications<\/span><\/a> contain at least one \u201cserious vulnerability.\u201d These vulnerabilities open the door for attackers, and can lead to data loss, complete system takeovers, and much more.<\/p>\n

This article<\/span><\/a> sums up the problem nicely: We\u2019re still fighting the same software security battles we fought a decade ago.<\/strong> Despite the importance of security, developers still deliver applications with known vulnerabilities. They\u2019re making the same mistakes that were made 10 years ago.<\/p>\n

Why? Why do businesses create insecure applications year after year? The truth is, the blame doesn\u2019t completely fall on developers. In many ways, businesses bring it on themselves. Here are a few ways:<\/p>\n