Debunking the top seven cybersecurity myths

2/11/20, 9:10 am

Here are my top seven cybersecurity myths to help your business create a more secure digital environment (inspired by Paul Asadoorian and his co-hosts).

Myth #1: The cybersecurity team is going to protect the company

Many employees argue that it is the sole responsibility of the cybersecurity team to keep the business’ digital environment safe and secure. The usual justification is that other members of the business are not technically trained enough to hold any responsibility. Sometimes the very existence of a cybersecurity team creates a mindset in which everyone else neglects securing the digital environment.

The human factor is one of the most crucial aspects in securing the digital environment. Employees, particularly those in non-IT divisions, can be a business’ most vulnerable aspect. How employees share data, update applications, and download programs on company computers all affect the security of the business’ digital environment.

Cybersecurity is a collective responsibility. It is for everyone and not limited to a person or team. Without everyone coming together, it is not possible to protect an organisation.

Myth #2: Cyberattacks are confined to the digital world

There is a widespread misconception that cybersecurity is limited to the digital world. People often forget that physical security is a vital part of the cybersecurity umbrella. If an organisation can be physically breached, then it’s almost child’s play to own its digital network.

The Stuxnet worm was spread by a single infected USB flash drive. This virus damaged Iran’s nuclear programme, and the cost of neglecting physical security was massive.

Myth #3: We spend a lot of money on our security devices and technology, so we are secure

This is a common misconception among business executives. They think that spending a fortune on the latest technology ensures security.

Having cutting-edge technology and the latest security device model is a good thing. But if these devices and technologies are not configured properly, they are not doing the organisation much good.

Vendors and security providers supply your business’ devices and technology with a generic configuration. Every organisation needs to understand its specific requirements and fine-tune the devices to fit its own needs. If devices and security policies are not configured to organisational needs, then it is a walk in the park for breaches to occur.

Myth #4: Our applications are in the cloud, so we are compliant now

This is still a common misconception among many companies. Companies believe that since their applications are in the cloud, they comply with the required standards. A manager I worked with was under the assumption that since AWS was ISO-certified, the application hosted by AWS was also certified.

People forget (or perhaps do not know) that the cloud provider’s certification covers the cloud infrastructure; the owner of the hosted application still needs to think about the application and its own certifications.

Myth #5: Cybercriminals only target big organisations. We are small so we are safe.

This is a misconception that cybersecurity professionals see in the SME sector. SME leaders believe that because they are not as well known, or don’t hold the volumes of data that larger organisations do, they would not be a big enough target for security breaches. They assume they are immune to cyberattacks because they don’t think their data and information is valuable enough to hackers.

Small and middle-market companies may in fact be more vulnerable to cyberattacks. Criminals know these businesses do not take substantial preventative measures. Companies with 250 or fewer employees accounted for 43% of cyberattacks last year.

Myth #6: Our system requires the user to set a complex password, so we are safe from password attacks

This is a widespread misconception, and it is costing organisations millions of dollars across the globe. While a strong password is a good option, it is no substitute for multifactor authentication.

Two-Factor Authentication (2FA) makes life much harder for attackers. It is a lot more difficult to acquire both someone's password and a second authentication token at the same time.

In my professional opinion, the combination of a weak password plus two-factor authentication might still be safer than a strong password alone. With 2FA, data is protected not only by the password but also with the second factor. Even if your weak password is cracked through brute force, a hacker would still not have access to your account due to the protection of the second factor.
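As an added illustration of the point above (example code, not part of the original post), here is a minimal login check that requires both a stored password hash and an RFC 6238 TOTP code; the salt, shared secret and weak password are constructed demo values. Because both factors are checked, a password recovered by brute force is rejected on its own.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credentials. A real system stores only the password hash
# and the per-user TOTP secret; the plaintext password is here for the demo.
SALT = b"demo-salt-not-for-production"
TOTP_SECRET = b"constructed-shared-secret-20-bytes!"  # assumption: raw key bytes
WEAK_PASSWORD = "summer2020"
STORED_HASH = hashlib.pbkdf2_hmac("sha256", WEAK_PASSWORD.encode(), SALT, 100_000)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def password_ok(candidate: str) -> bool:
    """Constant-time comparison of the PBKDF2 hash of the candidate password."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, 100_000)
    return hmac.compare_digest(digest, STORED_HASH)


def second_factor_ok(code: str, now: int, secret: bytes = TOTP_SECRET) -> bool:
    """Accept the current 30 s step and one step either side to absorb clock drift."""
    return any(hmac.compare_digest(code, totp(secret, now + d)) for d in (-30, 0, 30))


def login(candidate: str, code: Optional[str], now: Optional[int] = None) -> bool:
    """Both factors must pass: a correct (or cracked) password alone is rejected."""
    now = int(time.time()) if now is None else now
    if not password_ok(candidate):
        return False
    return code is not None and second_factor_ok(code, now)


if __name__ == "__main__":
    t = 1_600_000_000  # constructed fixed timestamp so the demo is reproducible
    print("weak password + valid code :", login(WEAK_PASSWORD, totp(TOTP_SECRET, t), t))
    print("weak password, no code     :", login(WEAK_PASSWORD, None, t))
```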

Myth #7: IT professionals don’t fall for cyberattacks

When organisations spend time and money training their IT employees, it is assumed that IT professionals wouldn’t pose any risk to the organisation’s digital environment. However, IT employees are human. They too can make mistakes, and there is a chance that even these well-trained IT employees will create a small vulnerability within the company.

People, including IT professionals, will always look for shortcuts and try to find the easiest ways of doing things. This human trait can come at a cost to security.

There are also times when employees are multitasking, or their workload has increased. It can be during these times that we see security not getting an IT professional’s full attention.

We cannot build strong cybersecurity platforms on myths and clichés. Today’s cyber threats often exploit an organisation’s assumptions to breach its digital environment. We need to accept this daunting reality and adopt proper security practices for organisations and individuals. Every year, hundreds of thousands of organisations are breached across the globe. By adopting best practice, you can stop your business from becoming another statistic.

Chirag Goswami - NEC Australia Senior Security Engineer

chirag.goswami@nec.com.au