The massive data breaches that dominate the headlines are enough to fill any business executive with trepidation.
They should be equally concerned about all the security myths floating around out there, because these misconceptions cause organizations to incorrectly assess threats, misallocate resources, and overlook necessary goals.
So today we want to dispel five common cybersecurity myths making the rounds:
1. Just let the IT department handle cybersecurity.
Making sure appropriate technical controls are implemented to protect an organization’s information is certainly the first line of defense against security threats. But it’s nowhere close to being enough. An actively managed and maintained comprehensive security solution – one that includes advanced firewall management, real-time intrusion prevention with event correlation, and the ability to inspect encrypted traffic at the packet level – is an important safeguard.
Employee awareness and training is every bit as critical. More than two-thirds of successful cyberattacks occur because a staff member inadvertently clicks on a mail attachment or a malicious link. It’s hard to accuse them of negligence if you’ve never invested in giving them the proper training.
This education initiative needs to start at the top. Cybersecurity, privacy, and data breach response must be a priority at the highest level of the organization. And because the entire operation is at risk of a data breach, consider pulling together the budget for fighting cybercrime from other functional areas of the organization (HR, Accounting, and Risk Management come to mind) — not just IT.
2. Software will solve everything.
Implementing adequate software controls and management is an important step in the security process, as they tend to reduce the likelihood of a successful attack and can mitigate the effects. But just as your IT department alone can’t protect your company, software alone won’t do it, either.
And be careful about swinging too far in the other direction. Too many technical controls and a heavy-handed approach to InfoSec can throttle the productivity of your employees and render legitimate work tools inoperable. A balance must be struck, and input from all functional groups within the company can guide your IT professionals on how to limit exposure without hindering getting in the way of fulfilling your mission.
3. The right security solution will guarantee protection.
If you’ve been keeping up with the latest in cybersecurity, you already know it’s not a matter of IF you become an attack victim, but WHEN. An incident response plan needs to be readied now. Companies operating in regulated industries likely already have one, but the absence of compliance requirements is no excuse for delay.
Your plan should keep an eye on your data in all its states – mission critical or archivable, active or static, local or centralized, on hand or in the cloud. It should delineate the steps required to identify and investigate a data breach, outline multiple recovery scenarios, and include clear guidelines for notification. And a robust, secure, and tested backup and recovery strategy is a must.
The chaos generated by a cyber attack cannot be overstated. The last thing you want is to improvise a response plan in the middle of a crisis.
4. Attackers are only targeting large enterprise businesses.
According to Symantec’s 2016 Internet Security Threat Report, almost half of all cyber attacks target small businesses. For a hacker, attacks on small and medium sized organizations offer low risk and high returns – especially because many non-enterprise businesses leave their guard down. Their networks are unprepared to thwart sophisticated attacks, which makes them easier targets than the big guys. Their data (ie – client information, banking details, e-commerce data) is every bit as valuable. Smaller organizations are often breached to find back doors into the larger companies they do business with. And cyber criminals have been known to try out and tweak new exploits on smaller targets before turning their attention to the bigger guys,
Most important, the cost of data breaches can devastate a small or medium sized business.
Ransomware is one of the most common attacks affecting SMBs. Employee education is just as important at that level as it is for large enterprises.
5. I don’t have anything worth stealing.
You sure do. At the least you have employee information which includes addresses, Social Security numbers, perhaps medical information. (Medical records are the most sought after records traded in cyber crime’s dark market.) Every employee record is a potential identity theft waiting to happen.
Beyond employee data, small businesses maintain often sensitive customer information, bank account information, access to the business’s finances, and intellectual property.
There is no shortage of misconceptions about data security. The key is to see clearly through the fog of uncertainty, and make prudent choices before it hits the fan. We can help. Call us.
Categories: Data Security
Leave a Reply