Hackers love it when businesses believe in these common cybersecurity myths. Let’s debunk them.
Like other criminals, hackers take advantage of people’s misconceptions regarding their risk of being victimized. Here are six common cybersecurity myths that could be putting your enterprise at risk.
Security Myth #1: Compliance Equals Cybersecurity
Compliance with regulatory and industry standards such as HIPAA and PCI DSS can be complex, time-consuming, and costly, especially if companies must comply with multiple standards. Many organizations focus nearly exclusively on compliance, thinking that if they are compliant, they have done enough to protect against cyber attacks. This is a cybersecurity myth. Compliance standards outline only a minimum set of baseline procedures and protocols that provide a starting point for enterprise data security. They are not a substitute for comprehensive, proactive cybersecurity and integrated risk management.
Security Myth #2: Hackers Don’t Target Small Companies
Sometimes, small enterprises will skimp on cybersecurity, thinking that hackers are interested only in breaching very large companies. This cybersecurity myth is easily debunked: Nearly 60% of data breach victims are small businesses. There are several reasons for this, including:
- Hackers know that many small businesses don’t have robust cybersecurity and view them as easy targets.
- Many small businesses provide B2B services to large organizations, and hackers specifically target these third-party vendors to steal data belonging to their much larger business partners.
- Orchestrating a cyber attack no longer requires a great deal of skill or money. Inexpensive, easy-to-use malware-as-a-service and cybercrime-as-a-service offerings are a booming business. For example, DDoS attacks can be purchased for as little as $10.00. This low entry barrier means that cyber criminals don’t have to go after high-value targets to turn a profit.
Security Myth #3: “HTTPS” Means That a Website Is Legitimate
The HTTPS URL prefix, which some browsers denote with a green padlock, simply means that the site owner has procured an SSL certificate, and any data transmitted between your browser and the site is encrypted. Anyone can buy an SSL certificate or get one for free. Just because a site has an SSL certificate does not mean it is a legitimate website, or even that it’s secure. Unfortunately, many people don’t realize this (the green padlock doesn’t help), and hackers are capitalizing on the confusion: Half of all phishing sites now sport SSL certificates, up from only 25% just a year ago.
An SSL certificate is also not a guarantee of cybersecurity. HTTPS is much safer than HTTP, but a site served over HTTPS can still be compromised or outright malicious. Additionally, just as there is a lot more to securing an enterprise than achieving compliance, there is a lot more to securing a website than getting an SSL certificate.
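The point above is easy to demonstrate in code. The following added example (not from the original post or from Continuum GRC) takes a URL and reports two independent facts about it: whether the connection would be encrypted (the scheme is https) and whether the hostname actually belongs to a domain you trust. The trusted domain bank.example and the sample URLs are constructed for the example; the check shows that the https prefix says nothing about who the link really points to, including URLs that put a trusted-looking name in the userinfo, subdomain, or path position.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, or None if it has none.

    urlsplit().hostname strips userinfo ("user@") and the port, so
    "https://bank.example@evil.test/" yields "evil.test", not "bank.example".
    """
    return urlsplit(url).hostname


def belongs_to(hostname: str, domain: str) -> bool:
    """True if hostname is the domain itself or a subdomain of it.

    Matching on a label boundary ("." + domain) is what stops
    "bank.example.evil.test" from matching "bank.example".
    """
    return hostname == domain or hostname.endswith("." + domain)


def classify(url: str, trusted: Set[str]) -> Dict[str, object]:
    """Report, separately, whether a URL is encrypted and whether it is trusted.

    'encrypted' and 'trusted_host' are deliberately independent: a padlock
    only tells you the first one.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return {"host": None, "encrypted": False, "trusted_host": False, "valid": False}
    return {
        "host": host,
        "encrypted": parts.scheme == "https",
        "trusted_host": any(belongs_to(host, d) for d in trusted),
        "valid": True,
    }


# Constructed sample data: one trusted domain and a few links of the kind
# that show up in phishing email.
TRUSTED_DOMAINS = {"bank.example"}
SAMPLE_URLS = [
    "https://bank.example/login",                 # encrypted and trusted
    "http://bank.example/login",                  # trusted, not encrypted
    "https://bank.example@evil.test/login",       # userinfo trick
    "https://bank.example.evil.test/login",       # subdomain trick
    "https://evil.test/bank.example/login",       # path trick
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        info = classify(url, TRUSTED_DOMAINS)
        print(f"{url:45} host={info['host']!s:25} "
              f"encrypted={info['encrypted']} trusted_host={info['trusted_host']}")
```

In an email-filtering or link-rewriting pipeline, the "trusted_host" field is the one worth alerting on; "encrypted" should never be used as a proxy for it.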
Security Myth #4: Not All Employees Need Cybersecurity Training
The average employee’s knowledge of basic cyber hygiene is severely lacking. Over 60% of working adults don’t know what ransomware is, and over half of workers whose employers provide them with IoT devices allow friends and family to use them.
Some organizations think that only certain employees need to be trained on cyber hygiene, such as IT employees or privileged users. The reality is that hackers frequently target lower-level employees, usually through social engineering schemes, to get a beachhead into a system, then work their way up to privileged users. Any employee who accesses a computer or an IoT device at work needs to be trained on basic cyber hygiene. In today’s digital world, that’s nearly everyone; even retail and food-service cashiers use POS systems.
Security Myth #5: Strong Passwords Provide Adequate Security Against Credential Theft
A major topic at tech giant Microsoft’s 2018 Ignite conference was getting rid of passwords; the company used the occasion to introduce a new tool to allow passwordless logins to Azure AD-connected apps. Passwords, even strong ones, are no longer enough to ensure enterprise cybersecurity. One-quarter of employees admit to using the same password for all their accounts, at home and at work, and stolen account credentials are hackers’ preferred way to break into enterprise systems. Enterprises need to switch to multi-factor authentication (MFA) whenever possible.
Security Myth #6: Air-Gapped Systems Don’t Need Additional Cybersecurity
Air gapping, also known as “security by isolation,” is common in manufacturing facilities, other industrial environments, utilities, and critical infrastructure. Some compliance frameworks require operational technology (OT) systems to be air-gapped. However, air gapping alone does not sufficiently secure systems; the infamous Stuxnet virus is only one example of an air-gapped system being breached.
The cybersecurity experts at Continuum GRC have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cybersecurity programs.
Continuum GRC is proactive cybersecurity®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.