With cyber crime being a key challenge for organisations of all sizes, there are a number of cyber security misconceptions that can put your business at a greater risk. In this blog post we take a look at the most common cyber myths:
- Anti-virus and anti-malware are all the protection we will need: Whilst they are a good starting point, they won’t keep your entire infrastructure safe from all cyber attacks. Businesses need a comprehensive cyber security approach that includes, as a minimum: risk assessments, staff training, threat detection, testing, and incident response plans.
- We don’t have any data that’s of value to hackers: Cyber criminals seek to exploit human or security vulnerabilities in order to steal passwords, data or money directly. Whilst financial gain almost certainly remains the key driver for cyber crime, the human factors of power, ego and kudos should not be underestimated.
- We have a robust password policy: How strong? And is it embraced across the whole organisation? Businesses must ensure they have a multi-layered approach to password security – from password generator and manager tools to multi-factor authentication – that reaches across the entire organisation. And what about access rights? How do you control who has access to relevant systems and information?
- We are a small business, nobody would want to target us: Think again. According to Hiscox, every 19 seconds a small UK business is successfully hacked. The majority of small businesses do not have sufficient cyber defence in place, making them an easy target for cyber criminals. Size doesn’t matter, security does.
- The IT department is responsible for cyber security: Whilst those within the business who have responsibility for IT may be significant in the implementation of cyber security measures, they may not be cyber experts. In fact, a recent study showed that 75% of organisations lack a cyber security expert on their staff. It’s also worth noting that cyber security is a business-wide responsibility. Every single employee, partner and supplier needs to have a high awareness of cyber security risks, measures and processes. All have a responsibility in keeping your business safe, so ongoing training and communication are essential.
- We’ve never had a breach so we are doing everything right, we are cyber strong: Almost half of businesses report having cyber security breaches or attacks in the last 12 months, so it’s a case of not if but when you may experience a breach. Cyber threats are continually growing in sophistication and complexity, and the threat landscape is constantly changing. Take the global Covid pandemic: according to Hiscox, almost half of the respondents said they felt their organisation had become more vulnerable to cyber attacks since the start of the pandemic. A culture of being prepared is essential. Cyber Attack Readiness Assessments help organisations really understand how prepared (or otherwise) they are to protect against and respond to cyber attacks. Moving on to our next myth… how do you know you haven’t had a breach?
- We would know instantly if there has been a compromise: But would you? According to IBM, on average companies take about 197 days to identify and 69 days to contain a breach. Preparation is a key factor in a company’s response timeliness. Businesses with dedicated, trained teams, automated or managed security support and tested response plans respond faster, and suffer lower financial impact and reputational damage.
- We have followed a compliance framework, so our business is safe: Achieving and maintaining compliance is essential for business operations and for avoiding legal consequences; however, being compliant doesn’t necessarily mean that your business is cyber secure. Compliance should be viewed as the minimum level of security; there are many more steps you can take to improve your security posture.
- Our Managed Services Provider secures everything: A Managed Service Provider (MSP) operates in the world of IT network management, offering a range of services to provide you with easy access to your IT infrastructure. Whilst they may have some security credentials, as a rule they are not cyber security experts. Managed Security Service Providers (MSSPs) provide a much higher level of security than MSPs. Take a look at our blog post explaining the differences between an MSP and an MSSP. Regardless of your provider’s capabilities and credentials, you have a legal and ethical responsibility to secure critical assets, so it’s important that you understand all the risks and the steps being taken to address them.
- Cyber threats only come from outside of the organisation: Over 90% of security incidents are caused by staff. Humans are far more vulnerable than technology, that’s why cybercriminals will target employees. One mistake can make or break you. Employee negligence, ignorance, and malicious behaviour make insider threats a higher security risk than outsider threats. Building a Human Firewall is the biggest and most effective defence against cybercrime. Staff training, ongoing awareness programmes, robust monitoring and reporting are all essential to mitigate the risk of insider threats.
- We perform regular cyber security testing: Testing is only one part of the cyber security jigsaw. There is still much more that organisations can do to improve their security posture – risk audits, cyber training, incident response plans, and breach reporting, just for starters.
- Staff can safely use their own devices for work: 2020/21 saw a huge increase in the number of personal devices being used for work, widening the threat landscape within businesses. Personal devices must be subject to the same security measures and protocols as are in place for company-provided devices. And don’t forget wearables; they are just as vulnerable as smartphones, tablets and laptops. BYOD policies should cover all devices that access the internet, including wearables and any IoT devices.
- Cyber attackers only target business emails: The lines between work and home life have never been so blurred, providing perfect opportunities for attackers to target individuals personally and professionally across a wide number of channels. Hackers don’t discriminate. Personal and work emails, social media profiles, gaming accounts, text messages, landline and mobile telephone calls: attackers will target everyone via everything, in the knowledge that they will strike lucky somewhere along the line.
- A single AI / machine learning solution can provide all the protection we need: Whilst AI network analytics tools are good at spotting anomalies and are useful in a portfolio of controls, those that rely only on a single alerting system of this type are frequently breached.
- Effective cyber security is expensive to deploy and maintain: We believe that complete cyber security can never be achieved; new threats emerge every single day, and it’s an ongoing battle. The allocation of continuous resources (budget, staff, management focus) is a must, as are ongoing testing, risk assessments, monitoring and training. Sounds expensive? But can you afford to ignore the threats? With the average data breach running into millions, you simply have to allocate resources to keep your business cyber safe.
Contact the Infosec Partners team if you would like to chat about how we can protect your organisation from emerging cyber threats.