Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/31/2019
02:30 PM
Brian Engle
Brian Engle
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

8 Cybersecurity Myths Debunked

The last thing any business needs is a swarm of myths and misunderstandings seeding common and frequent errors organizations of all sizes make in safeguarding data and infrastructure.

Cybersecurity plays an integral role in the realm of good business models. You'd be hard pressed to come across an enterprise which doesn't have some form of cybersecurity policy as part of its infrastructure. But even cybersecurity programs built with good intentions can fall short. Why? The best intentions are often based on an array of myths perpetuated by a combination of mistrust, misunderstanding, and lack of information. These are the myths of cybersecurity, and I'm going to break down some of the most common ones found throughout the tech industry.

Myth 1: You're Too Small to Be Attacked
You read about data breaches all the time. Big companies suffer penetration attacks with millions of user data compromised by the nebulous realms of hackers. "Well," you think, "that'll never happen to my business, there's not enough value, we're too small." And that's just wrong. In 2016, 43% of all cyberattacks were conducted against small to medium-sized businesses. This is a growing trend, with malware and malicious attacks escalating in both complexity and frequency. You're as likely as a target as any major enterprise, so don't buy into this line of thinking.

Myth 2: Passwords Are Good Enough
The downfall of any security policy is the lazy "set it and forget it" mentality. Cultivating this lethargic approach is the adoption of complex passwords and believing it's good enough. You have your staff memorize a 12-character login phrase with special characters, caps, and numbers? That must be enough!

It's not, because a mix of social engineering and complex malware attacks can circumvent it  with alarming ease. Password reuse across multiple platforms makes you dependent on the security of other organizations, where a breach of their password database places accounts at risk on your systems. Malicious third parties employ a wide range of bots and auto-attacks to hasten their process, and without two-factor authentication and a level of encryption (especially on vulnerable public networks), one password just isn't sufficient in today's dangerous cyber world.

Myth 3: Antivirus Is Good Enough
Much like the "set it and forget it" password philosophy, this equally applies to your antivirus setup. It's tempting to believe the fancy software your enterprise invested so much capital in will thwart any and all attackers, but again, that's not true. Antivirus is of foundational importance, but good cybersecurity requires a rigorous program that includes protection, detection, and response preparation along with safe practices for user behaviors.

Myth 4: It's IT's Problem
Computers are hard, so let IT handle everything, right? This, again, is a foolish way to look at cybersecurity. Some businesses lack the capital to hire experienced staff. And, even with a good IT team, said staff are limited in what they can handle. If you expect your IT team to manage every single tech-related problem, from resetting logins to managing network infrastructure and dealing with potential intrusions, you're asking for trouble. Every staff member should be familiar with good cybersecurity practices.

Myth 5: BYOD is Safe
While a BYOD (bring your own device) policy is popular and cost-effective, it's a whole new avenue of risk for a business. Assuming smartphones and mobile devices brought by staff are secure is a serious error in judgment. Apps with personal data, logins, and business-related info are easy to compromise, and every unsecure device is just another potential hole in your cybersecurity foundation. It's important that employees follow rigorous guidelines when using their own hardware.

Myth 6: Total Security Is Possible
The eternal struggle of cybersecurity is its constant need to adapt to new threats. As security teams adapt strategies and tactics to meet those threats, attacks evolve to counter the changes. It's a constant battleground, meaning total security is impossible to achieve. A business should always expect some form of cyberattack and should always have backup, incident and crisis preparedness, and disaster recovery (BDR) measures in place. You can only take a proactive approach towards malicious threats, not counter them in their entirety.

Myth 7: You Don't Need Assessments and Tests
I couldn't think of a more disastrous approach to a cybersecurity plan. This is like working on a term paper and submitting it with zero revisions, edits, or extra eyes. You cannot reasonably expect your current cybersecurity plans to be foolproof without conducting assessments and penetration tests. These self-evaluations are invaluable, revealing where you're weakest and strongest.

Myth 8: Threats Are Only External
Competent security requires just as a hard a look at internal staff and policies as do the various third-party attacks. This is because — whether from human error or malign intent — cybersecurity risks are as likely to emerge from your own enterprise as outside of it. More is at risk, too, considering staff are the pathway to the most sensitive info.

Related Content:

Brian Engle's role as CISO/Director of Advisory Services allows him to lead the delivery of strategic consulting services for CyberDefenses' growing client base with risk management support, information security program assessment, and cybersecurity program maturity ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
StephenGiderson
50%
50%
StephenGiderson,
User Rank: Strategist
2/13/2019 | 11:58:01 PM
Better safe than sorry
We should never take security for granted! At the end of the day, all it takes is some guy to target you, and there goes all of your data and privacy! If you can afford to implement better security systems in your networks, do it! It will be better than the alternative.
markgrogan
50%
50%
markgrogan,
User Rank: Apprentice
2/13/2019 | 1:39:18 AM
Be on your best guard
It is highly dangerous to base your beliefs on a set of myths which have yet to be proven by experts. If you are managing a huge account, this situation simply means that you just have a lot more to handle as a lot more is at stake. You cannot simply remain complacent when security is concerned even if you are handling a small firm. You have to be put your best front forward before any security lapses even have the opportunity to occur.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
2/1/2019 | 12:19:29 PM
Almost all have one trait in common
Discussed this last night at my A.A. meeting - COMPLACENCY.  The trust that because things seem OK they really are OK and, therefore, fine and dandy.  Most Malware cannot be seen by the average user save something obvious like ransomware or adware.  Google Redirectors are common but the real invasive stuff that hides and steals data is very hard to jus SEE off the bat.  So if it is part of IT and the server is up and staff is working - well then.  My clients would have said SO, WTF IS WRONG????/   
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5230
PUBLISHED: 2019-11-13
P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than Emily-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than NEO-AL00D NEO-AL00 9.1.0.321(C786E320R1P1T8) have an improper validation vulnerability. The system does not perform...
CVE-2019-5231
PUBLISHED: 2019-11-13
P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.
CVE-2019-5233
PUBLISHED: 2019-11-13
Huawei smartphones with versions earlier than Taurus-AL00B 10.0.0.41(SP2C00E41R3P2) have an improper authentication vulnerability. Successful exploitation may cause the attacker to access specific components.
CVE-2019-5246
PUBLISHED: 2019-11-13
Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0.113(C00E110R1P21), 9.1.0.125(C00E120R1P21), 9.1.0.135(C00E130R1P21), 9.1.0.153(C00E150R1P21), 9.1.0.155(C00E150R1P21), 9.1.0.162(C00E160R2P1) have an insufficient verification vulnerability. The system does not verify certain par...
CVE-2010-4177
PUBLISHED: 2019-11-12
mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.