
5/18/2020
10:00 AM
Zack Schuler
Commentary

The 3 Top Cybersecurity Myths & What You Should Know

With millions of employees now attempting to work from home, it's vital to challenge misconceptions about cybersecurity.

Imagine you're working at the front desk of a tech company when a woman walks through the front door and tells you she was just in a car accident. You ask if there's anything you can do to help, but she says it wasn't serious and asks if you could direct her to a restroom.

You later discover that the woman inserted a flash drive into an unattended computer and infected your company's entire network with a destructive form of malware. Or at least that's what she could have done had the malware been real: this strange scenario was actually an elaborate demonstration (arranged by a cybersecurity professional I know) designed to show employees that not all cyberattacks are carried out remotely.

The idea that cybercriminals never interact with their targets is one of many cybersecurity myths that need to be debunked. With millions of employees now attempting to work from home for the first time due to the COVID-19 pandemic, often on home networks and personal devices outside the controls of the office, it's vital to challenge stubborn misconceptions about cybersecurity.

Myth No. 1: The security team is going to protect me.
Many employees argue that they aren't particularly technical, so they simply delegate the job of keeping themselves and the company safe to someone else. But at a time when every employee uses multiple connected devices and hackers are increasingly targeting people across entire companies, there's no excuse for leaving cybersecurity up to someone else.

Andy Boldin is the solutions delivery chief at SAIC, and he told me the complacent idea that "the security team is going to protect me" is one of the most consequential cybersecurity myths there is: "People think the security team will take care of everything," he says, "while they can do whatever they want." This isn't just wrong; it inverts how most intrusions actually begin. Social engineering, the deception and manipulation of people to get inside a company, is consistently among the most common and costliest ways attackers gain a foothold, and anyone can be a target, from a CEO to a receptionist.

According to a 2018 survey conducted by the Ponemon Institute, companies cite their "inability to hire and retain expert staff" as one of the biggest cybersecurity problems they face. Meanwhile, they rank "human factors" as one of their most serious vulnerabilities. Both of these issues point to a single solution: empowering employees to be cybersecurity defenders at every level of the company.

Myth No. 2: IT professionals don't fall for cyberattacks.
Many companies think a well-trained IT team is all the protection they need against cyberattacks, but this is another harmful myth. As Boldin explains: "Even professionals fall for social engineering attacks. People will always look for the easy way of doing things — including IT pros. Everyone multitasks and security doesn't always get our full attention."

This is why Boldin recommends "continual training" across the entire company — and not just annual compliance training, which he describes as the "new normal." He argues that frequent and consistent "hands-on awareness training" is the most effective way for companies to keep themselves safe. This is particularly important for the small and medium-sized businesses (SMBs) that make up the core of the U.S. economy. Many SMBs can't afford dedicated IT security teams, which makes companywide cybersecurity training all the more important for them. According to Verizon's 2019 "Data Breach Investigations Report," 43% of breaches "involved small business victims."

Even if IT professionals were capable of spotting and thwarting every cyberattack, which certainly isn't the case, many companies would still be left with no defenses, because they lack the resources to build dedicated security teams of their own. This is just one more reason why effective cybersecurity platforms have to include everyone.

Myth No. 3: Cyberattacks are confined to the digital world.
Granted, the scenario at the beginning of this article is fairly implausible. But once we finally return to the office, it's essential to remember that physical security is, in fact, a crucial element of any robust cybersecurity platform. Serious breaches have begun with a strategically placed flash drive, a stolen laptop, or some other form of physical intrusion.

As Boldin observes, "Security is not just cybersecurity. Remember that physical access can play a vital role." In June 2017, the NotPetya worm, which the US and UK governments later attributed to the Russian military, swept around the world, damaging critical infrastructure, disrupting international shipping operations, and causing an estimated $10 billion in damage. At the global shipping giant Maersk, the worm entered through a single computer in its Odessa office that ran a compromised update of Ukrainian accounting software, and from there it spread across the entire company.

NotPetya's entry point was a poisoned software update rather than a flash drive, but it is a stark reminder that one compromised machine can crash a massive network and cripple the largest shipping company in the world. Physical delivery has done the same: the Stuxnet worm that damaged centrifuges at Iran's Natanz enrichment facility is widely reported to have been carried into the air-gapped plant on a USB flash drive plugged straight into one of the facility's computers. Infected flash drives have even been handed out at tech conferences. Physical security is cybersecurity.
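The flash-drive scenario above is a detection problem as much as a training one: on a Linux workstation the kernel announces every USB device it enumerates, so an unapproved storage device plugged into a front-desk PC can be flagged from the logs alone. The script below is an added example, not code from the article or from anyone quoted in it. The syslog excerpt, the hostname reception-pc and the allowlist of approved vendor:product IDs are all constructed for illustration; only the message formats printed by the Linux usb core and the usb-storage driver are real.

```python
import re
from dataclasses import dataclass

# Constructed syslog excerpt (not from the article): a SanDisk stick, a wireless
# mouse receiver, and a company-issued drive plugged into a front-desk PC.
SAMPLE_LOG = """\
May 18 09:41:02 reception-pc kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
May 18 09:41:02 reception-pc kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
May 18 09:41:02 reception-pc kernel: usb 1-1: Product: Cruzer Blade
May 18 09:41:02 reception-pc kernel: usb 1-1: Manufacturer: SanDisk
May 18 09:41:02 reception-pc kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
May 18 09:41:03 reception-pc kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
May 18 09:42:10 reception-pc kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
May 18 09:42:10 reception-pc kernel: usb 1-2: Product: USB Receiver
May 18 09:42:10 reception-pc kernel: usb 1-2: Manufacturer: Logitech
May 18 09:45:00 reception-pc kernel: usb 1-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
May 18 09:45:00 reception-pc kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of company-issued encrypted drives as (vendor ID, product ID).
APPROVED_STORAGE = {("1234", "abcd")}

# Common syslog prefix: timestamp, host, and the kernel facility tag.
PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
NEW_DEVICE_RE = re.compile(
    PREFIX + r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
ATTR_RE = re.compile(PREFIX + r"usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer): (?P<val>.*)$")
STORAGE_RE = re.compile(
    PREFIX + r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class UsbDevice:
    host: str
    port: str
    timestamp: str
    vendor_id: str
    product_id: str
    manufacturer: str = ""
    product: str = ""
    mass_storage: bool = False


def parse_usb_events(log_text):
    """Correlate kernel USB messages by (host, port) into one record per plugged device."""
    devices = {}   # (host, port) -> most recent UsbDevice enumerated on that port
    seen = []      # every device in the order it appeared
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.match(line)
        if m:
            dev = UsbDevice(m["host"], m["port"], m["ts"], m["vid"], m["pid"])
            devices[(m["host"], m["port"])] = dev   # a re-plug on the same port starts a new record
            seen.append(dev)
            continue
        m = ATTR_RE.match(line) or STORAGE_RE.match(line)
        if not m:
            continue
        dev = devices.get((m["host"], m["port"]))
        if dev is None:
            continue   # attribute for a device whose enumeration we never saw
        if m.re is STORAGE_RE:
            dev.mass_storage = True
        elif m["key"] == "Product":
            dev.product = m["val"]
        else:
            dev.manufacturer = m["val"]
    return seen


def flag_unapproved_storage(devices, allowlist=APPROVED_STORAGE):
    """Return every mass-storage device whose vendor:product pair is not on the allowlist."""
    return [d for d in devices
            if d.mass_storage and (d.vendor_id, d.product_id) not in allowlist]


if __name__ == "__main__":
    for d in flag_unapproved_storage(parse_usb_events(SAMPLE_LOG)):
        print(f"{d.timestamp} {d.host}: unapproved USB storage on port {d.port} "
              f"({d.vendor_id}:{d.product_id} {d.manufacturer} {d.product})")
```

In practice the input would come from `journalctl -k` or a central log collector rather than an inline string, and the alert would sit beside a preventive control such as blacklisting the usb-storage module on machines that have no business reading removable media. Two caveats apply: the wireless receiver is correctly ignored because it never triggers usb-storage, but vendor and product IDs are set by the device firmware and can be spoofed, so an allowlist slows down a casual intruder without stopping a purpose-built malicious device; and a device that presents itself as a keyboard rather than a disk never appears in this detection at all.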

Strong cybersecurity platforms can't be built on myths and clichés. There are many ways in which today's cyberthreats defy our assumptions, but the most destructive myth is the notion that cybersecurity is someone else's responsibility. Every employee has to be armed against cyberattacks, and while this may sound a little daunting at first, employees who are capable of keeping themselves and their companies safe will discover that it's also empowering.


Zack Schuler is the CEO/founder of NINJIO, an IT security awareness company that empowers individuals and organizations to become defenders against cyber threats. He is driven by the idea of a "security awareness mindset," in which online safety becomes part of who someone is ...