Vulnerabilities / Threats

5/18/2020
10:00 AM
Zack Schuler
Commentary

The 3 Top Cybersecurity Myths & What You Should Know

With millions of employees now attempting to work from home, it's vital to challenge misconceptions about cybersecurity.

Imagine you're working at the front desk of a tech company when a woman walks through the front door and tells you she was just in a car accident. You ask if there's anything you can do to help, but she says it wasn't serious and asks if you could direct her to a restroom.

You later discover that the woman inserted a flash drive into an unattended computer and infected your company's entire system with a destructive form of malware. Or at least that's what she could have done if the malware was real — this strange scenario was actually an elaborate demonstration (arranged by a cybersecurity professional I know) designed to show employees that not all cyberattacks are carried out remotely.

The idea that cybercriminals never interact with their targets is one of many cybersecurity myths that need to be debunked. With millions of employees now attempting to work from home for the first time due to the COVID-19 pandemic, which has pushed company data onto home networks and personal devices and expanded the attack surface well beyond the office, it's vital to challenge stubborn misconceptions about cybersecurity.

Myth No. 1: The security team is going to protect me.
Many employees argue that they aren't particularly technical, so they simply delegate the job of keeping themselves and the company safe to someone else. But at a time when every employee uses multiple connected devices and hackers are increasingly targeting people across entire companies, there's no excuse for leaving cybersecurity up to someone else.

Andy Boldin is the solutions delivery chief at SAIC, and he told me the complacent idea that "the security team is going to protect me" is one of the most consequential cybersecurity myths there is: "People think the security team will take care of everything," he says, "while they can do whatever they want." This isn't just wrong; it's the opposite of the truth. Social engineering, the deception and manipulation of human beings to infiltrate a company, is among the most common and costly types of cyberattack, and anyone can be a target, from a CEO to a receptionist.

According to a 2018 survey conducted by the Ponemon Institute, companies cite their "inability to hire and retain expert staff" as one of the biggest cybersecurity problems they face. Meanwhile, they rank "human factors" as one of their most serious vulnerabilities. Both of these issues point to a single solution: empowering employees to be cybersecurity defenders at every level of the company.

Myth No. 2: IT professionals don't fall for cyberattacks.
Many companies think a well-trained IT team is all the protection they need against cyberattacks, but this is another harmful myth. As Boldin explains: "Even professionals fall for social engineering attacks. People will always look for the easy way of doing things — including IT pros. Everyone multitasks and security doesn't always get our full attention."

This is why Boldin recommends "continual training" across the entire company — and not just annual compliance training, which he describes as the "new normal." He argues that frequent and consistent "hands-on awareness training" is the most effective way for companies to keep themselves safe. This is particularly important for the small and medium-sized businesses (SMBs) that make up the core of the U.S. economy. Many SMBs can't afford dedicated IT security teams, which makes companywide cybersecurity training all the more important for them. According to Verizon's 2019 "Data Breach Investigations Report," 43% of breaches "involved small business victims."

Even if IT professionals were capable of spotting and thwarting every cyberattack — which certainly isn't the case — many companies would still be left with no defenses, as most companies don't have the resources to build their own IT teams. This is just one more reason why effective cybersecurity platforms have to include everyone.

Myth No. 3: Cyberattacks are confined to the digital world.
Granted, the scenario at the beginning of this article is fairly implausible. But once we finally return to the office, it's essential to remember that physical security is, in fact, a crucial element of any robust cybersecurity platform. Many major breaches have been caused by a strategically placed flash drive, a stolen laptop, or some other form of physical infiltration.

As Boldin observes, "Security is not just cybersecurity. Remember that physical access can play a vital role." In the summer of 2017, the NotPetya worm, which the US and UK governments later attributed to the Russian military, swept around the world, damaging critical infrastructure, halting international shipping operations, and causing an estimated $10 billion in damage. At the global shipping giant Maersk, a single machine that had pulled a trojanized update of the Ukrainian accounting package M.E.Doc was enough for the worm to spread across the entire company.

NotPetya got in through a poisoned software update rather than a USB port, but the lesson carries over: one compromised endpoint, whatever the entry vector, can crash a massive network and cripple the largest container shipping company in the world. Physical delivery is just as real. The Stuxnet worm that damaged centrifuges at Iran's Natanz enrichment facility is widely reported to have been carried in on a flash drive plugged straight into one of the facility's computers, and infected flash drives have even been handed out at tech conferences. Physical security is cybersecurity.
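The flash-drive scenario that opens this article is also a detection problem: a machine's kernel announces every USB device the moment it is plugged in, and that announcement can be checked against a list of what the company actually issued. The script below is an added example written for this article, not code from the author or from any product mentioned here. It parses the Linux kernel's USB enumeration messages (the lines you see in `dmesg` or `journalctl -k`), records each device's vendor/product IDs, notes whether the kernel bound it as mass storage or as a keyboard, and flags anything outside an allow-list. The allow-list, the vendor/product IDs and the log lines are constructed for the example; only the message format matches what the kernel emits. The third sample device is the case worth watching for: something that looks like a flash drive but enumerates as a keyboard, which is how keystroke-injection devices work.

```python
"""Spot unapproved USB devices in Linux kernel log lines.

Added example for this article, not the author's code. The allow-list
and the sample log below are constructed; the log line format is the
kernel's own.
"""
import re
from dataclasses import dataclass, field

# Constructed allow-list: (idVendor, idProduct) pairs the org has approved.
ALLOWED_DEVICES = {("046d", "c31c")}

NEW_DEVICE_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT_RE = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)")
STORAGE_RE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected"
)
HID_RE = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: "
    r"input,hidraw\d+: USB HID v[\d.]+ (?P<kind>\w+)"
)


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    product: str = ""
    classes: set = field(default_factory=set)


def parse_usb_events(lines):
    """Build one UsbDevice per enumerated port from kernel log lines."""
    devices = {}  # port -> UsbDevice, kept in insertion order
    for line in lines:
        if m := NEW_DEVICE_RE.search(line):
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
        elif (m := PRODUCT_RE.search(line)) and m["port"] in devices:
            devices[m["port"]].product = m["name"].strip()
        elif (m := STORAGE_RE.search(line)) and m["port"] in devices:
            devices[m["port"]].classes.add("mass-storage")
        elif m := HID_RE.search(line):
            # hid-generic logs the IDs in upper case; map back to the device.
            key = (m["vid"].lower(), m["pid"].lower())
            for dev in devices.values():
                if (dev.vid, dev.pid) == key:
                    dev.classes.add(m["kind"].lower())
    return list(devices.values())


def classify(dev, allowed=ALLOWED_DEVICES):
    """Return (verdict, reason). Unknown storage is blocked outright; an
    unknown keyboard is the BadUSB pattern (a "flash drive" that types)."""
    if (dev.vid, dev.pid) in allowed:
        return "ok", "approved device"
    if "mass-storage" in dev.classes:
        return "block", "unapproved removable storage"
    if "keyboard" in dev.classes:
        return "alert", "unapproved keyboard: possible keystroke-injection device"
    return "review", "unknown device"


def audit(lines, allowed=ALLOWED_DEVICES):
    """Audit kernel log lines; returns one row per device found."""
    return [
        (dev.port, dev.vid, dev.pid, dev.product, *classify(dev, allowed))
        for dev in parse_usb_events(lines)
    ]


# Constructed sample log: an approved keyboard, an unapproved flash drive,
# and a "flash drive" that actually enumerates as a keyboard.
SAMPLE_LOG = """\
usb 1-1: new full-speed USB device number 2 using xhci_hcd
usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
usb 1-1: Product: USB Keyboard
hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [USB Keyboard] on usb-0000:00:14.0-1/input0
usb 1-2: new high-speed USB device number 3 using xhci_hcd
usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb 1-2: Product: Ultra Fit
usb-storage 1-2:1.0: USB Mass Storage device detected
usb 1-3: new full-speed USB device number 4 using xhci_hcd
usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
usb 1-3: Product: Flash Drive
hid-generic 0003:ABCD:1234.0002: input,hidraw1: USB HID v1.10 Keyboard [Flash Drive] on usb-0000:00:14.0-3/input0
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG.splitlines()):
        print(row)
```

On a real host, feed the output of `journalctl -k` (or a `dmesg` capture) to `audit()` instead of `SAMPLE_LOG`. The verdicts are only as good as the allow-list, and vendor/product IDs can be spoofed by a device that is built to do so, so treat this as an alerting signal for a human to follow up rather than a substitute for physically controlling which ports are live on unattended machines.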

Strong cybersecurity platforms can't be built on myths and clichés. There are many ways in which today's cyberthreats defy our assumptions, but the most destructive myth is the notion that cybersecurity is someone else's responsibility. Every employee has to be armed against cyberattacks, and while this may sound a little daunting at first, employees who are capable of keeping themselves and their companies safe will discover that it's also empowering.

Zack Schuler is the CEO/founder of NINJIO, an IT security awareness company that empowers individuals and organizations to become defenders against cyber threats. He is driven by the idea of a "security awareness mindset," in which online safety becomes part of who someone is ...