Dark Reading
Vulnerabilities / Threats
5/18/2020 10:00 AM
Zack Schuler
Commentary
The 3 Top Cybersecurity Myths & What You Should Know

With millions of employees now attempting to work from home, it's vital to challenge misconceptions about cybersecurity.

Imagine you're working at the front desk of a tech company when a woman walks through the front door and tells you she was just in a car accident. You ask if there's anything you can do to help, but she says it wasn't serious and asks if you could direct her to a restroom.

You later discover that the woman inserted a flash drive into an unattended computer and infected your company's entire network with a destructive form of malware. Or at least that is what she could have done had the malware been real: this strange scenario was actually an elaborate demonstration (arranged by a cybersecurity professional I know) designed to show employees that not all cyberattacks are carried out remotely.

The idea that cybercriminals never interact with their targets in person is one of many cybersecurity myths that need to be debunked. With millions of employees now working from home for the first time because of the COVID-19 pandemic, on home networks and devices that sit outside the protections of the office, it's vital to challenge stubborn misconceptions about cybersecurity.

Myth No. 1: The security team is going to protect me.
Many employees argue that they aren't particularly technical, so they simply delegate the job of keeping themselves and the company safe to someone else. But at a time when every employee uses multiple connected devices and hackers are increasingly targeting people across entire companies, there's no excuse for leaving cybersecurity up to someone else.

Andy Boldin is the solutions delivery chief at SAIC, and he told me the complacent idea that "the security team is going to protect me" is one of the most consequential cybersecurity myths there is: "People think the security team will take care of everything," he says, "while they can do whatever they want." This isn't just wrong; it's the opposite of the truth. Social engineering, the deception and manipulation of people to gain a foothold in a company, is among the most common and costly categories of attack precisely because it goes around the technical controls the security team builds. And anyone can be a target, from the CEO to the receptionist.

According to a 2018 survey conducted by the Ponemon Institute, companies cite their "inability to hire and retain expert staff" as one of the biggest cybersecurity problems they face. Meanwhile, they rank "human factors" as one of their most serious vulnerabilities. Both of these issues point to a single solution: empowering employees to be cybersecurity defenders at every level of the company.

Myth No. 2: IT professionals don't fall for cyberattacks.
Many companies think a well-trained IT team is all the protection they need against cyberattacks, but this is another harmful myth. As Boldin explains: "Even professionals fall for social engineering attacks. People will always look for the easy way of doing things — including IT pros. Everyone multitasks and security doesn't always get our full attention."

This is why Boldin recommends "continual training" across the entire company — and not just annual compliance training, which he describes as the "new normal." He argues that frequent and consistent "hands-on awareness training" is the most effective way for companies to keep themselves safe. This is particularly important for the small and medium-sized businesses (SMBs) that make up the core of the U.S. economy. Many SMBs can't afford dedicated IT security teams, which makes companywide cybersecurity training all the more important for them. According to Verizon's 2019 "Data Breach Investigations Report," 43% of breaches "involved small business victims."

Even if IT professionals were capable of spotting and thwarting every cyberattack, which certainly isn't the case, many companies would still be left without that defense, because most small businesses cannot afford a dedicated security team at all. This is just one more reason why effective cybersecurity platforms have to include everyone.

Myth No. 3: Cyberattacks are confined to the digital world.
Granted, the scenario at the beginning of this article is fairly implausible. But once we finally return to the office, it's essential to remember that physical security is, in fact, a crucial element of any robust cybersecurity platform. Many major breaches have started with a strategically placed flash drive, a stolen laptop, or some other form of physical infiltration.

As Boldin observes, "Security is not just cybersecurity. Remember that physical access can play a vital role." Consider how little it takes. In the summer of 2017, NotPetya, a worm attributed to Russia, swept around the world, disrupting critical infrastructure and international shipping and causing an estimated $10 billion in damage. At the global shipping giant Maersk, the worm arrived through a single computer in its Odessa office running the Ukrainian M.E.Doc accounting software, whose update channel the attackers had hijacked, and from that one machine it spread across the entire company.

That is a stark reminder that one compromised endpoint, whether the attacker reached it over the network or by walking up to it, can cripple the largest shipping company in the world. The clearer example of physical delivery is Stuxnet, the worm that damaged centrifuges at Iran's Natanz enrichment facility: the plant's network was air-gapped, and the malware is widely reported to have been carried in on USB drives and plugged straight into the facility's computers. Infected flash drives have even been handed out at tech conferences. Physical security is cybersecurity.
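The front-desk scenario and the flash-drive cases above share one observable: a mass-storage device appears on a host where none is expected. The following is an added example, not code from the article or from NINJIO, showing how that signal can be pulled out of Linux kernel log lines and turned into an alert. It assumes syslog-style kernel messages as written by rsyslog or journald; the sample lines are constructed for this example, and the function names (`parse_usb_storage_events`, `removable_media_alerts`) are this example's own.

```python
"""
Added example (not from the article): detect USB mass-storage insertions in
Linux kernel log lines, the kind of telemetry that turns the "unattended
computer plus flash drive" scenario into an alert instead of a surprise.

Assumptions: syslog-style lines as written by rsyslog/journald for kernel
messages; the sample lines below are constructed, not from any real incident.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample: a SanDisk flash drive inserted on a front-desk host,
# followed by a (harmless) wireless mouse receiver on another port.
SAMPLE_LOG = """\
May 18 09:58:41 frontdesk-01 kernel: usb 1-1.2: new high-speed USB device number 7 using xhci_hcd
May 18 09:58:41 frontdesk-01 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
May 18 09:58:41 frontdesk-01 kernel: usb 1-1.2: Product: Ultra
May 18 09:58:41 frontdesk-01 kernel: usb 1-1.2: Manufacturer: SanDisk
May 18 09:58:41 frontdesk-01 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
May 18 09:58:42 frontdesk-01 kernel: scsi 6:0:0:0: Direct-Access     SanDisk  Ultra            1.00 PQ: 0 ANSI: 6
May 18 09:58:42 frontdesk-01 kernel: sd 6:0:0:0: [sdb] 60088320 512-byte logical blocks: (30.8 GB/28.7 GiB)
May 18 09:58:42 frontdesk-01 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
May 18 10:03:12 frontdesk-01 kernel: usb 1-1.3: new full-speed USB device number 8 using xhci_hcd
May 18 10:03:12 frontdesk-01 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
May 18 10:03:12 frontdesk-01 kernel: usb 1-1.3: Product: USB Receiver
May 18 10:03:12 frontdesk-01 kernel: usb 1-1.3: Manufacturer: Logitech
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+kernel:\s+(?P<msg>.*)$")
NEW_DEV_RE = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STRING_RE = re.compile(r"^usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer): (?P<val>.+)$")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
BLOCK_RE = re.compile(r"^sd [\d:]+: \[(?P<dev>sd[a-z]+)\] Attached SCSI removable disk")


@dataclass
class UsbStorageEvent:
    timestamp: str
    host: str
    port: str
    vendor_id: str
    product_id: str
    manufacturer: Optional[str] = None
    product: Optional[str] = None
    block_device: Optional[str] = None  # e.g. "sdb", once the kernel attaches it


def parse_usb_storage_events(lines: Iterable[str]) -> List[UsbStorageEvent]:
    """Correlate per-port enumeration lines and emit one event per mass-storage device."""
    pending: Dict[str, Dict[str, Optional[str]]] = {}  # port -> ids and strings seen so far
    events: List[UsbStorageEvent] = []
    attributing = False  # True while the next "Attached SCSI removable disk" belongs to events[-1]
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
        if (d := NEW_DEV_RE.match(msg)):
            pending[d["port"]] = {"vid": d["vid"], "pid": d["pid"], "manufacturer": None, "product": None}
            attributing = False  # a new device resets block-device attribution
        elif (s := STRING_RE.match(msg)) and s["port"] in pending:
            pending[s["port"]][s["key"].lower()] = s["val"]
        elif (st := STORAGE_RE.match(msg)):
            info = pending.get(st["port"], {"vid": "????", "pid": "????", "manufacturer": None, "product": None})
            events.append(UsbStorageEvent(ts, host, st["port"], info["vid"], info["pid"],
                                          info["manufacturer"], info["product"]))
            attributing = True
        elif (b := BLOCK_RE.match(msg)) and attributing:
            events[-1].block_device = b["dev"]  # heuristic: the disk attaches right after detection
            attributing = False
    return events


def removable_media_alerts(lines: Iterable[str], allowed_vendor_ids: frozenset = frozenset()) -> List[str]:
    """One alert string per mass-storage insertion whose USB vendor ID is not on the allowlist."""
    alerts: List[str] = []
    for ev in parse_usb_storage_events(lines):
        if ev.vendor_id in allowed_vendor_ids:
            continue
        label = " ".join(x for x in (ev.manufacturer, ev.product) if x) or "unknown device"
        alerts.append(f"{ev.timestamp} {ev.host}: removable media {label} "
                      f"({ev.vendor_id}:{ev.product_id}) on port {ev.port} as /dev/{ev.block_device or '?'}")
    return alerts


if __name__ == "__main__":
    for line in removable_media_alerts(SAMPLE_LOG.splitlines()):
        print(line)
```

Run against the constructed sample, the parser reports the SanDisk drive on port 1-1.2 attached as /dev/sdb and ignores the mouse receiver, because only the `usb-storage` line marks a device as mass storage. The vendor-ID allowlist is a deliberately coarse control: a vendor ID is trivially spoofed by a hostile device, so in practice this belongs alongside a policy that blocks removable storage on hosts that have no business need for it, with the log rule catching the exceptions.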

Strong cybersecurity platforms can't be built on myths and clichés. There are many ways in which today's cyberthreats defy our assumptions, but the most destructive myth is the notion that cybersecurity is someone else's responsibility. Every employee has to be armed against cyberattacks, and while this may sound a little daunting at first, employees who are capable of keeping themselves and their companies safe will discover that it's also empowering.

Zack Schuler is the CEO/founder of NINJIO, an IT security awareness company that empowers individuals and organizations to become defenders against cyber threats. He is driven by the idea of a "security awareness mindset," in which online safety becomes part of who someone is ... View Full Bio