Imagine you're working at the front desk of a tech company when a woman walks through the front door and tells you she was just in a car accident. You ask if there's anything you can do to help, but she says it wasn't serious and asks if you could direct her to a restroom.
You later discover that the woman inserted a flash drive into an unattended computer and infected your company's entire system with a destructive form of malware. Or at least that's what she could have done if the malware was real — this strange scenario was actually an elaborate demonstration (arranged by a cybersecurity professional I know) designed to show employees that not all cyberattacks are carried out remotely.
The idea that cybercriminals never interact with their targets is one of many cybersecurity myths that need to be debunked. With millions of employees now attempting to work from home for the first time due to the COVID-19 pandemic — which increases their vulnerability more than ever — it's vital to challenge stubborn misconceptions about cybersecurity.
Myth No. 1: The security team is going to protect me.
Many employees argue that they aren't particularly technical, so they simply delegate the job of keeping themselves and the company safe to someone else. But at a time when every employee uses multiple connected devices and hackers are increasingly targeting people across entire companies, there's no excuse for leaving cybersecurity up to someone else.
Andy Boldin is the solutions delivery chief at SAIC, and he told me the complacent idea that "the security team is going to protect me" is one of the most consequential cybersecurity myths there is: "People think the security team will take care of everything," he says, "while they can do whatever they want." This isn't just wrong — it's the opposite of the truth. Social engineering — the deception and manipulation of human beings to infiltrate a company — is the most common and costly type of cyberattack. And anyone can be a target, from a CEO to a receptionist.
According to a 2018 survey conducted by the Ponemon Institute, companies cite their "inability to hire and retain expert staff" as one of the biggest cybersecurity problems they face. Meanwhile, they rank "human factors" as one of their most serious vulnerabilities. Both of these issues point to a single solution: empowering employees to be cybersecurity defenders at every level of the company.
Myth No. 2: IT professionals don't fall for cyberattacks.
Many companies think a well-trained IT team is all the protection they need against cyberattacks, but this is another harmful myth. As Boldin explains: "Even professionals fall for social engineering attacks. People will always look for the easy way of doing things — including IT pros. Everyone multitasks and security doesn't always get our full attention."
This is why Boldin recommends "continual training" across the entire company — and not just annual compliance training, which he describes as the "new normal." He argues that frequent and consistent "hands-on awareness training" is the most effective way for companies to keep themselves safe. This is particularly important for the small and medium-sized businesses (SMBs) that make up the core of the U.S. economy. Many SMBs can't afford dedicated IT security teams, which makes companywide cybersecurity training all the more important for them. According to Verizon's 2019 "Data Breach Investigations Report," 43% of breaches "involved small business victims."
Even if IT professionals were capable of spotting and thwarting every cyberattack — which certainly isn't the case — many companies would still be left with no defenses, as most companies don't have the resources to build their own IT teams. This is just one more reason why effective cybersecurity platforms have to include everyone.
Myth No. 3: Cyberattacks are confined to the digital world.
Granted, the scenario at the beginning of this article is fairly implausible. But once we finally return to the office, it's essential to remember that physical security is, in fact, a crucial element of any robust cybersecurity platform. Many major breaches have been caused by a strategically placed flash drive, a stolen laptop, or some other form of physical infiltration.
As Boldin observes, "Security is not just cybersecurity. Remember that physical access can play a vital role." In the summer of 2017, a Russian worm called NotPetya swept around the world, damaging critical infrastructure, cutting off international shipping operations, and causing $10 billion in damage. For the global shipping giant Maersk, one infected computer ended up spreading the worm across the entire company.
This is a stark reminder that a single physical entry point can crash a massive network and cripple the largest shipping company in the world. There are other examples, too — the Stuxnet worm that ravaged Iran's Natanz nuclear facility was delivered via a flash drive that was plugged straight into one of the facility's computers. Infected flash drives have even been handed out at tech conferences. Physical security is cybersecurity.
Strong cybersecurity platforms can't be built on myths and clichés. There are many ways in which today's cyberthreats defy our assumptions, but the most destructive myth is the notion that cybersecurity is someone else's responsibility. Every employee has to be armed against cyberattacks, and while this may sound a little daunting at first, employees who are capable of keeping themselves and their companies safe will discover that it's also empowering.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Cyber Subterfuge and Curious Sharks Threaten the World’s Subsea Fiber-Optic Cables."