5 Misconceptions CEOs Need to Address for Better Cyber Security
Munawar Abadullah
AI Powered PropTech & FinTech Founder | CEO | Investor | Entrepreneur | Media Personality | Public Figure | Board Member | Adviser | Keynote Speaker
Cyber-crime is at an all-time high and will keep rising for as long as organizations take a passive approach to online security.
While some CEOs treat cyber security as a back-burner item, the hacking industry has evolved to the point where almost anyone can mount an attack. An aspiring cyber-criminal can buy a full-fledged exploit kit for as little as $3,000. A kit like this does most of the work automatically, trying one exploit after another against a target until it finds an unpatched vulnerability. More experienced attackers are more creative in their approach, combining social engineering, deception and purpose-built tooling to get hold of your company's data.
Most small-to-medium businesses (SMBs) lack a clear understanding of current threats and of their own vulnerabilities. Some organizations deploy generic security countermeasures and move on, but this strategy is often ineffective because it never identifies the underlying weaknesses those countermeasures are supposed to cover.
Cyber security remains mired in mystery, and there are misconceptions about how hackers manage to breach supposedly secure environments. In reality, most high-profile security breaches are facilitated by gross employee negligence and could have been easily avoided by sticking to a simple yet effective "don't do" list.
Here are five of the most alarming mistakes that organizations make when protecting their data:
1. We are a small company. We have nothing to worry about.
Unfortunately, hackers look at SMBs as low-hanging fruit. The average hacker will almost always prefer an easy target over spending months taking swings at something surrounded by firewalls. Large companies have invested heavily in their defenses against malicious cyber-attacks, so hackers tend to target SMBs instead, and frequently use a compromised SMB as a stepping stone into the larger partners and customers it connects to. In fact, nine out of 10 U.S. businesses were victims of at least one hacking incident in the past year, according to a 2016 survey, and that number is expected to rise significantly in the next few years, spurred by further SMB adoption of cloud computing and the huge amount of personal information now stored online.
2. Our security team is great and runs a tight ship.
No matter how robust your security apparatus, it only takes a single non-technical employee to compromise an entire network. Careless or poorly trained employees are the biggest vulnerability a security program can have. A large share of last year's security breaches began with an employee innocently downloading an infected file onto a work computer or falling for a phishing email. Once a hacker has a foothold on one machine, it is fairly easy to use that employee's credentials and mailbox to move laterally to every other system on the same network.
It is extremely important for management to train employees in best practices against cyber-security threats. Proactive leadership puts employee education in place before, not after, it invests in in-depth technical defenses.
3. Everything is password protected, so what's the big deal?
Relying solely on passwords for your organization's security is a practice that security experts have frowned upon for years. Computers process huge amounts of data in very little time: a hacker cracking a stolen database of password hashes offline, where no login lockout or rate limit applies, can test more than 420 billion candidate passwords per minute. Brute-force attacks, hybrid attacks and dictionary attacks are just a few of the methods hackers use to crack a password.
A strong password is a string of at least 20 characters. It should mix upper-case, lower-case, digits and special characters, with a decent amount of gibberish rather than real words, because most password-cracking tools draw on databases of the most popular words and their common variations (capitalized, with a year or a "123" appended). In password cracking the decisive factor isn't human error but the technology behind the attack: guesses are tried at machine speed, so any password built from words, dates or simple patterns falls quickly however careful its owner was. Security experts broadly agree that the best protection against password cracking is to deploy multi-factor authentication, so that a cracked password alone is not enough to log in, and to train employees in safe password habits.
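To make the numbers above concrete, the following Python script is an added example and not part of the original article: it builds a constructed "leaked" database of unsalted SHA-256 password hashes, runs a small hybrid dictionary attack (popular words plus common capitalization, digit and symbol suffixes) against it, and computes how long exhaustive brute force would take at the article's 420 billion guesses per minute (7 billion per second). The usernames, passwords, wordlist and suffix rules are all constructed for the demonstration; real cracking tools ship wordlists of millions of entries and thousands of mangling rules.

```python
import hashlib

# Constructed sample data: four accounts whose passwords an attacker has obtained
# as unsalted SHA-256 hashes (the kind of database that is cracked offline, where
# no login lockout applies). These are not real accounts.
SAMPLE_PASSWORDS = {
    "alice": "password",
    "bob": "Summer2016!",
    "carol": "welcome123",
    "dave": "T7#qLm9vZ2!wXr4pKd0s",  # 20 random characters, as the article recommends
}


def sha256_hex(text):
    """Hash a candidate password the way the (constructed) leaked database did."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


LEAKED_HASHES = {user: sha256_hex(pw) for user, pw in SAMPLE_PASSWORDS.items()}

# Constructed stand-in for the "most popular words" database cracking tools use.
WORDLIST = ["password", "welcome", "summer", "letmein", "qwerty", "admin"]

# Constructed mangling rules: the suffixes people most often bolt onto a word.
SUFFIXES = ["", "1", "123", "2016", "2016!", "!"]


def hybrid_candidates(wordlist, suffixes=SUFFIXES):
    """Yield each dictionary word with typical capitalization and suffix mangling."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                yield base + suffix


def dictionary_attack(hashes, wordlist):
    """Return {user: recovered_password} for every hash matched by a hybrid guess."""
    # Reverse index so each candidate costs one hash and one lookup regardless
    # of how many accounts are in the leak; the attacker cracks them all at once.
    users_by_hash = {}
    for user, digest in hashes.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for guess in hybrid_candidates(wordlist):
        digest = sha256_hex(guess)
        for user in users_by_hash.get(digest, []):
            cracked[user] = guess
    return cracked


def brute_force_years(length, alphabet_size, guesses_per_second=7e9):
    """Years needed to exhaust every password of `length` characters drawn from an
    alphabet of `alphabet_size` symbols at the given offline guess rate
    (default 7e9 per second, i.e. the article's 420 billion per minute)."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    cracked = dictionary_attack(LEAKED_HASHES, WORDLIST)
    for user, password in cracked.items():
        print(f"cracked {user}: {password}")
    for user in SAMPLE_PASSWORDS:
        if user not in cracked:
            print(f"not cracked: {user}")
    # 95 printable ASCII characters: an 8-character password falls in days,
    # a random 20-character one is out of reach.
    for length in (8, 12, 20):
        print(f"{length} chars: {brute_force_years(length, 95):.3g} years")
```

The three word-based passwords fall to a handful of guesses while the random 20-character one is untouched, and the keyspace arithmetic shows why length and randomness matter more than clever substitutions. Two further points the script does not show: storing passwords with a salted, deliberately slow hash (bcrypt, scrypt or Argon2) cuts the attacker's guess rate by several orders of magnitude, and multi-factor authentication means that even a cracked password is not enough to log in.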
4. Our executives would never fall for an obvious scam.
A popular misconception is that social engineering, the "art" of manipulating people into giving up confidential information, is restricted to small, obvious scams such as stealing an individual's credit card details. That is false. Almost 30 percent of all business-related security breaches have some form of social engineering at their heart. In 2009, hackers posed as Coca-Cola's CEO and persuaded a senior executive to open an infected email, and the malware ended up infiltrating the whole network. All it takes for a complex security chain to fall is one employee who accepts a scenario at face value.
A recent study shows that most such breaches succeeded because employees were unfamiliar with the company's security processes and policies, rather than because they were simply careless. Organizations need to simplify security training and give employees a way to verify unambiguously who is really making a request, for example by calling back on a known number instead of replying to the email. Other best practices include giving employees a security checklist that applies to a range of situations and introducing them to the basics of social engineering and cyber security. It is also important to encourage employees to report when they have clicked or shared something by mistake, without fear of blame, so the security team can check and stop the malicious activity before it causes more damage.
5. We back up everything, so we can just restore operations.
Ransomware has been around for many years but hit the mainstream media when WannaCry infected more than 230,000 computers in over 150 countries in a single day. This malicious software encrypts the victim's files and threatens to delete them unless a ransom is paid. Well-built ransomware uses a technique called cryptoviral extortion: each file is encrypted with a fresh symmetric key, and that key is in turn encrypted with the attacker's public key, so nothing left on the victim's machine can recover the files without the attacker's private key. Backups help only if they survive the attack; ransomware routinely deletes volume shadow copies and encrypts any backup share, mapped drive or cloud-synced folder it can reach, and even when a clean copy exists, restoring hundreds of systems takes days. Organizations hit by this malware experience partial or even complete paralysis of operations while the attack is happening.
Fortunately, ransomware is much easier to prevent than to deal with once an infection is in progress. A first step is to deploy up-to-date endpoint protection across all of the organization's endpoints and to keep operating systems patched; WannaCry spread through a Windows SMB vulnerability for which Microsoft had published a fix two months earlier. Backups remain the last line of defense, but only if at least one copy is kept offline or otherwise unreachable from the network and restores are tested regularly. Security campaigns that promote awareness about the dangers of clicking on unknown links or email attachments are also a good idea, and mail-filtering and application-control rules can stop employees from opening unvalidated links or running executables that arrive as attachments.
Hacking is a very real threat, and there are many ways for a hacker to breach an apparently secure environment—regardless of how well you’ve cordoned off your corporate networks. There’s no “cure-all” that will prevent every cyber breach from happening, but the best way to prevent and mitigate an infection is to take a community approach to preventative care, putting the responsibility of protecting the organization on every individual. Leaders who prevent rather than fix will always lead a safer organization in the cyber world.
If you want to learn more about preventing hackers from entering your business, read my article 7 Steps to Keep Hackers Out of Your Business.
Munawar Abadullah is the CEO of the ImpTrax Corporation, a NYC-based IT/Software company that provides scalable solutions for complex and legacy software systems. You can reach out to him directly at [email protected] or learn more about ImpTrax at www.ImpTrax.com