Top 7 Cybersecurity Myths & Facts

Yesterday, I was listening to Paul’s Security Weekly (a few-week-old episode; I still need to catch up with them), where genius Paul Asadoorian and his co-hosts were discussing the top cybersecurity myths. Along with the myths they highlighted, I added some more based on my experience.

Here are my top 7 cybersecurity myths that are present in the industry:

Myth No 1: "Cyber Security team is going to protect company"

  • Many employees argue that it is “only” the cybersecurity team’s responsibility to keep the environment safe and secure. The justification they use is either that they are not particularly technical, or that since there is a separate team, why should they take on the extra burden.
  • As per this report from Kaspersky (Link: https://www.kaspersky.com/blog/the-human-factor-in-it-security/), the human factor is one of the most critical vulnerabilities for any organisation, and it can be exploited very easily. Social engineering is one of the wildly popular methods, and it directly targets one of the most vulnerable components of the organisation: “Humans”.
  • Cybersecurity is the collective responsibility of everyone, not limited to a single person or team. And honestly, without everyone coming together it is not possible to protect an organisation.


Myth No 2: "Cyber attacks are confined only to the digital world"

  • This is a very widespread and common misconception: that cybersecurity is limited to the digital world. People often forget that physical security is a vital part of the cybersecurity umbrella. And if an organisation can be breached physically, then it is almost child’s play to own its digital network.
  • Just to give one famous example: the Stuxnet worm was spread by a single infected USB flash drive. This virus significantly damaged Iran’s nuclear programme. Iran paid a massive cost for neglecting physical security. (Link: https://en.wikipedia.org/wiki/Stuxnet)


Myth No 3: "We spend a lot of money on our security devices and technology, so we are secure"

  • This is a common misconception among business executives. They think that since they have spent a fortune on the organisation’s security posture and purchased some of the latest technology, they are secure now.
  • Having cutting-edge technology and the latest security device model is a good thing. But if these devices and technology are not configured properly, they are more or less a waste.
  • Vendors and security providers ship devices and technology with a generic configuration. Every organisation needs to understand its own requirements and fine-tune the devices and security policies accordingly. If this is not done properly, then the rest is a cakewalk for the bad guys.

Myth No 4: "Our applications are in the cloud, so we are compliant now"

  • Many companies have this misconception (Still…!!!) that because their applications are in the cloud, they are compliant with the various standards. Just to give a personal example, one of the managers I worked for in the distant past was under the assumption that because AWS was ISO certified, the application hosted on it inherited the certification.
  • People forget that the cloud provider is certified for its own infrastructure and applications, but the owner of the hosted application still needs to think about their own application.


Myth No 5: "Cybercriminals only target big organisations, and we are comparatively small, so we are safe"

  • We see this misconception in small and medium organisations, where people believe that bad actors would gain nothing by targeting them, so they are immune to all cyber attacks.
  • The reality is that small and middle-market companies may be more vulnerable to cyber attacks, because criminals know these businesses do not take substantial preventative measures.
  • Companies with 250 or fewer employees accounted for 43 per cent of cyber-attacks last year.


Myth No 6: "Our system requires the user to set a complex password, so we are safe from password attacks"

  • This is a widely spread misconception, and it is still costing organisations across the globe millions of dollars. While a strong password is a good option, there is no alternative to multi-factor authentication.
  • 2FA makes life much harder for attackers, as it is a lot more difficult to acquire both someone’s password and their second authentication token at the same time.
  • Personally, I think that a weak password + two-factor authentication combo might still be safer than a strong password alone, because with 2FA the data is protected not only by the password but also by the second factor. Even if your weak password is cracked through brute force, a hacker would still not have access to your account, thanks to the protection of the second factor.

Myth No 7: "IT professionals don’t fall for cyberattacks"

  • In the current time, when organisations are spending a fortune to train their IT employees, this is the bitter truth: there is every chance that even these well-trained IT employees can fall for cyber attacks.
  • People, including IT professionals, will always look for shortcuts and easy ways of doing things, and that sometimes costs security.
  • Once in a while everyone multitasks or comes under a huge workload, and at that time security does not get the IT professional’s full attention.


We cannot build strong cybersecurity platforms on myths and clichés. In many ways, our assumptions cannot withstand today’s cyberthreats. We need to accept this daunting reality and adopt proper security practices for organisations and individuals. Every year, hundreds of thousands of organisations across the globe get breached. Let’s adopt best practices so ours will not be one of them.

Food for thought! Good stuff. Number 1 would be in my top list, as the organisation’s security depends a lot on the people that enforce it. Therefore security awareness plays a crucial role in strengthening the security posture. Of course, this assumes that the technology aspect is taken care of. Furthermore, a corporate security culture that emanates from the top down is also a key factor. Only then can security governance truly be under the corporate governance umbrella, fulfilling the organisational business objectives. A corporate culture that indeed understands security should be a key goal indicator of success.

Reply
Chirag Goswami

LinkedIn Top Voice || Cyber Security || Cybernara - We’ve Only One Mission: Provide the Best Cyber Security Solution

4 years

HEMANT GAMI, Abhishek Mishra: Thanks for your views. What are the other myths you have come across in the industry, based on your experience? The one I can think of which was missed in the above article: 1) We are XYZ (PCI, ISO etc.) standard compliant as per the last report, so we are safe now.

Reply
Raj Kothari

Entrepreneur | On a long personal break

4 years

Excellent thoughts with facts, easy to understand for a not-so-technical person like me. Thanks

Reply
Hemant Gami

Associate Consultant

4 years

No. 7, but I have seen incidents where smart security guys got trapped.

Reply
Abhishekh Mishra

Network Architect - Data, Security & Cloud | 6×Azure, 2×AWS | F5, Palo Alto, Checkpoint, Cisco, Aruba

4 years

Chirag… mine will be number 3, which says you may have the latest technology, but if it is not configured correctly then it will be of no use. As a security engineer you will see this more.

Reply
