1) High-end security tools are enough to keep you safe.
Sophisticated cybersecurity solutions are certainly an essential part of keeping your business secure, but they don’t solve every problem. As the story in this book’s introduction illustrates, regardless of how solid defenses are, there are always gaps and vulnerabilities. It’s important that security tools don’t lead to a false sense of security.
Security solutions are only fully effective if they are properly configured, monitored, maintained, and integrated into a layered security plan that minimizes gaps.
2) Penetration tests are proof of security.
Though it seems logical that passing regular penetration tests is a good sign of security, organizations should avoid putting too much stock in them.
First off, penetration tests are only indicators. The organization must address any vulnerabilities in its security posture discovered during the test; otherwise, the test is moot. Remediation of this type must be directed at the root cause of the vulnerability as well.
One must also take into account the scope of the test to determine its overall worth. Does it cover the whole network, and replicate the most common cyber threats?
3) Industry regulations are a marker for security.
In 99% of cases, industry data regulations are bare-minimum security practices that, at best, will keep an organization from incurring legal consequences and fines. Regulatory guidelines typically focus on one aspect of data protection and are not updated often enough to keep up with changing cyberthreats.
4) A third-party security provider can handle everything.
Outsourcing security to a dedicated firm is often the best choice an organization can make, but there are still other considerations to be made.
First and foremost, one must always consider that not all cybersecurity firms are created equal. There is an epidemic in the information technology sector of small, underequipped, undertrained IT companies claiming to be cybersecurity experts. I would recommend always working with security providers with credentials — ideally, those with third-party certifications of their own that prove their capabilities. One example is the TISC-2020 certification issued by a private security firm that focuses on auditing and testing IT industry companies.
Once you choose a security provider, you still have a legal and ethical responsibility to secure your critical assets. You should still maintain due diligence and oversight of their work. Make sure that the security provider keeps you informed of their security roles, responsibilities, and capabilities, and any breaches.
5) We’ve never experienced a cyberattack, so we probably never will.
It’s easy to think that if you’re safe now, your security posture must be sufficient to keep you safe forever. Unfortunately, the tenacity of cybercriminals shouldn’t be underestimated. Attacks grow more complex and sophisticated by the day, and defensive strategies that worked a week ago will often be obsolete within a few months. Your defense must remain dynamic and adaptive to the realities of the cyber threat landscape.
6) Security is the sole responsibility of the IT department.
Cybersecurity is a focal point for the IT team, but they should not — and cannot — be solely responsible for security. Cybersecurity preparedness is the responsibility of every member of the staff, every vendor, and every organizational leader.
7) There’s such a thing as “complete cybersecurity”.
Cybersecurity is an ongoing process, not an outcome. Critical assets must be monitored. Internal audits should be regularly conducted. Security policies should be reviewed and updated. Cyberthreats evolve, and so must every organization’s plan to repel them.
8) Some businesses or organizations are less likely to be attacked.
Many organizations assume that they are unlikely cyberthreat targets because of their size or industry. This assumption is false because it fails to recognize the true nature of modern cyberattacks.
The most prolific attacks in recent history have not been “targeted”. They were effective because they were spread wide, indiscriminately, and affected any organization they came across. As we like to say, most cyberattacks are not cruise missiles; they’re minefields. They do damage regardless of who triggers them.
9) Strong passwords are enough to prevent data breaches.
Password hygiene, including strong passwords that are regularly changed, is only the beginning of thorough data protection. A multi-layered defense strategy is always required. Organizations need to employ two-factor authentication and regular data monitoring to close the gaps.
10) Cybercriminals don’t target smaller businesses.
Most small and medium-sized businesses (SMBs) think that they are immune to cyberattacks and data breaches, but this assumption is based on flawed logic.
Again, most cyberattacks aren’t specifically targeted in the first place, so the size of your organization isn’t even a factor. What is a factor is the depth and strength of your security posture — something that usually makes smaller organizations more threatened, not less.
11) Cyberthreats always come from the outside.
Don’t fall into the misconception that cybersecurity is all about creating a wall between your network and the public internet. While breaches from outsider threats are the most significant concern, insider threats are equally dangerous. Awareness of these threats must be raised if we are ever to approach something close to “complete” security. I was asked to write this book for that very reason.
Employee negligence, ignorance, espionage, and malicious intent make insider threats particularly dangerous. Referring back to the story at the beginning of this book, you know that someone on the inside has far more potential to bring down an organization than someone on the outside.
These types of attacks are not rare. In a recent Cyber Security Intelligence Index, IBM revealed that insiders carried out 60% of all cyberattacks.
12) Anti-virus and anti-malware software are enough to keep business safe.
Anti-virus and anti-malware software are a small part of a larger cybersecurity plan. Sadly, there are still IT professionals and IT providers out there claiming that antivirus and firewalls are “a complete security stack”. This is not true.
A mature cybersecurity posture includes a comprehensive cybersecurity plan that encompasses everything from incident response planning to insider threat detection and employee training. Anything less than this is a gamble with poor odds.
14) A password-protected Wi-Fi network is secure.
In remote working or shared workspace environments, users typically rely on the password to keep their data and devices secure. All public Wi-Fi networks can be compromised, even with a password. Users on the network — even unauthorized users — can still gain access to the sensitive data that’s being transmitted. Virtual Private Networks (VPNs) should be used to secure the data that’s being carried on wireless networks.
15) You will know right away if you’re hacked or compromised.
Many cyberattacks or intrusions have taken months, even years, to be discovered. It took four years for Marriott to notice the massive data breach that disclosed the personal and financial information of their 500 million guests. Malware is designed to be stealthy, and newer variants are becoming harder and harder to detect.
I’ve worked with Security Operations Centers (SOCs) that have true horror stories about this. In fact, one SOC analyst told me that nearly every time they begin monitoring a new network, they immediately discover malicious software on the system that had gone completely unnoticed by the client’s cybersecurity protection software.
16) Bring Your Own Device (BYOD) security is not our responsibility.
BYOD policies have become the norm in business IT. They are a cost-effective approach and many employees prefer using their own devices at work. Unfortunately, this trend comes with a whole new set of risks. When employees connect their personal devices to the company’s network, they increase the threat profile exponentially.
All personal devices, including smartphones, laptops, tablets, wearables, and IoT devices, should be subjected to the security protocols put in place on the company’s computers.