1. “Cybersecurity is solely about technology.”
Today’s businesses are almost entirely dependent on data and, more importantly, on the security and accessibility of that data. Cybersecurity involves both the correct implementation of technology and the thorough education and threat awareness of employees. Your organization can purchase and configure a defense for your IT network, but if your employees are unaware of tactics such as social engineering, they can easily allow a cybercriminal to bypass those defenses and gain access to your business-critical information.

For example, your managed IT services provider or internal IT department may have implemented a Next-Generation Firewall along with the other technology defenses your business needs, but consider this scenario. Your financial controller receives an email that appears to be from the CEO of the company. The sender address and signature mimic the CEO’s real information, and the message addresses the recipient directly. The employee knows the CEO is out of town, so a request for an emergency wire transfer appears to make sense under the circumstances. The controller wants to help the CEO as quickly as possible, panics, and transfers the money without consulting anyone in the organization. Unfortunately, the email was a phishing attempt by a cybercriminal who used social engineering to their advantage, and the employee took the bait. This is only one example of how security depends on both technology and employee training to develop a culture of cybersecurity awareness that effectively protects your organization’s network. To help build this culture of healthy suspicion, take the following steps:
- Hold regular training sessions that inform employees regarding the latest cybersecurity threats and infiltration methods in a way that will engage your staff.
- Send regular emails and bulletins that outline the latest threats “in the wild”, how to mitigate them, and what they look like.
- Hold live demos during training sessions.
- Show employees, with their consent, how much a cybercriminal can learn about them via social engineering and how such information can be used in a cyberattack.
- Use simulated phishing campaigns to identify employees who pose a risk to your company, and provide additional education to these individuals.
- Establish security guidelines for employees such as restricting the use of public Wi-Fi networks.
2. “My business is compliant, so we must be secure.”
It’s a common but risky mistake for businesses to treat compliance as the end-all-be-all of security. Yes, your organization must meet its compliance standards, but doing so won’t ensure your business is protected from a cyber-attack. Compliance regulators cannot always keep up with the latest developments in the cybersecurity landscape, and they may not recognize a risk as a compliance violation until multiple businesses have already been affected. Therefore, your organization should look to its IT team or advisor, not its compliance standards, to mitigate malicious threats. For example, your company may meet its compliance expectations, but what if a cybercriminal is using social engineering or phishing to infiltrate your network? Such an attack cannot be prevented by technology alone; your business must have a custom strategy to change the culture of your organization to one that is vigilant and aware of the latest security threats.
3. “We have yet to suffer a network breach, so we must be secure.”
This myth is likely one of the most dangerous misconceptions your organization can hold. Just because your company has not experienced a breach doesn’t mean your network is impenetrable, or that it hasn’t already been compromised. On average, it takes an organization 205 days to detect a cyberattack. Imagine not going to the doctor for a checkup simply because you haven’t experienced any life-threatening disease so far. You could be unaware of a serious heart condition or a terminal cancer that could have been mitigated had you taken the time to assess the state of your health on a regular basis. The same goes for your network. Just because you don’t feel the impact of a security risk doesn’t mean you haven’t already been affected, or that you will not be affected in the future.
4. “We bought the latest and greatest cybersecurity technology. We’re set.”
Another cybersecurity myth is the perception that by owning the most recent and expensive security technology, an organization is safe from cyber threats. Your business can have the most cutting-edge tools and services, but as stated earlier in this article, security is about more than just the technology your business decides to use. How will you implement the technology? Who will be responsible for managing updates and patches? What processes are in place for the implementation and use of the service or tool? These are only a few of the questions your organization needs to consider when creating a comprehensive security solution. For example, you wouldn’t install expensive security cameras in your home and then forget about them. You would configure the technology to suit your security goals, point the cameras at access points, and monitor the footage for any suspicious activity. Similarly, your company should have processes, roles, and protocols established around a security solution to ensure its effectiveness.
5. “Cybercriminals only target big businesses.”
This is one of the most common cybersecurity myths we hear from the businesses we work with. Many small to medium-sized companies are under the impression that their business is safe from cyber-attacks because hackers primarily target large corporations. While cybercriminals do occasionally infiltrate the networks of companies like Yahoo and Target, these attacks are less common than those inflicted on smaller organizations. For example, approximately fifty percent of the small to medium-sized businesses surveyed by the Ponemon Institute and Keeper Technology experienced either a data breach or a cybersecurity attack in 2016. Small to medium-sized businesses are more at risk than larger corporations because cybercriminals know they are less likely to have advanced security measures in place to protect their network. Hackers also use smaller organizations as a pivot point to reach the data of the larger corporations they do business with. Cybersecurity is a multifaceted, high-maintenance aspect of your business that is necessary to your success. You wouldn’t put your health in the hands of an amateur doctor, so don’t put the well-being of your business in the hands of someone without the IT expertise to manage each facet of your cybersecurity solution in a strategic, proactive manner. At Aldridge, our IT professionals have worked with a variety of businesses with complex, ever-changing security needs. This is normal for us, because we understand that both your business and the cybersecurity landscape are always changing, and we know how to manage the chaos this can create. Let us build up your IT security so you can save time and money and focus on running your business.