One of the greatest challenges for organisations attempting to address cyber security risks is the number of fundamental security myths that cause organisations to incorrectly assess threats, misallocate resources and set inappropriate goals.
Dispelling those myths is key to developing a sophisticated, appropriate approach to information security. Here are the top seven cyber security myths busted.
1. Cyber security is an issue for the IT department
There is no doubt that cyber security comes largely from implementing appropriate technical controls to safeguard information held within an organisation. However, the biggest issue today concerns the users of the systems on which this information is held.
They represent the biggest risk, either through intentional actions (a disillusioned member of staff, for example) or by accidentally doing something unwise.
The recent Verizon report on data breach investigations found that 63% of confirmed data breaches involved weak, default or stolen passwords. In another study, by CompTIA, human error was the root cause of 52% of security breaches.
The most common threat today is ransomware: the encryption of files by an attacker who then demands a ransom to release them.
The way this attack happens is usually based on sending an email to a member of staff with an attachment – perhaps a Word or Excel file purporting to be an invoice or order acknowledgment. The staff member opens the attachment and looks at the file before realising it is rubbish. The act of opening the file installs the malware on the computer, and the rest is history.
Educating staff to not open attachments or to not click on links within emails is one of the most important areas for organisations to concentrate on today. Whilst it is possible to put technical controls in place to stop attachments or links being accessed, it tends to be at a high cost to the efficiency of staff and so is often not appropriate.
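The technical control mentioned above, a gateway rule that stops risky attachments before they reach the inbox, is the kind of thing that tends to cost staff efficiency if applied bluntly. The following is an added example, not code from the original article, of a narrower policy: it blocks attachment types that are almost never legitimate business documents (scripts, executables, and names that hide a second extension such as "invoice.pdf.exe"), holds macro-enabled Office files and disk images for review, and lets everything else through. The message it scans is constructed inline, and the extension lists are an assumed policy rather than any standard.

```python
"""Added example (not from the original article): a minimal mail-gateway
attachment check for inbound messages. The sample message and the
extension policy below are constructed for the example."""
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Assumed policy. Types that carry code and have no place in a supplier email.
BLOCK_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".hta",
                    ".bat", ".cmd", ".ps1", ".lnk"}
# Types that may be legitimate but often carry macro or container-based droppers.
REVIEW_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlsb",
                     ".zip", ".iso", ".img"}
# Document-looking inner extensions used to disguise a double extension.
DISGUISE_INNER = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                  ".jpg", ".png"}


def classify_attachment(filename: str) -> str:
    """Return 'block', 'review' or 'allow' for one attachment file name."""
    name = filename.lower()
    root, ext = posixpath.splitext(name)
    _, inner_ext = posixpath.splitext(root)   # e.g. ".pdf" in "invoice.pdf.exe"
    if ext in BLOCK_EXTENSIONS:
        return "block"
    if inner_ext in DISGUISE_INNER:
        # "order.docx.js" style names: the visible part lies about the type.
        return "block"
    if ext in REVIEW_EXTENSIONS:
        return "review"
    return "allow"


def scan_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and classify every attachment by name."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings[name] = classify_attachment(name)
    return findings


def verdict(findings: dict) -> str:
    """Collapse per-attachment results into one gateway decision."""
    results = set(findings.values())
    if "block" in results:
        return "block"
    if "review" in results:
        return "review"
    return "deliver"


def build_sample_message() -> str:
    """Constructed inbound message resembling the invoice lure described above."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please find attached your invoice and our terms.")
    # Payload bytes are placeholders; only the names and types matter here.
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_4471.docm")
    msg.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                       subtype="octet-stream",
                       filename="Order_Acknowledgement.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="Terms.pdf")
    return msg.as_string()


if __name__ == "__main__":
    results = scan_message(build_sample_message())
    for filename, decision in results.items():
        print(f"{decision:6s} {filename}")
    print("gateway verdict:", verdict(results))
```

The point of the three-way split is the balance the paragraph describes: the "review" bucket is where a human or a sandbox earns its keep, while genuinely routine PDFs and spreadsheets are never delayed. In practice a real gateway would also check the declared MIME type against the file's magic bytes, since the file name alone is under the sender's control.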
The risks from cyber attacks are no longer just a technical problem. The recent attacks on TalkTalk, Sony, Target and others have resulted in serious financial damage being done to the company itself, and so the problem is now a boardroom issue that has to be managed at that level just like any other risk to the business.
2. Software is the key to solving this issue
Good software management is the number one process required to deal with most cyber attacks. It covers two of the five basic controls that CESG has listed as part of its Cyber Essentials scheme. It is effective both in reducing the likelihood of a successful attack and in mitigating the effects.
However, in isolation it cannot achieve everything. People are the biggest threat to secure information processing, and they must be educated sufficiently about how they can expose their organisations to danger.
Technical solutions for cyber attacks can be implemented but there is a fine balance between imposing controls to create a safe IT system and making it unusable as a work tool for the staff.
3. It’s not all just a question of keeping the bad guys out
It is now widely understood that there are only two types of organisation – those that know how to deal with a cyber attack and those that don’t even know that they have been breached.
Whilst this seemingly cynical view may be slightly overstating the problem, there is no doubt that most organisations that are serious about protecting their information understand that a successful attack, in the sense of an attack that gets someone unauthorised inside the organisation’s network, is inevitable.
For most organisations, the basic implementation of the five controls identified by CESG as Cyber Essentials basics would prevent the vast majority of straightforward attacks. These controls will not deal with very sophisticated or prolonged, targeted attacks, but most organisations (particularly smaller ones) are not facing those types of threat.
These five controls implemented effectively, then regularly monitored and updated, are the ones everyone should be doing, and Cyber Essentials should be a basic starting point for all security.
Businesses have to accept that simply trying to keep the bad guys out is no longer good enough – although still very important. They need to work towards a much more proactive defence whereby unauthorised activity within a network is quickly identified and appropriate actions taken to deal with it.
This proactive defence needs well-developed and implemented processes throughout all areas of the organisation – from the management of hardware through to software patching and user education.
In all cases, these processes need to be able to respond rapidly to change, to different unforeseen threats, to aggressive attackers, and to be able to make changes in the way systems deal with the attack.
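Quickly identifying unauthorised activity inside the network, as the proactive defence above calls for, starts with simple detections over the logs an organisation already has. Given the earlier figure that most confirmed breaches involved weak, default or stolen passwords, one cheap signal is a source that succeeds in logging in right after a burst of failures. The following is an added example, not code from the original article; the log format, the event lines, the threshold and the time window are all constructed and assumed for the illustration.

```python
"""Added example (not from the original article): flag a successful login
that follows a burst of failed logins from the same source address.
The log format and every event below are constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Assumed tuning; a real deployment would set these from its own baseline.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample: one source sprays several accounts, then gets in as
# "carol"; a second source shows an ordinary single typo followed by success.
SAMPLE_LOG = """\
2016-05-03T09:12:01 auth FAIL user=alice src=203.0.113.5
2016-05-03T09:12:04 auth FAIL user=bob src=203.0.113.5
2016-05-03T09:12:07 auth FAIL user=carol src=203.0.113.5
2016-05-03T09:12:30 auth FAIL user=dave src=192.0.2.10
2016-05-03T09:12:35 auth OK user=dave src=192.0.2.10
2016-05-03T09:12:40 auth FAIL user=dave src=203.0.113.5
2016-05-03T09:13:02 auth FAIL user=erin src=203.0.113.5
2016-05-03T09:13:09 auth FAIL user=frank src=203.0.113.5
2016-05-03T09:13:15 auth OK user=carol src=203.0.113.5
2016-05-03T09:40:00 auth OK user=alice src=203.0.113.5
"""


def parse_line(line: str):
    """Return a dict for a well-formed event, or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, threshold: int = FAIL_THRESHOLD, window: timedelta = WINDOW):
    """Return alerts for each OK login preceded by >= threshold FAILs from the same
    source inside the window. The failure history is cleared once an alert fires
    so one burst produces one alert rather than one per later success."""
    recent_fail = defaultdict(deque)      # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src = ev["ts"], ev["src"]
        fails = recent_fail[src]
        while fails and ts - fails[0] > window:   # drop failures outside the window
            fails.popleft()
        if ev["result"] == "FAIL":
            fails.append(ts)
        elif len(fails) >= threshold:
            alerts.append({
                "time": ts.isoformat(),
                "src": src,
                "user": ev["user"],
                "failures_before": len(fails),
                "reason": "successful login after burst of failures",
            })
            fails.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log, the detector raises a single alert for 203.0.113.5 logging in as carol after six failures, while the ordinary user who mistyped once is left alone. The value of a rule like this is less the rule itself than what the paragraph above asks for: a defined process that routes the alert to someone who can lock the account and check what that session did next.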