Nick Bianco, Senior Solutions Architect at IT services firm Sungard AS, suggests some cybersecurity myths you should stop telling yourself.
Cybersecurity preparedness is one of the major obstacles facing businesses today, and because it matters so much, it attracts myths. Attacks emerge and cripple system availability or swipe data quickly and unexpectedly. It happens so fast that the myths so many businesses hold onto as facts only become apparent in the aftermath of an attack. Many cybersecurity myths persist, and some are more damaging than others. Here are four common cybersecurity myths and their impact on risk.
Myth 1: Small organisations are low-value targets for hackers.
Thinking you’re not a target is one of the biggest mistakes a company can make. According to data collected from more than 2,200 confirmed data breaches, 58 percent of security event victims were small businesses. But why would malicious actors target small companies?
Compute resources are valuable – malicious actors seek out available computing resources as network nodes to expand their botnets, which they use to launch DDoS attacks, mine cryptocurrency (crypto-jacking), propagate ransomware and spam, or commit numerous other crimes. Malicious actors build their networks by leveraging free resources, and your systems might be among them.
No matter the size of an organisation, data is both valuable and a source of power. Every organisation stores some data that is critical to its own business even if it holds little value to others. Malicious actors exploit this by unleashing ransomware that cuts off data access, availability, or both, crippling the organisation. They then generate revenue through ransom payments.
Small businesses can also be indirect victims, used as a stepping stone into other targets. Malicious actors might target seemingly innocent, low-risk third-party vendors to get to those vendors’ customers. This was evidenced by the cyber-espionage group known as Dragonfly, which successfully “trojanised” legitimate industrial control system (ICS) software. To do so, the group first compromised the websites of the ICS software suppliers and replaced legitimate files in their repositories with malware-infected versions. Subsequently, when the ICS software was downloaded from the suppliers’ websites, it installed malware alongside the legitimate ICS software.
Myth 2: There’s no reason to invest in security when organisations with tight security controls still experience security breaches.
Some organisations rationalise a small cybersecurity budget by arguing that investing in security is a losing game. They hear about security breaches at large organisations, with presumably large cybersecurity budgets, and assume that if those organisations can fall victim, what chance does their own organisation have? But tools are just one pillar of a solid security strategy; people and process are equally important. An organisation allocating budget toward security might not be focusing it on the most effective areas. An organisation can have a big budget for tools, but if it lacks the right cybersecurity talent or its processes are faulty, it can still get hit.
Research has illustrated how long it can take before an intrusion is detected. The time taken by firms to detect breaches increased by 40% from 2016 to an average of 175 days in 2017, according to the latest M-Trends report by security firm FireEye. Organisations that invest in reactive security controls in combination with proactive security controls, such as Intrusion Prevention Systems (IPS), may identify suspicious behaviours earlier and limit the damage.
Organisations that shrug off tight security controls are focusing solely on the immediate effects of infiltration, not on the total cost of the security incident. Granted, security controls are not 100% effective at detection and prevention, but they can save significant time and money during each of the subsequent incident response stages: analysis, containment, eradication, recovery and post-incident activities.
Myth 3: Our organisation has not been breached before, so we’re still safe.
Organisations often incorrectly assume their security risks remain relatively static when they have no way to effectively evaluate those risks. Projecting risks based solely on historical events is dangerous. Defining the scope of what to secure requires identifying exactly how many applications, servers, network devices, storage devices and other assets the organisation has. When faced with either insufficient or overwhelming amounts of data, the scope may be simplified and assumptions drawn that lead to vulnerabilities.
Organisations might assume a particular server doesn’t contain sensitive data and is therefore less likely to be the target of an attack. But, as mentioned above, it might not be data that malicious actors are after; a server might be valuable as a foothold into another environment. Lastly, people often underestimate risk due to future aversion – the problem of assuming that because the future is unknown, it cannot be tested.
Myth 4: Security is an expense, not a revenue generator.
Organisations prioritise investment in services that generate revenue, especially when budgets are tight. This can leave cybersecurity, viewed as an expense, on the back burner, when it should be considered a revenue generator. Data breaches continue to rise globally, and cybersecurity increasingly influences buying decisions. Organisations that store personal, financial and other sensitive data need to ensure that it is secure. Businesses can therefore shape customers’ perception of security by proactively marketing the high level of security they adhere to, differentiating themselves from their competitors.
Data breaches are only one impact of an adverse security incident. Another is downtime. Consumers can’t purchase products or pay for services if a website, or the infrastructure that supports web transactions, is unavailable. When the global WannaCry ransomware attack crippled the NHS, hit international shipper FedEx and infected computers in 150 countries in 2016, NHS staff in the UK were forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones.
During the same attack, operations of FedEx’s TNT Express unit in Europe were disrupted, and the company’s subsequently published earnings revealed the cost of falling victim to be an estimated $300 million in lost earnings.
Whether it’s assuming that an organisation is not a target or that security spend is only ever an expense, buying into these common cybersecurity myths can set a business up for serious disruption, unhappy customers and a tarnished reputation, not to mention the cost of recovery.