Cyber professionals are an analytical bunch.
Given the amount of data we have at our fingertips from network audits, threat reports and news media, it can be tempting to think of cybersecurity as a wholly rational, scientific discipline. Information goes in and – budgets permitting – solutions come out.
If only it were that simple. CISOs are just as prone to bias as anyone else. Cyber news must gallop ahead to keep up with shifting threats and, like most media, mixes hard facts with a fair bit of hot air and sensationalism. If we are to see our threat landscape objectively and find workable, cost-effective solutions, we need to regularly re-evaluate the clichés and misconceptions around cyber.
Let’s explore some of the most dangerous cybersecurity myths, and uncover the reality behind them.
Myth 1: Our organisation is safe
The biggest myth of them all, and one that afflicts many employees and executives, particularly those without a technical background. They simply assume that their company won’t get hit. Among the reasons for complacency:
A lack of knowledge
They’ve not been attacked yet, and believe that means their organisation is cybersecure
The company has just spent big on high-end security tools, and they think the organisation is ready to repel any threat
They believe their company is too small to be of interest to cybercriminals
They partner with a respected third-party security provider, and think the job’s done
Because the business uses a less well-known operating system, they imagine that hackers won’t bother attacking
That complacency usually ends in one of two ways: either the organisation gets hit by a damaging cyberattack, or their CISO helps them see why believing these myths is exposing them to danger. The number of cyber incidents rises every year, and was up 13% in 2021.
Even the most sophisticated cybersecurity solutions still have gaps, notably for human error, and are only effective if they’re kept up-to-date. Small businesses may be targeted less often, but they will still be hit by indiscriminate attacks. Most security partners will have blind spots, and to get the best performance out of them, you’ll first need to understand your own priorities and vulnerabilities.
Using niche technology is no guarantee of safety either. Articles refuting the whole “Macs can’t get viruses” idea have been circulating for years. If your colleagues believe these myths, don’t despair: puncturing their bubble in an engaging way can help executives see the security risks and get on board with your cyber strategy.
Myth 2: You need to be perfect all the time, they only have to get lucky once
The reality behind the first myth may be an unwelcome truth, so how about some optimism? This cliché says that a cyberattack only needs one knockout punch to wreck your organisation, so your defence must always be rock-solid. The reality is a bit more complicated. Every attack has more than one step: typically, a human or technological weakness must be exploited and access acquired to a low-hanging asset before valuable data or processes can be compromised.
Each of these points is an opportunity to detect, block or respond. Automated monitoring, well-trained staff and effective access policies all make it harder for criminals to move undetected over the course of an attack that may take days or even weeks. This also means that if even one of the steps in the lead-up to the attack is disrupted, the attack is effectively blocked. So do you need an impenetrable defence? Not necessarily. Do you need a system of checks and balances that can flag unusual behaviour in your systems? Absolutely.
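To make the "several steps, several chances to detect" point concrete, here is an added example (not code from the original article) that runs three simple detections over a constructed authentication log. The log format, the host and user names, the baseline of "normal" hosts per user and the thresholds are all assumptions made for illustration; each detector corresponds to one step of the chain described above, so any one of them firing gives a defender a chance to respond before the final step.

```python
"""Flagging unusual behaviour at each step of a multi-step intrusion.

Constructed example: the log format "<timestamp> <user> <source_host> <result>",
the users, hosts and thresholds are all invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a working-hours baseline, then a late-night
# burst of failures, a success, and access to hosts the user never uses.
SAMPLE_LOG = """\
2023-03-01T09:02:11 alice ws-alice success
2023-03-01T09:15:40 bob ws-bob success
2023-03-01T22:41:02 alice ws-alice failure
2023-03-01T22:41:09 alice ws-alice failure
2023-03-01T22:41:15 alice ws-alice failure
2023-03-01T22:41:21 alice ws-alice failure
2023-03-01T22:41:30 alice ws-alice failure
2023-03-01T22:42:05 alice ws-alice success
2023-03-01T22:50:12 alice fileserver-01 success
2023-03-01T22:51:48 alice hr-db-02 success
"""

# Assumed baseline: hosts each user normally logs on to.
BASELINE = {"alice": {"ws-alice"}, "bob": {"ws-bob"}}


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "result": result})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Step 1 (initial access): many failures for one user inside `window`,
    then a success. Alerts carry (rule, user, time of the success)."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        user = e["user"]
        if e["result"] == "failure":
            failures[user].append(e["ts"])
            # keep only failures still inside the sliding window
            failures[user] = [t for t in failures[user] if e["ts"] - t <= window]
        elif e["result"] == "success":
            if len(failures[user]) >= threshold:
                alerts.append(("brute_force_then_success", user, e["ts"]))
            failures[user].clear()
    return alerts


def detect_new_host(events, baseline):
    """Step 2 (movement towards valuable assets): a successful logon to a
    host that is not in the user's baseline."""
    return [("unusual_host", e["user"], e["host"]) for e in events
            if e["result"] == "success"
            and e["host"] not in baseline.get(e["user"], set())]


def detect_off_hours(events, start_hour=7, end_hour=19):
    """Contextual signal: successful logons outside assumed working hours."""
    return [("off_hours_login", e["user"], e["ts"]) for e in events
            if e["result"] == "success"
            and not (start_hour <= e["ts"].hour < end_hour)]


def run_detections(text, baseline):
    """Run every detector and return the combined list of alerts."""
    events = parse_log(text)
    return (detect_brute_force(events)
            + detect_new_host(events, baseline)
            + detect_off_hours(events))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG, BASELINE):
        print(alert)
```

On the sample log the brute-force rule fires once, the unusual-host rule twice and the off-hours rule three times: six independent chances to notice the same intrusion, none of which requires the perimeter to have been impenetrable.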
Myth 3: Ransomware is the biggest threat
Ransomware is a real danger, and 64% of Australian businesses suffered disruption from it in 2021. But the Australian Cyber Security Centre (ACSC) received fewer than 500 reports of ransomware over the last year, a figure dwarfed by threats such as eCommerce scams and business email compromise attacks. What is true is that when ransomware hits, it can cause serious damage, especially when it targets government, healthcare or other critical services.
Sadly, another myth about ransomware – that backups will safeguard your organisation – has been punctured in recent years. In reality, backups may ensure you don’t lose access to your data, but they won’t stop criminals exfiltrating your data and threatening to release it. Ransomware and extortionware are just one type of threat, and businesses need to put them in context and decide where their priorities lie.
Myth 4: More technology is the only answer
Technology is a vital tool for cyberattackers, and a crucial defence against their assaults. But it’s not the be-all and end-all. Many attacks begin not with advanced breaching techniques, but with a simple attack on people. Indeed, 30% of data breaches are the direct result of human error.
Some experts will tell you that this is a good reason not to trust people at all, and that the use of data protection, secure applications and automated monitoring can take risk out of the employee equation. But attackers will target workers, and many of the most serious attacks have begun with a social engineering email. Staff training will never negate that risk, but it can definitely limit it.
Trying to buy your way out of danger by adding security products is not an answer either. Analysts’ effectiveness is compromised when they have to keep hopping between dashboards because an organisation has numerous products that aren’t fully integrated. A McKinsey report notes that there is “no direct correlation between spending on cybersecurity (as a proportion of total IT spending) and success of a company’s cybersecurity program”. Rather, what makes companies cybersecure is having a firm understanding of threats, and using technology and training in the right way to manage them.
Busting cybersecurity’s biggest myths
Sifting fact from fiction is crucial if you want to counter cyber threats. The biggest myths in cyber all contain a kernel of truth but are ultimately misleading. Rely too much on technology and you will waste budget and leave blind spots. Focus too much on ransomware and you may neglect other pressing threats. Throw up your hands at the idea that an attacker only needs one lucky break and you’ll miss making the incremental gains that can limit their chances.
Cybersecurity is about understanding threats and risks as they relate to your organisation. That means upping your cybersecurity awareness, evaluating your strengths and weaknesses and being nimble enough to respond to changing circumstances. And it means treating myths with the skepticism they deserve.