As we celebrate the 2021 National Cybersecurity Awareness Month, SWICKtech wants to help businesses learn to be safer and more secure online. Employees empowered with the resources and knowledge to protect organizations from cyber threats are one of the best lines of defense. Part of that training should involve breaking down often-quoted cybersecurity misconceptions. Employers and employees who believe any of the myths below could be opening their businesses to unknown risk.
1. Cybercriminals don’t target small or medium-sized businesses
Many small and medium-sized business (SMB) leaders often believe that they are immune to cyber-attacks and data breaches because they are too small, or don’t have significant data. The truth is, while SMBs may not be explicitly targeted, they are often the victims of spray-and-pray operations that assault multiple organizations at an unprecedented rate. Since many small businesses often lack advanced security software, or skilled security teams, they become easier targets for cybercriminals.
2. Security is the sole responsibility of the IT department
Undeniably, IT plays a significant role in managing the cybersecurity of an organization. However, it’s not solely responsible for security. Security breaches can have potential long-lasting effects on an entire business. Thus, it is up to leadership to address this in a real and meaningful way, while it is the responsibility of every employee to participate in cybersecurity preparedness. This may include incorporating Multifactor Authentication into daily practices, locking computers while away from the desk, participating in phishing campaign simulation, and more.
3. Cyberthreats only come from external actors/ Hackers are mysterious, scary figures
Outside threats are undoubtedly the most significant concern of an organization, and should be monitored thoroughly. However, insider threats are equally as dangerous. Employee negligence, ignorance, and malicious behavior often make insider threats a higher-security risk than outsider threats. Prospective employees should pass a background check before starting at an organization, and employee activity should be monitored closely.
4. A password is enough to keep a Wi-Fi network secure
In remote working or shared workspace environments, employees often think that a password keeps their Wi-Fi network safe and secure. But all public and private Wi-Fi networks can be compromised, even with a password. While passwords limit users access to a Wi-Fi network, the users in the network can potentially gain access to sensitive data being transmitted. At a minimum, employees should employ Virtual Private Networks (VPNs) to secure their connections. Organizations should also require the appropriate SSL certificates to be installed on all company devices.
5. We’ve never experienced a cyberattack, so our security posture must be strong enough
Cyberthreats are continually growing in sophistication and complexity, and organizations must strive to stay ahead of this ever changing landscape. The aim isn’t to achieve “perfect” security (which in and of itself is unattainable), but rather to have a strategic security posture that addresses the primary failure points, and then helps you react quickly to and mitigate a security incident before it causes significant damage.
6. Phishing scams are easy to spot
Phishing scams are becoming more sophisticated as hackers infiltrate companies, CEO’s personal accounts, and even government agencies. Even worse, phishing scams have skyrocketed during the COVID-19 pandemic as very realistic looking extortion scams are making the rounds. It’s not always as simple as an unfamiliar account reaching out to you with a bizarre message trying to get you to click on a link. Sometimes, they use familiar faces against you by posing as friends, family, or coworkers. Other times they are threatening legal action for using copyrighted images on a website, posing as password resets to social media accounts, or sending you tracking links to packages you may have ordered.
7. My data (or the data I have access to) isn’t valuable
Many people think their data isn’t worth anything because they’re just regular people. Similarly, many people think that since they have nothing to hide, there’s no point in protecting their identity or information. While this is a myth on a personal level, it is also a myth on a professional level. Organizations of all sizes maintain or have access to valuable data worth protecting. Such data may include but is not limited to employment records, tax information, confidential correspondence, point of sale systems, and business contracts. All data is valuable.
8. Cybersecurity requires a large financial investment
Unfortunately, it’s not a myth that robust cybersecurity strategy does require a financial commitment if you are serious about protecting your organization. However, there are many steps you can take towards tighter cybersecurity practices that require little or no financial investment. Several examples include creating and enforcing cybersecurity policies and procedures, restricting administrative and access privileges, enabling multi-factor or 2-factor authentication, training employees to spot malicious emails, and creating backup manual procedures to keep critical business processes in operation during a potential cyber incident.
9. Cyber breaches are covered by general liability insurance
Many standard business liability insurance policies do not cover cyber incidents or data breaches. In addition, as of May 2021 it has been made clear that companies seeking cyber insurance must add MFA to logins in order to receive coverage due to increasing ransomware outbreaks.
10. Only certain industries are vulnerable to cyber attacks
Much like some businesses believe they won’t be attacked because of their size, other businesses wrongly assume that they won’t be attacked because of the industry they’re in. This myth also goes hand-in-hand with the belief that some companies don’t have anything “worth” stealing. The reality is that any sensitive data, from credit card numbers to addresses and personal information, can make a business a target. What is more, even if the data being targeted doesn’t have resale value on the dark web, it may be imperative for the business to function. Ransomware, for example, can render data unusable unless you pay for a decryption key. This can make attacks very profitable for cyber criminals, even if the data is deemed “low value.”
Cybersecurity myths are a real threat in the present digital realm as they tend to allow organizations to deny real threats by letting their guard down. Knowing that cybersecurity myths are merely illusions is the first step towards developing the appropriate cybersecurity maturity level needed to protect an organization.
At SWICKtech, we highly recommend becoming cybersafe by starting with a strong cybersecurity foundation upon which all-important IT and business-related decisions are made. SWICKtech recommends the NIST framework to all of our clients.
Keeping a business cybersafe is a continuous effort, and one that requires every employee’s participation. If your company has fallen victim to any of the myths above, contact SWICKtech today, as it may be time to rethink your cybersecurity training and assess your risk.