Cybersecurity isn’t something to be taken for granted (here are just a few reasons why it’s so important) but it’s often overlooked, seen as someone else’s responsibility or an expensive inconvenience that organizations can manage without. But for businesses (and individuals, too), the importance of cybersecurity only continues to increase with each new threat that emerges or each new technology we adopt.
While there’s a wealth of information about cybersecurity out there, not all of it is going to be reliable; often, it can be rife with misleading ‘facts’ or based on outdated misconceptions. These aren’t just inconvenient; they can be highly dangerous, as a lack of up-to-date (and accurate) cybersecurity awareness can leave us exposed to a range of threats posed by increasingly sophisticated hackers and cyber criminals.
To help you avoid misinformation when it comes to the protection of your devices and your data, we’ve uncloaked 7 of the most commonly held myths about cybersecurity.
1. Cybersecurity isn’t my responsibility
In many organizations, employees assume it’s the IT department’s job to maintain the security of networks and servers. But in truth, the responsibility for cybersecurity lies with all of us, not just the IT professionals. In any business, it’s the employees that are often the first line of defense (and its biggest attack surface), with cyber criminals deploying social engineering attacks like phishing in an attempt to exploit a lack of security awareness.
To make sure everyone is aware of their responsibilities around cybersecurity, education and training are essential (this should be done at least once annually so knowledge stays fresh and up to date), as is ensuring robust policies and procedures are in place for maintaining the security of systems and data. Otherwise, one careless employee could lead to a compromised user account, which could in turn put the entire organization at risk.
2. My password is strong enough
Password strength is a hot topic, but there are many misconceptions about what constitutes a strong password, both for organizations managing access to systems and files and for individuals protecting their own devices and information. For one thing, it’s often length (more so than complexity) that is the true measure of password strength.
Adding capital letters and special characters might make your password more difficult to crack using brute-force techniques, but using a passphrase of 15 or more letters will offer significantly more protection against unauthorized access. For businesses, enforcing the use of strong passphrases is good practice, while using a password manager like Bitwarden (while not without risks) will help to secure your passwords and your sensitive information.
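To put the length-versus-complexity claim in concrete terms, here is an added worked example (not part of the original article) that estimates password strength as bits of entropy: a randomly chosen password of length L over an alphabet of N characters has L × log2(N) bits. The character-class sizes and the sample passwords are constructed for the illustration, and the guess rate used for the brute-force estimate is an assumed figure, not a measurement.

```python
import math

# Approximate size of each printable-ASCII character class (assumed values).
CHAR_CLASSES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": 33,  # punctuation and other printable symbols
}


def classes_in(password: str) -> set:
    """Return the set of character classes actually used by a password."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def keyspace_bits(length: int, classes: set) -> float:
    """Entropy (bits) of a password of `length` drawn uniformly from the given classes."""
    alphabet = sum(CHAR_CLASSES[c] for c in classes)
    return length * math.log2(alphabet)


def estimate_bits(password: str) -> float:
    """Upper-bound entropy estimate assuming every character was chosen at random."""
    return keyspace_bits(len(password), classes_in(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase built from `word_count` random words out of `dictionary_size`.

    This is the honest figure for word-based passphrases: the attacker guesses
    words, not letters, so each word contributes only log2(dictionary_size) bits.
    """
    return word_count * math.log2(dictionary_size)


def brute_force_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to exhaust the keyspace at an assumed offline guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed samples: an 8-character "complex" password vs a 15-letter lowercase passphrase.
    for sample in ("P@ssw0rd", "sunflowertables"):
        bits = estimate_bits(sample)
        print(f"{sample!r}: {bits:.1f} bits, ~{brute_force_years(bits):.2e} years to exhaust")
    # Four random words from a 7776-word list (the common diceware size).
    print(f"4 diceware words: {passphrase_bits(4, 7776):.1f} bits")
```

Two things the numbers show that the paragraph alone does not: the 15-letter lowercase passphrase (about 70 bits) beats the 8-character four-class password (about 53 bits) even though it uses only one character class; and a passphrase assembled from a word list should be scored per word, so a four-word diceware phrase lands closer to 52 bits and needs more words to reach the same margin. Treat the guess rate as a knob to revisit as hardware improves.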
3. We’re on the cloud, so we’re fully protected
Cloud computing comes with a raft of benefits for modern businesses (reduced operating costs and increased flexibility are just a couple of examples), and there are also advantages when it comes to cloud security. Most well-known cloud providers (Microsoft Azure, for example) come replete with built-in security features, while cloud-based hosting solutions like Cloudways typically include firewalls, login controls, SSL certificates and end-to-end encryption (among other features) as part of their standard service.
But while moving your infrastructure to the cloud will offer increased peace of mind when it comes to the security of your data, it won’t offer a cast-iron guarantee of impenetrable protection (because nothing can). Even with the defense-in-depth approach to security employed by most cloud solutions, a move to the cloud theoretically increases the attack surface, meaning vigilance is still very much required. Furthermore, the cloud can’t protect against a lack of individual security awareness or an insufficient password policy.
4. Scams are easy to spot
Most of us (often wrongly) assume we could spot a scam attempt a mile off. Phishing emails, for example, are generally assumed to include poor grammar, misspelled domains and suspicious-looking links (and it wouldn’t take a cybersecurity expert to spot those glaring red flags), but as attackers employ more sophisticated phishing tactics, it can be increasingly difficult to discern phishing attempts from legitimate requests.
For example, when targeting employees within organizations via social engineering techniques, cyber criminals are now reportedly aiming for the “mid-afternoon slump” (the hours between 2pm and 6pm) to take advantage of waning energy and, consequently, diminished levels of alertness. And while most social engineering attacks are still delivered by email, attackers are increasingly targeting other services (such as video conferencing tools and work-based messaging platforms) to hoodwink users.
5. Small businesses are not at risk
When we hear of cyber attacks in the news, it’s always those major corporations that take the hit (infamous cases include a 15-year-old shutting down NASA’s computer systems in 1999 and the compromise of 500 million Yahoo accounts in 2014). So, doesn’t that mean small businesses are safer than their globally known counterparts, since hackers are only interested in going after the major-league players?
Well, no. While attacks against large enterprises are newsworthy (after all, they’re often household names and attacks typically result in eye-watering losses), it’s suggested that small businesses are in fact three times more likely to be targeted by a cyber criminal. What’s more, a major corporation can usually recover from a significant attack, while a breach could be irreparable for a smaller business.
6. Our data isn’t worth stealing
Organizations that don’t overly concern themselves with cybersecurity might assume they’re not holding any data that would be valuable to an attacker. However, the truth is that all data is valuable to someone, and it can often be monetized for financial gain or exploited for criminal purposes. Data mined from company databases can often be sold on for large amounts, particularly if that data pertains to personally identifiable information.
What’s more, not all cyber attacks are carried out with the aim of stealing data. A denial-of-service (DoS) attack, for example, is designed to overwhelm servers to the point where a resource (such as a website) becomes unavailable. If your business sells products or services online, your website going down during peak trading hours might result in a significant loss of revenue (even if your data remains untouched).
7. We’ve fixed all the bugs, so we’re totally secure now
You’ll often hear this from organizations after conducting a penetration test of their systems (or even after recovering from a cyber attack): a full system review has taken place, with vulnerabilities addressed, bugs fixed and mitigations against future attacks put in place, so doesn’t that mean we can relax, safe in the knowledge that we’re well protected against potential future threats?
You’d like to think so, but cyber criminals are constantly evolving their approaches, with new, more sophisticated attacks emerging at alarming rates. Add to that the continual adoption of newer technologies (which introduce new potential issues) and it’s impossible to cover every angle: cybersecurity can never be crossed off the to-do list. Luckily, a cloud-based network solution like Cloudflare is constantly monitoring for new threats and adapting its cybersecurity capabilities, so (theoretically, at least) your protection is always up to date.
When it comes to cybersecurity, it’s often easy to get lost in a sea of misinformation and misconceptions. To ensure you’re armed with the most up-to-date and accurate information, it’s important to keep an eye on current trends and ensure you’re practicing good security hygiene, whether you’re an individual hoping to keep your personal data safe or a business leader trying to ensure your workforce is security-aware.