One of the hurdles facing businesses who are attempting to secure themselves, and minimise cyber security risks, is a number of basic security myths that cause them to set inappropriate goals and allocate their resources ineffectively.
Understanding what the real facts are, and laying waste to those myths is the first step to developing a solid, effective approach to cyber security, says Jayson O’Reilly, director of sales and innovation at DRS.
One common belief which is just not true, says O’Reilly, is that all threat actors are technologically adept and advanced individuals. “These days you don’t need to be a technological genius to commit cybercrime. Malicious toolkits and software are freely available on the Web, costing as little as a hundred dollars. Some of these Websites even offer customer support and service to would-be cyber crooks. No real hacking knowledge is needed, simply plug and play.”
He says in addition, too often, cyber security is viewed as being a means of making sure information cannot be used or accessed for purposes it is not intended for, or by users who are not authorised to do so. “While this is a valid worry, it is far from the only one. The network, infrastructure and systems upon which the information is housed, must be protected too. Not all attacks aim at stealing data, some attacks, such as distributed denial of service (DDoS) attacks, are aimed at preventing outsiders, be they clients or third-party partners, from accessing that information.”
According to O’Reilly, another myth is that cyber security is only necessary when protecting data that is personally identifiable. “Of course privacy matters and is top of mind, however, there are many types of data assets that also need to be secured. This will include proprietary business data, source code, intellectual property and information that is competitive, such as supplier lists, pricing, marketing information, company financials and suchlike.”
However, it is also not just about protecting privacy and company data, he says. “Businesses also need to ensure that data integrity is maintained. What this means is that a business needs to be sure that its data is accurate and hasn’t been tampered with. There have been many cases where disgruntled employees have corrupted business databases in an attempt to harm the organisation. All they would need to do to cause serious damage or disruption would be to change customer addresses, contact numbers or invoices. The fallout could be catastrophic.”
Lastly, he says, never underestimate the power of social engineering. “Many of the notorious breaches that have littered the headlines in the past few years have been a direct result of this tactic. All a cybercriminal needs is confidence and an understanding of what makes people tick. Don’t fall into the ‘this can’t happen to me’ trap. Trust me, professionals are very skilful and clever, and will send e-mails that would defy all but the very closest scrutiny.”
At the end of the day, no security is perfect, or 100% effective. “Businesses must do the best they can, with the resources they have available. Identify the most important data and secure that first. Enforce principles of least privilege and educate your staff to discourage them from clicking on links in e-mails willy-nilly.”