Cybersecurity was huge in 2016. From ransomware to weaponized Internet of Things (IoT) devices to foreign hacking of elections – last year saw it all. But many of these threats aren’t new and will never really go away. Over the last 25 years, one of the most valuable things I’ve learned in attending conferences and talking to cybersecurity experts around the world is that one of the greatest weapons we have to prevent cyber attacks is our own mindset.
This column has previously touched on the importance of online hygiene and why you should think of your online activities like eating. This post will cover some misconceptions about cybersecurity itself. There are many cybersecurity myths, but an accurate understanding of these 10 is critical to your cyber posture as an individual, as a business, or as a government.
1. “Cyber risk” is a separate category of risk. There’s no such thing as “cyber risk” – it’s risk. It’s the same risk that encompasses everything from protecting intellectual property to competitiveness and safety of personnel, and needs the same level of attention from the board of directors and the executive team. The concept of cybersecurity risk isn’t useful by itself, and treating it as a separate form is a distraction you can’t afford.
2. Cybersecurity is just an IT issue. Earmarking online threats as something for the IT department is one of the best ways to help those threats proliferate. It’s important to remember that cybersecurity cuts across departments and is the same regardless of the IT implementation or vertical. Once information is digitized, everything from accuracy, privacy and availability to integrity needs to be protected. Cybersecurity requirements are paramount across an organization, from the data center to the branch office and mobile device.
3. Protecting yourself is good enough. Organizations must be aware of others in their community and how they’re acting when it comes to cybersecurity questions. Some of the biggest headline-grabbing breaches of recent years involved third parties or organizations subordinate to the entity that was hacked. Everything in your ecosystem, from subcontractors to subsidiaries, vendors and accounting firms, can be a threat vector. Security is only as strong as the weakest link, and sometimes that weak link is beyond your four walls.
4. Digital and physical security are separate systems. In today’s automated world, more and more devices, such as the elevator in your building and components in the public transit system, are getting connected and being controlled digitally. It’s now common for attackers to modify device software and potentially destroy physical infrastructure – at a minimum, creating tremendous inconvenience with potential catastrophic consequences.
5. Going back to paper (or disconnecting from the Internet) minimizes risk. The unplugging approach can lead to many problems apart from the potential damage to efficiency and productivity. Disconnecting, implementing “air gaps” or going back to paper can actually increase vulnerabilities. One can’t know if paper copies of data have been illicitly copied or removed. Meanwhile, air-gapped and disconnected networks are harder to monitor because of less logging of data that takes place; also, due to the inconvenience, they’re not updated with security patches as often. Ironically, increasing your attack surface this way makes it easier for criminals to find the valuable information and strike unnoticed.
6. Getting hacked is an embarrassment. Many people hesitate to share their stories about getting hacked. This can be perceived as losing face, especially in Asian countries. However, it’s important to understand that everyone is vulnerable and it’s better to learn from one another by communicating. Unfortunately, there are only two types of organizations today: those that have been hacked and those that have been hacked but just don’t know it yet. Hiding a breach and letting it fester will only worsen the long-term damage.
7. Using antivirus software is enough. AV might have worked in 1997, but 20 years later it sure won’t. Hackers have found multiple ways to subvert antivirus software and hide their own attacks in a system, in many cases for an average of six months. With the advent of ransomware, the timeframe from infection to damage has become almost instantaneous. In today’s world of quick and persistent threats, a prevention mindset to mitigate both known and unknown threats is essential. AV is terribly outdated.
8. Cybersecurity is just a form of defense. Again, this is a shortsighted view of an essential resource and way of thinking. Security needs to be positioned as a strategic advantage since it can boost efficiency and save money. Not only is security by design and by default important for protection, creating an integrated implementation will enhance usability products and services and generate a competitive advantage. At a minimum, it will allow us to take back the many benefits ICT provides, and in a safe and secure manner. Stop thinking of cybersecurity as merely a cost center and understand its value as a business enabler.
9. New features of IoT devices trump security. Security by design is becoming increasingly common in IoT devices. It basically means implementing features so devices can work and survive in a “zero trust” environment. Security should be integrated, automatic and transparent. Usability is key. You can’t expect people, especially elderly users, to jump through technical hoops to ensure security at the expense or productivity or efficiency.
10. You’ll never get attacked or breached. This kind of thinking – that it will never happen to me – is almost a guarantee that it will. It’s equally unwise to have total confidence in the strength of one’s security and especially one’s security devices. There’s no such thing as perfect security – the key here is resilience. That’s the ability to take a hit and keep going, or in certain cases failure, to default to a protected state. You should architect security with a prevention-first mindset, and also view attacks as an opportunity to learn about vulnerabilities and grow stronger based on that knowledge.
This article was originally posted at InHomelandSecurity.com.