Vulnerabilities / Threats

5/18/2020 10:00 AM
Zack Schuler
Commentary

The 3 Top Cybersecurity Myths & What You Should Know

With millions of employees now attempting to work from home, it's vital to challenge misconceptions about cybersecurity.

Imagine you're working at the front desk of a tech company when a woman walks through the front door and tells you she was just in a car accident. You ask if there's anything you can do to help, but she says it wasn't serious and asks if you could direct her to a restroom.

You later discover that the woman inserted a flash drive into an unattended computer and infected your company's entire system with a destructive form of malware. Or at least that's what she could have done if the malware was real — this strange scenario was actually an elaborate demonstration (arranged by a cybersecurity professional I know) designed to show employees that not all cyberattacks are carried out remotely.

The idea that cybercriminals never interact with their targets in person is one of many cybersecurity myths that need to be debunked. With millions of employees now attempting to work from home for the first time due to the COVID-19 pandemic — which leaves them more exposed to attack than ever — it's vital to challenge stubborn misconceptions about cybersecurity.

Myth No. 1: The security team is going to protect me.

Many employees argue that they aren't particularly technical, so they simply delegate the job of keeping themselves and the company safe to someone else. But at a time when every employee uses multiple connected devices and hackers are increasingly targeting people across entire companies, there's no excuse for leaving cybersecurity up to someone else.

Andy Boldin is the solutions delivery chief at SAIC, and he told me the complacent idea that "the security team is going to protect me" is one of the most consequential cybersecurity myths there is: "People think the security team will take care of everything," he says, "while they can do whatever they want." This isn't just wrong — it's the opposite of the truth. Social engineering — the deception and manipulation of human beings to infiltrate a company — is the most common and costly type of cyberattack. And anyone can be a target, from a CEO to a receptionist.

According to a 2018 survey conducted by the Ponemon Institute, companies cite their "inability to hire and retain expert staff" as one of the biggest cybersecurity problems they face. Meanwhile, they rank "human factors" as one of their most serious vulnerabilities. Both of these issues point to a single solution: empowering employees to be cybersecurity defenders at every level of the company.

Myth No. 2: IT professionals don't fall for cyberattacks.

Many companies think a well-trained IT team is all the protection they need against cyberattacks, but this is another harmful myth. As Boldin explains: "Even professionals fall for social engineering attacks. People will always look for the easy way of doing things — including IT pros. Everyone multitasks and security doesn't always get our full attention."

This is why Boldin recommends "continual training" across the entire company — and not just annual compliance training, which he describes as the "new normal." He argues that frequent and consistent "hands-on awareness training" is the most effective way for companies to keep themselves safe. This is particularly important for the small and medium-sized businesses (SMBs) that make up the core of the U.S. economy. Many SMBs can't afford dedicated IT security teams, which makes companywide cybersecurity training all the more important for them. According to Verizon's 2019 "Data Breach Investigations Report," 43% of breaches "involved small business victims."

Even if IT professionals were capable of spotting and thwarting every cyberattack — which certainly isn't the case — many companies would still be left with no defenses, as most companies don't have the resources to build their own IT teams. This is just one more reason why effective cybersecurity platforms have to include everyone.

Myth No. 3: Cyberattacks are confined to the digital world.

Granted, the scenario at the beginning of this article is fairly implausible. But once we finally return to the office, it's essential to remember that physical security is, in fact, a crucial element of any robust cybersecurity platform. Many major breaches have been caused by a strategically placed flash drive, a stolen laptop, or some other form of physical infiltration.

As Boldin observes, "Security is not just cybersecurity. Remember that physical access can play a vital role." In the summer of 2017, a Russian worm called NotPetya swept around the world, damaging critical infrastructure, cutting off international shipping operations, and causing $10 billion in damage. For the global shipping giant Maersk, one infected computer ended up spreading the worm across the entire company.

This is a stark reminder that a single physical entry point can crash a massive network and cripple the largest shipping company in the world. There are other examples, too — the Stuxnet worm that ravaged Iran's Natanz nuclear facility was delivered via a flash drive that was plugged straight into one of the facility's computers. Infected flash drives have even been handed out at tech conferences. Physical security is cybersecurity.

Strong cybersecurity platforms can't be built on myths and clichés. There are many ways in which today's cyberthreats defy our assumptions, but the most destructive myth is the notion that cybersecurity is someone else's responsibility. Every employee has to be armed against cyberattacks, and while this may sound a little daunting at first, employees who are capable of keeping themselves and their companies safe will discover that it's also empowering.

Zack Schuler is the CEO/founder of NINJIO, an IT security awareness company that empowers individuals and organizations to become defenders against cyber threats. He is driven by the idea of a "security awareness mindset," in which online safety becomes part of who someone is ...
