By Sonia McPherson on Oct 2, 2018 2:05:11 PM
Are you frustrated that your company isn't taking the issue of cyber security seriously?
Chances are high that those resistant to purchasing still believe the common myths that have led to many companies falling victim to cybercrime.
In this article, we will address the most common myths and do our best to dispel them. If you can prove to your boss that these misconceptions are just as dangerous as any cybercriminal, then perhaps they will be more receptive to your cybersecurity purchases and favour using automated tools for pen testing.
This is probably the most common cyber myth that you’ll come across and frustratingly it seems as though the message that everyone is a target just isn’t getting through to people.
If you don't think you're important enough to be a target for cybercrime, you're very much mistaken. Just having a presence online means that you're a potential target.
You need to explain to those in charge that it doesn’t matter how small your business is: if you have something to sell or you store customer data, then you have something to steal.
Intellectual property and even business connections all have value for cybercriminals. Share this stat with the management team if they don’t believe you – ‘43% of all cybercrime occurs against small businesses and around half of all global cyber-attacks are reportedly against organisations with fewer than 250 employees.’
With the increase in the use of automated hacking tools, no business is safe. A machine doesn’t discriminate but instead will seek out any vulnerable network regardless of size. Hacking by hand is increasingly less common due to the rise of Exploit Kits and cybercrime as a service.
Most of the users of these services aren’t geniuses or making millions from hacking big corporations. In reality, they use Exploit Kits and rented attack services at random in the hopes of getting lucky by making some cash from as many victims as possible. They can scan huge numbers of connected devices and servers as they seek a vulnerability that they can exploit.
With smaller organisations often being part of a supply chain, they are a prime target for hackers seeking an easier way to attack a much bigger target. Smaller businesses tend to have less ability to implement effective cybersecurity either due to a lack of knowledge, lack of skills, resource and/or a small budget.
The ‘You're powerless to do anything’ myth
Once you’ve explained the need for cybersecurity by demystifying one myth, there’s a chance you’ll then run into another: ‘There’s nothing we can do’.
This attitude of feeling powerless is understandable due to the cybersecurity sector at times being its own worst enemy. A combination of poor communication and scaremongering by the industry and the mainstream media has done significant harm to people’s perception of cybersecurity.
Often, they will feel helpless in the face of the cyber threat, believing that it is beyond the comprehension of anyone who is not a technical expert. This attitude is perfectly understandable, especially as hackers and the cybercrime industry are often perceived as evil masterminds that can only be stopped by security geniuses.
To dispel this myth, you need to get across that, in reality, cybercriminals are just like any other criminals in that they seek out the easiest targets and tend to avoid the hard-to-crack places. By implementing cybersecurity basics such as applying software updates and using good password hygiene, they’ll be in way better shape and less likely to appear on a cyber attacker's radar.
Check out some great password advice at https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach
Once you have busted the myth that you are powerless, you can then convince them to at least take a look at our solutions.
The next hurdle you may then encounter is the common myth: ‘As long as we protect ourselves we will be fine’. Ensuring that your organisation is protected against cyber threats is all well and good, but what about the other businesses in your supply chain or the third-party assets you use?
Even if you have all the cybersecurity tools in place and claim to have the best cybersecurity in the world, you should know that if you're part of someone's supply chain or use third-party assets you are still vulnerable.
You should be aware of all the other organisations in your community and how they are acting when it comes to cybersecurity.
Some of the biggest headline-grabbing breaches of recent years have involved third parties or organisations subordinate to an entity that suffered a breach.
Use real-world examples
Probably the most infamous instance of an organisation being attacked via a third party is the Target breach. Hackers breached the company by stealing credentials from a third-party heating company that had access to Target’s networks to monitor their systems.
The heating company fell victim to a phishing attack a few months before the main attack on Target. The hacker used malware which should have been detected but wasn’t (because they didn’t have a properly configured Anti-Virus). The attacker then used a different type of bespoke malware on Target’s point of sale systems that stole customer credit card details and sent them to a compromised Target server. The data was then sent overseas. Overall, 1-3 million credit card details were stolen, costing the business hundreds of millions of dollars in damages and reparations as well as the negative impact on its reputation.
Emphasise that everything in your ecosystem, including customers, subcontractors, subsidiaries, vendors, accounting firms and even the third-party apps used by your web dev team for your company website, can be a threat vector. Security is only as strong as the weakest link, and often that weak link is outside of your immediate control.
The main message you need to get across is that just like other criminals, cybercriminals are opportunists on the lookout for weaknesses and easy prey. All businesses are a target no matter their size or budget. In this increasingly connected world, the need for cybersecurity has never been greater.