Can we trust what we “know” about cybersecurity?
Organisations are becoming more aware of the threats that cyberattacks pose. According to the 2017 State of Endpoint Security Risk Report by Ponemon Institute, 7 out of 10 organisations feel that the risks have increased during the previous year. Increased awareness is positive, but organisations now seem to believe too much of what they hear. When misconceptions (or rather myths) about cybersecurity circulate freely, how do we know what to trust?
Myth #1: All attacks are noticeable
The notion that a user will automatically notice an attack is no longer accurate. Cyberattacks are becoming more sophisticated, and we can no longer expect a clear signal to appear on the screen.
The belief that we will always notice an attack rests on another misconception: that we know what we are looking for. If we haven’t previously been exposed to a certain threat, we may not recognise it as one.
Myth #2: Software is the solution
Installing anti-virus or anti-malware software is a step in the right direction to keep threats out. The problem with anti-virus software is that it only protects against previously known virus signatures. With the increasing sophistication of attacks and the development of new techniques, this is no longer considered sufficient protection. Fileless attack techniques are just one example. These attacks don’t rely on malicious executables, which are what the software analyses to detect a virus.
Thankfully, belief in this myth already seems to be declining. The 2017 State of Endpoint Security Risk Report also showed that almost 70% of organisations feel that antivirus software is no longer enough protection against potential threats.
If software isn’t enough, can we then say that the more expensive and technologically advanced your solutions are, the safer your data is? Sadly, this is another misconception. If your organisation lacks an understanding of the system’s function and overall purpose, sufficient protocols or a trained system administrator, the price tag becomes irrelevant.
Read more about too much faith in technology in our previously published blog post "Are we taking cybersecurity seriously enough?"
Myth #3: 100% cybersecurity is achievable
If we can agree that we won’t always notice an attack and that antivirus software, or even more complex technology, is not the answer on its own, then what is?
If we take all the previous factors into consideration, will this ensure complete security? This brings us to yet another misconception: that there is such a thing as 100% cybersecurity.
100% protection may not currently be achievable due to the fast pace of change in attack techniques, but that doesn’t mean that organisations can’t keep their information safe.
Avoiding myths with the right resilience
There are many more myths to uncover about cybersecurity and it is important to turn them inside out before deciding what to believe. Organisations should keep a holistic mindset, which means that cybersecurity needs to be a strategic decision, not just a defense mechanism.
Unfortunately, today’s organisations do not seem to feel this way. NTT Security’s survey showed that a third of the participating organisations would rather pay a ransom to a cybercriminal than invest in cybersecurity.
Reacting once an attack has been detected (if it is detected) is not the key; prevention and resilience are. This is something we should make sure isn’t considered a myth.