Posted on 24 September 2018 at 1:59 PM by Ger van Hees
Information security is often in the news. Spectacular and frightening stories of breaches are commonplace. Recently, 300 universities worldwide were targeted in a security breach. Hackers managed to access 8000 login credentials; in total they stole 3 billion USD worth of data. Their method was simple and familiar: they sent out emails with malicious links. Professors were prompted to click on the links to log in to their university accounts. They were then directed to fake login pages, set up to harvest their credentials. It seems hard to believe that, even with all the news stories, breaches keep happening. Thanks to our built-in “optimism bias”, people tend to think that bad things only happen to others. But denial is much more costly than facing the facts. In reality, every institution and organization is susceptible to these attacks. There are 5 dangerous myths that can make your organization an easy target for a security breach. These beliefs are common, and we’re going to dispel them one by one.
Myth #1: Information security is IT’s responsibility
The truth: Yes, IT should safeguard the computer systems that process and store data. But that only accounts for a small piece of the information security puzzle. In an organization, there are employees who have access to sensitive information. Data is often carried outside of the company on portable devices or USB sticks. Even worse: employees generally have a low awareness of IT security. They’re unaware of the risks of using their birthday as a password, or of clicking on a link in an email. Hackers can gain access to the company network by taking advantage of employees’ ignorance.
The nature of company data can range from customer information to trade secrets. Information security threats are a risk to the company as a whole, and should be managed as such. This includes allocating a budget for information security hardware, software and training. Without buy-in from the company leadership, a company is at a very high risk of a catastrophic breach.
Myth #2: It’s only something large organizations need to worry about
The truth: Yes, we usually hear about massive breaches involving large corporations where millions of user credentials are leaked. The news reports are biased to share the most sensational stories. But that doesn’t mean that information breaches are limited to large corporations.
The 2018 Verizon Data Breach Investigations Report presents an in-depth analysis of over 2000 data breaches. More than half (58%) of the affected organizations are categorized as small businesses. But small businesses mistakenly assume they’re at a lower risk. They may set aside less of a budget to protect themselves; exactly the opposite of what they should be doing.
Here’s some really scary news: for small businesses, a security attack can mean the end of their business. 60% of impacted small businesses will go out of business. Yes, it’s THAT serious.
Myth #3: Information security is a goal to be achieved or a box to be checked
The truth: You can’t be information security “compliant” by taking some tests and proving your knowledge. Information security must be an ongoing, evolving process. Here’s why:
1. New vulnerabilities are discovered on a regular basis. Hackers come up with new exploits that keep working until someone detects the issue. Even the best firewalls and antivirus software won’t catch vulnerabilities that have not yet been documented. Monitoring your network with behavioral analytics will help you notice unusual activity that such tools miss.
2. Employees are the top cause of breaches. Hackers are adept at getting employees to unknowingly sabotage their organization’s security. They use psychological manipulation (social engineering) that can be very hard to discern. The only way to combat social engineering? Recurring real-time simulations. One simulation isn’t enough. With practice, more employees will know what to recognize. They’ll be able to catch themselves (or others) before it’s too late.
Myth #4: We only need to worry about our organization
The truth: If only it were as simple as worrying about your own organization. Almost 63% of security breaches involved third parties such as contractors or vendors. Recently, a number of large US retailers including Costco and Sam’s Club halted their photo printing services. The reason? A possible breach on the third-party site they used to host their photos. The infamous Target breach of 2013 was also carried out via a third-party contractor.
Managing third-party access can be complex. But it’s a risk that can’t be ignored.
Myth #5: It’s too expensive to implement an information security awareness program
The truth: The opposite is true. A breach is much more expensive, and the damage extends beyond the monetary costs. Reputations can be tarnished overnight after a breach. Some numbers to back this up: on average, worldwide, a breach costs $3.6 million USD. 58 data records are stolen EVERY second. It’s happening all the time. And 75-90% of businesses have experienced a breach.
These numbers demonstrate that breaches are both likely and expensive. It makes sense to invest in an information security awareness program. It will save your company millions of dollars and preserve the reputation you’ve worked so hard to build.
Former hacker Kevin Mitnick says it best: “Businesses should absolutely set aside funding in their budgets for security consultants. Unless there is an expert on staff, and there usually is not, it needs to be outsourced.”
Information security risks apply to everyone. Individuals, small businesses and mega corporations are all susceptible. Information security isn’t something that can be delegated to IT. On the contrary, information security awareness needs to be a priority for company leaders. With strong leadership and a good information security awareness program, your company can reduce the risk of a damaging breach.