It’s important that we address one of the greatest challenges for us in reducing cyber security risks. That is the number of fundamental security myths that cause people and businesses to assess threats incorrectly, misallocate resources, and make poor risk choices.
Dispelling those myths is key to developing a sophisticated, risk-based approach to cyber security. So let's start myth busting!
#1 Small or medium-sized businesses have nothing of value to an attacker
Many small businesses think they have nothing of value to an attacker, but it is the very opposite. I hear the “we have nothing of value to an attacker, why would they attack us?” question so often that it drives me bananas. Small organizations are in fact perfect targets for attacks because they have weak defenses, and therefore are easily compromised.
A 2016 Government report confirms that 74% of small and medium-sized businesses (SMBs) reported a security breach and that only 7% of small businesses expect information security spend to increase in the next year. Ransomware is the weapon of choice for attacking small businesses indiscriminately: it encrypts the victim's systems and files, and only when a ransom is paid are the files decrypted. Every small business has something of value to itself, namely its own files and systems, and those can be held for ransom.
Ransomware affects SMBs and individuals alike. Attackers now tailor the amount of money demanded: they do not ask for a large sum from victims they know cannot pay. To decrypt the files, they ask for a sum that is significant but "acceptable" to the victim. For an individual, it might be $100. For a small organization, perhaps $500 is big enough to make a nice income for the attackers and small enough that their victims are likely to pay. Using ransomware against soft targets like small to medium-sized businesses is becoming more and more prevalent. So not only is this a myth, it's an extremely dangerous myth to believe, and one that is commonly held by management.
#2 Cyber security is an IT problem
This is another very dangerous myth if an organization's executives believe it. IT staff should not be making risk decisions that can affect the success or failure of an organization. That is the role of the executives. There is no doubt that cyber security comes largely from implementing appropriate technical controls to safeguard the information held within an organization. Therefore, IT is responsible for recommending and implementing security controls. But the final choice on whether risks should be mitigated or accepted should be down to the executives who understand the strategic objectives of the business.
Most organizations are not in the business of security. Security is just an enabler that lets the business function within acceptable levels of risk. How much risk an organization should take cannot be determined by IT, as they simply don't have this level of understanding of the business. It is for executives to set the level of risk tolerance. For example, it could make good business sense to launch a product so it reaches the market in time and forgo some of the security. An IT person would not be in a position to make this sort of call.
Security is not an absolute. Its job is to inform the business and protect it to the level that is acceptable. Some organizations need to run with high levels of cyber risk in order to be viable as a business. The risks from cyber attacks are not a technical problem. The recent attacks on TalkTalk, Sony, Target and others resulted in serious financial damage to the companies themselves, so the problem is now a boardroom issue that has to be managed at that level just like any other risk to the business.
#3 “Make my system 100% secure”
One of the most frustrating requests you can get as a security expert is being asked to "make the system 100% secure". There is no such thing as 100% security, so the requester must define what "secure" means to them, and they often have no clue. People believe that complete security can be achieved and that complete security is required by law or industry practice. Neither is correct. Both laws and industry practices require businesses to do what is "reasonable." Complete security is not required, or even realistic.
Studies show that businesses would have to increase their overall security budgets nine-fold to address just 95 percent of the threats. That increase would, in most cases, exceed the overall budget for the entire business. There is also a fundamental paradox in security efforts: as security protections increase, the usability of the secured systems often decreases. That is, the greater the security, the less useful the thing secured will be.
It is, for example, possible to completely secure a mobile device, such as a smartphone. All that is necessary is to:
1. Put the device into airplane mode
2. Place in a Faraday case
3. Lock the device in a secure safe
While complete security has been achieved, usability has been reduced to zero. A balance must always be struck between effective security measures and the usability of the data or system being secured. There are many misconceptions in cyber security that we need to overcome, and what we always need to concentrate on is reducing risk.