Today, the world is flooded with cybersecurity news. Whether it’s a headline splashed across the media about your favorite retailer being hit by hackers or your local council falling victim to ransomware, there is no escaping the “cybercrime pandemic.”
Despite this recent surge in cyberattacks, there are still a worrying number of organizations that don’t see themselves as a target. These organizations have a false sense of security that they are of no value or interest to cybercriminals — they are too small, too unknown or even too secure to be hit.
However, this misconception just makes them easier to hit. Overconfidence in security or not seeing yourself as a target leads to companies letting their guard down, which in turn creates opportunities for hackers. So, what are the other most common security misconceptions we hear about from organizations, how do they put those organizations in danger and, most importantly, how can they be resolved?
1. We are not a target for cybercriminals.
First and foremost, everyone is a target for cybercriminals. It doesn’t matter how big or small you are or how much or how little data you hold; cybercriminals will still see you as a target. This is an issue we hear about a lot when approaching new customers. However, once we have carried out an open-source background check, they are often surprised by the results.
We find fake social media accounts where CEOs and brands are being impersonated, often sending out malicious links in their posts. We also find a lot of other content online that shows the company has already been hit by attackers.
This demonstrates that every company is a target. Impersonation scams are widely used by cybercriminals to trick consumers into following fake social media accounts, which are then used to send out malicious content.
To protect against these attacks, companies must sweep the web regularly, identifying these malicious accounts and then getting them taken down either through a security partner or by contacting the social provider directly.
2. Cybersecurity is an issue for IT; it doesn’t concern the CEO.
This is something we hear all too often, and it demonstrates how little an organization knows about cyberattacks. A successful attack is far more than just a technical setback; it can damage your reputation, ruin customer trust, cost millions in fines, damage share prices and, even in some cases, bring a business down entirely. All these issues make cybersecurity a critical concern for the CEO and for the whole company.
Regular training for all staff is essential. This not only means educating them on malicious links and attachments in emails but also teaching them about threats like ransomware and social media dos and don’ts.
Employee oversharing on social media is one of the easiest ways for cybercriminals to gain intelligence on an organization. Teaching employees about the risks of oversharing is the best way to prevent it.
3. We have everything covered.
Having everything covered is a mirage because it is impossible to cover the things you can’t actually see, and that is the reality for most organizations. As more and more employees bring personal devices into the workplace, security becomes a very complex problem.
Organizations will also very often have weaknesses in their infrastructure that they are not aware exist. However, by working with a security company that has the ability to scan your network for weaknesses and inventory all the devices connected to it, you can significantly improve security.
4. Security is not a product; it’s a practice.
When many businesses address cybersecurity, they do it for compliance. They buy products to address compliance issues and tick boxes believing this will make them secure. This is not true. Ticking a compliance check box is only one side of security, and it should also be paired with employee awareness training and building a cyber-security-conscious culture.
Most cyberattacks today are caused by curious employees clicking on malicious links or opening attachments. Deploying security products and combining them with security awareness training is the best defense against attacks.
5. Cybercrime will never have a physical impact.
This is another misconception we hear often that can put organizations at risk. Today, cybercrime is not just a digital issue; it regularly spills out into the physical world. Whether it be a ransomware attack impacting the supplies of essential goods or chat in hacking forums about physical demonstrations taking place outside an organization’s office, there is no limit to just how physical cyber can get today.
Organizations must therefore start to think about cyber-physical attacks, as well. What would be the physical impact of an attack on our operations? Are we monitoring the internet for physical demonstrations or protests that could have an impact on our offices and staff? By considering these issues within an organization’s overall security program, you can prepare for all forms of attacks.
These are just some of the common misconceptions we hear about when approaching new customers that could put them at risk. However, by carrying out monitoring online or working with a trusted security partner, these misconceptions can be addressed before they put your organization in danger.