Like almost everything that interacts with the internet, cybersecurity has a whole lot of misconceptions rolling around.
And since October is National Cybersecurity Awareness Month, it's the perfect time to do some mythbusting.
Top 10 cybersecurity myths
The National Cyber Security Alliance recently listed the top 10 cybersecurity misconceptions for organizations. Here they are, along with related insights from security leaders.
1. Security myth: My data (or the data I have access to) isn’t valuable.
Reality: All data is valuable.
2. Security myth: Cybersecurity is a technology issue.
Reality: Cybersecurity is best approached with a mix of employee training; clear, accepted policies and procedures and implementation of current technologies.
And, as Fred Kwong, Delta Dental's Chief Information Security Officer, told us, cybersecurity requires developing advocates within your organization and networking outside of it:
"If you think about security as a space, it's still very young. In the 80s we were pretty much just firewall guys, or controls folks from a GRC perspective. But this space is ever-evolving and ever-changing, and it's hard for everyone to keep up with everything. So in order to be successful in this role as security leaders or practitioners, we have to share information, we have to collaborate, we have to understand from each other: what are they seeing, what has worked, what hasn't?"
3. Security myth: Cybersecurity requires a huge financial investment.
Reality: Many efforts to protect your data require little or no financial investment.
4. Security myth: Outsourcing to a vendor washes your hands of liability during a cyber incident.
Reality: You have a legal and ethical responsibility to protect sensitive data.
5. Security myth: Cyber breaches are covered by general liability insurance.
Reality: Many standard insurance policies do not cover cyber incidents or data breaches. And you must be a careful consumer of cyber specific policies, as well.
Jason Witty was CISO at U.S. Bank when we interviewed him before his keynote at SecureWorld:
"You need to understand your responsibility to the insurer when you are buying this policy because you are committing that you have a certain level of controls and a baseline of best practices," Witty said.
6. Cyberattacks always come from external actors.
Reality: Succinctly put, cyberattacks do not always come from external actors. Your cyberattack could be from someone working at your organization right now or from someone working at one of your vendors right now.
SecureWorld News interviewed Dr. Larry Ponemon of the Ponemon Institute about the insider threat issue. He says many companies actually make a decision to discount red flags involving current employees and insider threats.
"We found that companies err on the side of goodness. They don't want to accuse somebody without full evidence of a crime, so they write it off as negligence," Ponemon said.
"And we discovered insider threats are not viewed as seriously as external threats, like a cyber attack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever."
7. Security myth: Younger people are better at cybersecurity than others.
Reality: Age is not directly correlated to better cybersecurity practices.
In fact, during a recent SecureWorld web conference, Proofpoint's "State of the Phish" report revealed that younger workers are more comfortable with technology but not more secure.
8. Security myth: Compliance with industry standards is sufficient for a security strategy.
Reality: Simply complying with industry standards does not equate to a robust cybersecurity strategy for an organization.
In fact, when it comes to limiting liability following a cyber incident, courts and counsel are often able to detect whether your organization's cybersecurity was a sincere effort.
Nationally known cybersecurity and privacy attorney Shawn Tuma told us about this at a SecureWorld conference:
"One of the things I've seen in my experience of walking companies through incidents is that you can really see a difference between those that act like they really care and those that are just going through the motions and checking off the boxes.
Being able to demonstrate that you did your best and it wasn't quite good enough is much different from saying, you know, it just wasn't that important. And when you can't demonstrate your efforts, what you're really showing is that 'to me, to my company, it just wasn't that important.' And people are not sympathetic to that."
9. Security myth: Digital and physical security are separate things altogether.
Reality: Do not discount the importance of physical security.
Many pentesting firms offer physical security testing as part of their analysis of your overall cybersecurity.
Famous hacker Kevin Mitnick wrote in his book, "Ghost in the Wires," about a number of times he socially engineered his way into buildings to get at computer terminals and networks.
"We walked in. The guard was a young guy, the kind who looked like he might enjoy a toke pretty often. I said, 'Hey, how you doing? We're out late, I work here, I wanted to show my friends where I work.' 'Sure,' he said. 'Just sign in.'"
What he and his hacker friends then found inside room 108 was what he called, "The mother lode. The jackpot."
10. Security myth: New software and devices are secure when I buy them.
Reality: Just because something is new, does not mean it is secure.
The CEO of the Privacy Professor, Rebecca Herold, wrote in a recent SecureWorld featured article about the challenges posed by Internet of Things (IoT) devices, which almost every organization is using:
"IoT devices create new pathways into a business's digital environments. These devices open new doorways to unauthorized access, often unknown to the IT and cybersecurity teams. This can lead to security incidents that can bring down the business activities, and lead to huge privacy breaches."
So there you have it: the 10 top cybersecurity myths. What other common misconceptions are you seeing? Let us know in the comments below.