5 Cybersecurity Myths & Truths
1. Hackers Don’t Target Small Organizations
If the media was anything to go by, it would appear that only large organizations like AT&T, Apple and Uber suffered from attacks. In fact, according to the 2018 Verizon Data Breach Investigations Report, 58 percent of data breach victims were small businesses.
This myth is particularly persistent because of mainstream news and the fact that hackers can potentially extort higher sums of money from these businesses. While the financial gain from targeting enterprises is more lucrative, the stakes are higher for small businesses. Cybercriminals know that a cyber-attack could destroy a small business and force it to close.
There are widespread weak security procedures in small businesses, including a lack of formal password policies, not installing updates and not using security software.
Most small businesses lack a contingency plan to deal with active attacks such as ransomware. In addition, it is imperative to have an active data management backup plan that is hidden from attacks.
Hackers don’t discriminate when it comes to their victims so don’t let the size of your business determine how valuable your data is or how secure your assets are.
2. Cybersecurity is Too Expensive
The cost of a good cybersecurity solution is nothing compared to the cost of a successful attack. Even as malicious cyberattacks continue to make headlines and cost businesses millions, companies still wonder if cybersecurity investments are worth it. Data security is frequently overlooked and is only an afterthought for many enterprises. The average cost of a data breach in 2021 was $4.24 million, the highest in the last 17 years. This figure does not include the damage that comes with the crippling reputational losses and customer losses from a breach.
Apart from the costs of obtaining access to your data, there are often regulatory fines for an organization for which they may be liable.
Compliance with mandates, such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are two of the most important regulations. Explicitly written on the official GDPR website, “GDPR fines are designed to make non-compliance a costly mistake for both large and small businesses.”
The GDPR explicitly states that some violations are more severe than others. These less severe infringements could result in a fine of up to $11,899,550 (€10,000,000) or 2% of an organization’s worldwide annual revenue from the preceding financial year, whichever amount is higher. More serious GDPR infringements — those going against the right to privacy and right to be forgotten — could result in a fine of up to $23,799,100 (€20,000,000) or 4% of an organization’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
Last year, a new set of regulations, the California Consumer Privacy Act were created. The CCPA fines are just as intimidating as GDPR. Each time a business is found to have an intentional violation, they can be fined up to $7,500. Even unintentional violations come with a price tag of $2,500. Violations can also stack up on one another. For example, if a business’s website is using third-party cookies without leveraging a cookie banner for awareness and opt-in, that organization could be committing thousands (or more) of violations per day.
The cybersecurity company, Trusted Partner, Bergerode Consulting, explains that “effective cybersecurity, in my view, is first and foremost a set of positive behaviors which put cybersecurity on a solid footing. Just now, knowing what threats your business faces determines what choices you make about meeting these threats.”
They continue “If a business faces a malware risk from staff using personal USBs in company workstations, some security companies will try to sell software to that business which controls the use of USBs, but such software can be expensive and it will certainly not address the reason why staff are using USBs, to begin with. Rather than buy such software, companies should seek to address why staff are using personal USBs and take ownership of the issue by updating the staff handbook to make use of personal USBs not permissible and also look to using existing software, e.g. Active Directory, to manage the use of USBs. This is more likely to address the root cause of the issue and deal with any risks than just buying a solution and being locked into an expensive support contract.”
Moreover, there are many precautionary measures that you can take with absolutely no additional cost to your business, such as strong passwords, multi-factor authentication, access management, and employee training.
3. Cybersecurity is Solely the IT’s Department
IT security is still viewed as the IT team’s problem when that’s not the case. All employees have a responsibility to ensure the security of their business. Every employee is part of the frontline of an organization’s defense and represents its biggest attack pool. They are the people hackers are targeting with phishing campaigns because they’re banking on a lack of security knowledge.
This myth can have serious consequences if employees don’t practise basic cybersecurity hygiene. If they don’t take care when clicking links in emails or downloading software, they could compromise your business’ security. Training is critical because your employees need to understand why cybersecurity is so important and that they have a role to play. This will also equip them with the skills to spot threats and change their behavior for the better.
As a security breach can have potential and long-lasting effects on the entire business, the culture change needed to address this in a real and meaningful way comes from leadership while real cybersecurity preparedness is the responsibility of every employee.
While IT has a big responsibility when it comes to implementing and reviewing policies to keep companies cybersafe, true cybersecurity preparedness falls on the shoulders of every employee, not just those within the information technology department.
4. Cyberattacks are Only Caused by External Actors
While insider threats can be accidental or negligent, they can sometimes be malicious. Though protecting devices and servers is necessary, organizations should not overlook the importance of protecting against personnel and contractors and consider employee monitoring.
Did a disgruntled employee who was recently fired extract sensitive data on their way out with the intent to sell it or release it publicly? When it comes to cybersecurity, an ounce of protection goes a long way.
“The threat of insiders is real and what can happen is you have amazing defenses to protect your intellectual property and other secrets from those who are trying to obtain them from outside your company’s walls, but you forget sometimes to have a program where you are watching those who you trust,” said Assistant Attorney General for National Security John Carlin after the FBI arrested and charged an individual with theft of government secrets. In addition, you can never be fully aware of where these attacks can originate from, and traditional security solutions are largely ineffective when it comes to these threats. This makes them much harder to detect and contain than external threats.
5. Not Needing to Monitor Remote Employees
Employers are concerned that in the event of a security breach, they won’t be able to see what was happening on users’ desktops when the breach occurred. With more employees working from home, companies are seeking ways of monitoring remote sessions. One compelling case can be made for recording remote sessions for later playback and review.
Another reason for recording remote sessions is to maintain compliance, as required for medical and financial institutions or auditing for business protocols, etc.
TSFactory’s RecordTS v6 will record Windows remote sessions reliably and securely for Microsoft RDS, Citrix and VMware systems as well as cloud environments such as Azure and AWS. Scalable from small offices with one server to enterprise networks with tens of thousands of desktops and servers, RecordTS integrates seamlessly with the native environment.