10 common myths about cyber security
October is Cyber Security Awareness month and so a good opportunity to think about how to improve cyber security in your organisation. There are still a number of prevalent myths about cyber security that can hamper organisations’ efforts to improve in this area. In this blog I am going to briefly outline what these are and explain why they represent misguided thinking.
1. Installing security software will interfere with productivity by slowing down or interrupting workflow
It is fair to say that this can sometimes be the case, but it is generally due to poor implementation of security tools and protocols rather than the limitations of the tools themselves. We have all experienced tools that continually demand ever more complex new passwords, for instance, or where it can feel as though the security measures effectively make it impossible to log in and get any work done. It does not have to be this way. Effective security measures can be deployed in such a way that they do not interfere with staff productivity – it is about striking the right balance. This is something that we can help you with if you’re concerned about how security tools are deployed within your organisation.
2. Just having a strong password is enough to keep you safe
Whilst having a strong password is a necessity, unfortunately it isn’t enough on its own. A strong password does not protect users from social engineering attacks, where fraudsters persuade them either to hand over their passwords or to log in themselves as directed by the fraudster. This means that user education is just as important (if not more so) than having a password policy in place. Strong passwords alone also don’t help in the event of a data breach where a list of usernames and passwords is compromised. You can guard against this by adding multi-factor authentication (MFA) as an additional level of security, requiring users to authenticate themselves via a second method such as their phone or an app like Google Authenticator. With MFA in place, even if criminals do manage to get hold of usernames and passwords, they still won’t be able to log in without the ‘second factor’.
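To show concretely why a stolen password is not enough once a second factor is enrolled, here is an added example (written for this post, not code from the original article or from any authenticator app): a minimal RFC 6238 TOTP verifier of the kind Google Authenticator implements, and a login check that requires both the password and the current code. The user record, password and base32 secret are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30        # TOTP time step in seconds (what authenticator apps use)
DIGITS = 6       # code length shown in the app


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated
    per RFC 4226 and reduced to DIGITS decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step plus `window` steps either side
    (allows for clock drift); compare in constant time to avoid timing leaks."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def make_user(password: str, totp_secret_b32: str) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus enrolled TOTP secret."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret_b32}


def login(user: dict, password: str, code, at: int) -> bool:
    """Both factors must pass. A leaked password with no code (or a guessed
    code) is rejected, which is the point of enrolling the second factor."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return False
    if code is None:
        return False
    return verify_totp(user["totp_secret"], str(code), at)
```

The secret used in the check below is the RFC 4226/6238 test key ("12345678901234567890" in base32), so the expected codes are the published test-vector values.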
3. Security costs too much
We do occasionally talk to companies that consider the costs of implementing effective security measures to be prohibitive (although many fewer nowadays than used to be the case). This can sometimes be the case for small companies that think their size means they won’t be targeted. There are two errors here. Firstly, it’s a big mistake to think that just because you’re small you won’t be targeted. Companies of all sizes are vulnerable to being hacked. Secondly, it’s a mistake to underestimate the potential cost associated with a data breach. A data breach will almost certainly end up being much costlier to your business than making sure you have dedicated security solutions in place to prevent it from happening in the first place. The cost of detecting and escalating a breach, notifying those affected and the regulatory authorities, lost business and reputational damage, and paying fines, legal fees and other costs associated with making things right can easily run into the millions.
4. I will know straight away if my business is attacked
This is rarely the case these days. There used to be some easy signs (pop-up ads or slow-loading browsers), but scammers have become stealthier. Hacking is a silent crime and it is in criminals’ best interest to remain unnoticed for as long as possible. The longer they have access to your systems, the more data they can steal.
5. Cybersecurity is solely the IT department’s responsibility
The most common cause of cyber security breaches is careless (or sometimes malicious) actions by employees – clicking on links, inadvertently giving their details away or being victims of social engineering. This means that you can’t rely just on the IT department to keep your organisation secure – everyone has a role to play. You need to ensure that your staff are educated about the risks and understand what they need to do in order to avoid being responsible for a breach.
6. Cybersecurity threats only come from outside sources
This is also a common myth and one that is sadly untrue. By far the biggest danger to your organisation’s cyber security comes from your own staff, whether this is disgruntled employees looking for revenge or (more likely) staff who have not been given proper security training or are not following your security protocols.
7. My data isn’t important, it’s not a big deal if I am hacked
This is an illusion. Even if hackers gain only usernames and passwords, this can still result in very bad outcomes for anyone whose data was compromised, as many people use the same credentials for most of their services, including their online banking. Additionally, you need to think about what the disruption to your business would be if you were hacked. Perhaps you don’t have any client data or other personal details stored in the backend of your website, but that doesn’t mean it wouldn’t be hugely disruptive and damaging to your business if your website were hacked. What would it mean for your business if your website was down for any significant period of time? Even if there is no client data breach, the loss of access to mission-critical systems is likely to be a very significant problem for almost all organisations these days.
8. We use Apple devices because they can’t be hacked
There is a belief that Apple products are immune to cyber threats – this isn’t the case. Apple products can and do get hacked and users who think their devices are invulnerable are more susceptible to data loss because they can be more complacent about how they behave.
9. It is easy to spot phishing or social engineering attacks
Phishing is one of the most common ways of stealing people’s personal data or gaining access to a system and usually involves a replica of a known service. There has been a huge increase in phishing attacks during the pandemic – for example most people will have received text messages purporting to be from a delivery company with a parcel on which a fee needs to be paid, or a message apparently from the NHS about a covid vaccine that takes you to a page that requires payment. We all like to think that we will spot these straight away and that we are too clever to fall foul of them but sadly that isn’t the case. The reality is that scammers are incredibly sophisticated these days and anyone can fall victim no matter how tech savvy they consider themselves to be. Always be wary of the links you open, and never think that you couldn’t be caught out. Make sure that your staff are aware of the risk of phishing. Training can help them to understand how sophisticated such scams can be and how easy it is to get caught out.
10. I don’t have a computer, I can’t be hacked
In this day and age, computers are not the only targets for hackers and scammers, as so many of our devices connect to the internet. Scammers go after phones, routers and even smart TVs. We must make sure we are protecting all endpoints.
How we can help you
If you have any concerns about your current security set up or would like any help with any aspect of your cyber security then please don’t hesitate to get in touch – we’d love to help!