By Wade Billotte, Fortify —
Cyber threat actors, who attack organizations with seeming impunity, have become the bogeyman of the technology world. Fear pulls us in a direction that seeks solutions and protection, but we are always drawn back to a natural state of comfort and calmness, a belief that everything will be okay. This state of comfort is how fallacies, or limiting beliefs, set in, and they can create a false sense of security. The following is not an exhaustive list of fallacies about cybersecurity; however, they can be the most devastating if held too long.
Fallacy 1: My data is not valuable to hackers
When ransomware first appeared, the strategy of ensuring the ability to recover data became paramount to avoid paying a ransom. Then stories of large organizations suffering security breaches that led to sensitive data being stolen created a false narrative that hackers were only interested in the data of large organizations. A business owner may not be able to see the value their data has to a potential threat actor, but the threat actor is certainly aware of the value the data has to the business owner. Aside from demanding a ransom to unlock the business’s data, threat actors can extort money by threatening to publicize the breach, contact the business’s clients directly, or make the data publicly accessible on the Internet. Threat actors can also exploit access to networks to learn the flow of information and communications in order to intercept or redirect money. How valuable is data to your business? What would you pay, in an event like this, to protect it?
Fallacy 2: We are just a small business, so we are less likely to be targeted
It is certainly less likely that a small business will be ‘targeted’ specifically. However, it is more likely that a breach in a small business is the result of threat actors casting wide nets to see who gets caught. Ransomware and other attack strategies are huge ‘business’ on the dark web. It is increasingly easy for threat actors with a decent understanding of computers to benefit from the proceeds of ransomware and other attacks. Threat actors can practically ‘set it and forget it’ until someone at a business clicks on the link or opens the attachment that delivers the payload. It does not matter how large the business is; it matters only whether they will pay. In some cases, smaller businesses may be more likely to pay due to a lack of backups, a lower tolerance for downtime, or simply fear.
Fallacy 3: We have antivirus/antimalware software installed on EVERY device
Installing antivirus/antimalware software is an absolute must for every technology strategy. However, what is often misunderstood about Endpoint Protection (antivirus/antimalware) is that the software can only detect what it already knows about. It is the same as security personnel at an entrance comparing photos of known suspects against each and every person who enters. This strategy does NOT capture new (unknown) threats as they enter. Seemingly legitimate links and attachments can still bypass any and all protection solutions in place and be clicked on or opened. Further, viruses and malware are not the sole delivery mechanism for threats. Threats can enter a network via many avenues that may not be protected by antivirus/antimalware. Finally, Endpoint Protection alone is no longer enough: businesses must invest in Endpoint Detection and Response (EDR) and other solutions that monitor actual suspicious behaviour on a network.
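The difference between "detecting what it knows about" and "monitoring suspicious behaviour" is easier to see in code. The following is an added illustration, not code from Fortify or from any endpoint product: a signature check that only matches file hashes already in a known-bad list, beside a simple behaviour rule that looks at what processes actually do. The hash list, the event telemetry and the rule thresholds are all constructed for this example; the telemetry format loosely resembles what an EDR agent reports but is not any vendor's real schema.

```python
"""Added example (not the article's or Fortify's code).

Contrasts signature-based endpoint protection, which can only match content it
has seen before, with a behaviour-based rule of the kind EDR tooling applies.
All hashes, events and thresholds below are constructed for illustration.
"""
import hashlib
from collections import defaultdict

# Constructed "known bad" signature database: hashes of samples a vendor has
# already analysed. Real products use richer signatures, but the limitation is
# the same: a list can only contain what someone has already seen.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"known-ransomware-sample-v1").hexdigest(),
}


def signature_verdict(file_bytes: bytes) -> bool:
    """Classic antivirus logic: flag the file only if its hash is on the list."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES


# Process names used by the behaviour rule (constructed, Windows-style examples).
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}

# Constructed telemetry: (seconds, process, action, detail), the sort of event
# stream an EDR agent forwards. The Word document spawns a shell, which then
# rewrites files with a ".locked" extension; one benign write is mixed in.
SAMPLE_EVENTS = [
    (0, "WINWORD.EXE", "process_start", "powershell.exe -nop -w hidden"),
    (1, "explorer.exe", "file_write", r"C:\Users\a\Documents\report.docx"),
    (2, "powershell.exe", "file_write", r"C:\Users\a\Documents\q1.xlsx.locked"),
    (3, "powershell.exe", "file_write", r"C:\Users\a\Documents\q2.xlsx.locked"),
    (4, "powershell.exe", "file_write", r"C:\Users\a\Documents\plan.docx.locked"),
    (5, "powershell.exe", "file_write", r"C:\Users\a\Documents\notes.txt.locked"),
    (6, "powershell.exe", "file_write", r"C:\Users\a\Documents\budget.pdf.locked"),
]


def behaviour_verdict(events, window_seconds=10, rename_threshold=5):
    """Behaviour-based logic: flag what a process does, not what it is.

    Rule 1: an office application starting a scripting shell.
    Rule 2: one process writing `rename_threshold` ".locked" files within
            `window_seconds` (a crude ransomware-style burst indicator).
    Returns a list of human-readable alert strings.
    """
    alerts = []
    recent_writes = defaultdict(list)  # process name -> timestamps in window
    for ts, proc, action, detail in events:
        if action == "process_start" and proc in OFFICE_APPS:
            child = detail.split()[0].lower()
            if child in SHELLS:
                alerts.append(f"{proc} spawned {child} at t={ts}s")
        if action == "file_write" and detail.lower().endswith(".locked"):
            stamps = recent_writes[proc]
            stamps.append(ts)
            # Drop writes that fell out of the sliding window.
            while stamps and ts - stamps[0] > window_seconds:
                stamps.pop(0)
            if len(stamps) == rename_threshold:
                alerts.append(
                    f"{proc} wrote {rename_threshold} '.locked' files "
                    f"within {window_seconds}s (last at t={ts}s)"
                )
    return alerts


if __name__ == "__main__":
    # A trivially modified variant of the known sample has a new hash, so the
    # signature check misses it, while the behaviour rules still fire.
    print("known sample flagged:", signature_verdict(b"known-ransomware-sample-v1"))
    print("new variant flagged: ", signature_verdict(b"known-ransomware-sample-v2"))
    for alert in behaviour_verdict(SAMPLE_EVENTS):
        print("behaviour alert:", alert)
```

The point of the contrast is the second `signature_verdict` call: a one-byte change to a sample produces a hash nobody has listed yet, so the signature check is silent, while the behaviour rules flag the same activity because they key on actions (an office app launching a shell, a burst of renamed files) rather than on the identity of the file. Real EDR rules are far more elaborate, but this is the shift in thinking the article describes.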
Fallacy 4: Our IT Department is very security conscious
Jeremy Gutsche is quoted as saying, “Complacency will be the architecture of your downfall.” I think Jeremy was saying that the moment you let complacency set in is the moment you stop thinking about possibilities outside of what you know; it is the moment that everything you don’t know starts to conspire against you. Saying you are ‘security conscious’ is not the same as ‘putting security first.’ Being security conscious means you think about security often and perhaps even resist doing risky things. This is good; however, ‘security first’ means that security is part of the conversation at every step. Security is the first thing you think about when planning your technology. You and your team learn what to look for so that you avoid taking risks in the first place. Sometimes, partnering with a service provider that thrives by putting security first is what is needed.
Fallacy 5: We have cybersecurity insurance if anything goes wrong
You have auto insurance that protects you from being completely financially responsible for an accident you have caused or been the victim of. You still do not want to go through the devastating task of recovering from an accident. Further, what you are covered for after a cyber incident is narrowing, or becoming more expensive, the more often insurers have to fund claims. Every policy differs in coverage; however, they are all the same in that each has a limit on what you can be paid. Further, cyber insurance does not protect a business from possible long-term or permanent damage to its operations or reputation.
Fallacy 6: We have really good backups, so, we can recover
Just like the fallacy about the value of the data to a threat actor, backups may not always be enough to protect against ransomware, theft or other threats. Backup recovery does not protect against the threat of releasing the data to the public if it has been stolen. Solid backups of the data itself also do not protect against the encryption of entire systems; recovery may also mean having to restage servers and workstations. Backup solutions that include virtualized versions of devices (servers, workstations, etc.) must also include the ability to easily recover those devices, or the capacity to run those virtualized devices in the cloud. The time and cost of recovery still need to be considered: recoveries can take a long time and will still contribute to the overall downtime a business experiences.
Fallacy 7: We are in the cloud, so, we are well protected
While cloud service providers will likely have a solid backup strategy in place, that backup strategy is optimized to protect the service provider and not necessarily the customer. It is important to fully understand the service provider’s conditions of use related to backups and recovery. If you use a cloud service provider for some of your data (e.g. file synchronization, email, etc.), it is important to investigate any additional services that may be available to back up those cloud services as well. This matters because access to these cloud services is often tied to the device that is connected to them (e.g. workstation, server, mobile, etc.), and if a threat actor has access to the device, it stands to reason there is a good chance they also have access to any cloud services connected to that device.
So, now what?
What these fallacies teach us is that there are multiple aspects to successful cybersecurity which deserve as much attention in your business’s technology strategy as the applications and tools that are implemented. Cybersecurity is a multi-layered approach that requires planning, guidance and cultural attention within your business. Find a service provider that preaches security first and can easily demonstrate what they do to embed security first in their products and solutions.
About The Author
Wade Billotte is an Account Manager at Fortify. A client of Fortify before becoming a staff member, Wade takes the stance that proactive measures by the team will help clients resolve potential issues before they arise. He believes there is always room for improvement and prides himself on the ability to come up with more efficient solutions.
At Fortify Network Solutions, we appreciate the importance of your network, the impact it has on your business, and what it takes to ensure things work the way you expect them to. We have spent almost two decades deploying technology solutions and support to small and medium businesses across Canada, where we enable our clients to be free from network and system concerns so they can focus their time and energy on what matters – their business. For more information, visit fortify.ca.