Common cybersecurity myths debunked

One of the greatest challenges for organizations attempting to address cybersecurity risks is the number of fundamental security myths that cause organizations to incorrectly assess threats, misallocate resources, and set inappropriate goals. Dispelling those myths is key to developing a sophisticated, appropriate approach to information security.

MYTH #1: "IT'S ALL ABOUT THE DATA."

All too frequently, "security" is thought of as ensuring data cannot be accessed or used for unauthorized purposes or by unauthorized users. While this is certainly a key concern, the systems and networks on which the data resides must also be protected against attack. For example, a Denial of Service (DoS) attack is not aimed at gaining access to a business' sensitive data, but at preventing others, such as the business' customers and business partners, from accessing and using that data.

MYTH #2: "IT'S ALL ABOUT PRIVACY."

Another common misconception is that security only relates to the protection of personally identifiable information. While protecting personal information is clearly of critical importance, other types of information assets must also be protected. Additional information assets include trade secrets and other intellectual property (such as source code for a company's software products), competitive information (such as customer and supplier lists), pricing and marketing data, company financial information, and more. It is particularly important to ensure all forms of confidential and proprietary information are protected in entering into relationships with vendors and business partners.

MYTH #3: "IT'S ALL ABOUT CONFIDENTIALITY."

When talking about security, the tendency is to focus on the most obvious element: ensuring data is held in confidence (i.e., the data is not used by unauthorized individuals or for unauthorized purposes). For data to be truly secure, it must be confidential, its integrity must be maintained, and it must be available when needed. These are the three prongs of the well-known information security acronym "CIA."

"Confidentiality" means the data is protected from unauthorized access and disclosure.

"Integrity" means the data can be relied upon as accurate and has not been subject to unauthorized alteration. A few years ago, a well-known hacker magazine ran an article designed to educate employees who thought they were going to be laid off how to harm their employers. In particular, the article suggested ways employees could easily corrupt company databases to render them unreliable (e.g., changing account numbers for key suppliers, changing invoice addresses, etc.).

"Availability" means the data is available for access and use when required. It does no good to have data that is confidential and the integrity maintained, but the data is not actually available when a user requires it. For example, DoS attacks are specifically designed to prevent availability of key systems and data, instead of compromising confidentiality or integrity.

MYTH #4: "TO BE A HACKER, YOU MUST BE A TECHNOLOGICAL GENIUS."

It is a common error for businesses to focus security measures on the professional hacker, or protecting against individuals or entities that are highly skilled in programming and technology. Such skills are, however, no longer a pre-requisite to hacking. Today, someone with little or no knowledge of technology can find online, easy-to-use hacking tools capable of causing substantial harm to a business. These individuals are sometimes referred to in the hacking community as "script kiddies," because they require no real hacking knowledge. There are also a wide range of readily available books that can quickly educate technological neophytes regarding hacking. One popular book even includes a chapter entitled, "how to be a hacker in thirty minutes."

[ ALSO ON CSO: Five myths about mobile security and their realities ]

Finally, one of the most effective means of hacking in use today -- social engineering -- requires no technological skills whatsoever. Rather, to be an effective social engineer, all that is required is self-assurance and a knowledge of human nature. One prevalent form of social engineering is phishing -- a hacker sending fake emails soliciting sensitive information or including attachments that install malware that can infect a company's network. Phishing attacks and other social engineering techniques were used recently to conduct a concerted attack on banking institutions worldwide, causing losses of $300 million -- or possibly as high as $1 billion.

MYTH #5: "I CAN ACHIEVE 100 PERCENT SECURITY."

Finally, one of the most common misconceptions about security is that complete security can be achieved and that complete security is required by law or industry practice. Neither is correct. Both laws and industry practices require businesses to do what is "reasonable." Complete security is not required or even realistic. Studies show that it would require businesses to increase overall security budgets nine-fold to address just 95 percent of the threats. That increase would, in most cases, exceed the overall budget for the entire business.

There is a fundamental paradox with regard to security efforts: As security protections increase, usability of the secured systems decreases. That is, the greater the security, the less useful the thing secured will be. It is, for example, possible to completely secure a mobile device, such as smartphone. All that is necessary is to (i) put the device into airplane mode and (ii) lock the device in a secure safe. While complete security has been achieved, usability has been reduced to zero. A balance must always be struck between effective security measures and usability of the data or system being secured.

Lessons learned

While protecting a business' data is key, a well-crafted approach to security requires protection of the systems on which that data resides and the networks through which the data is accessed. In most instances, a practice known as "security in depth" should be employed. That practice recommends the use of multiple layers of protection from threats. For example, to address phishing attacks, a company can begin employee education on opening unidentified emails. As a further measure of security, the business could combine that training with anti-virus software and, possibly, software specifically designed to detect phishing.

All sensitive and proprietary information, not just subsets of that data, must be accounted for in addressing and mitigating cybersecurity threats. Protection of those information assets must be addressed not only within the company, but also with its external vendors, contractors, and other partners. The headlines are replete with security breaches that resulted from a business entrusting its data to a third-party vendor that had inadequately protected its systems.

When assessing security measures, the concept of CIA should be a foundational requirement. Specifically, security controls must be designed to address not only the confidentiality of data, but the integrity and availability of that data. Hackers know all the tricks. If they cannot get access to data, they may target denying others that access or finding ways to corrupt the integrity of that data.

Never underestimate the effectiveness of social engineering and other similar "non-technical" attacks. Every business experiences these attacks on a daily basis through phishing and other means. Appropriate, repeated training for employees is one of the most important steps in mitigating this substantial threat.

Applicable laws and standards require businesses to do what is reasonable to address threats. That means devoting an appropriate level of investment that balances usability against security. Striking an adequate balance is key to designing a successful cybersecurity approach.

Michael R. Overly is a technology attorney at Foley & Lardner LLP where he counsels clients on technology transactions, privacy and cybersecurity. Chanley T. Howell is a Foley technology and IP attorney focusing on data privacy and security law requirements, including federal privacy laws and FTC privacy requirements. Overly and Howell recently co-authored "Taking Control of Cybersecurity A Practical Guide for Officers and Directors," a white paper breaking down complex cybersecurity issues, including checklists decision makers can follow to navigate and prevent them. Visit foley.com/intelligence to access the full white paper or contact the authors directly at moverly@foley.com or chowell@foley.com.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsno companysoftwaredata protectioncyber security

More about CSOFTCHowell

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Michael R. Overly and Chanley T. Howell

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place