Business Insights
5 Cybersecurity Myths Debunked

Article

Cybercrime can impact your customers, your employees and your bottom line. Separating fact from fiction is the first line of defense.

Cyberattacks and threats often make headlines—not only because of the size of the attacks, but also the massive effect that some breaches can have. When a popular file transfer platform was compromised in early 2023, for example, it exposed the data of thousands of organizations and millions of people across the globe.

Take another example: In September 2023, a cyberattack shut down the network at a Las Vegas-based resort chain. Hotel rooms, which relied on key cards, were inaccessible. Casino floors emptied. The attack began with fraudulent calls to the company’s help desk, during which attackers phished for—and captured—employee login credentials.

Cybercriminals’ methods can be wide reaching and technically complex, or they can be focused on deceiving a single employee. Large, headline-grabbing attacks serve as cautionary tales for companies of all sizes and in all sectors. What are some effective ways to get a grip on your business’s cybersecurity risks and responsibilities?

An important first step is dispelling some of the most persistent myths about online security. Here are five.

Myth No. 1: Cybercriminals Target Only Large Corporations

There are actually many strategic reasons to attack small companies. “Small and midsize businesses may be more susceptible to cyberattacks because they typically don’t have dedicated cybersecurity staff and resources,” says Adam Perino, Regions Vice President for Cybersecurity. “And as large enterprises invest in more comprehensive and sophisticated security controls, it’s logical that bad actors will pivot to organizations that can’t yet invest in cutting-edge protection.”

Obscurity will not protect your organization from cybercrime either. Cybercriminals often use software programs known as bots to automatically scour the web for vulnerable systems, regardless of the size or type of company. Cybercriminals then review the compromised systems and data to determine how much the victim will likely pay if extorted. Data may be hidden or traded on the so-called dark web, which is accessible only to certain internet browsers.

“The criminals may not get a multimillion-dollar payoff, but it can be enough to justify their effort,” says Perino. “And more than enough to cripple a business.”

Myth No. 2: You Need to Secure Only Your Own Network

Small and midsize businesses are increasingly reliant on vendors for data sharing and services, which has changed organizations’ exposure to potential cyberthreats.

More businesses, for example, are moving operations to cloud-based environments that depend on third-party software products. Some are allowing employees to use personal devices to conduct business. For cybercriminals, these changes expose new paths into proprietary networks.

Supply chain vulnerabilities in business development software can affect thousands of customers on a worldwide scale. “Your business won’t have visibility into all the backdoors in the software it uses,” says Perino. “But what it can do is stay current on software updates and make sure it’s using only the latest versions.” Why? Software companies often add new protections to their newest releases.

Third-party risk management (TPRM) has gained importance as companies try to establish standards of operation that include cybersecurity best practices. “Cyber risk is just one facet of TPRM, but it’s essential,” says Perino. He also advises careful assessment of bring-your-own-device policies and setting controls on device usage that reflect the company’s risk tolerance.

Myth No. 3: Security Tools Alone Are Enough to Keep Adversaries Out

Historically, organizations were overly reliant on antivirus software to protect their networks. That attitude has changed now that firewalls, VPNs, encryption and other security tools have become common. But relying on technology alone for cybersecurity is still a mistake.

All organizations should consider other aspects of cyber defense to ensure their controls are effective. That includes people, processes, training, remediation and layers of defense.

The National Institute of Standards and Technology has published cybersecurity frameworks that provide insights into how organizations should understand and improve their specific management of cybersecurity risks.

Testing cybersecurity controls is especially important. “Routinely testing the effectiveness of your cybersecurity controls will help ensure all aspects of your defense posture are aligned,” says Perino. “Then responding to cyber threats becomes muscle memory.”

Myth No. 4: Multifactor Authentication Is Sufficient for Identity Management

While strong passwords and multifactor authentication will harden your network and make unapproved access more difficult, a determined adversary may still be able to compromise your network. Social engineering tactics, like those used in the Las Vegas-based resort attacks, are still highly effective because of the possibility of human error.

As identity has become the new perimeter for organizations, all aspects of authentication, adding devices to your network and resetting employee credentials will need extra scrutiny. “Establish ongoing testing practices to ensure your organization can effectively detect and mitigate social engineering attacks on your employees’ accounts,” says Perino, adding that “automated and possibly manual controls may be needed to review and validate any changes to especially privileged accounts.”

Myth No. 5: Cybersecurity Is IT’s Responsibility Alone

All employees and your vendors must work together to prevent cyber incidents. Routine oversights and errors—for example, opening a suspicious email attachment, clicking an untrusted web link or responding to a malicious text message—are responsible for the vast majority of cyberattacks against businesses.

“Every employee has a role in cybersecurity,” says Perino, adding that businesses should require mandatory cybersecurity training for all employees so they know how to identify, evaluate, and report suspicious people, emails, texts, calls and websites. “Not everyone needs technical training, but everybody with access to your network needs cybersecurity awareness training.”

Establish Industry-Suggested Practices

Many best practices for cybersecurity—such as scheduling regular data backups to enable quick recovery in the event of ransomware—will require the buy-in of business leadership. Another good practice is to use “least privileged access,” which means that you only provide system access to employees based on their job requirements. By doing so, the company limits exposure. By prioritizing cyber preparedness and training, leadership can align these objectives with business outcomes.