Joe Stangarone, writer, mrc's Cup of Joe Blog, August 4, 2015

Summary: Cyberattacks are more sophisticated and frequent than ever. The costs to recover from a data breach are now higher than ever. Yet, many companies remain unprepared for an attack. Why? In many cases, they believe some common cybersecurity myths, which can put their data (and their customers' data) at risk.

Cyberattacks are on the rise. The problem is only growing worse.

How bad is it? The number of U.S. data breaches reached a record high in 2014, with 43% of companies experiencing a data breach. This year, that number is expected to rise.

How much does a breach harm a business? One study finds that the cost of a data breach has increased to $3.8 million–up from $3.5 million a year ago. This includes all aspects of a breach, like hiring experts to fix it, offering help to your customers, repairing your damaged reputation, and more.

The problem: Many companies are easy targets for a cyberattack, but don’t realize it. Some just don’t take security seriously. Others believe common security myths that place their data at risk.

What are these misconceptions? Today, let’s explore some of the most common myths and explain why they’re false.

Myth #1: We can’t get malware because we have antivirus

Consumers commonly believe this, and some businesses place too much faith in antivirus software as well. The fact is, it cannot possibly protect your business from every type of malware.

Why not? Antivirus software protects you against KNOWN malware: it matches files and behaviour against signatures of threats that have already been seen and analysed. New malware, new variants of old malware, and exploits of unpatched vulnerabilities appear all the time, and a sample the vendor has not yet seen will not match. While antivirus software is important, you must understand that it is a reactive control that cannot protect you from everything.
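To make the point concrete, here is an added example (not code from the original post) of how signature-based detection works and why it is reactive. The three "samples" are constructed, harmless byte strings standing in for executables, and the hash and pattern stores are assumptions standing in for a vendor's signature feed:

```python
"""Signature-based scanning only catches what the vendor has already seen.

Added example, not from the original post. The "samples" are constructed,
harmless byte strings standing in for executables; the two signature
stores stand in for a vendor's signature feed.
"""
import hashlib

XOR_KEY = 0x5A

# Constructed sample the vendor has analysed and written signatures for.
KNOWN_SAMPLE = b"MZ\x90\x00 dropper v1: fetch payload from c2.example.invalid"
# Variant 1: one trailing byte appended. Same behaviour, different file hash.
PADDED_VARIANT = KNOWN_SAMPLE + b"\x00"
# Variant 2: the same bytes XOR-encoded. A tiny loader would decode it at
# run time, so the behaviour is identical but no original byte survives.
ENCODED_VARIANT = bytes(b ^ XOR_KEY for b in KNOWN_SAMPLE)


def xor_decode(data: bytes) -> bytes:
    """What the encoded variant's loader does before execution."""
    return bytes(b ^ XOR_KEY for b in data)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature stores: exact-file hashes and byte patterns found inside files.
HASH_SIGNATURES = {sha256(KNOWN_SAMPLE)}
PATTERN_SIGNATURES = [b"c2.example.invalid"]


def scan_by_hash(data: bytes) -> bool:
    return sha256(data) in HASH_SIGNATURES


def scan_by_pattern(data: bytes) -> bool:
    return any(sig in data for sig in PATTERN_SIGNATURES)


def scan(data: bytes) -> dict:
    return {"hash": scan_by_hash(data), "pattern": scan_by_pattern(data)}


def learn_hash(sample: bytes) -> None:
    """The reactive step: after a variant is found in the wild and analysed,
    its hash is pushed out in the next signature update."""
    HASH_SIGNATURES.add(sha256(sample))


if __name__ == "__main__":
    for name, sample in [("known sample", KNOWN_SAMPLE),
                         ("padded variant", PADDED_VARIANT),
                         ("xor-encoded variant", ENCODED_VARIANT)]:
        print(f"{name:20} {scan(sample)}")
    # The vendor catches up on the padded variant ...
    learn_hash(PADDED_VARIANT)
    print("padded, after update", scan_by_hash(PADDED_VARIANT))
    # ... and the next one-byte change is unknown again.
    print("padded twice        ", scan_by_hash(PADDED_VARIANT + b"\x00"))
```

The exact-hash signature misses both variants; the byte-pattern signature still catches the padded copy but not the encoded one, because the pattern it looks for no longer exists on disk. Each signature update closes the gap for the samples already seen and leaves the next trivial change undetected, which is what "reactive" means in practice.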

Myth #2: We are safe because we have a firewall

On a similar note, many businesses put far too much faith in their firewall. Firewalls are important, but they are only one line of defense. A firewall has to let some traffic through (to your web servers and mail servers, for example), and it does not stop an attacker who comes in through the ports it allows. What happens if an attacker gets past your firewall? What happens if it is improperly configured or maintained? It could put your entire network at risk.

Myth #3: We’re not a target

Maybe your company doesn’t store sensitive data. Maybe you don’t have data that any hacker might want. Does this mean you’re not a security target? Not at all!

The fact is, every business is a target. Maybe they're not after your data. Maybe an attacker uses your vulnerabilities to reach the real target: your systems become a foothold into a partner's network, a host for phishing pages, or a node in a botnet. Those who believe they aren't a target are actually better targets for attackers, because they have weaker defenses.

Myth #4: If we haven’t yet been breached, our IT systems are secure

Why do some business leaders treat security as an afterthought? It’s usually because they’ve never experienced a data breach. They assume this means their systems are secure.

The problem with this assumption: Security constantly changes. Sure, you may be secure today, but what about tomorrow? New vulnerabilities are discovered, configurations drift, and attackers adapt, so you must always be on guard.

The other problem with assuming your systems are secured because you haven’t experienced a breach: How can you know for sure? Not all breaches are obvious. In fact, the best attackers know how to enter and leave your systems without a trace.

Myth #5: Technology can fix our security issues

Imagine your business is a castle. You’ve built the strongest walls, added extra fortifications, and even created an alligator-filled moat. Your defense could not possibly get any better. Then, one of your soldiers leaves the drawbridge down and your enemy walks right through your front door.

This is a great analogy for the modern business. Many companies fortify their systems with the best security products. But, they lack a security plan. They don’t educate their users about proper security practices. Or, they give their users too much data access.

Am I saying that security technology is worthless? Not at all. In fact, it’s necessary. But, no amount of technology will protect you from uninformed users with too much access.

“The biggest single myth about cybersecurity is that the organizations will be safer if only they would deploy more security products,” says Jonathan Gossels, CEO of SystemExperts. “The best products in the world can’t keep you safe if you do not have an overall plan, a coherent architecture built on a comprehensive framework like ISO 27002, security policies to ensure appropriate behavior and handling of sensitive data, and a security-knowledgeable workforce. Technology is secondary – a distant second. 3 P’s – People, Policies, and a Plan matter most.”

Myth #6: Our developers are building secure applications

Let me ask you a question: Are your business applications secure? How do you know?

Many business leaders just assume their developers create secure applications. They check that their applications include the requested features and meet the requirements, without giving a thought to their security.

Here’s a statistic that might make you think twice about that approach: 96% of all web applications contain at least one “serious vulnerability.” These vulnerabilities open the door for attackers, and can lead to data loss, complete system takeovers, and much more.

This article sums up the problem nicely: We’re still fighting the same software security battles we fought a decade ago. Despite the importance of security, developers still deliver applications with known vulnerabilities. They’re making the same mistakes that were made 10 years ago.
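As an added illustration (not code from the original post or the article it cites), here is the decade-old mistake that still tops vulnerability lists: building a SQL query by pasting user input into the query text. The in-memory sqlite3 table, the user `alice` and her password are constructed for the example:

```python
"""The same mistake as a decade ago: building SQL from user input.

Added example, not from the original post. The table, the user "alice"
and her password are constructed for the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def vulnerable_query(username: str, password: str) -> str:
    # Untrusted input is pasted straight into the SQL text.
    return ("SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    return conn.execute(vulnerable_query(username, password)).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the driver sends the values separately from the
    # SQL text, so a quote or comment marker in the input is just data.
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    # "alice' --" closes the string literal and comments out the password check.
    attacker_user, attacker_pass = "alice' --", "anything"
    print(vulnerable_query(attacker_user, attacker_pass))
    print("vulnerable login:", login_vulnerable(conn, attacker_user, attacker_pass))
    print("hardened login:  ", login_hardened(conn, attacker_user, attacker_pass))
```

With the username `alice' --` the concatenated query becomes `SELECT 1 FROM users WHERE username = 'alice' --' AND password = 'anything'`; everything after `--` is a comment, so the password is never checked and the vulnerable login succeeds. The parameterised version treats the same input as a literal username and fails. The example keeps the password column in plaintext only to keep the query short; storing passwords unhashed is the other mistake from the same era.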

Why? Why do businesses create insecure applications year after year? The truth is, the blame doesn’t completely fall on developers. In many ways, businesses bring it on themselves. Here are a few ways:

  • They provide no incentive for security: Peter Drucker is famously quoted as saying, “What is measured improves.” The problem for many developers: Security isn’t measured. Rather, they get rewarded for features and development speed…not security.
  • They impose short deadlines: As businesses place greater importance on application development speed, security suffers. Developers rush through the project—ensuring it meets all the business requirements. But, this often comes at the expense of proper security practices.
  • They treat security like a feature: Shortly after the healthcare.gov site went live, a “white hat” hacker testified on Capitol Hill that security was never properly built into the site. Many businesses struggle with this same problem. They treat security like any other feature that they can add to an application. The problem: Security isn’t something a developer can add at the end. You must build security into the application.

If you think about it, developers are placed in a no-win situation. They’re tasked with developing modern applications. They must keep up with ever-evolving application trends. They’re faced with tight deadlines. Unless the business can afford a dedicated security engineer, the developer is in charge of security as well. Are we at all surprised that application development security is suffering?

So, how can you fix this issue? As a business leader, you must make security a top-down effort. It must be something that is measured constantly. You must instill a “security culture.” Only then will it improve.

Myth #7: We passed our audit, so we are secure

Now, security audits are one way to measure security. But, many companies make the mistake of assuming a passed audit equals security. An audit checks a fixed list of controls at a point in time; it shows that you met the checklist on the day of the audit, not that an attacker cannot get in. Audits are helpful, but they don't guarantee security.

The other myth companies believe about audits: It will give you better security. Some businesses believe that an auditor will come in and fix their broken systems or security habits.

Myth #8: Credit card compliant vendors make you PCI compliant

PCI compliance must always be an in-house priority. Unfortunately, many businesses wrongly believe that having a merchant services provider handle your credit card processing is all you need to be compliant. Outsourcing the processing reduces your scope, but you are still responsible for every part of your business that touches card data, and you'll still be held liable if customer data is stolen from your business.

Myth #9: Encryption is the key to security

Encryption is the process of encoding data in such a way that only authorized parties can read it. In plain terms, encryption scrambles the contents of a message or file. Only those with the encryption key can unscramble the contents and access the data.

However, some make the mistake of believing that implementing strong encryption is all they need to protect their data. The problem is, they focus on the encryption algorithm but not on protecting the key. A key that is hard-coded in the application, kept in the same configuration file, or stored in the same database as the ciphertext is stolen along with the data, and at that point the strength of the algorithm no longer matters.
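Added example (not code from the original post) contrasting two ways of storing encrypted records: the key kept beside the data, and envelope encryption with the key-encryption key held in a separate system. The `toy_encrypt`/`toy_decrypt` cipher is a stand-in built from SHA-256 and HMAC so the file runs without third-party libraries; it is an assumption of the example, not a recommendation, and a real system would use AES-GCM or a similar AEAD from a vetted library:

```python
"""Envelope encryption: the cipher is only as good as where the key lives.

Added example, not from the original post. The toy cipher below (SHA-256
keystream plus HMAC tag) exists only to keep this file dependency-free;
use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 in real code.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256 (demonstration only).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Layout 1: strong cipher, key stored beside the data.

def store_key_beside_data(plaintext: bytes) -> dict:
    """Encrypts, then writes the key into the same record (think: a config
    file or database row next to the ciphertext). Everything lands in one place."""
    key = os.urandom(32)
    return {"ciphertext": toy_encrypt(key, plaintext), "key": key}


# Layout 2: envelope encryption, key-encryption key (KEK) held elsewhere.

def envelope_store(kek: bytes, plaintext: bytes) -> dict:
    """Encrypts with a fresh data key (DEK), wraps the DEK under the KEK and
    stores only ciphertext plus wrapped DEK. The KEK never touches storage."""
    dek = os.urandom(32)
    return {"ciphertext": toy_encrypt(dek, plaintext),
            "wrapped_dek": toy_encrypt(kek, dek)}


def envelope_read(kek: bytes, record: dict) -> bytes:
    dek = toy_decrypt(kek, record["wrapped_dek"])   # unwrap inside the KMS/HSM
    return toy_decrypt(dek, record["ciphertext"])


def attacker_recovers(stolen_record: dict) -> Optional[bytes]:
    """An attacker who copied the stored record tries every key-shaped value
    it contains. Returns the plaintext on success, None otherwise."""
    for name, value in stolen_record.items():
        if name == "ciphertext":
            continue
        try:
            return toy_decrypt(value, stolen_record["ciphertext"])
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    secret = b"customer record 42: constructed sample data"
    # Layout 1: whoever copies the record also copies the key.
    rec = store_key_beside_data(secret)
    print("key beside data, attacker gets:", attacker_recovers(rec))
    # Layout 2: the KEK lives in a KMS/HSM, outside the copied storage.
    kek = os.urandom(32)
    rec = envelope_store(kek, secret)
    print("envelope, attacker gets:       ", attacker_recovers(rec))
    print("envelope, authorised reader:   ", envelope_read(kek, rec))
```

Both layouts use the same cipher. In the first, copying the storage is enough to read every record; in the second, the copied storage holds only ciphertext and a wrapped data key, and the attacker would also have to compromise the system that holds the KEK. The practical questions a practitioner should ask are therefore where the key lives, who can read it, and how it is rotated, not which algorithm was chosen.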

To see what all the experts have to say go to: mrc’s Cup of Joe Blog.