Five cybersecurity myths that are compromising your data


As the importance of cybersecurity has increased, so has our awareness of it, according to Barry O’Donnell, Chief Operating Officer at TSG. Poor cybersecurity has been identified as the most pressing threat to businesses today. Issues with cybersecurity often stem from a lack of cybersecurity awareness. In fact, according to the 2020 Cyberthreat Defense Report, a lack of cybersecurity awareness was identified as the biggest detriment to an organisation’s cyber-defences.

O’Donnell tells Digital Journal the reasons for this lack of awareness include no training on cybersecurity and persistent misinformation. Despite more media attention than ever, there are still some common misconceptions about cybersecurity that put businesses at risk.

O’Donnell sets out to bust the top myths around cybersecurity and to inform business leaders on how they can address them.

Cybersecurity isn’t my responsibility

O’Donnell says: “IT security is still viewed as the IT team’s problem when that’s not the case at all. All employees have a responsibility to ensure the security of their business. Your people are the frontline of your defence and represent its biggest attack surface. They are the people hackers are targeting with phishing campaigns because they’re banking on a lack of security knowledge.”

O’Donnell adds: “This myth can have serious consequences if your people don’t practise basic cybersecurity hygiene. If they don’t take care when clicking links in emails or downloading software, they could compromise your business’ security. Education is critical because your employees need to understand why cybersecurity is so important and that they have a role to play. Training will also equip them with the skills to spot threats and change their behaviour for the better.”

Hackers don’t target small businesses

O’Donnell cautions small enterprises: “If media coverage is anything to go by, only large organisations like Yahoo, Uber and Marriott get attacked, right?… Wrong.”

Here O’Donnell finds: “This myth is particularly persistent because of mainstream news and the fact that hackers can potentially extort higher sums of money from these businesses. But the Federation of Small Businesses (FSB) reports that UK small businesses are targeted with over 10,000 cyber-attacks a day. The same report highlights widespread weak security procedures in small businesses, including a lack of formal password policies, not installing updates and not using security software.”

Furthermore, he adds: “While the financial gain from targeting enterprises is more lucrative, the stakes are higher for small businesses. Cybercriminals know this. A cyber-attack could destroy a small business and force it to close, and that’s why one small business is successfully hacked every 19 seconds in the UK. Small businesses which have a limited cybersecurity budget should tap into the knowledge of an IT support service, who can advise on the most suitable defences.”

My passwords will keep me safe

O’Donnell notes: “There are still two long-held misconceptions around passwords. The first is that adding capital letters, numbers or special characters to your one-word password will make it uncrackable.”

As he explains: “This myth is perpetuated by a lot of business accounts which have these requirements. However, the real measure of password security is length. Software can crack short passwords, no matter how “complex”, in a matter of days. But the longer a password is, the more time it takes to crack. The recommendation is using a memorable phrase—from a book or song, for example—that doesn’t include special characters.”
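The length-versus-complexity argument above can be put in numbers. The following script is an added illustration, not part of the article or TSG’s material: it models a password as uniformly random symbols (or uniformly random words from a 7,776-word Diceware-style list), computes its entropy in bits, and converts that into an expected offline cracking time at an assumed guess rate. The 10 billion guesses per second figure is a constructed assumption standing in for a fast offline attack against an unsalted fast hash; real rates vary enormously with the hash algorithm. The model also assumes the phrase is not itself in an attacker’s wordlist, which is why a phrase you coin is better than a famous quotation.

```python
import math

# Symbol-set sizes for single-word-style passwords (constructed categories)
CHARSETS = {
    "lowercase only": 26,
    "lowercase + digits": 36,
    "mixed case + digits + symbols": 95,   # printable ASCII
}
DICEWARE_WORDS = 7776          # size of a standard Diceware list (6^5)
ASSUMED_GUESSES_PER_SECOND = 1e10   # constructed offline-attack rate


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `symbols` choices."""
    return length * math.log2(symbols)


def passphrase_entropy_bits(words: int, list_size: int = DICEWARE_WORDS) -> float:
    """Entropy of `words` words drawn uniformly from a list of `list_size`."""
    return words * math.log2(list_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is tried."""
    return 0.5 * (2 ** bits) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Entropy and expected crack time for a few representative choices."""
    cases = {
        "8 chars, mixed case + digits + symbols": entropy_bits(CHARSETS["mixed case + digits + symbols"], 8),
        "4 random Diceware words": passphrase_entropy_bits(4),
        "6 random Diceware words": passphrase_entropy_bits(6),
        "20 lowercase letters": entropy_bits(CHARSETS["lowercase only"], 20),
    }
    return {label: (round(bits, 1), expected_crack_seconds(bits, guesses_per_second))
            for label, bits in cases.items()}


if __name__ == "__main__":
    for label, (bits, secs) in compare().items():
        print(f"{label:40s} {bits:6.1f} bits  ~{human_time(secs)}")
```

Run it and the 8-character “complex” password and the 4-word phrase land in the same 50-bit range (days at the assumed rate), while 20 lowercase letters reach roughly 94 bits, which the same attacker cannot exhaust in any realistic time. Length dominates; the symbol set only nudges the exponent.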

O’Donnell further advises: “But determining a strong, (almost certainly) uncrackable password is only the first step. If the service you’re using is hacked and criminals gain access to your password, you’re still vulnerable. That’s where two-factor authentication (2FA) and multi-factor authentication (MFA) come in. These methods require you to set up an extra verification step. When you log in, you’ll be prompted to enter a security code which will be sent to your phone or even accessed via a dedicated verification app. That means if a hacker ever gets their hands on your password, they’ll still be thwarted.”

A basic anti-virus will be enough to protect my business

O’Donnell also warns about standard security software: “Gone are the days where your McAfee or Avast anti-virus solution will be enough to protect your business. Now, there are dedicated tools to fight against specific threats like ransomware. A synchronised approach to security, whereby your solutions all interact with one another, is generally accepted as the most robust. Your security solutions should cover your endpoint, firewall, network connections, email and more. In addition, backup and disaster recovery solutions are recommended to mitigate any potential incidents.”

We only need to protect against hackers

O’Donnell’s final myth-busting action is: “While hackers pose an enormous threat to your business, you can’t ignore the possibility of malicious insiders or even staff accidents. One of the most highly-publicised accidental breaches was a Heathrow Airport staff member losing a USB stick with sensitive data on it. Luckily, the person who found it handed it in rather than using it maliciously. The company was still fined £120,000 for its “serious” failings in data protection. It’s also all-too-easy for an employee to accidentally email a spreadsheet with sensitive data outside of the company.”

O’Donnell adds: “Equally, a disgruntled employee who has access to sensitive employee or customer information could willingly steal or share it. Locking down access to your core systems and ensuring fewer employees have access to them can help you protect against this. For accidental breaches, implement policies that state removable devices must be encrypted. You can also configure your email settings to block certain attachments from being shared outside of your organisation.”

Social causes and social media are the top targets for cybersecurity


Looking into the cyber-crystal ball, Nick Tausek, Security Solutions Architect, foresees that cyberattacks on companies engaged in social justice will increase in 2022. This could be to the extent that attempts increase by a double-digit percentage. He responds to questions posed by Digital Journal.

The reason why Tausek is making this prediction is based on trends discerned from 2021 data, as he observes: “This year we have seen an increase in both internal and external actors breaching companies such as Epic and Twitch for “ethical” reasons versus purely financial intentions.”

So, what is next? Tausek says that in 2022: “There will be a significant increase in hacking for a political or social cause. Most organizations in this position will fail to adequately respond to the threat of exposure by focusing only on “clamping down” internally to prevent leakage rather than addressing problematic business cultures that make employees want to go rogue.”

To address these issues more regulation is likely to be required. Tausek predicts further that the U.S. government will attempt to regulate but this may not be successful, given the moving target.

Another area of regulation that could emerge is against social media companies. Again, this brings with it multiple challenges.

The appetite for this is based on recent events, explains Tausek. For example: “Facebook whistleblower Frances Haugen’s testimony before Congress in October cast a spotlight on the need for social media regulations. Many see the latest allegations of widespread negligence as the final straw.”

Some action is required, given the size of the social networks. Tausek notes: “Social media companies like Facebook that carry large fractions of the world’s communications, from personal messaging to business traffic, can no longer be trusted to self-regulate.”

This means “the need for greater transparency into social media companies’ moderation practices has been clearly highlighted to Congress and the general public.”

Other measures required, Tausek argues, include the need for the public to have “insurance that they are not being influenced by entities hostile to the United States, such as when Facebook sold political ads to accounts that paid in Russian rubles leading up to the 2016 election.”

However, despite the desire, Tausek sees political appetite waning: “Although numerous pieces of legislation will be proposed in the House and Senate after the conversation was reignited, the flame will quickly die out in 2022 as political gridlock keeps Congress from officially taking the oversight process into their own hands to curb disinformation tactics.”

The public backlash could be severe, however. Tausek cautions: “This will have the effect of further sowing distrust, anti-vaccine information, and social discord, as misinformation and disinformation run rampant on the most popular platforms.”

Thanksgiving: ‘Tis the season for a cyberattack


Cybersecurity risks are becoming more sophisticated, and this includes focusing on specific events, often those that resonate with the public, targeted around public holidays.

A case in point is the Ferrara Candy Company (a subsidiary of the Ferrero Group), which suffered a ransomware attack this month that led to delays in sweet (‘candy’) deliveries in the run-up to Halloween.

Commenting on the attack, the sweet treat firm said in a statement: “Upon discovery, we immediately responded to secure all systems and commence an investigation into the nature and scope of this incident.” It added: “Ferrara is cooperating with law enforcement and our technical team is working closely with third-party specialists to fully restore impacted systems as expeditiously and as safely as possible.”

However, what is more interesting is the form and timing of the cyberattack. Gary Ogasawara, CTO of Cloudian, explains that this type of attack shows that rogue actors are putting specific firms in their sights and planning their attacks with a seasonal calendar in mind.

Here he explains: “Cybercriminals are getting smarter about whom they target and when. For businesses that rely on certain seasons for a big portion of their sales, an attack like this could have a huge negative impact because of the limited time they have to recover.”

Not all of tech has caught onto the changing landscape. Ogasawara says: “Unfortunately, many security experts continue to focus on increased perimeter security and other traditional defenses as the solution, despite these measures having proven ineffective time and time again.”

This means a new way of working is needed, in the form of a “comprehensive cybersecurity strategy”. According to Ogasawara, this is a strategy “That should assume that ransomware will get in and put greater attention on being able to recover quickly and easily without paying the ransom.”

As to what should be at the heart of a robust strategy, Ogasawara states: “The best way to ensure such recovery is having an immutable (unchangeable) data backup copy.”

In doing so, the Chief Technology Officer notes: “This prevents cybercriminals from altering or deleting the data, enabling victims to quickly restore an uninfected copy of their data and resume operations. In addition, data should be encrypted so that criminals can’t read or publish sensitive data in any intelligible form, thereby eliminating the other aspect of ransomware extortion.”
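Immutability in the sense Ogasawara describes is a property the storage layer enforces (write-once object locks, offline media, retention policies), not something a script can provide. What a recovery plan does need alongside it is a way to prove, before restoring, that the copy being restored is the one that was written. The following code is an added example, not Cloudian’s or the article’s: it records a SHA-256 manifest of a backup set at write time and later reports any file that was altered, deleted, or silently added. The sample files are constructed inside a temporary directory so the script runs offline; in a real deployment the manifest itself must live on the same immutable store (or be signed), otherwise an intruder who can rewrite the data can rewrite the manifest to match.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under `root` (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current tree against a trusted manifest.

    Returns lists of modified, missing and unexpected files; an empty result
    means the copy is byte-for-byte what was recorded.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }


def is_intact(report: dict) -> bool:
    return not any(report.values())


def demo_tamper_detection() -> dict:
    """Build a constructed backup, record its manifest, tamper, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll").mkdir()
        (root / "payroll" / "q3.csv").write_text("id,name,salary\n1,alice,50000\n")
        (root / "customers.db").write_bytes(b"\x00" * 4096)
        (root / "notes.txt").write_text("nothing to see here\n")

        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulate what ransomware does to a mutable copy: encrypt-in-place,
        # delete, and drop a new file (all constructed for the demo).
        (root / "payroll" / "q3.csv").write_bytes(os.urandom(64))
        (root / "customers.db").unlink()
        (root / "README_TO_RESTORE.txt").write_text("contact us\n")
        tampered = verify_backup(root, manifest)

        return {"clean_intact": is_intact(clean), "tampered": tampered,
                "manifest_json": json.dumps(manifest, indent=2)}


if __name__ == "__main__":
    result = demo_tamper_detection()
    print("clean copy intact:", result["clean_intact"])
    print("after tampering:", json.dumps(result["tampered"], indent=2))
```

A restore job that refuses to proceed unless `is_intact` is true is the cheap half of the recovery posture; the expensive half is the storage retention that stops the manifest and the data from being changed in the first place.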

Ogasawara’s advice is timely as the next round of public holidays approaches, especially the Thanksgiving and Christmas periods.