Are these cybersecurity myths putting businesses at risk?
Article submitted by Diana Gayri, Business Manager, Security at Tech Data
Cybersecurity myths can be dangerous for companies if taken too lightly. In an industry where making a mistake could be catastrophic for organisations large or small, the existence of such myths and their propagation makes it difficult for those responsible to know where to direct their focus and how to protect themselves. According to the recent Cybersecurity Breaches Survey 2022, in the last 12 months, 39 percent of UK businesses identified a cyberattack. Even more troubling, just over half of businesses have acted in the past 12 months to identify cybersecurity risks. As organisations grapple with the actions they need to take to protect themselves, here are three myths that need debunking to ensure businesses do not make common mistakes.
Phishing attacks won’t happen to us
True or false? Tech-savvy businesses and employees are able to reliably spot phishing attempts. Not true. Many people believe they would not make the mistake of falling for a phishing attack. However, the sophistication of such attacks has increased dramatically; we are no longer talking about far-fetched emails offering millions of pounds from spurious sources. Phishing attacks are also now ubiquitous. Of the 39 percent of businesses who identified a cyberattack, 83 percent reported that it was a phishing attempt.
Fraudsters are changing their strategies and becoming shrewder in their attempts. For many, even experts, it is difficult to determine at first look whether a sophisticated phishing email is genuine or not. A common tactic now is to trawl social media and other publicly available information to build highly personalised phishing campaigns that are harder to spot. Indeed, some fraudsters are even extending this to tactics such as creating fake LinkedIn profiles to build rapport with high value targets before delivering the malicious payload. If the emails look legitimate and are in the right tone, it increases the chances of the recipient clicking on the link. This can lead to a range of harmful activities for the businesses and the individual, from stealing data to monetary losses to deploying malware.
Another misconception amongst employees is that the protection strategies, tools, and policies their employer has in place will protect them from all malicious activity. This is not true as emails can slip through the gaps, and fraudsters are now using public cloud services to add another layer of secrecy. As fraudsters continue to evolve their methods of attack, organisations are struggling to enact the proper policies and educate their employees on new phishing tactics. At a time when email is still the main route hackers use into organisations, correcting this is critical. Every employee needs to understand the threats they face and understand their responsibility for cybersecurity.
Small companies are big business for fraudsters
A common misconception amongst small businesses is that they are not important enough for hackers to target. There is a belief that fraudsters patiently hand-pick their targets, investing lots of time and energy into scoping out their victims. There may be an element of truth in this for high value targets, but for the most part hackers run automated tools that scan the internet for vulnerable systems. Research published by Barracuda in March 2022 reports that employees at small businesses with under 100 employees are 350 percent more likely to be a target of an attack than those at medium and large businesses.
It is worth noting that an attack on a small business is much more devastating as they are more financially vulnerable. The European Union Agency for Cybersecurity (ENISA) published a report in June 2021, citing that 80 percent of SMEs across Europe stated that cybersecurity issues would have serious negative consequences on their business within a week of the attack. Of these, 57 percent believed they are likely to go out of business or bankrupt from an attack. Further, IBM’s Cost of a Data Breach Report 2021 noted that small businesses experienced an average loss per attack of $2.98 million in 2021, a 26.8 percent increase since 2020. This makes small businesses a fruitful target for hackers and fraudsters, yet many have inadequate cybersecurity practices in place, or none at all. Small businesses should rethink their cybersecurity strategies as they are likely to have greater chances of being attacked.
Zero trust means zero effort
Zero trust does not solve a technology problem, nor is it a product, nor is it difficult to implement. Zero trust is not a one size fits all solution, but rather a strategy for businesses to implement cybersecurity practices. You do not simply install Zero Trust and then sit back and relax. The strategy is built upon best cyber hygiene practices, which include vulnerability management, proactive patching, and continuous monitoring for potential attacks.
Implementing a zero-trust approach also lowers the average cost of a breach for businesses. According to the IBM Cost of a Data Breach Report, the average cost of a data breach for organisations that had implemented a mature zero trust strategy was $1.76 million lower than in those that had not deployed a zero-trust approach. This is because zero trust works to identify each user in the network and provides end-to-end network visibility. This helps IT security teams understand how information flows within an organisation, so identifying critical assets becomes easier, and what needs to be secured becomes clear. As such, if access is questioned, it is likely to reduce attack pathways, and monitoring for an attack becomes less complex. This is due to full system visibility, so vulnerabilities can be identified, and gaps can be closed.
What is the way forward towards a cyber secure future?
What is true is that every employee wants to stay vigilant and stay protected online. But part of effective protection is knowing which threats are serious and which ones are exaggerated, so that you put your time and effort into the right places. To futureproof your business, continued collaboration between partners is needed in order to deal with cybersecurity vulnerabilities and to close the cybersecurity gap, which continues to exist across many organisations. The channel is able to provide support to businesses looking to improve their cybersecurity methods, through training for staff, testing and offering ready-built solutions.
This is an ongoing challenge for the entire industry, but one that can be faced with confidence if we work to dispel the cybersecurity myths that are getting in the way of some organisations taking the steps they need to protect themselves.