Six common misconceptions about cybersecurity

Benjamin Bressington
8 min read · Sep 25, 2019

Cybersecurity in the legal and financial industry is a growing topic of interest. We all now know someone that has become a victim of a hack or data breach.

People now use the phrase “my account has been hacked” as an excuse to protect themselves from the fallout. But this phrase has massive ramifications for any individual. The loss of personally identifiable data creates opportunities for continuing frauds that can impact the victims for years to come.

This leaves us thinking either that we are immune to attack or that we need to do something to protect ourselves so we don't end up like them. The closer the victim's relationship to us, the more likely we are to take action.

The sad reality is that vulnerabilities are baked into all the software we use on a daily basis. A significant share of attacks succeed because humans shortcut the protocols we have in place. Hackers exploit shortcomings in human behavior rather than your firewalls and infrastructure.

Malicious actors can and do steal, lock and destroy confidential data, in bulk or in small but devastating caches. Ransomware and extortion attacks are on the increase. Just think about that: how much would you pay to regain access to your phone or computers?

One accidental click on a malicious email has, time and again, resulted in a massive confidential data leak with costly regulatory, litigation and business fallout.

Before you can embrace cybersecurity you need to understand the six common misconceptions so you can make an informed decision. Avoiding these common pitfalls can keep you from making major mistakes.

Here are the six common misconceptions, each grouped by the area it undermines: (1) understanding cyber-risks, (2) protecting critical infrastructure, (3) detecting incidents, (4) incident response, (5) recovering from incidents, (6) “We’re not regulated by NYDFS, so why bother?”

1. I don’t face the same risk as [Name of Fortune 500 Company]

If you have data, then you are at risk of a cyber-attack. Yet, many organizations are reluctant to take action to protect themselves because “it hasn’t happened to me yet”.

Just because you consider yourself small or not a major player doesn’t mean you aren’t storing the same valuable data as larger companies. There is a growing trend for hackers to attack small vendors in order to gain access to larger companies. Hackers have realized that social engineering is easier when a small business already has a trusted relationship with a larger company. Hackers also know that smaller companies are easier to attack because they lack a cybersecurity culture.

Smaller companies lack a cybersecurity culture because they believe it does not apply to them, or that they are immune: “We don’t have much”. This assumption is flawed because you may not be the intended victim. What matters is who you have access to, and how an attacker can exploit your trust to gain access to someone else.

You also need to consider who your clients are: are they high net worth individuals or companies? Your clients can become targets because of their own exposure, and you might just be the vulnerability hackers use to reach them. This creates new questions of legal liability, with case law not yet settled in your favor, which opens you up to further damages and liabilities.

Hackers think about gaining access to data in three dimensions, not just laterally within one network. This is the domino effect that follows a data breach.

Even small leaks of data, which can include Personally Identifiable Information (PII) such as social security numbers, email addresses and contract data, can trigger breach notification and remediation obligations under more than one state law. States are swinging towards consumer data privacy laws, of which you need to be aware.

The point is that any company, of any size, is vulnerable to cybercrime. The typical result of these attacks is fraud. Company leadership needs to understand the ramifications of cybersecurity and build a security-aware culture that is proactive rather than reactive. Attacks will happen; it’s how you recover from the attack that matters.

2. “We can’t afford new technology”

Cybersecurity prevention has a cost, but mistakenly assuming that its cost prohibits you from taking action is a misconception. Cybersecurity does not require you to replace existing IT hardware or software. It requires you to assess how you use the hardware and software you already have and how you can close the weaknesses an attacker would exploit.

Years of buying and layering off-the-shelf technology, along with the growing use of mobile and smart devices, has created gaps in protection. It’s these gaps that are exploited without your knowledge.

Just because you can buy hardware off the shelf or use a “cloud service” does not mean you are protected or immune from attacks. A cloud provider secures the underlying infrastructure; how you configure access, manage credentials and decide what data to put there remains your responsibility. It’s your responsibility to understand the consequences of the technologies you use.

Just because you are using a piece of software does not mean you are securely transmitting or storing data, and the software alone does not guarantee that data is captured and stored correctly inside your company. Many cybercrimes and frauds occur because humans take a photo of a file on a desk containing PII or write credit card information on a notepad. Humans are more vulnerable to these frauds than you think.

I have heard stories where the cleaner was paid $50 by a “pretend IT guy” to plug a device into the network, and this resulted in hackers getting access to the company data. It’s not just you who can be exploited, but also the people who service your company.

Hackers are more likely to breach a person rather than breach your network.

3. Our IT Person handles our cybersecurity…

This is a fantastic delegation response that raises much bigger questions. Why has leadership not taken an active role in cybersecurity? The assumption that your IT team is managing your security protections is fundamentally flawed.

When was the last time you reviewed the job task list or contract with your IT vendors?
When was the last time you validated that they are delivering on all of your cybersecurity protections? Just because you have a person doesn’t mean they are doing anything about it.

For example, a quick validation:
- How often does your system require you to change your password? (Note that forced rotation alone is not the measure of strength: NIST SP 800-63B no longer recommends periodic password changes, because they tend to produce weak, predictable passwords. Long, unique passwords plus 2FA matter more.)
- Are you using two-factor authentication (2FA)?
- How often does your system get backed up, and when did you last check both that the backups are actually happening and that they restore correctly?
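The last question on that list is the one most often answered with “I think so”. Below is an added example, not code from the original article or from any vendor, of the check a business owner can actually run: it asks both whether a backup archive is recent and whether it restores to files identical to the source. It is plain POSIX shell using tar and sha256sum (or shasum on macOS); the paths and the sample “client data” are constructed here so the script runs offline and are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a backup archive
# exists, is recent, and restores byte-for-byte. Paths and sample data are
# constructed and hypothetical so the script runs stand-alone.
set -eu

# Portable SHA-256: GNU coreutils ships sha256sum, macOS ships shasum.
if command -v sha256sum >/dev/null 2>&1; then HASH=sha256sum; else HASH="shasum -a 256"; fi

# make_sample_data DIR : writes a small constructed "client data" tree to back up
make_sample_data() {
  mkdir -p "$1/clients"
  printf 'Acme Corp,contract-2019.pdf\n' > "$1/clients/index.csv"
  printf 'ledger entry 1\nledger entry 2\n' > "$1/ledger.txt"
}

# take_backup SRC ARCHIVE : the backup job itself (tar + gzip of the source tree)
take_backup() {
  tar -czf "$2" -C "$1" .
}

# backup_is_recent ARCHIVE MAX_AGE_SECONDS : succeeds only if the archive exists
# and was written within the allowed window (answers "is it actually happening?")
backup_is_recent() {
  archive=$1; max_age=$2
  [ -f "$archive" ] || return 1
  now=$(date +%s)
  mtime=$(stat -c %Y "$archive" 2>/dev/null || stat -f %m "$archive")
  [ $((now - mtime)) -le "$max_age" ]
}

# tree_checksums DIR : sorted per-file SHA-256 of every file under DIR, with
# paths relative to DIR so the source tree and a restored tree compare directly
tree_checksums() {
  ( cd "$1" && find . -type f | sort | xargs $HASH )
}

# verify_restore SRC ARCHIVE : restores into a scratch directory and succeeds
# only if every restored file matches the source (answers "do the backups work?")
verify_restore() {
  src=$1; archive=$2
  scratch=$(mktemp -d)
  tar -xzf "$archive" -C "$scratch"
  if [ "$(tree_checksums "$src")" = "$(tree_checksums "$scratch")" ]; then rc=0; else rc=1; fi
  rm -rf "$scratch"
  return $rc
}

# Stand-alone run: create data, back it up, then answer both questions.
demo=$(mktemp -d)
make_sample_data "$demo/data"
take_backup "$demo/data" "$demo/backup.tgz"
backup_is_recent "$demo/backup.tgz" 86400 && echo "backup is fresh (under 24h old)"
verify_restore "$demo/data" "$demo/backup.tgz" && echo "test restore matches source"
rm -rf "$demo"
```

Point `backup_is_recent` at the archive your vendor says is written nightly and `verify_restore` at the live data it claims to cover; a freshness window of 86400 seconds is a day. A restore that only succeeds on the day you happen to test it is not a backup strategy, so the check belongs in a scheduled job whose failures reach someone outside IT.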

Lumping cybersecurity together with IT doesn’t mean IT is handling it. There’s a major difference between network setup and management (the IT person’s job) and security protection of that network. That’s like walking into a 7-Eleven to see your doctor: I can’t remember the last time a doctor diagnosed a Slurpee.

Most IT people don’t like cybersecurity consultants because they make visible what’s not being done.

We live in a society where feedback is not always appreciated. Cybersecurity consultants provide continuous feedback for improvement, and this is what IT people hate. That feedback often results in companies blaming IT for not doing enough, when the real issue is that cybersecurity is treated as a “some-day” task rather than a core system for keeping the business operational.

It’s amazing how many companies don’t have a backup of their data. Computers break. But what happens to and where is your data?

You also need to think about the liabilities created by where your data is stored. In what country does that cloud service provider store your data?

Ask yourself how well trained your IT person is in the art of social engineering, because hackers attack your employees to extract data piece by piece, each piece making the next request more convincing. How are you protecting yourself from these so-called “human errors”? We see these attacks in the headlines: phishing emails, vishing phone calls and even smishing text messages. Hackers are now even using our social media accounts to gain access to our systems.

4. “We have a manual for that”

Many companies have taken the position of buying a manual or printing one from the web. It’s common to see cybersecurity procedures in these manuals still containing [insert name here] placeholders. Just because you have the manual does not mean it’s being implemented.

Meeting compliance regulations like FCP, AML laws, SEC and FINRA rules does not protect you from attackers and data breaches. The minimum compliance standard does not protect you. Many companies shortcut these protocols because there is an easier way, or because they will get to it later. Hackers don’t care about your compliance requirements; they care about exploiting your data. Compliance standards only set a minimum threshold for protection, which is certainly not enough in today’s attack landscape.

What you need to review is your risk vectors and what you can do, and ARE doing, to mitigate them. Once a data breach has happened, reading the manual for the first time is a waste of time.

5. “What do I do now?”

Do you know what the procedure is for a data breach? What happens, when and who is responsible?

Do you know if and who you need to report a breach to insurance or a government agency?

Does your team know how to respond and the steps to take to protect evidence but also protect themselves and the company?

How are you testing and validating these procedures within your business regularly?

The question “what do I do now?” should not be part of your vocabulary once a breach has occurred. If your computers suffered a ransomware attack today, who would you call?

It’s disappointing how many companies don’t effectively train their employees and contractors on how to detect and respond to threats. Attacks evolve every month, so if you only review them yearly, you are exposing yourself to increased risk.

An often-cited figure holds that 60% of small companies close their doors within six months of a breach.

A data breach causes multiple problems for a company. At the root of the problems is loss of trust and reputation. This is why a lot of businesses close their doors after an attack.

6. We’re not regulated... yet

If you are waiting for regulations to change, you are going to be in a world of hurt. Even the SEC has been tightening requirements. Although that relates to public company cybersecurity disclosures, the pendulum is swinging with consumer privacy rights. Just look at GDPR; New York and California have enacted their own versions.

Regulatory bodies are adopting the NIST Cybersecurity Framework. Ensuring your company adopts this framework as its own standard for implementing and monitoring cybersecurity will position your company for success. If your IT vendors don’t understand the NIST Framework or know how to apply it, you need to assess your options.

Agencies like the New York Department of Financial Services (NYDFS) are applying the most sweeping changes of any regulator. You can expect other agencies and states to follow suit with changes to their policies. By waiting for the change, you are likely to increase the cost of adoption significantly. Cybersecurity changes take time to implement in any company, regardless of size. If you need to retrain your employees, that increases the time it takes to implement cybersecurity protocols.

What’s clear from the cybersecurity protection laws and data privacy laws is that change is happening. These changes will impact your company, big or small, with new compliance requirements. Regardless of whether your industry enforces compliance, your company is vulnerable to cyber-attacks and data breaches, internal and external. Becoming proactive about your cybersecurity culture can only protect you and your company from risk.

ChatFortress is a cybersecurity company helping small and medium-size companies protect themselves from hacking attempts, using cybersecurity AI, gamified cybersecurity awareness programs and virtual security analysts.


Benjamin Bressington

Lover of coffee, cycling and technology. I Automate The Boring Stuff - So You Can Increase Your Profits! -> AutomateBoring.net