Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) everywhere will know just how volatile and unpredictable the current cyber security threat landscape is.
For anyone working in the cyber security sector, the tech sector or, come to that, the media and an increasing number of other fields, it’s fair to say that the rising sophistication and frequency of cybercrime is no laughing matter.
According to research compiled by the IT Governance blog, 277.6 million data records were leaked or breached worldwide in January 2023, across only 104 publicly disclosed security incidents. This suggests that cybercrime is not only becoming more common but also that a small number of very large breaches now account for most of the exposed data, and that much of it is never publicly disclosed.
The grim reality is that many people are still clinging to ineffective and outdated practices that do not hold up in 2023.
Most people aren’t as protected as they should be
Today, where data protection, security and automation are growing increasingly important, there are too many misconceptions about correct cyber security strategies.
Sadly, these misconceptions carry significant weight. People commonly fall victim to cyber-attacks because they have not taken the minimum steps necessary to safeguard their sensitive information. A recent guide from the managed services provider AAG reported that in 2022 the UK had the highest number of cybercrime victims per million internet users, at 4,738, a 40% increase on 2020.
To ensure your cyber security policies and procedures are watertight across your organisation, it's essential to educate everyone on the most up-to-date recommended practices and to dispel the pervasive myths. Doing so improves the overall resilience of your company’s security, and those you educate will hopefully carry that practical advice outside the workplace and help others stay safe.
In this article, we’ll look at five common cyber security misconceptions and then give you updated, easy-to-action advice for protecting your company’s systems, networks and people from the full range of attacks and scams, including ransomware, malware and phishing.
The common cyber security misunderstandings
- Strong passwords keep me safe
While strong passwords are essential, they can still be compromised: a strong password offers no protection once it has been phished, captured by malware or exposed in a third-party breach and reused elsewhere. Keeping your data safe requires multiple layers, and your password should only be the first.
Use a unique, long password for every account, so that one leaked credential cannot be replayed against others, and change a password whenever there is any sign it has been compromised (forced rotation on a fixed schedule is no longer recommended, as it tends to produce weaker, predictable passwords). On top of that, implement multi-factor authentication (MFA), which requires a second proof of identity, such as an authenticator-app code or a hardware security key, before access is granted. This layered approach gives you and your data a far more robust level of protection. A password manager makes generating and storing unique passwords practical rather than a chore.
- Free antivirus software is sufficient protection
Antivirus software is crucial, and some free versions offer surprisingly broad protection, but that is not always the case, and free antivirus on its own cannot be relied upon to protect a company and its assets. Business-grade endpoint protection suites go well beyond signature scanning, bundling a host firewall, endpoint detection and response, central management and reporting, and often backup and disaster recovery options.
Companies that don’t prioritise the security of their systems, networks and hardware are not considering the long-term implications of what would happen if that data were breached. With the global average cost of a data breach at £3.62 million ($4.35 million), according to IBM’s 2022 report, the cost of a properly managed endpoint protection package is small compared with a disaster of that scale.
- Hackers don’t target small companies
Many companies wrongly believe that if they fall into the bracket of a small or medium-sized enterprise (SME) they are not a prime target for hackers, and so can invest less in cyber security. In fact, recent reporting suggests the opposite is true, with companies defined as SMEs (i.e. with fewer than 250 employees) increasingly falling victim to cyber-attacks.
In a report published last year by the ransomware recovery specialists Coveware, SMEs were found to be suffering from a “tactical shift” by cybercrime groups that make a “deliberate attempt to extort companies that are large enough to pay a ‘big game’ ransom amount but small enough to keep attack operating costs and resulting media and Law Enforcement attention low.”
Whether it’s this deliberate targeting, less mature and cohesive security measures, or simply opportunistic attacks that hit whoever is exposed, small companies need to take cyber security seriously.
- Cyber security is the IT team’s problem
It’s true that IT professionals, whether in-house or outsourced, have more of the knowledge, expertise and tools needed to protect an organisation’s data. But to suggest that dealing with cyber threats is purely their responsibility is false.
According to a global report conducted by the Ponemon Institute in 2022, insider threats, whether accidental due to some form of human error or deliberate, continue to increase in frequency at a massive cost to businesses worldwide.
Research has also shown that breaches originating inside an organisation can be particularly severe and most commonly occur because employees lack clear direction on security.
It’s therefore essential that a company invests in regular training, both to help employees understand why protecting company devices and data matters and to show them how seemingly innocuous habits can have broader security consequences: leaving screens unlocked, ignoring security patches and updates, copying files between managed and personal devices, and accidentally sharing sensitive data.
Given how far-reaching the consequences can be, a company-wide cyber security mandate is as important as continually refining the organisation’s internal security processes; done well, the two together provide the multi-level protection needed to counter both external and internal risks.
IT departments will rightly do all they can to protect data, but their work must be backed by wider company policies and procedures if security is to hold.
- It’s easy to spot attacks
The fact is that as cyber-attacks grow more sophisticated, detecting them gets harder. IBM’s Cost of a Data Breach 2022 Report noted that “it took an average of 277 days—about nine months—to identify and contain a breach.” It added that organisations that contained a breach within 200 days saved over $1 million on average.
Because attackers can sit inside a company’s systems or network for weeks or months before the intrusion is noticed, it’s vital that staff learn the common signs of an attack.
Once they have initial access, attackers need only a short time to locate and steal sensitive data. Organisations must therefore be proactive, using practical controls and regular training to ensure all staff recognise the signs of a breach and understand the cost of missing one.
Whether it’s a convincing phishing email or a covert threat actor lurking within the network, training helps everyone understand how serious such attacks are and why staying alert matters.
The best way forward
Now that some of these misconceptions have been dispelled, what should you do next? Establishing robust cyber security across your organisation won’t happen overnight, and no single product will provide adequate protection; you will need to combine several controls.
Firstly, for UK organisations, the government-backed Cyber Essentials scheme sets out five technical controls (firewalls, secure configuration, user access control, malware protection and security update management) that the NCSC estimates protect against around 80% of the most common internet-based attacks.
Beyond this, having the right software in place means properly configured firewalls and good-quality endpoint protection. It’s also wise to use proactive security technologies such as network and endpoint monitoring and a security information and event management (SIEM) system to collect and analyse logs from across your estate and flag suspicious activity.
Another critical step is to consult a cyber security professional and use risk assessments and regular vulnerability scans to measure how robust your estate really is. Progressing to penetration tests, which exercise the tactics and techniques an attacker would actually use, and increasing their scope and depth over time, will steadily improve both your systems’ resilience and your confidence in it.
Above all, keep assessing how strong and coherent your current procedures are. How likely is it that your company could be hacked today?