Together with the National Cyber Security Alliance, we are dispelling the top 10 cybersecurity myths that businesses need to overcome.
As we celebrate the 2019 National Cybersecurity Awareness Month, we want to help businesses learn to be safer and more secure online.
At Cybriant, we highly recommend starting with a strong foundation: a cybersecurity framework. A framework gives you a consistent basis for every important IT and business-related security decision.
The NIST framework is the framework we recommend to all of our clients and is how the National Cyber Security Alliance has framed its guidelines for businesses to stay secure online.
The NIST Cybersecurity Framework consists of 5 functions: Identify, Protect, Detect, Respond, and Recover. We help our clients with each function of this framework. We even have a service called PREtect, an all-in-one service that helps you cover the first 4 functions of the framework. PREtect helps organizations make cybersecurity as easy as possible.
The Official 2019 Presidential Cybersecurity Proclamation
The US Government is taking on greater responsibility for protecting individuals and businesses. The National Cyber Security Alliance was created to help small and medium-sized businesses find resources and guidelines to help protect themselves.
Here are some snippets from the official Presidential Proclamation.
As technology advances, so do the tactics used by malicious cyber actors to obtain personal information and threaten our networks. To maximize our Nation’s cybersecurity and mitigate risks, all levels of government must strengthen their partnerships with the private sector to better exchange information, build greater trust, and enhance the resilience of our country’s cyber infrastructure.
In May of 2019, I issued an Executive Order on America’s Cybersecurity Workforce to provide more access to cybersecurity skills training, identify the most-skilled cybersecurity workers, and advance career opportunities in the public and private sectors. This action also established the annual President’s Cup Cybersecurity Competition. The goal of this competition is to identify and encourage outstanding cybersecurity talent within the Federal workforce.
My Administration is also placing a renewed focus on Science, Technology, Engineering, and Mathematics (STEM) curriculums that embrace courses such as computer science, so that the next generation will have the technical skills needed to defend our critical infrastructure and fellow citizens.
Top 10 Cybersecurity Myths for Business
Once your organization has a strong framework in place, your first line of defense should be your employees.
Employees empowered with the resources and knowledge to protect your organization from cyber threats are one of the best lines of defense you can have. Part of that training should involve breaking down often-quoted cybersecurity misconceptions.
Cybersecurity Myth #1: My data (or the data I have access to) isn’t valuable
Organizations of all sizes maintain, or have access to, valuable data worth protecting. Such data may include, but is not limited to, employment records, tax information, confidential correspondence, point-of-sale records, and business contracts. All of it is valuable to someone, which means all of it needs protecting.
Take Action: Assess the data you create, collect, store, access, and transmit, then classify that data by its level of sensitivity so you can take appropriate steps to protect it. Learn more about how to do this.
Cybersecurity Myth #2: Cybersecurity is a technology issue.
Organizations cannot rely on technology alone to secure their data. Cybersecurity is best approached with a mix of employee training, clear and accepted policies and procedures, and up-to-date technologies such as antivirus and anti-malware software. Securing an organization is the responsibility of the entire workforce, not just the IT staff.
Take Action: Educate every single employee (in every function and at every level of the organization) on their responsibility to help protect all business information. Learn more about how to do this with the National Institute of Standards and Technology guide.
Cybersecurity Myth #3: Cybersecurity requires a large financial investment
A robust cybersecurity strategy does require a financial commitment if you are serious about protecting your organization. However, there are many steps you can take that require little or no financial investment.
Take Action: Create and institute cybersecurity policies and procedures; restrict administrative and access privileges to those who need them; enable multi-factor or 2-factor authentication; train employees to spot malicious emails; and create backup manual procedures to keep critical business processes in operation during a cyber incident. Such procedures may include processing payments manually in case a third-party vendor or website is not operational.
Cybersecurity Myth #4: Outsourcing work to a vendor will wash your hands of security liability in the case of a cyber incident
It makes complete sense to outsource some of your work to others, but it does not mean you relinquish responsibility for protecting the data a vendor has access to. The data is yours and you have a legal and ethical responsibility to keep it safe and secure.
Take Action: Make sure you have thorough agreements in place with all vendors, including how company data is handled, who owns the data and has access to it, how long the data is retained and what happens to data once a contract is terminated. You should also have a lawyer review any vendor agreements. Learn more about how to do this with this American Bar Association list.
Cybersecurity Myth #5: Cyber breaches are covered by general liability insurance
Many standard business liability insurance policies do not cover cyber incidents or data breaches.
Take Action: Speak with your insurance representative to understand if you have any existing cybersecurity insurance and what type of policy would best fit your company’s needs. Learn more about how to do this with the Federal Trade Commission’s (FTC) Small Business Center.
Cybersecurity Myth #6: Cyberattacks always come from external actors
Succinctly put, cyberattacks do not always come from external actors. Some cybersecurity incidents are caused accidentally by an employee – such as when they copy and paste sensitive information into an email and send it to the wrong recipient. Other times, a disgruntled (or former) employee might take revenge by launching an attack on the organization.
Take Action: When considering your threat landscape, it is important not to overlook potential cybersecurity incidents that can come from within the organization, and to develop strategies to minimize those threats. Learn more about how to do this using this Cybersecurity and Infrastructure Security Agency (CISA) resource.
Cybersecurity Myth #7: Young people are better at cybersecurity than others
Oftentimes, the youngest person in the organization becomes the default “IT” person. Age is not correlated with better cybersecurity practices.
Take Action: Before giving someone the responsibility to manage your social media, website, network, etc., educate them on your expectations of use and cybersecurity best practices. Learn more about how different generations behave online.
Cybersecurity Myth #8: Compliance with industry standards is enough for a security program
Complying with the Health Insurance Portability & Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS), for example, is a critical component of securing sensitive information, but simply complying with these standards does not equate to a robust cybersecurity strategy for an organization. Compliance describes a minimum baseline measured at a point in time; a security program has to cover the assets and threats the standard does not mention and keep working between audits.
Take Action: Use a robust framework, such as the NIST Cybersecurity Framework, to manage cybersecurity-related risk. Learn more about the NIST Cybersecurity Framework.
Cybersecurity Myth #9: Digital and physical security are separate
Many people narrowly associate cybersecurity with only software and code. However, when protecting your sensitive assets you should not discount physical security.
Take Action: Include an assessment of your office’s layout and how easy it is to gain unauthorized physical access to sensitive information and assets (e.g. servers, computers, paper records) in your planning. Once your assessment is completed, implement strategies and policies to prevent unauthorized physical access. Policies may include controlling who can access certain areas of the office and appropriately securing laptops and phones while traveling. Learn more about physical security on the FTC’s website.
Cybersecurity Myth #10: New software and devices are automatically secure when I buy them
Just because something is new doesn’t mean it’s secure.
Take Action: The moment you purchase new technology, make sure it is running the most current software and firmware updates, and immediately change the manufacturer’s default password to a secure passphrase. When creating a new passphrase, use a lengthy, unique phrase for that account or device, and never reuse it elsewhere. Signing up for a new online account? Configure your privacy settings before you begin using the service. Find information on securing new devices.
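One concrete way to act on the passphrase advice above is to generate the passphrase randomly and measure its strength, rather than inventing one by hand. The following Python script is an added example for this page, not code from Cybriant or the National Cyber Security Alliance; the 32-word list embedded in it is constructed for the demonstration only, and the 80-bit policy threshold used in the usage section is an assumption, not a figure from the page.

```python
import math
import secrets

# Constructed sample word list for this example only. A real deployment would use a
# large published list such as the EFF long word list (7,776 words), so that each
# randomly chosen word contributes log2(7776) ~= 12.9 bits of entropy.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orbit", "parrot",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zephyr", "bridge", "copper", "desert", "engine", "forest", "glacier",
]  # 32 words -> exactly 5 bits per word


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase built from num_words uniform, independent picks.

    The attacker is assumed to know the word list, so strength comes only from the
    number of equally likely combinations: wordlist_size ** num_words.
    """
    if num_words < 1 or wordlist_size < 2:
        raise ValueError("need at least one word drawn from a list of at least two")
    return num_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(num_words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Build a passphrase with the OS CSPRNG via secrets, never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def meets_policy(passphrase: str, wordlist=SAMPLE_WORDS, sep: str = "-",
                 min_bits: float = 60.0) -> bool:
    """Check a generated passphrase against a minimum-entropy policy.

    Only passphrases made entirely of list words are credited; anything else
    (including an empty string) is rejected, because its entropy cannot be
    computed from the list size.
    """
    words = passphrase.split(sep)
    if not words or any(w not in wordlist for w in words):
        return False
    return passphrase_entropy_bits(len(words), len(wordlist)) >= min_bits


if __name__ == "__main__":
    # Assumed policy for the demonstration: at least 80 bits of entropy.
    for size in (len(SAMPLE_WORDS), 7776):
        print(f"list of {size} words: {words_needed(80, size)} words for 80 bits")
    phrase = generate_passphrase(words_needed(80, len(SAMPLE_WORDS)))
    print(phrase, meets_policy(phrase, min_bits=80))
```

The design choice that matters is drawing words with the secrets module (the operating system's CSPRNG) and crediting entropy only from the number of uniform random picks, on the assumption that an attacker knows the list. With the embedded 32-word list, 16 words are needed to reach 80 bits; with a 7,776-word list, 7 words suffice, which is why a large, published list is preferable in practice.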
View and download a condensed version of this content you can share around your business and with your networks.