Common cybersecurity myths debunked

Michael R. Overly and Chanley T. Howell | June 26, 2015
One of the greatest challenges for organizations attempting to address cybersecurity risks is the number of fundamental security myths that cause organizations to incorrectly assess threats, misallocate resources, and set inappropriate goals. Dispelling those myths is key to developing a sophisticated, appropriate approach to information security.


It is a common error for businesses to focus security measures on the professional hacker, that is, on protecting against individuals or entities that are highly skilled in programming and technology. Such skills are, however, no longer a prerequisite to hacking. Today, someone with little or no knowledge of technology can find online, easy-to-use hacking tools capable of causing substantial harm to a business. These individuals are sometimes referred to in the hacking community as "script kiddies," because they require no real hacking knowledge. There is also a wide range of readily available books that can quickly educate technological neophytes about hacking. One popular book even includes a chapter entitled, "how to be a hacker in thirty minutes."

Finally, one of the most effective means of hacking in use today -- social engineering -- requires no technological skills whatsoever. Rather, all that an effective social engineer needs is self-assurance and a knowledge of human nature. One prevalent form of social engineering is phishing: a hacker sends fake emails that solicit sensitive information or carry attachments which install malware that can infect a company's network. Phishing attacks and other social engineering techniques were used recently to conduct a concerted attack on banking institutions worldwide, causing losses of $300 million -- or possibly as high as $1 billion.


Finally, one of the most common misconceptions about security is that complete security can be achieved and that complete security is required by law or industry practice. Neither is correct. Both laws and industry practices require businesses to do what is "reasonable." Complete security is not required or even realistic. Studies show that it would require businesses to increase overall security budgets nine-fold to address just 95 percent of the threats. That increase would, in most cases, exceed the overall budget for the entire business.

There is a fundamental paradox with regard to security efforts: as security protections increase, usability of the secured systems decreases. That is, the greater the security, the less useful the thing secured will be. It is, for example, possible to completely secure a mobile device, such as a smartphone. All that is necessary is to (i) put the device into airplane mode and (ii) lock the device in a secure safe. While complete security has been achieved, usability has been reduced to zero. A balance must always be struck between effective security measures and usability of the data or system being secured.

Lessons learned

While protecting a business' data is key, a well-crafted approach to security also requires protection of the systems on which that data resides and the networks through which the data is accessed. In most instances, a practice known as "security in depth" should be employed. That practice recommends the use of multiple layers of protection against a given threat, so that no single control is relied upon alone. For example, to address phishing attacks, a company can begin with employee education on the risks of opening emails from unidentified senders. As a further measure of security, the business could combine that training with anti-virus software and, possibly, software specifically designed to detect phishing.

