Most businesses are now aware of the crucial need to protect their networks and systems against intruders and cybercriminals. However, many business leaders are still operating under IT security misconceptions that could put their organisation at risk.
There are nine IT security misconceptions that can create risk for businesses:
1. Compliance and security are the same thing
Businesses often assume that, because they have ticked the boxes for an industry or privacy standard, their organisation is secure. In truth, compliance only establishes a baseline: a standard's controls are a floor, assessed at a point in time, and meeting them does not stop a determined attacker. Being truly secure takes more than compliance.
2. Anti-virus is all the organisation needs
Viruses are only one kind of threat businesses face, and anti-virus is only one control. The increasingly complex threat landscape means businesses need layered defences covering endpoints, network, email, identity and logging, to protect against everything from commodity malware to advanced persistent threats.
3. A strong password will keep the network secure
Even if the business can rely on its employees to use strong passwords that are not shared or re-used across applications, this still is not enough: a password can be phished or leaked regardless of its strength. Organisations should strengthen their security with multi-factor authentication and biometrics, so that a stolen password on its own does not grant access.
4. Strong cybersecurity tools will completely protect the organisation
Phishing attacks and other social engineering scams can take employees by surprise, tricking them into divulging passwords or otherwise giving cybercriminals access to the network. It is essential to combine strong tools with effective and consistent education programs that let staff members know what role they play in keeping the business safe.
5. The business is too small to be a target
Cybercriminals will attack small businesses in the knowledge that their skills and resources are likely to be limited compared with larger organisations. By gaining entry to the networks of smaller businesses, cyberattackers may be able to work their way into the networks of those businesses’ larger partners. Small businesses are definitely a target and should protect themselves accordingly.
6. Cybercriminals work alone, often from someone’s basement
Cybercriminals now operate as professional, well-funded and sophisticated groups that are strongly motivated to breach organisations' defences. If an organisation is not dedicating sufficient resources to combatting them, it will eventually become a victim.
7. The IT department manages security so the rest of the team doesn’t have to worry
Cybercriminals can find plenty of ways into the organisation, such as careless password habits, lost or stolen devices, and social engineering scams. Each employee is responsible for taking a proactive approach to security and flagging any potential issues with the IT department or security team.
8. If a computer is infected, it will be immediately obvious
Many cybercriminals use stealthy intrusion methods that let them access a network undetected, then move through that network for months or longer, or lie dormant until required. Because attackers keep finding new ways to move around networks without triggering security tools' alerts, a long dwell time before detection remains common, and an infection should never be assumed to announce itself.
9. There’s no need to patch the apps people use on BYOD or corporate devices because the organisation has anti-malware and anti-virus installed
It is absolutely essential to regularly patch all apps and operating systems. Patches close vulnerabilities that standard cybersecurity tools cannot necessarily detect being exploited: an attack against an unpatched flaw need not involve a malicious file at all, so anti-malware may have nothing to catch.
Overall, businesses should take a zero-trust approach to security. This starts with identifying the key assets the organisation wants to protect, then defining who, what, where, how and when those data and systems may be accessed, and verifying every request against that definition rather than trusting anything because it sits inside the network. Scoping access per asset in this way prevents lateral movement within the network and mitigates many of the risks businesses face.
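To make the who/what/where/how/when idea concrete, here is a small, deny-by-default access policy evaluator. It is an added illustration, not code from the article or from Palo Alto Networks, and the asset names, policies and requests in it are constructed for the example. Each key asset gets its own narrow policy; an asset with no policy is unreachable, and a session hijacked on one host cannot simply be pointed at another asset.

```python
"""Added example (not from the original article): a minimal zero-trust style
access decision. Every request is checked against the target asset's policy
on who (role), what (device posture), where (network segment), how (action)
and when (time window). Nothing is granted because a caller happens to be on
the internal network. All names and policies below are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    """One access request carrying the five attributes a policy checks."""
    user: str
    role: str              # who
    device_managed: bool   # what: is the endpoint under corporate management?
    source_segment: str    # where: network segment the request comes from
    action: str            # how: read / write / admin
    asset: str             # which key asset is being touched
    hour: int              # when: local hour, 0-23


@dataclass(frozen=True)
class Policy:
    roles: frozenset[str]
    require_managed_device: bool
    segments: frozenset[str]
    actions: frozenset[str]
    hours: range


# Constructed per-asset policies. An asset with no entry is unreachable,
# which is the deny-by-default part.
POLICIES: dict[str, Policy] = {
    "finance-db": Policy(
        roles=frozenset({"finance-analyst"}),
        require_managed_device=True,
        segments=frozenset({"corp-finance"}),
        actions=frozenset({"read"}),
        hours=range(8, 19),        # 08:00 to 18:59
    ),
    "build-server": Policy(
        roles=frozenset({"engineer"}),
        require_managed_device=True,
        segments=frozenset({"corp-engineering"}),
        actions=frozenset({"read", "write"}),
        hours=range(0, 24),
    ),
}


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every attribute must pass; the first failing
    check is named so the decision can be logged and audited."""
    policy = POLICIES.get(req.asset)
    if policy is None:
        return False, f"no policy for asset {req.asset!r} (deny by default)"
    if req.role not in policy.roles:
        return False, f"role {req.role!r} not permitted on {req.asset}"
    if policy.require_managed_device and not req.device_managed:
        return False, "unmanaged device"
    if req.source_segment not in policy.segments:
        return False, f"segment {req.source_segment!r} not permitted on {req.asset}"
    if req.action not in policy.actions:
        return False, f"action {req.action!r} not permitted on {req.asset}"
    if req.hour not in policy.hours:
        return False, f"outside permitted hours ({req.hour}:00)"
    return True, "allowed"


def lateral_movement_blocked(compromised: Request, pivot_asset: str) -> bool:
    """Model an attacker who controls a legitimate session on one host and
    reuses it against another asset. Only the target changes; with per-asset
    policies that alone is enough to be denied."""
    pivot = replace(compromised, asset=pivot_asset)
    return not evaluate(pivot)[0]


if __name__ == "__main__":
    # Constructed sample requests.
    alice = Request("alice", "finance-analyst", True, "corp-finance", "read", "finance-db", 10)
    print(evaluate(alice))
    # An engineer's workstation is compromised and the attacker tries to
    # reach the finance database with the engineer's own session.
    bob = Request("bob", "engineer", True, "corp-engineering", "read", "build-server", 10)
    print(lateral_movement_blocked(bob, "finance-db"))
```

The point of the design is that network position is just one attribute among five and never sufficient on its own: an analyst on the right segment is still refused outside business hours or from an unmanaged laptop, and a valid engineering session is refused the moment it is aimed at an asset its policy does not name.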
Sean Duca, Vice President & Regional Chief Security Officer – Asia Pacific, Palo Alto Networks