- To stay secure in today’s digital landscape, we need to embrace modern best practices and adopt a holistic approach to cybersecurity.
- We should educate ourselves and others, collaborate across all levels of our organisations, and continuously adapt to the ever-changing threat landscape.
In the fast-paced world of cybersecurity, old myths and misconceptions can be as dangerous as the threats themselves.
Outdated advice often lingers, well past its “sell-by date,” and can lead to false notions about digital security. Here are ten common cybersecurity myths that need to be debunked.
Regular password changes are good
This advice dates back to at least 1989 when Clifford Stoll wrote in The Cuckoo’s Egg “Treat your password like your toothbrush.
Don’t let anyone else use it and get a new one every six months”. The reason for this seems obvious, so why is it wrong? Forced regular password rotation has several outcomes; passwords become more predictable as people are more likely to increment a number at the end of the password than to change the whole thing.
Passwords are more likely to be used for several different systems, as memorising an array of constantly changing passwords is impossible. For the same reasons, they are more likely to be written down, either digitally or physically.
Paradoxically, they are more likely to be memorable (as opposed to complex), and at the same time more likely to be forgotten.
Today’s cybersecurity experts, including organisations such as NIST and the NCSC recommend strong, unique passwords that don’t need constant changes, backed by robust security measures like multi-factor authentication.
Having a good antivirus is sufficient
Many still believe that a dependable antivirus program is all you need for digital protection. But as cyber threats become increasingly complex, relying solely on antivirus software is outdated. Even the best antirust in the world, even one with zero false positives and a 100% detection rate will not keep you safe.
So many other routes into the modern home or business exist; phishing, SMiShing, Vishing, social engineering, vulnerabilities, misconfigurations, insecurity by design, IoT and other unmanaged and unagentable devices.
Modern cybersecurity demands a layered approach, based on full visibility of the network including firewalls, intrusion detection systems, XDR, and comprehensive user education.
People are the weakest link
The age-old belief that users are the weakest link in cybersecurity neglects the importance of empowering individuals as the first line of defence.
Today, education and user awareness are key components in the fight against cyber threats. If a person clicking on a link, executing an attachment or being socially engineered out of their password is enough to take down your entire organisation.
The problem is not with the person, it’s with the architecture and processes. Is the network properly segmented? Is data encrypted?
Have you applied principles of least privilege and need to know? Are your business processes secure and robust, for example, Is one person empowered to make large financial transfers without a second approval?
Properly prepared and empowered people are your strongest asset rather than your weakest link. Blaming users is outdated; educating them is the future.
Cybersecurity is the job of infosec
Cybersecurity was often believed to be the sole domain of IT departments or security professionals. Everyone has a responsibility today.
We should all be concerned about cyber risks, so it is crucial to promote cybersecurity knowledge within an organisation.
Everyone is accountable for exercising caution and learning about best practices and safety. Cybersecurity must be a cornerstone of corporate strategy in the boardroom.
Equally fundamentally, all employees—not just the select few who are interested in cybersecurity—should be aware of the significance of common cybersecurity practices, such as avoiding phishing scams, using strong passwords, and keeping data secure both on and off the network.
It is all about computers and data
Cybersecurity is no longer limited to protecting computers and data. In our interconnected world, it encompasses safeguarding critical infrastructure, IoT devices, and even your digital identity. As technology evolves, so does the scope of cybersecurity, requiring us to think beyond data and devices.
Of course, your “traditional” technology estate is important to your business and attractive to cybercriminals, but the truth is that our networks are becoming ever more distributed, ever more diverse and ever more unmanageable.
Attackers are increasingly focusing on IoT devices such as cameras and NAS, unpatentable devices like VPN concentrators and routers, and less visible network segments containing OT as both initial routes into your organisation and as attack targets.
Don’t forget, that cybersecurity is as much about processes as it is about technology. A vulnerability is not a phenomenon restricted to software; it is equally possible for a process to be vulnerable.
Backups will save you from everything
Backups are a crucial part of a cybersecurity strategy, but they won’t protect you from every threat. Ransomware already looks for backups to encrypt if they are connected to your network.
Backups are an essential part of cybersecurity, but they are not the only part. Ransomware threat actors have got wise to the increased focus on effective backup strategies in recent years, as a response to the boom in ransomware attacks.
They are switching their tactics. Rather than encrypting your data and holding it to ransom, they now simply steal it and threaten to leak it. Backups won’t save you here.
You will know if you are breached
In the past, detecting a cyber breach might have been easier. Today’s attackers are more sophisticated and stealthier, often remaining undetected for extended periods. The “assume breach” mentality is now standard, emphasizing continuous monitoring, incident response plans, and proactive threat hunting.
Small businesses don’t need to worry
Many still believe that small businesses are less likely to be targeted by cybercriminals. In reality, they are often seen as easier prey due to weaker security measures. So a relatively smaller payout is balanced by the lower investment of criminal effort.
Additionally, small businesses often serve as links in the supply chain to larger organizations. According to the US National Cyber Security Alliance, 60 per cent of small businesses that suffer a cyber-attack go out of business within half a year.
SMBs must prioritize cybersecurity just as much as large enterprises because the consequences of a breach can be equally, if not more, devastating.
Securing internet-facing systems is enough
Otherwise known as “crispy on the outside with a soft chewy centre”. Outdated advice suggests that securing external-facing systems, such as websites or email, was sufficient.
There are plenty of ways into an organisation that do not involve breaking through the perimeter, social engineering, phishing, telephone calls, physical access, misconfiguration, zero-days and more.
Once inside that soft chewy centre, attackers can freely move laterally within your network. A comprehensive cybersecurity strategy involves securing all aspects of your infrastructure, from external to internal systems.
Penetration testing, compliance ensure security
While penetration testing and compliance are valuable components of cybersecurity, they do not guarantee overall security.
This snapshot mentality relying on point-in-time measures has already been shown to be insufficient to ensure security in the world of vehicle safety. In addition, penetration tests may not uncover all vulnerabilities and compliance standards can lag emerging threats.
A robust security posture goes beyond mere compliance to proactively address evolving risks. Compliance lays out minimum security requirements; it is emphatically not the same thing as security.
The world of cybersecurity and the threat landscape continues to evolve every day, and this renders well-meaning advice and received wisdom obsolete regularly.
The greatest enemy of security is complacency. To stay secure in today’s digital landscape, we need to embrace modern best practices and adopt a holistic approach to cybersecurity.
We should educate ourselves and others, collaborate across all levels of our organisations, and continuously adapt to the ever-changing threat landscape.
It’s not about sticking to outdated wisdom; it’s about staying vigilant and responsive in the face of new challenges.
- Rik Ferguson is the Vice President of Security Intelligence at Forescout.
Discover more from TechChannel News
Subscribe to get the latest posts to your email.