Dejan Kosutic

Commentary

6 greatest cybersecurity myths and why you should not trust them

Cybersecurity is, without a doubt, becoming one of the dominant security topics (and concerns), not only for security professionals, but also for any executives or managers who want to protect their organizations.

The Defense Department, of course, is no stranger to this feeling, whether their concerns were prompted by a malicious key drive, compromised Common Access Cards or the disclosures by Edward Snowden.

But, let’s be honest: not many people really understand what cybersecurity is, and this lack of understanding has brought up some well-entrenched myths about cybersecurity. And, unfortunately, this wrong perception is now one of the biggest obstacles preventing companies from dealing with cybersecurity in the proper way.

So, here is what cybersecurity is not:

Myth No. 1: It's all about IT

Imagine this scenario: A disgruntled system administrator intentionally disables your core application and deletes your most important databases.

Is this an IT issue? No, this is hardly an IT issue; more like an HR issue. Could this have been prevented by IT safeguards? No. The person in this position is required to have direct access to all of your systems.

So, the way to prevent this type of scenario falls outside the technology area and comes down to how to select your employees, how to supervise them, which kind of documents have been signed, how this person is treated within the organization, and so on. 

Don't get me wrong – information technology and IT safeguards are extremely important in cybersecurity, but they alone are not enough. The point is that these measures must be combined with other types of safeguards to be effective.

Myth No. 2: Top management has nothing to do with cybersecurity

You are probably aware that safeguards cannot be implemented without money and employee work time. But if the managers in your agency are not convinced this protection is worth the investment, they are not going to provide the required resources. Hence, the project will fail.

Further, if top officials do not comply with security rules and, for instance, leave the laptop (with its list of personnel or details about key initiatives) unprotected at the airport, all other security efforts will be in vain.

So, your top managers are a very important part of cybersecurity.

Myth No. 3: Most of the investment will be in technology

False. Most of the organizations I have worked with already had most of the technology in place. What they did not have were rules on how to use that technology in a secure fashion. This is like purchasing a fancy new BMW and only using such a luxury car for delivering pizzas.

The information will be protected if everyone with access knows what is allowed and what is not, and who is responsible for every piece of information or for every piece of equipment. This is achieved by defining clear rules, usually in the form of policies and procedures.

As a rule of thumb, I would say investment in technology is usually less than half of the required investment. In some cases, it may even be less than 10 percent. The majority of the investment is usually in developing the policies and procedures, training and awareness, etc.

Myth No. 4: There is no ROI in security

Yes, security costs money, and it’s hard to quantify the savings from an attack that didn’t happen. But the whole idea of cybersecurity is to decrease the costs related to security problems (i.e., incidents). If you manage to decrease the number and/or extent of security incidents, you will save money. In most cases the savings achieved are far greater than the cost of the safeguards; so, you will "profit" with cybersecurity.

Myth No. 5: Cybersecurity is a one-time project

False. Cybersecurity is an ongoing process. For instance, if you develop an Incident Response procedure that requires personnel to notify the Chief Information Security Officer on his or her cell phone about each incident, but then this person leaves your agency, you obviously no longer want these calls to go to him or her if you want your system to be functional. You have to update your procedures and policies, but also software, equipment, agreements, etc. And this is the job that never ends.

Myth No. 6: The documentation myth

Writing a pile of policies and procedures does not mean your employees or service people will automatically start complying with them.

Security is normally quite a big change and, frankly speaking, no one likes to change established practices. For example, instead of your good old “1234” password, you suddenly have to change your password every 90 days to something with eight characters, out of which at least one must be a number and one a special character.

What this means is that your personnel will resist change, and will try to find ways in which to avoid these new rules. So you have to find a way to overcome this resistance.

People are the key

So, the point here is the following: when thinking about cybersecurity, you shouldn’t jump right into the project without setting the stage. And, setting the stage must also include convincing your leaders (and many others) about what cybersecurity is not. So, if you are working as a cybersecurity professional, you shouldn’t only deal with the technical aspects – you have to deal first with humans and their perceptions in order to set your project on the right track.

In other words, cybersecurity is more about working with people and less about dealing with machines.

About the Author

Dejan Kosutic is an expert in ISO 27001 and ISO 22301 and author of the free book: "9 Steps to Cybersecurity," available at http://www.iso27001standard.com/en/free-ebooks/9-steps-to-cybersecurity-managers-information-security-manual

Reader Comments

Mon, Mar 24, 2014

> A disgruntled system administrator intentionally disables your core application and deletes your most important databases.
> Is this an IT issue? No, this is hardly an IT issue;

Of course it's an IT issue. The question that needs to be asked is: Why does your administrator require write access to all your systems all the time? The answer is "she doesn't" .. So why do you grant that access? This is mostly preventable by stronger IT barriers.
- Need to make a destructive change - unlock the system first.
- Want to make that second unplanned change in the day, then you have to get your manager's approval to unlock the system.
Your systems aren't lockable? Now THAT's an IT problem. The idea that one set of credentials is able to wreak havoc across an entire infrastructure is a flawed outcome and 1990's thinking. If your solution isn't able to do granular, authenticated permissions controls - then you need a new solution. If your solution can't rate limit users without approvals - you need a new solution.

Mon, Mar 24, 2014

Informative article. The threats from cyber criminals are well known and organizations need to do well in deploying suitable methods to check the possible threats on your IT infrastructure. I work with McGladrey and there's a whitepaper on our website which offers very good information on common security concerns for business and ways to mitigate them @ http://bit.ly/1c0f35M; readers will find it helpful.

Wed, Mar 19, 2014

A myth held by many of the cyber security idea/high level people is that all those fancy and constantly changing passwords tend to be helpful when in reality they are usually counterproductive. Let alone the time wasted on having to create something new every 3 months, when you have to use (and constantly change) multiple passwords they tend to get lost. People have to resort to writing them down (a security issue) on a list that can be lost or stolen. At one time I had well over a dozen of these passwords to keep track of (naturally I had to write them down on a constantly changing list) and still had problems. The end result is that now the cyber security people, as well as the users, are wasting time on resetting lost or expired passwords so the users can get access to their systems to do their real work that produces the real product of their organization. Combined with the added burden on the systems from the extra security software, the loss in productivity may be a much bigger cost than the technology and added manpower put into the cybersecurity. These costs are often not considered in the cybersecurity equation. This notion is not just theory, but actual experience many of us at the working level have had to put up with.

Wed, Mar 19, 2014

I'd quibble whether some of those six are un-examined assumptions instead of myths. However, I think most of the cybersecurity initiatives are paperwork processes concerned more with _reporting_ on compliance than with actually being more secure about likely actions. The hiring of the sysadmin is a good example. Passwords are another example. We don't want employees to write them down yet we mandate they come up with
* 24 distinct (because you can't reuse old ones)
* complicated (12 chars long, include each of 4 char sets and do not repeat any 3-char sequence)
passwords. Yet those articles about the common passwords found in hacked lists don't mention that the hack itself had nothing to do with anybody's personal password--the thieves stole the actual password file. With our fancy computer reporting and enforcement, we can actually verify the implementation of policies about passwords so that's what the focus goes to, not to actual cyber-security--which the author correctly stated has little to do with IT itself.

Tue, Mar 18, 2014

You left out telling what cybersecurity really is. All you talked about has been part of information security all the time and it includes even more and more. Information Security, including IT Security as one part of it, is mostly about people, processes, behaviour, governance within the company and partners/subcontractors, agreements, roles and responsibilities, requirements and most of all risk management and cost-effective choices based on your business and the willingness to take risks. Etc. Could you open only the term cybersecurity as a separate area and why it is not part of information security?
