6 greatest cybersecurity myths and why you should not trust them
Cybersecurity is, without a doubt, becoming one of the dominant security topics (and concerns), not only for security professionals, but also for any executives or managers who want to protect their organizations.
The Defense Department, of course, is no stranger to this feeling, whether their concerns were prompted by a malicious key drive, compromised Common Access Cards or the disclosures by Edward Snowden.
But, let’s be honest: not many people really understand what cybersecurity is, and this lack of understanding has brought up some well-entrenched myths about cybersecurity. And, unfortunately, this wrong perception is now one of the biggest obstacles preventing companies from dealing with cybersecurity in the proper way.
So, here is what cybersecurity is not:
Myth No. 1: It's all about IT
Imagine this scenario: A disgruntled system administrator intentionally disables your core application and deletes your most important databases.
Is this an IT issue? No, this is hardly an IT issue; more like an HR issue. Could this have been prevented by IT safeguards? No. The person in this position is required to have direct access to all of your systems.
So, the way to prevent this type of scenario falls outside the technology area and comes down to how to select your employees, how to supervise them, which kind of documents have been signed, how this person is treated within the organization, and so on.
Don't get me wrong – information technology and IT safeguards are extremely important in cybersecurity, but they alone are not enough. The point is that these measures must be combined with other types of safeguards to be effective.
Myth No. 2: Top management has nothing to do with cybersecurity
You are probably aware that safeguards cannot be implemented without money and employee work time. But if the managers in your agency are not convinced this protection is worth the investment, they are not going to provide the required resources. Hence, the project will fail.
Further, if top officials do not comply with security rules and, for instance, leave the laptop (with its list of personnel or details about key initiatives) unprotected at the airport, all other security efforts will be in vain.
So, your top managers are a very important part of cybersecurity.
Myth No. 3: Most of the investment will be in technology
False. Most of the organizations I have worked with already had most of the technology in place. What they did not have were rules on how to use that technology in a secure fashion. This is like purchasing a fancy new BMW and only using such a luxury car for delivering pizzas.
The information will be protected if everyone with access knows what is allowed and what is not, and who is responsible for every piece of information or for every piece of equipment. This is achieved by defining clear rules, usually in the form of policies and procedures.
As a rule of the thumb, I would say investment in technology is usually less than half of the required investment. In some cases, it may even be less than 10 percent. The majority of the investment is usually in developing the policies and procedures, training and awareness, etc.
Myth #No. 4: There is no ROI in security
Yes, security costs money, and it’s hard to quantify the savings from an attack that didn’t happen.
But the whole idea of cybersecurity is to decrease the costs related to security problems (i.e., incidents). If you manage to decrease the number and/or extent of security incidents, you will save money. In most cases the savings achieved are far greater than the cost of the safeguards; so, you will "profit" with cybersecurity.
Myth No. 5 Cybersecurity is a one-time project
False. Cybersecurity is an ongoing process. For instance, if you develop an Incident Response procedure that requires personnel to notify the Chief Information Security Officer on his or her cell phone about each incident, but then this person leaves your agency, you obviously no longer want these calls to go to him or her if you want your system to be functional. You have to update your procedures and policies, but also software, equipment, agreements, etc. And this is the job that never ends.
Myth No. 6: The documentation myth
Writing a pile of policies and procedures does not mean your employees or service people will automatically start complying with them.
Security is normally quite a big change and, frankly speaking, no one likes to change established practices. For example, instead of your good old “1234” password, you suddenly have to change your password every 90 days to something with eight characters, out of which at least one must be a number and one a special character.
What this means is that your personnel will resist change, and will try to find ways in which to avoid these new rules. So you have to find a way to overcome this resistance.
People are the key
So, the point here is the following: when thinking about cybersecurity, you shouldn’t jump right into the project without setting the stage. And, setting the stage must also include convincing your leaders (and many others) about what cybersecurity is not. So, if you are working as a cybersecurity professional, you shouldn’t only deal with the technical aspects – you have to deal first with humans and their perceptions in order to set your project on the right track.
In other words, cybersecurity is more about working with people and less about dealing with machines.
Dejan Kosutic is an expert in ISO 27001 and ISO 22301 and author of the free book: "9 Steps to Cybersecurity," available at http://www.iso27001standard.com/en/free-ebooks/9-steps-to-cybersecurity-managers-information-security-manual