In the wake of the pandemic, cyber crime has evolved rapidly. It’s not just hackers who have stepped up by launching more sophisticated attacks; IT security myths and obsolete ideas in the industry are contributing just as much to their success.
According to an Accenture report, the number of cyberattacks on companies has increased from 206 to 270 within a year. Beyond the number of attacks, cybercrime damages have shot up exponentially as well. A Cisco/Cybersecurity Ventures study reports that cybercrime will cost $10.5 trillion by 2025. Companies, especially SMBs, cannot afford to ignore IT security, and they certainly cannot let assumptions determine their strategies. If you’re worried about cyberattacks, start by understanding these security myths and how to avoid them.
1. My passwords are strong
It’s important to mandate strong passwords across the organization, but that’s only one part of a bigger step. Businesses often treat special characters, exclamation marks, and upper-case letters as the only markers of a strong password. Complexity matters, but so does length: a strong password must be longer than average. Today’s password-cracking systems are so advanced that they can guess a fairly complex 8-character alphanumeric password within seconds. To prevent a brute-force attack in your organization, follow these steps:
- Use at least 12 characters when creating passwords. 15-18 characters is even better: the longer the password, the harder it is to crack
- Always use a combination of uppercase and lowercase letters, special characters, and numbers
- Do not recycle old passwords. Always create unique and new passwords
- Do not use personal phrases or nicknames, popular terms, and quotes
- Use a random password generator tool to create strong passwords based on custom criteria. This way you’ll save a lot of time
Here’s what a strong password looks like: *;2a{?k7=9BQ=#’
The type of weak password you should avoid: maTT@Hr
Ticking all of the above boxes does not guarantee you complete security. You should always use multi-factor authentication (MFA) to add an extra layer of security.
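As an added illustration (not code from the article), the checklist above expressed as a small Python policy checker. It uses the article’s two example passwords as inputs, estimates the keyspace an attacker would have to search, which shows why the 15-character example is far stronger than an 8-character alphanumeric one, and generates compliant passwords with the OS CSPRNG; the length thresholds are the article’s, the keyspace model is an assumption.

```python
import math
import secrets
import string

# Thresholds follow the article's checklist: at least 12 characters, 15+ preferred,
# and all four character classes present. The two examples below are the article's own.
MIN_LEN = 12
PREFERRED_LEN = 15
ALPHABET = string.ascii_letters + string.digits + string.punctuation
STRONG_EXAMPLE = "*;2a{?k7=9BQ=#'"   # article's strong example (ASCII apostrophe)
WEAK_EXAMPLE = "maTT@Hr"             # article's weak example


def char_classes(pw):
    """Which of the four character classes appear in the password."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def check_password(pw):
    """Checklist result; 'ok' is True only when the length and class rules both pass."""
    result = {
        "length_ok": len(pw) >= MIN_LEN,
        "length_preferred": len(pw) >= PREFERRED_LEN,
        "all_classes": all(char_classes(pw).values()),
    }
    result["ok"] = result["length_ok"] and result["all_classes"]
    return result


def keyspace_bits(pw):
    """Bits an attacker must search knowing only the length and classes used (assumed model)."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    pool = sum(sizes[k] for k, present in char_classes(pw).items() if present)
    return len(pw) * math.log2(pool) if pool else 0.0


def generate_password(length=16):
    """Random password from the OS CSPRNG; retried until every class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_password(pw)["ok"]:
            return pw
```

Calling `keyspace_bits` on an 8-character alphanumeric password gives roughly 48 bits, against roughly 98 bits for the article’s 15-character example.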
2. Cyber threats are only external
When identifying threat actors, businesses often look outside. But not all cyberattacks come from third parties; some are triggered from within. According to a Ponemon study, the cost per insider threat has risen 33% to $15.38 million in 2022. Internal security incidents can be attributed to two factors:
- Lack of IT security training: Employees need to be aware of security issues and the consequences of exposing critical data. Regular training and education help reduce that ignorance of security
- Paid or disgruntled internal agents: Unhappy ex-employees can leverage their knowledge to expose the company to cybercriminals. It’s also possible that people with knowledge of sensitive data are paid to willingly compromise a company’s security protocols or hand over credentials to third-party agents. Even though this is an extreme step, you cannot rule out the existence of malicious intent.
To prevent insiders from compromising the company, conduct regular security assessments and training. Also evaluate employee privileges and account access, and enable 24/7 endpoint monitoring. Look for session activity at odd hours and unusually high traffic to narrow down issues. Thoroughly documenting SOPs and enforcing policies are also effective ways to weed out internal threats.
3. You will know if you have been hacked immediately
According to an IBM report, security teams take 287 days to identify and neutralize a data breach. If you are immediately informed of an attempted cyberattack on your company, consider yourself lucky! Cyberattacks such as DDoS and ransomware are designed to overwhelm systems immediately and force you to make impulsive decisions. Contrary to popular belief, this is not how all cyberattacks function.
Most criminals would rather enter your system and silently collect critical information over weeks and months. During this period they’ll monitor access data and employee usage, and spread their net as wide as they can.
You can detect a possible attack if, over a period of time, you find unusually high network traffic, large file downloads, frequent network connection requests, location anomalies, or unidentified notifications. It is crucial to know that cybercriminals can stay hidden inside your system for a long time before dealing a heavy blow. You can speed up the detection of theft by constantly monitoring network access, emails, and support tickets.
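The signals named in sections 2 and 3 (sessions at odd hours, unusually large transfers, location anomalies) as a small detection pass over a constructed session log. This is an added example, not the article’s code or any product’s; the log format, the business-hours window, the 500 MB threshold and the one-hour location window are all assumptions to be tuned to your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample session log (not real data): time user src_ip country bytes_out
SAMPLE_LOG = """\
2022-06-14T09:12:03Z alice 198.51.100.4 US 2400000
2022-06-14T09:40:17Z bob 198.51.100.9 US 800000
2022-06-14T02:31:44Z carol 203.0.113.22 US 900000000
2022-06-14T10:05:09Z alice 192.0.2.77 BR 150000
2022-06-14T15:20:30Z bob 198.51.100.9 US 1200000
"""

# Assumed thresholds; tune them to the organisation's own baseline.
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 UTC counts as normal
LARGE_TRANSFER_BYTES = 500_000_000     # 500 MB in one session is "large"
LOCATION_WINDOW = timedelta(hours=1)   # two countries within an hour is anomalous


def parse_log(text):
    """Parse the whitespace-separated log into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country, nbytes = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country, "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["time"])


def find_anomalies(events):
    """Map each flagged user to the signals raised: odd_hour, large_transfer, location_anomaly."""
    findings = defaultdict(set)
    last_seen = {}  # user -> (time, country) of that user's previous session
    for e in events:
        if e["time"].hour not in BUSINESS_HOURS:
            findings[e["user"]].add("odd_hour")
        if e["bytes"] >= LARGE_TRANSFER_BYTES:
            findings[e["user"]].add("large_transfer")
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["country"] and e["time"] - prev[0] <= LOCATION_WINDOW:
            findings[e["user"]].add("location_anomaly")
        last_seen[e["user"]] = (e["time"], e["country"])
    return dict(findings)


if __name__ == "__main__":
    for user, flags in sorted(find_anomalies(parse_log(SAMPLE_LOG)).items()):
        print(f"{user}: {', '.join(sorted(flags))}")
```

On the sample log, carol is flagged for an 02:31 session and a 900 MB transfer, alice for appearing in two countries 53 minutes apart, and bob is not flagged at all.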
4. Compliance means meeting security needs
Because of privacy and security threats, global compliance has become a popular metric for judging a company’s security. But making your business compliant is merely the first step; you cannot afford to be content and assume that compliance equals security.
For example, PCI DSS is a popular compliance standard for payment gateways. But PCI only covers MasterCard, Visa, Discover, JCB International, and American Express cards, leaving other transactions, and entities that don’t store card data, without any regulation. If you’re only following PCI compliance, you’re leaving your customer data exposed to malicious agents.
There’s a huge gap between compliance and security standards, one that can be bridged by making policies and infrastructure secure by design. Instead of sprinkling on IT security later, build products so that they run compliant workloads securely from the start. If you work with large amounts of data, consider retaining only the essential parts to reduce the chances of cyberattacks. Along with this, properly evaluate cloud partners and third-party vendors: understand their policies, how they handle data, and the impact a data breach would have on your business.
Compliance should be treated as due diligence, but it’s important to be proactive and purposefully build solutions that mitigate threats.
5. My IT partner has security covered
Most businesses hire managed IT security service providers to handle their data backup and security. Given the rising level of threats, it’s only reasonable to seek help from industry experts. But you cannot assume that your IT partner will solve all of your security woes; some issues are built into the business itself.
Security-aware employees are assets to a company, so your workforce must be trained in security best practices. Make sure your employees can identify malicious links, phishing scams, malware attacks, and brute-force attempts. They should protect their identities online to prevent social engineering and keep their personal devices secure to prevent data leaks. Being vigilant about security is one of the best steps you can take toward protecting business and consumer data.
The myths above are undermining the security steps taken by organizations in 2022, and threat agents have exploited them heavily. Only robust education can help businesses tighten their security going forward.