Cyber Security Myths for 2019 (Part 1 of 2)
There is a lot of information out there on what cybersecurity is, but the bottom line is that someone somewhere is trying to get something. With enough effort, it is possible for anyone to get hacked, but there are some things you can do to make it not worth the effort. In this article series, we will take a look at common ideas people have, debunk those myths, and then see what your organization can do to protect itself. The first myth we need to debunk is:
1. It won’t (or can’t) happen to me. This is a big one. Due to the rapid advancement of cybercriminal activities, it’s almost like our brains just won’t accept the risk. For example, would you say: “Well, I’ve never gotten into a car accident, so I don’t need to wear a seatbelt”? Chances are you would never say that, and your trained response would be to refute the logic of such a statement. As a society, we’ve been conditioned over decades to wear our seat belts when traveling. Yet people and organizations feel: “Well, we’ve never been attacked, so we don’t need to do xyz.”
2. I’m safe because I use a strong password. A strong password is good, but not infallible: the service that is storing it may one day be compromised. Worse yet is using that same “strong” password across all or even some other accounts. Why is that dangerous? Because attackers know that people are lazy and don’t want to have to remember more than a few passwords. So when they break into a weak website or database where usernames and passwords are stored, they simply use those same usernames and passwords on other websites in an effort to log in to an account that you own.
3. I never browse dangerous websites, so I won’t get infected. Unfortunately, even well-known websites can fall victim to displaying third-party ads that have been infected with malware. Any visitor to that web page can fall victim to such an attack.
4. Security costs too much. While it is true that there is a cost to security products and services, this must be compared to the downside costs of a successful attack or breach. Losing data, productivity, and reputation is usually much more expensive than standard security solutions. As an example, how much money does it cost to pay the entire staff for a whole day if all of the machines and systems become unavailable due to an attack? The average ransomware recovery takes 7 days, or ~$13,000 to pay the ransom. Even after the ransom is paid, the attackers may possess copies of all the data and communications of your clients. Will your clients stay with you when they find out you’ve had an incident?
5. It doesn’t matter if I get hacked, the data isn’t important. We can sometimes underestimate the value of our data. But just think how long it will take to re-create it! Having regular server backups will recover pre-determined items stored on the server, but is there anything of importance that is stored on local desktops or laptops?
6. I have antivirus, so I don’t need anything else. Just a short while ago, that may have been the case, but those times are long gone. The complexity of attacks requires solutions and services that surpass the traditional antivirus. Modern attackers are not necessarily interested in destroying or corrupting data, but more so in observing and manipulating data so as to launch a targeted and financially successful assault on the network. Phishing attempts rely on social engineering and the human factor; traditional antivirus is unable to help.
7. I could tell if my machine or network was infected. Compromised equipment will not usually show any symptoms at first glance. For example, if an attacker gained control of your webcam, they would disable any notifications and/or LED lights indicating the webcam is activated, and could then just watch uninterrupted. Or, in another instance, an attacker loads a special piece of software on a machine that uses less than 1% of your internet connection to attack other machines.
8. Phishing emails are easy to detect. Again, not too long ago it was easy to spot the spelling mistakes and grammatical errors that often plague spam emails. However, attackers are financially motivated to penetrate your company’s defenses. In a simple attack, they may copy word for word and every image in a normal email from PayPal, UPS, or some other company you regularly do business with, and replace the links with servers under their control. Or an attacker may have compromised the email account of someone you communicate with regularly and use it to request data, money, or something else, in a message designed to deceive you into complying with the request.
ICS wants your business to be aware of the constantly changing landscape. Knowing these myths can be a first step in staying safe online. Don’t discount how important it is to secure your environment … starting with staff. If just one person falls victim, it can mean an attacker will have a presence in all other systems. Please contact us regarding the following products & services that go towards securing your environment:
- Managed Detection and Response
- Data Loss Prevention / Employee Monitoring Software
- Written Security Policies for Employees
- Firewall, Server, and Network Hardening Procedures
Our Credentials and IT Services:
- Award Winning (MSP Mentor) Managed Services Provider
- Microsoft Silver Certified Partner & Small Business Specialist
- Managed IT Security Services Bundled into Support Plans
- Your Local and Reliable New Jersey IT Consultants