One of the greatest challenges for organizations attempting to address cybersecurity risks is the number of fundamental security myths that cause organizations to incorrectly assess threats, misallocate resources, and set inappropriate goals. Dispelling those myths is key to developing a sophisticated, appropriate approach to information security.
MYTH #1: “IT’S ALL ABOUT THE DATA.”
All too frequently, “security” is thought of as ensuring data cannot be accessed or used for unauthorized purposes or by unauthorized users. While this is certainly a key concern, the systems and networks on which the data resides must also be protected against attack. For example, a Denial of Service (DoS) attack is not aimed at gaining access to a business’ sensitive data, but at preventing others, such as the business’ customers and business partners, from accessing and using that data.
MYTH #2: “IT’S ALL ABOUT PRIVACY.”
Another common misconception is that security only relates to the protection of personally identifiable information. While protecting personal information is clearly of critical importance, other types of information assets must also be protected. Additional information assets include trade secrets and other intellectual property (such as source code for a company’s software products), competitive information (such as customer and supplier lists), pricing and marketing data, company financial information, and more. It is particularly important to ensure all forms of confidential and proprietary information are protected in entering into relationships with vendors and business partners.
MYTH #3: “IT’S ALL ABOUT CONFIDENTIALITY.”
When talking about security, the tendency is to focus on the most obvious element: ensuring data is held in confidence (i.e., the data is not used by unauthorized individuals or for unauthorized purposes). For data to be truly secure, it must be confidential, its integrity must be maintained, and it must be available when needed. These are the three prongs of the well-known information security acronym “CIA.”
“Confidentiality” means the data is protected from unauthorized access and disclosure.
“Integrity” means the data can be relied upon as accurate and has not been subject to unauthorized alteration. A few years ago, a well-known hacker magazine ran an article designed to educate employees who thought they were going to be laid off how to harm their employers. In particular, the article suggested ways employees could easily corrupt company databases to render them unreliable (e.g., changing account numbers for key suppliers, changing invoice addresses, etc.).
“Availability” means the data is available for access and use when required. It does no good to have data that is confidential and the integrity maintained, but the data is not actually available when a user requires it. For example, DoS attacks are specifically designed to prevent availability of key systems and data, instead of compromising confidentiality or integrity.
MYTH #4: “TO BE A HACKER, YOU MUST BE A TECHNOLOGICAL GENIUS.”
It is a common error for businesses to focus security measures on the professional hacker, or protecting against individuals or entities that are highly skilled in programming and technology. Such skills are, however, no longer a pre-requisite to hacking. Today, someone with little or no knowledge of technology can find online, easy-to-use hacking tools capable of causing substantial harm to a business. These individuals are sometimes referred to in the hacking community as “script kiddies,” because they require no real hacking knowledge. There are also a wide range of readily available books that can quickly educate technological neophytes regarding hacking. One popular book even includes a chapter entitled, “how to be a hacker in thirty minutes.”
Finally, one of the most effective means of hacking in use today — social engineering — requires no technological skills whatsoever. Rather, to be an effective social engineer, all that is required is self-assurance and a knowledge of human nature. One prevalent form of social engineering is phishing — a hacker sending fake emails soliciting sensitive information or including attachments that install malware that can infect a company’s network. Phishing attacks and other social engineering techniques were used recently to conduct a concerted attack on banking institutions worldwide, causing losses of $300 million — or possibly as high as $1 billion.
MYTH #5: “I CAN ACHIEVE 100 PERCENT SECURITY.”
Finally, one of the most common misconceptions about security is that complete security can be achieved and that complete security is required by law or industry practice. Neither is correct. Both laws and industry practices require businesses to do what is “reasonable.” Complete security is not required or even realistic. Studies show that it would require businesses to increase overall security budgets nine-fold to address just 95 percent of the threats. That increase would, in most cases, exceed the overall budget for the entire business.
There is a fundamental paradox with regard to security efforts: As security protections increase, usability of the secured systems decreases. That is, the greater the security, the less useful the thing secured will be. It is, for example, possible to completely secure a mobile device, such as smartphone. All that is necessary is to (i) put the device into airplane mode and (ii) lock the device in a secure safe. While complete security has been achieved, usability has been reduced to zero. A balance must always be struck between effective security measures and usability of the data or system being secured.
While protecting a business’ data is key, a well-crafted approach to security requires protection of the systems on which that data resides and the networks through which the data is accessed. In most instances, a practice known as “security in depth” should be employed. That practice recommends the use of multiple layers of protection from threats. For example, to address phishing attacks, a company can begin employee education on opening unidentified emails. As a further measure of security, the business could combine that training with anti-virus software and, possibly, software specifically designed to detect phishing.
All sensitive and proprietary information, not just subsets of that data, must be accounted for in addressing and mitigating cybersecurity threats. Protection of those information assets must be addressed not only within the company, but also with its external vendors, contractors, and other partners. The headlines are replete with security breaches that resulted from a business entrusting its data to a third-party vendor that had inadequately protected its systems.
When assessing security measures, the concept of CIA should be a foundational requirement. Specifically, security controls must be designed to address not only the confidentiality of data, but the integrity and availability of that data. Hackers know all the tricks. If they cannot get access to data, they may target denying others that access or finding ways to corrupt the integrity of that data.
Never underestimate the effectiveness of social engineering and other similar “non-technical” attacks. Every business experiences these attacks on a daily basis through phishing and other means. Appropriate, repeated training for employees is one of the most important steps in mitigating this substantial threat.
Applicable laws and standards require businesses to do what is reasonable to address threats. That means devoting an appropriate level of investment that balances usability against security. Striking an adequate balance is key to designing a successful cybersecurity approach.