6 Misconceptions About Cyberattacks
Discussions with potential clients start with the nature of cybercrime agents, and the liability businesses may face.
October 3, 2019
By Tony Spurlin, Chief Information Security Officer, Windstream
It seems like every few months we hear about a major hack or data breach affecting millions of people. This summer, it was Capital One and some 100 million Americans whose personal data was harvested. Increasingly, it’s small and midsize businesses that are the targets of cyberattacks, and because these attacks are growing in number and sophistication, many businesses face an existential threat in light of the consequences.
Each October, the U.S. Department of Homeland Security marks National Cybersecurity Awareness Month. It’s a time for government and public-private partnerships to encourage business data security and, at home, cyberattack defenses that begin with recognizing that you have digital assets.
Data breaches, denial-of-service attacks, ransomware, phishing and other digital dangers may not feel urgent to anyone who is as yet unhurt, but cyberattacks are almost exponentially more numerous in the United States than in any other country. And almost two-thirds of the victims aren’t the Wall Street credit card companies we hear about, but the Main Street businesses we drive past.
In counselling business data security, the discussion often begins with misconceptions around vulnerability, the nature of cybercrime agents, and the liability businesses may face in the event of a cyberattack.
Misconception #1: My data (or the data I can access) isn’t that valuable. Begin with the premise that all data is valuable. Do an assessment of the data on hand – routinely collected, filed, accessed and transmitted – and inventory it, giving weight to its sensitivity. Most companies have client and customer business data assets that, if compromised, would impact trust and future business.
Misconception #2: Cyberattacks arrive without anyone’s permission or knowledge. A cyberattack can occur over any internet connection, but increasingly, it begins with a correspondence. Phishing – and Vishing and SMishing – is a request for access that requires an initial response. Spear phishing, in which a communication arrives ostensibly from a customer, friend or contact, is particularly insidious.
A first-line cyberattack defense is managers’ choice to train around these introductions.
Misconception #3: Cybersecurity is an advanced technology game. True, the average IT specialist can’t write effective antivirus software exclusive to the small-to-midsize business any more than the average motorist builds her own car. What is also true is that security is best approached as a mix of business solutions and employee training, along with clear policies and protocols guiding company culture.
Training should emphasize small security thresholds employees can meet at any time:
Use strong passphrases and multistep authentication to protect access.
Limit access to data or systems to staff who need it to perform core duties.
Keep a clean machine — clearly promulgate acceptable (if any) internet downloads.
Communicate — with supervisors, with colleagues, with professional associates. Not talking about security is a security risk.
Employees should be shown what phishing scams and other opening gambits look like. Be suspicious of unexpected requests, especially when they include attachments. When in doubt, throw it out!
Misconception #4: Digital and physical security are altogether separate matters. Develop policies and talk about unauthorized physical access to hardware or sensitive assets. Is a staff member where he shouldn’t be, acting suspiciously? Discuss this openly. Just as crimes often happen within friend groups and among family members, business data security may be breached internally just as it may be externally.
Cybersecurity for small businesses on a budget begins with employees having a stake in it.
Misconception #5: Outsourcing to a vendor washes a company’s hands of liability. While it’s true a vendor may be liable, any business or corporation itself has a legal – not to mention an ethical – responsibility to demonstrate cybersecurity awareness and protect clients’ and customers’ data. Put data sharing agreements in place with vendors and have a trusted lawyer review them.
Additionally, many standard commercial liability policies do not cover cyberattacks and data breaches. Speak with an insurance expert to adequately cover your investment in the event of an attack.
Finally, don’t rest on compliance with “industry standards” when it comes to business data security. This Cybersecurity Awareness Month, aim for dedicated cybersecurity planning and recovery. The National Institute of Standards and Technology’s Cybersecurity Framework is robust.
Misconception #6: Cybersecurity is a big investment, and a drag to boot!
Along with employee empowerment, one of the pennywise ways offices small and big can build their cyberattack defenses is to keep all systems and apps current and automate updates. Having the latest software, web browser and operating system is free, effortless, and the best defense against viruses, malware and other online threats.
All of this doesn’t have to be a drag. It can pay off immediately!
Security can be just the exercise needed to prompt upgrades in blazing fast speeds and amazing technologies. Optical fiber internet is powering immersive new workplace experiences, such as near-instantaneous file uploads, and virtual and augmented reality training. Unified communications-as-a-service platforms – next-generation VoIP – allow employees to host virtual meetings and get out of the office while still being totally keyed into clients’ needs and coworkers’ requests. The cloud is business continuity and work mobility in one.
If you’re convinced your business’s – and your clients’ – security is worth it, but you don’t want to picture disaster, then picture better internet and a host of new tech coming in over this fortified network, and be assured you’re getting both.
Tony Spurlin is a vice president at Windstream and chief information security officer. For more than 20 years as an IT security expert he’s advised staff and clients on information security and compliance, incident response, disaster risk, vulnerability management and other network security improvements.