National Cybersecurity Awareness month is upon us. And, so is the opportunity to look at what common C-suite misconceptions could be handcuffing security awareness efforts.
As we enter the back half of 2020, now is the time to look at myths and highlight their relevancy in this chaotic year. Which myths are in the modern threat landscape? And, have any been proven true?
Let’s take a look at six common cybersecurity myths and what you can do to dispel them.
Bringing Cybersecurity Awareness to the C-Suite
First, it’s critical to reiterate that we need to be thinking about the whole enterprise when discussing cybersecurity awareness. The focus of cybersecurity awareness is often on frontline employees. That segment of the corporate hierarchy is crucial. But without buy-in from the top of the hierarchy, any awareness efforts are at risk of being stonewalled.
Despite all the progress we’ve made at the C-suite level, common myths about the world of cybersecurity awareness still exist. In today’s new normal, priorities have changed and security has undoubtedly made a shift to top-of-mind for many executives. But with so much to think about amidst all the changes we’ve witnessed in the last six months, balancing security with productivity is increasingly difficult.
As a former security analyst for private and public sectors, I’ve had experience as a middle person of sorts between the IT department and C-suite. Far too often, the disconnect over cybersecurity awareness-related decisions was palpable. Between my hands-on experience and years speaking with many CEOs and IT decision makers, I’ve concluded there’s a direct correlation between an organization’s security posture and the level of buy-in from executives.
Still, myths exist.
Myth 1: IT is More Affordable In House
More IT executives seem to be on board with the many cloud and security-as-a-service (SaaS) options available to shift the cybersecurity awareness burden away from the IT department. SaaS is still growing, and many companies are leveraging the expertise from a managed security services provider.
Despite the potential cost savings, cloud adoption has its challenges. Flexera’s Rightscale 2019 State of the Cloud Report, which surveyed 786 technology professionals from various enterprise sizes and industries, states the top priority in 2019 was cloud cost optimization.
Optimizing costs in 2020 is going to be even more crucial.
Myth 2: Updates Are Under Control
Unfortunately, this myth is common in 2020. It can haunt your organization, because complacency and security don’t go well together. If the C-suite is under the false impression that everything is under control, the potential for an attack can skyrocket.
There are more endpoints connecting to corporate networks than ever before, especially in today’s work-from-home era. Making sure all those desktops, laptops, smartphones, tablets, firewalls, appliances, routers, servers and new Internet of Things (IoT) devices are patched and up-to-date is a massive undertaking.
Patch management should not and cannot be overlooked by any IT decision maker. Testing is also key. Without proper assessments and penetration tests, how do you know whether your endpoints and networks are secure? Self-evaluations will tell you, and give you the knowledge needed to fix what you find.
Myth 3: Cybersecurity Awareness Programs are Good Enough
The complacency theme continues. Even though most in the C-suite can agree that cybersecurity awareness is important, I’m still hearing and reading far too many examples of organizations that conduct training perhaps once per year and call it a day. In some cases, no training is offered at all.
I’m not suggesting all companies aim for monthly cybersecurity awareness training (though it certainly wouldn’t hurt), but quarterly should be the minimum. If your employees — including the C-suite — are not invested in protecting your network and resources, it probably won’t matter how much you spend on security hardware and software.
Myth 4: Threat Actors Can’t Be Stopped
The mindset behind this logic has changed in the past few years. Instead of surmising that threat actors cannot be thwarted, the myth has morphed into the unfounded theory that ‘no one would be interested in hacking our company.’
When we read about data breaches, most victims named are big companies. It’s easy to be lulled into a false sense of security, thinking that your company is too small to be targeted. The fact is, almost half of the reported data breaches happened at small- and medium-sized businesses (SMBs). According to Verizon’s Data Breach Investigations Report, 43% of all data breaches target SMBs.
The proverbial target on your back is no smaller or less red than a large corporation’s. The home robbery analogy is fitting: in a neighborhood full of houses with no lights on, the house with lights shining is less likely to get robbed.
Myth 5: If We’re Compliant, We’re Done With Cybersecurity Awareness
Here’s a myth that is as relevant today as it was in previous years. I recently had a chat with a virtual chief information security officer about the false assumption that somehow compliance is equivalent to cybersecurity awareness. For some organizations, this line of thinking still exists.
Yes, meeting or exceeding government or industry regulations is a must, he said. But when it comes to your cybersecurity awareness posture, compliance is just a starting point.
Myth 6: We Have BYOD Totally Under Control
Bring-your-own-device (BYOD) policies are more popular than ever, and some may argue that it’s the norm. But even armed with a robust mobile device management solution, the sheer number of potential devices, including IoT, that can appear on your network may become overwhelming. Each insecure device represents another hole in your cybersecurity wall.
To confidently get BYOD under control, look for a capable unified endpoint management solution and ensure employees are aware of the policies, risks and ramifications for bringing their own devices.
If your C-suite believes any or all of these myths, your security awareness program can suffer. Security awareness should be about much more than preventing phishing attacks. On the other hand, if everyone across the enterprise has the right mindset about each topic, the chances of a successful security awareness program skyrocket.
The opinions expressed in this publication are those of the author. They do not purport to reflect the opinions or views of IBM or its members.