Like other criminals, hackers take advantage of people’s misconceptions regarding their risk of being victimized. Here are six common cyber security myths that could be putting your enterprise at risk.

Security Myth #1: Compliance Equals Cyber Security

Compliance with regulatory and industry standards such as HIPAA and PCI DSS can be complex, time-consuming, and costly, especially if companies must comply with multiple standards. Many organizations focus nearly exclusively on compliance, thinking that if they are compliant, they have done enough to protect against cyber attacks. But compliance standards outline only a minimum set of baseline procedures and protocols that provide a starting point for enterprise data security. They are not a substitute for comprehensive, proactive cyber security and integrated risk management.

Security Myth #2: Hackers Don’t Target Small Companies

Sometimes, small enterprises will skimp on cyber security, thinking that hackers are interested only in breaching very large companies. This myth is easily debunked: Nearly 60% of data breach victims are small businesses. There are several reasons for this, including:

* Hackers know that many small businesses don’t have robust cyber security and view them as easy targets.
* Many small businesses provide B2B services to large organizations, and hackers specifically target these third-party vendors to steal data belonging to their much larger business partners.
* Orchestrating a cyber attack no longer requires a great deal of skill or money. Inexpensive, easy-to-use malware-as-a-service and cybercrime-as-a-service offerings are a booming business. For example, DDoS attacks can be purchased for as little as $10.00. This low entry barrier means that cyber criminals don’t have to go after high-value targets to turn a profit.

Security Myth #3: “HTTPS” Means That a Website Is Legitimate

The HTTPS URL prefix, which browsers mark with a padlock icon (green in some older browsers), means only that the site owner has obtained a TLS certificate (still commonly called an SSL certificate) for that domain name and that data in transit between your browser and the site is encrypted. The certificate proves that the server controls the domain name shown in the address bar; a domain-validated certificate says nothing about who owns that domain, and anyone can buy one or obtain one for free. Just because a site has a valid certificate does not mean it is a legitimate website, or even that it's secure. Unfortunately, many people don't realize this (the padlock doesn't help), and hackers are capitalizing on the confusion: Half of all phishing sites now sport SSL certificates, up from only 25% just a year ago.

A certificate is also not a guarantee of cyber security. HTTPS protects data in transit from eavesdropping and tampering, but it does nothing about the site itself: an HTTPS site can still run outdated software, serve malware, or be vulnerable to injection and cross-site scripting, and the TLS configuration can itself be weak or outdated. Additionally, just like there's a lot more to securing an enterprise than achieving compliance, there's a lot more to securing a website than getting a certificate.
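To make the point concrete, here is an added example (not code from the original article) of the name check a browser performs when it validates a certificate. A certificate lists the DNS names it covers in its Subject Alternative Name entries; validation asks only "is the name I typed in the URL one of those?", following the usual browser rules (exact match, or a single `*` standing in for exactly the leftmost label). The certificate names and hostnames below are constructed for illustration and are not real certificates; `examplebank.com` and `examplebank-secure-login.com` are hypothetical.

```python
"""Added example: what HTTPS certificate validation actually checks.

The matcher implements the common browser rules for DNS names in a
certificate's Subject Alternative Name (SAN) list.  Everything here is
constructed for illustration; no real certificate is parsed or fetched.
"""
from typing import Dict, List


def hostname_matches(hostname: str, san_names: List[str]) -> bool:
    """Return True if `hostname` is covered by one of the certificate's DNS SANs."""
    host = hostname.rstrip(".").lower()
    for name in san_names:
        pattern = name.rstrip(".").lower()
        if "*" not in pattern:
            if host == pattern:
                return True
            continue
        labels = pattern.split(".")
        # Wildcard rules: '*' must be the entire leftmost label, there must be
        # at least two more labels (so '*.com' is rejected), and no other
        # label may contain a wildcard.
        if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
            continue
        host_labels = host.split(".")
        # A wildcard matches exactly one label: '*.examplebank.com' covers
        # 'www.examplebank.com' but not 'a.b.examplebank.com' or 'examplebank.com'.
        if len(host_labels) == len(labels) and host_labels[1:] == labels[1:]:
            return True
    return False


# Constructed SAN lists: the bank's real certificate, and a domain-validated
# certificate a phishing site could obtain for free for its own look-alike name.
REAL_BANK_SANS = ["examplebank.com", "*.examplebank.com"]
PHISHING_SANS = ["examplebank-secure-login.com"]


def padlock_outcomes() -> Dict[str, bool]:
    """Which (hostname, certificate) pairs pass the name check.

    Both the real site and the phishing site get a padlock for their own
    name; the check binds a name to a key and says nothing about legitimacy.
    """
    return {
        "real site, real cert": hostname_matches("www.examplebank.com", REAL_BANK_SANS),
        "phishing site, its own cert": hostname_matches(
            "examplebank-secure-login.com", PHISHING_SANS
        ),
        # What the check does catch: a certificate that does not name the host.
        "phishing site, bank's cert": hostname_matches(
            "examplebank-secure-login.com", REAL_BANK_SANS
        ),
    }


if __name__ == "__main__":
    for case, ok in padlock_outcomes().items():
        print(f"{case:32s} padlock shown: {ok}")
```

The only failing case is a certificate that does not name the host at all; a phishing domain with its own freely issued certificate passes exactly as the real site does, which is why the padlock cannot be read as a legitimacy signal.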

Security Myth #4: Not All Employees Need Cyber Security Training

The average employee’s knowledge of basic cyber hygiene is severely lacking. Over 60% of working adults don’t know what ransomware is, and over half of workers whose employers provide them with IoT devices allow friends and family to use them.

Some organizations think that only certain employees need to be trained on cyber hygiene, such as IT employees or privileged users. The reality is that hackers frequently target lower-level employees, usually through social engineering schemes such as phishing, to get a beachhead in the network, then move laterally and escalate privileges until they reach the accounts they want. Any employee who accesses a computer or an IoT device at work needs to be trained on basic cyber hygiene. In today's digital world, that's nearly everyone; even retail and food-service cashiers use POS systems.

Security Myth #5: Strong Passwords Provide Adequate Security Against Credential Theft

A major topic at Microsoft's 2018 Ignite conference was getting rid of passwords; the company used the occasion to announce passwordless sign-in for Azure AD-connected apps. Passwords, even strong ones, are no longer enough to ensure enterprise cyber security: a strong password can still be phished, reused on a site that is later breached, or captured by malware. One-quarter of employees admit to using the same password for all their accounts, at home and at work, and stolen account credentials are one of hackers' preferred ways to break into enterprise systems. Enterprises need to require multi-factor authentication (MFA) wherever possible, so that a password on its own is not enough to log in.
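As an added illustration of what a second factor adds (example code written for this page, not the article's own or Microsoft's), here is a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation of the kind of one-time code an authenticator app produces, wired into a login check. The code is derived from a shared secret that is never typed alongside the password, so a reused or phished password does not pass on its own. Only the standard library is used; the user record, salt, password and the shared secret (the RFC test-vector secret) are constructed for the demo and are not real.

```python
"""Added example: a password check plus a TOTP second factor.

HOTP/TOTP follow RFC 4226 / RFC 6238.  The demo user, salt and secret are
constructed for illustration only.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, timestamp // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, timestamp: int, step: int = 30,
                digits: int = 6, window: int = 1, algorithm: str = "sha1") -> bool:
    """Accept the code for the current step or +/- `window` steps (clock drift).

    Comparison is constant-time; a code from a step outside the window is
    rejected, which is what limits replay of an intercepted code.
    """
    if len(code) != digits or not code.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * step, step, digits, algorithm)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed demo user: PBKDF2 password hash plus the TOTP secret an
# authenticator app would have been enrolled with.  Fixed salt for the demo.
_SALT = b"demo-salt-not-random"
_ITERATIONS = 100_000
DEMO_USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",
                                   _SALT, _ITERATIONS),
    "totp_secret": b"12345678901234567890",  # RFC 4226/6238 test-vector secret
}


def authenticate(user: dict, password: str, code: str, now: int) -> bool:
    """Both factors must pass; a stolen password without the code is rejected."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, now)
    # Evaluate both before returning so a failed password does not short-circuit
    # into a measurably faster response.
    return password_ok and code_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the 6-digit code for this step is 287082
    print("legitimate login:", authenticate(DEMO_USER, "correct horse battery staple", "287082", now))
    print("stolen password only:", authenticate(DEMO_USER, "correct horse battery staple", "000000", now))
```

The `window` parameter is the usual compromise between tolerating clock drift and limiting how long an intercepted code stays usable; a production verifier would also record the last accepted step per user so the same code cannot be replayed inside the window.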

Security Myth #6: Air-Gapped Systems Don’t Need Additional Cyber Security

Air gapping, also known as "security by isolation," is common in manufacturing facilities, other industrial environments, utilities, and critical infrastructure, and some compliance frameworks require operational technology (OT) systems to be air-gapped. However, an air gap alone does not sufficiently secure a system: it is only as strong as the controls on removable media, maintenance laptops, and the other bridges that inevitably cross it. The infamous Stuxnet worm, which reached its isolated targets on infected USB drives, is only one example of an air-gapped system being breached.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.