10 Common Cybersecurity Myths

Which of these 10 common cybersecurity myths have you fallen prey to in the past?

In our increasingly digital world, cybersecurity has become a crucial concern for individuals and organizations. While most people know the importance of protecting their digital assets, there are still many misconceptions and myths surrounding cybersecurity. These myths can lead to a false sense of security and make individuals and businesses vulnerable to cyberattacks.

In today's blog, our ethical hackers explore 10 of the most common cybersecurity myths and debunk them to help you better understand the realities of staying safe in the digital age. Let's get started:

Myth #1: "My Organization is Too Small to Be Considered a Hacking Target."

Many small and medium-sized businesses (SMBs) erroneously believe they are too small to be targeted by hackers. SMBs often need more resources and expertise to adequately protect themselves, making them an attractive target for cybercriminals.

In fact, according to the National Cyber Security Alliance, 43% of attacks target small businesses... and, in 2023 alone, reports showed that:

• 61% of small-to-medium-sized businesses have been the target of a cyberattack

• Small business employees experience a 350% higher likelihood of being targeted by social engineering attacks vs. employees working at medium-sized or large enterprises

• 87% of SMBs report that they store customer data that an attack could compromise

• Malware is the most common type of cyberattack directed at small businesses

• 27% of SMBs that collect customer credit card information state that they have little to no cybersecurity protection

• Nearly 95% of cybersecurity incidents involving SMBs cost between USD 826 and $653,587 in 2023

• 50% of small organizations said that it took over 24 hours to start to recover from a cyberattack

• Almost 40% of small businesses reported that they lost critical, unretrievable data as the result of a cyberattack

• 51% of small businesses said their website was down for 8 - 24 hours in the wake of an attack

• Only 17% of small businesses globally have cyber insurance, with 48% not purchasing it until after their first cyberattack

• 95% of cybersecurity breaches are attributed to human error

• 64% of small business owners are not familiar with the regulatory standards pertaining to cyber insurance

• The next five years are due to see a 15% increase in cybercrime costs, reaching 10.5 trillion by 2025

• Small organizations (those with fewer than 500 employees) spend an average of nearly $3 million USD per cyber incident

Myth #2: "Antivirus Software Alone Can Protect My Organization From Common Threats."

While antivirus software is valuable in protecting against viruses and other malicious software, more is needed. Antivirus software can detect and remove known threats. However, they cannot handle more sophisticated attacks like phishing scams, social engineering, and zero-day exploits.

By definition, antiviruses are utility software that protects a system or multiple systems/computers from computer viruses, worms, or Trojans. They protect computers by scanning, detecting, removing, or quarantining infected files or malicious programs. Modern antivirus runs in the background to continuously check files and external drives for malicious codes. Many antiviruses have additional features like website blocking, averting hostile code execution, and blocking attachments with malicious signatures.

Companies must adopt a comprehensive security approach, including firewalls, intrusion detection systems, and employee training for well-rounded preventative measures.

Myth #3: "Changing Passwords is Enough to Protect My Account."

While periodic password changes can help project employee accounts, they are not enough to ward off successful breaches. Passwords can be easily compromised through phishing scams, social engineering, and brute-force attacks.

Instead of password expiration policies, the NIST points to a better alternative: enforcing a password list. Also known as a password deny list, banned password list, or password dictionary, such a list contains password values known to be commonly used or compromised. Organizations can use this list to block weak, insecure and vulnerable passwords and their variants from being used by employees and, more importantly, from being hacked by cybercriminals.

The NIST recommends adding all the below to a banned password list:

• Dictionary words

• Repetitive characters (e.g. 999)

• Sequential characters (e.g. 1234 or abcd)

• Context-specific words (e.g. username)

• Passwords from previous breaches

With password lists like Azure AD Password Protection, security teams can create a custom banned password list to block organization-specific weak terms that may lead to a compromise of their networks or systems.

Employers should also strongly consider multi-factor authentication, which provides an additional layer of protection for accounts and motivates employees to employ distinct passwords with a password manager.

Myth #4: "Backups Are Not Necessary; My Organization Can Always Restore From the Cloud."

Cloud backups (also known as online backups or remote backups) are the act of sending a copy of a physical or virtual file or database to a secondary off-site location for preservation in case of equipment failure, site catastrophe, or hack. The backup server and data storage systems are usually hosted by a third-party cloud or SaaS provider that charges the backup customer a recurring fee based on storage space or capacity used, data transmission bandwidth, number of users, number of servers or times data is retrieved.

Although commonly used, cloud backups can be vulnerable to cyberattacks, and restoring data from the cloud takes time and resources. Many cloud providers don't guarantee data safety or utilize a shared responsibility model.

Organizations must understand the shared responsibility model and should implement regular backups, both on-premises and in the cloud, and regularly test their process to ensure that they can quickly and effectively restore their data. 

Myth #5: "Meeting Minimum Cybersecurity Compliance is Enough.:

While compliance ensures you meet the minimum security standards, an individualized strategy is essential to defend your data against advanced security threats. Organizations should look beyond compliance and develop a comprehensive security program that includes regular employee training, access control policies, strong passwords, and risk assessment.

For example, all Packetlabs pentesters must have a minimum of OSCP (a globally recognized and industry-leading ethical hacking certificate offered by Offensive Security) to guarantee that they are qualified to find weaknesses in systems that other professionals may overlook.

Other certifications that we recommend organizations seek in ethical hackers (that our team possesses) also includes, but are not limited to:

• CISSP

• GWAPT

• GXPN

• GMOB

• GSNA

• OSCE

• OSWP

• CISA

In 2023 alone, 40% of Canadian organizations have faced over 250 security-related threats, 73% claim that it takes over a week to recover from a cyberattack, and 62% say gaps in their in-house IT team's security skills reduce their ability to prevent cyber-related incidents. These statistics point to a rising trend where organizations of all sizes (and across all industries) are suffering avoidable financial losses as the result of preventable cyber breaches.

By investing in a quality team, you ensure that:

• Cyber insurance requirements are not just met but surpassed

• Threats are prevented before they occur, saving millions in financial and reputation-related damages

• Quick engagement starts with steady communication is guaranteed

• No outsourcing is being paid for: instead, highly specialized ethical hackers are providing the most thorough pentest for your organization

• There are no false positives found

Myth 6# “Encrypted Data Alone Will Safeguard My Organization From Breaches."

Cryptography often gives a false sense of security. However, as cyberattacks become increasingly sophisticated, it is crucial not wholly to rely on encryption alone. Diversifying key storage, using the zero-trust model, one-way hash functions, and more are also essential.

To prevent cryptography attacks, it is essential to have a strong cryptographic system in place. Some of the ways to achieve this are:

• Regularly update the cryptographic algorithms and protocols to ensure they are not obsolete

• Ensure that the data is appropriately encrypted so that, even if it falls into the wrong hands, it will be unreadable

• Use strong and unique keys for encryption

• Store the keys in a secure location

• Ensure that the cryptographic system is implemented correctly

• Regularly test the system for vulnerabilities

• Educate employees about cryptography attacks and how to prevent them

Myth #7: "Only the IT Team is Responsible for Upholding Security Best Practices."

IT teams are equipped to create the security infrastructure, identify the risk, and minimize the damage. However, cybersecurity isn't the IT team's responsibility alone. The success of cybersecurity processes and policies depends on all stakeholders. Thus, regular security training for employees across all levels becomes even more crucial.

There are several initiatives that an organization can start today to help mitigate their organization’s cyber risk profile:

• Address Internal Cybersecurity Concerns: Monthly internal newsletters or training sessions may be employed to share tips and techniques to help employees protect themselves, and your organization’s data. Two-factor authentication (2FA) is also a core part of many organizations’ defences against phishing involving the theft/reuse of employee passwords. Most importantly, the annual use of a skilled and dedicated penetration testing team, such as Packetlabs, will indicate, in order of priority, your company’s cybersecurity vulnerabilities

• Conduct Periodic Phishing Campaigns: Often, Packetlabs is engaged in the execution of phishing campaigns to evaluate internal user awareness. Such campaigns allow an organization to test and measure their employee’s resistance to phishing, ideally, without their awareness; similar to a fire drill. Our founder, Richard Rogerson, estimates that as many as 1 in 4 employees across most organizations open links, inadvertently access malicious documents, or supply credentials to such campaigns... all of which reinforces the requirements for more thorough trainin

Employee Awareness Training regarding cybersecurity risks has never been more critical. With threat actors easily mimicking key stakeholders, executives, or other employees through easily-findable online information, keeping all stakeholders informed on security best practices is non-negotiable. 

Myth #8: "Only External Sources Pose Security Threats."

Not all cyber threats come from external sources. Security breaches can often happen due to an ignorant user, unnecessary accesses, employees clicking on phishing links, and more. Data suggests that 43% of all violations are insider threats, either intentional or unintentional.

A survey found over 55% of employees – who shared company data against the rules – claimed their employers did not provide them with tools to share sensitive data securely.

Security policies and practices are vital for any organization, but they're essential when it comes to insider threats. Here are some steps that IT security teams can take:

• Build a robust background check process: A robust background check process is crucial to safeguarding business-critical data. Background checks for full-time employees and contractors or vendors can help the company onboard trustworthy people. If an organization lacks the resources and tools to do a background check, it can hire third parties to carry out the verification process

• Making security training a priority during employee onboarding: New employees often lack the requisite skills or training to gel with security best practices seamlessly. Security training during onboarding is critical to help them learn new security protocols and adjust to the new environment. The IT teams must follow the least-privilege principle with new employees while giving them access to resources needed to carry out their duties 

• Ensuring continuous mandatory training for all employees: Security threats have evolved with every advancement in technology. Against this backdrop, any organization that does not invest in its employees' continuous upskilling and training invites trouble. Security training should not be a one-time activity. Security training helps employees understand the importance of their actions. It drives home the point on security threats, reiterates the necessity of maintaining the confidentiality of company data, and warns them of the penal or punitive actions that intentional or unintentional data exfiltration could invite. Organizations can automate security training sessions to manage continuous training across all teams. While most employees scowl at mandatory training, gamifying security sessions can be an excellent motivator for ensuring employees do not treat it as a chekbox

• Establish stringent Bring Your Own Device (BYOD) policies: The percolation of the remote work culture has resulted in people using their devices to get official work done. While a convenient feature, using personal devices is replete with pitfalls. IT departments may not extend the same security standards to personal devices compared to company-issued equipment. Further, using personal devices increases the security touchpoints, which hackers could exploit to breach the organization's perimeter. The chances of employees storing critical information on their systems spike, resulting in increased opportunities for data exfiltration. Companies must create strict standards and rules for BYOD to ensure all employees adhere to the security norms to maintain data sanctity. Ensure outgoing employees hand over data to the company before exiting

Myth 9: "Only Large Cybersecurity Threats Are a Cause For Concern."

While staying informed about the latest threats is important, organizations should recognize older, well-known threats such as malware and unpatched software. These threats can still cause significant harm, especially if they are actioned within a longer lifecycle.

When it comes to how long the average cyberattack lasts in 2023, the average across North America is an estimated 24 days. However, this is highly dependent on an organization's cybersecurity efforts. Other critical statistics surrounding the length of cyberattacks in 2023 include, but aren't limited to:

• On average, companies take about 197 days to identify and 69 days to contain a breach according to IBM

• Ahead of the year's close, there have already been 5 billion cyberattacks in 2023 around the globe

• The average cost of a cyberattack has risen by 15% over the past three years, now sitting at a staggering USD $4.45 million

Ensuring that an organization's cybersecurity is up to regulatory standards can help diminish both the risk of an attack and the financial and reputational losses that may be faced in the wake of a successful one.

Myth #10: "Penetration Testing is Inherently Outside of Our Budget."

While implementing a comprehensive cybersecurity strategy can be costly, the cost of a cyberattack is even higher: On average, the cost of a data breach in 2022 is $4.35M. Not only will a successful attack cause a financial loss, but it can also result in the loss of sensitive information and harm the company's reputation.

The average cost of a penetration test in Canada in 2023 generally ranges from $5,000 to over $150,000; various factors such as the scope of the given project, the size of the company and IT, and pentester experience all play a role. suggest cybercrime will cost companies an estimated $10.5 trillion annually by 2025. As such, cybersecurity needs to be viewed as more of an investment rather than a cost.

When it comes to determining the average cost of a penetration test, the scope and complexity of any given project must also be factored in.

For example, projects with larger scope or higher complexity generally require more time and resources to assess, resulting in increased costs. This could include:

• The presence of custom codes

• Legacy systems

• Unique integrations within the organization's networks

• Multiple types of penetration testing being performed in a bundle

• Ongoing consultation or remediation efforts

Conclusion

Cybersecurity continues to be one of the top challenges today. The current economic and geopolitical landscape, hybrid work model, and technological advances further escalate cybersecurity threats as cybercriminals use increasingly sophisticated ways to breach data. The best defence against these threats is knowledge and having an actionable security plan in place.

Get your free, zero-obligation quote today (or download our Buyer's Guide to get started.)