Common Cyber-Security Misconceptions
Written by Chris Thornton, 17 March 2016
Misconceptions about cyber-security can lead to disaster: make sure your small to medium business doesn't underestimate the threats it faces...
When we read about sophisticated hacking attacks on big business targets (like TalkTalk and Sony Pictures) it's easy to be lulled into a false sense of security. These high profile cyber-attacks generate sensational headlines and seem a million miles from the concerns of small business - after all, why would hackers want to target us?
The reality however, is that malicious cyber-threats are affecting SMEs with increasing frequency - a trend which may be traced to incorrect assumptions, by business owners and managers, that smaller organisations are somehow 'safer' than larger ones. To help you focus your organisation's defence, we're examining some of the greatest misconceptions which affect small businesses' cyber-security strategies...
Smaller business = 'Low value target'
While enterprise organisations have vast amounts of data to protect, that data isn't necessarily more valuable than that held within a small business' servers. The value of data is no longer a fixed quantity: information can be used by cyber-criminals in a variety of incredibly enterprising ways - from extrapolating bank details, to perpetrating further phishing attacks.
Don't assume you're not a target: if you think the information within your servers is too 'small' to interest cyber-criminals, think again. And, regardless of the 'value' of your secure data, consider this: the reputational loss associated with a breach can end up being just as devastating to your business.
If your IT deployment incorporates cloud services, you may assume it is the responsibility of your provider to handle cyber-security. In principle, this makes sense: cloud service providers do offer levels of protection for data stored on their servers, but not always in a comprehensive way - and even then, that protection is only effective when integrated correctly with your business' network.
As an owner or manager, it is your responsibility to ensure your cloud platform is configured for your security needs. While security strategies may vary across public and private cloud services, your provider can only ensure the infrastructure is functioning correctly. Hybrid cloud platforms will also complicate matters - ensure every part of your cloud set-up is configured to eliminate weak points.
We constantly stress the importance of keeping software patched and updated to ensure hackers cannot take advantage of obvious vulnerabilities. This is standard best practice, but it isn't a catch-all: a significant proportion of cyber-attacks target software which is already patched and up-to-date, exploiting it in novel ways and with non-conventional approaches, such as phishing an employee's login details.
Remember, updates are not, in and of themselves, a cyber-security solution: your business still needs employees to observe security best-practice and be aware of current threats. Updates also do not address 'zero day vulnerabilities': security 'blind-spots' that developers have missed, or that emerge with the latest update itself.
Firewalls and antivirus
Although essential to cyber-security, antivirus software and firewalls represent the bare minimum components of your defensive strategy. Hackers are constantly introducing innovative ways to exploit the base-vulnerabilities of firewalls and escape the detection of antivirus (via phishing attacks, Trojans, ransomware and other data-harvesting techniques). Complicating matters further, firewalls and antivirus may sometimes flag benign entities as threats and vice-versa - with the resulting confusion snarling up your IT resources.
Treat your company's firewall and antivirus as a defensive foundation, and build more specific layers upon it - ideally, with the capacity to analyse incoming data and filter out threats efficiently.
More security = Better security
Companies which pile cyber-defence upon cyber-defence may believe their network is better protected against malicious threats... but these defences can only be effective if they address a known weakness. Beyond your own network's internal vulnerabilities, many new and unpredictable risks come from unexpected angles, not least via third-party devices - in other words: your employees own devices.
Your cyber-security strategy should be able to handle a spectrum of threats - including those introduced by a BYOD policy. Ensure your network is configured to not only protect itself from malicious threats, but from threats which may sneak in under the radar on an employee's mobile phone, tablet or laptop.
Conclusion: The Importance of Evolution
Understand that your security strategy is never 'finished', nor is there a 'magic bullet' solution - other than learning to evolve with the threat landscape. If you want to keep your company and your employees safe, you'll need to remain constantly vigilant, building on or replacing defensive components, updating software, and always scanning the horizon for emerging threats.
Are you underestimating cyber-security threats? Is your defensive strategy ready for anything? Contact us for security advice...
Understanding Cyber-Security: Shackleton's Thoughts
Cyber-security is more important than ever to small businesses. To help you build your defensive strategy, we look back on our recent cyber-security discussions.
Cyber Security Disasters: 5 Companies That Weren't Prepared
How do businesses become the victims of a cyber-attack? We explore high profile examples of what happens when businesses fail to prepare for an attack...