Cyber Security Today: Separating Myth from Fact
The cyber security landscape is rapidly changing, with evolving threats appearing in new and unexpected ways and leaving many business leaders scrambling to fix the damage. Much of the press focuses on data breaches in large corporations, like Target’s massive attack in 2013 affecting 70 million customers, but companies of all sizes suffer breaches—often catastrophically. Even when smaller companies are not the target of attacks, they frequently become the victims, with 60% of them closing within six months of a breach. Unknown, sophisticated threats and gaps in security protocols leave businesses of all sizes vulnerable. Luckily, a solid understanding of the myths and facts surrounding cyber security can help companies take steps to mitigate risks. The following are some of the most common cyber security myths:
Myth: Cyberattacks target specific businesses and entry points with pinpoint accuracy.
Fact: Cyberattacks and threats take many forms and are generally much more broad and wide-reaching than most businesses believe. In fact, all IT users are under a near constant barrage of general attacks that typically go unnoticed. This is of particular interest to small businesses, who often think they aren’t worth an attacker’s time; in reality, 43% of cyberattacks are against small businesses with less than 250 employees. The Target cyberattack was traced to a breach with Fazio Mechanical Services, a company that provided refrigeration services to the big box giant. Attackers stole Fazio credentials and were able to access Target point-of-sale systems, resulting in massive data loss that impacted over 70 million customers and ultimately cost Target millions of dollars.
Myth: Firewalls and virus protection software protect companies from attacks.
Fact: While basic systems such as firewalls and virus protection are a good first line of defense, they can be easily exploited by most attackers. They provide some security for your network, but they are only reactive, not proactive. Most firewalls and virus protections are only updated after an attack has occurred somewhere. Someone must be successfully breached before the threat is known, and that someone does not have to be a large corporation.
Myth: Boundary protections are enough to prevent major breaches.
Fact: Perimeter firewalls between internal and external networks are rarely robust enough to prevent all attacks. Many threats originate inside an organization, often by employee duplicitousness or simple misguided choices. A Midwestern company recently discovered this when an employee opened an innocuous-looking email. The Denver Post reported that the company’s system was infected with Cryptowall malware with one click, exposing “accounting software and customer account files, including credit card numbers, social security numbers, customer names and addresses among other information.” Since the accounting software and customer files were on the company’s network drive, the malware was able to encrypt 15,000 accounting and customer files.
The company had no choice but to pay the $50,000 ransom demand. Incidents like this prove that good cyber defense systems must include more than firewalls. Sabre On Point stresses the importance of the 3 Ps of cyber security: training People, implementing good cyber hygiene Processes, and in-depth IT Protection.
Myth: Computers are the main entry point for attackers.
Fact: Hackers attempt breaches through the most innocuous of connected objects, like wireless thermostats, printers, security camera systems, cell phones, and tablets. The Internet of Things has greatly increased vulnerabilities; the more items connected to a system, the greater the risk. In our work with the U.S. Department of Defense, Sabre On Point learned that an F-18 Hornet can be cyber attacked while flying 600 knots through the air. Imagine how much simpler it would be to breach an app-controlled light switch.
Myth: Businesses know immediately when they are under attack.
Fact: A good attacker doesn’t have to directly compromise an IT network. They can attack remotely and be able to monitor keystrokes, steal passwords or mirror a computer screen and see every activity on it. These attacks are not detectable by standard firewalls and virus protections since no actual malware is placed on a computer. Many businesses do not realize they have been compromised for months and during that time they can lose critical data, resources, and intellectual property. Intrusion detection and prevention systems coupled with other in-depth IT defense systems significantly reduce the risk of a catastrophic breach.
Most importantly, businesses should understand that an IT department is not a cyber security department. As the commercial division of Sabre Systems, Sabre On Point applies over three decades of government cyber security to private sector threats and vulnerabilities. Our custom, comprehensive solutions keep businesses secure before, during and after cyberattacks. For more information on protecting your company, including our tiers of assessments and support, contact Sabre On Point today.