Nearly every day we learn of another business hit with a cyberattack, whether it is a point-of-sale compromise or a general data breach. No matter what types of attacks continue to surface, many employees are stuck in old mindsets about why attacks happen and who is most vulnerable. To strengthen the security posture of your workforce, you must first educate your employees to tell the facts from old myths that have proven to be false.
1. Small to mid-sized businesses are not targeted.
Many companies think they are safe because they do not have enough valuable data to steal, or they assume that hackers focus on giants like Schnucks or Facebook. According to the 2018 Verizon data breach report, 58% of data breach victims are small businesses. Attackers often look for the easiest way in, and they expect small to mid-sized enterprises to be easier targets. Furthermore, did you know that hackers set up automated attacks against random businesses?
2. Cybersecurity threats come from the outside.
Insider threats are just as common and are often more challenging to detect. Disgruntled employees may come to mind first, but what about your well-intentioned employee who has not been provided security awareness training? Before I worked in the tech industry, I would never have thought twice about holding open a secured door for someone with their hands full. I would have made several insecure decisions because of my friendly nature, as do many well-meaning employees.
3. Cybersecurity is IT's problem.
Everywhere I've previously worked, I was always under the impression that it's up to the tech team to make sure the rest of the employees are secure online. Again, without anyone providing me with the appropriate training, I simply did not know better. According to the 2019 Verizon report, 49% of malware is installed over email. If hackers are looking for the easiest target, then it makes sense that they will send phishing emails and use social engineering tactics on employees outside of the tech team. Every single employee plays an important role in protecting their company from cyberattacks.
4. Anti-virus and anti-malware keep your company safe.
If you still believe a decent firewall is all your company needs, then it's no surprise that you might still think that cybersecurity is IT's problem. If you still believe that software alone can protect your company, then watch this video to see how an ethical hacker gains complete control of a company in about 2 minutes.
5. You'll know if your computer becomes affected.
If this were true, then why does it take so long for many breaches to be discovered? Attacks are much more sophisticated and take longer to discover and remediate. The Marriott breach went on for 4 years before detection and resulted in the theft of 500 million guests' data.
6. You don't need assessments and tests.
When's the last time you created a document that required zero edits? The same rule applies to your cybersecurity approach. Hire an outside professional to test your company for vulnerabilities and to provide plans for remediation before a real attack takes place. You wouldn't leave your front door unlocked, would you? Don't leave your company open to attacks by failing to search for vulnerabilities.
7. If Wi-Fi has a password, it is safe.
Actually, did you know that the primary function of Wi-Fi passwords is to limit the number of users per network? All public Wi-Fi could be compromised, and employees should be educated to use virtual private networks when working remotely or traveling. Never use public Wi-Fi if sensitive information is involved. This is especially important with the increase in remote work among employees.
8. Strong passwords are enough to protect against data breaches.
How many times have you read, after an attack, that the company involved will now start using multi-factor authentication as an added security measure? Strong passwords are important, but a multi-layered approach to security is necessary. Consider whether one of your employees could fall victim to a social engineering scam, and how multi-factor authentication could be the extra barrier that protects your data if someone is able to guess a password or the answers to someone's security questions. Multiple security layers make it more challenging for a malicious actor to get in.
9. Specific types of industries are vulnerable to attacks.
Any company that handles sensitive information ranging from credit card numbers to customer addresses is vulnerable. Remember, attackers are looking for the weakest link. Do not make the mistake of assuming that attackers are mostly focused on financial institutions. Most industries handle sensitive and private information and are at risk.
10. Cybersecurity can be 100% complete.
Your job will never be complete because for every measure you take, attackers are constantly advancing their craft. There will always be new vulnerabilities that arise. Consider the security awareness training of your employees alone. Think about the employees coming and going at your business. Consider the vendors and partners you work with. Your company must work hard to stay a few steps ahead of the attackers.
These are the common myths. Now that you know the real facts, take action to improve your state of security. Get everyone involved in protecting your company by educating every single employee about security.
Written by Michelle Stamps
Michelle has over 10 years of experience in marketing and business development across various industries, including government and non-profit. Her background in writing, facilitating presentations and event planning allows her to use her creative skill set, and her relationship-building skills strengthen her ability to understand the role of the human element in cybersecurity and to support positive behavior change. Whether she is out in the community, blogging or developing the next social post for TechGuard, she believes in telling the company’s story and uses relatable, real-life examples to connect with our clients. If you know Michelle outside of work, you would know that she loves sunny days and tropical places.