Fact Checking Cyber Security’s 7 Scariest Urban Legends

The weeks leading up to Halloween have always been perfect for retelling urban legends and other scary tales. Since October is also National Cyber Security Awareness Month, these stories don’t only have to focus on creeping monsters and vengeful spirits. Instead, they can be about truly terrifying things, like the hacker who, it turns out, was actually hiding in the company’s data center the whole time! Frightening as that might be, our cyber security team thinks they can do even better. Keep reading for their list of the seven scariest cyber security urban legends – if you dare!

Cyber security’s seven scariest urban legends

While scary, just like tales of, say, alligators in New York City’s sewers, our team suspects these stories are more myth than reality.

Urban Legend #1: Our borders are safe so we’re good. Every organization needs strong protection for the network edge – but defensive efforts can’t stop there. If they do, and a hazardous file does breach the perimeter, it will be able to crisscross the network freely. Internal defense strategies such as network segmentation provide a necessary backup to edge defenses. These solutions limit what malicious actors can get their hands on even if they find a way in.

Urban Legend #2: We took care of user training already. End users at every level of the company are a huge potential vulnerability. As such, end user training is never truly “taken care of.” Rather, it’s an ongoing process. Regular security training is the only way to keep users up to speed with today’s top threats.

Urban Legend #3: Security really is more of an IT problem. To quote Tom Clerici, Arraya’s Cyber Security Practice Director, “The first thing most employees do when they get to the office is log in to a computer. In essence, EVERYONE is a part of the IT department.” Cyber security is a company-wide responsibility.  Further, the fallout from poor security practices no longer hits IT and IT alone. Example: Following his company’s catastrophic 2017 data breach, former Equifax CEO Richard Smith was called in to testify before Congress and eventually resigned his position.

Urban Legend #4: We’re compliant so we’re also secure. It’s absolutely important to pass security audits and to follow laws and regulations. However, doing so doesn’t necessarily equal security. In many leaders’ minds the concepts of security and compliance are one and the same. The thing is, sometimes compliance comes from something as insignificant as a signed document saying employees understand a concept or performed some action. However, there’s little in the way of practical security in that document and so it should not replace hands-on, regular training exercises.

Urban Legend #5: Updates are too expensive. Modernizing out of date technology can be costly – but so too can pushing ahead with it. Aging solutions can be more vulnerable to ransomware. One study pegged the average cost of a ransomware attack at $5 million. Of that figure, $1.25 million stems from system downtime while $1.5 million comes from lost productivity. Then, there’s the colossal fines associated with failure to comply with GDPR – 4% of annual global turnover or $20M, whichever is higher. So, while it’s true good security can be costly, the cost of poor security can be even higher.

Urban Legend #6: Ransomware is our biggest threat. Based on the volume of headlines it earns, it’s easy to overestimate the threat ransomware poses to organizations. While it is undoubtedly a major concern, the rate of ransomware infection began to decline around the midpoint of 2017. Other threat vectors, things like crypto-mining, have stepped up to take its place. The key is to not get too wrapped up in one style of attack. Cyber criminals have plenty of weapons in their arsenal and so organizational defenses must be just as multifaceted.

Urban Legend #7: If we were under attack, we’d know about it. In truth, attackers can linger on a company’s network undetected for months. One study lists the average length of time it takes organizations to identify a breach at 191 days. By the time a red flag is raised, attackers may have already had half a year or more to help themselves to countless volumes of sensitive data. Organizations yet to invest in a Security Incident and Event Management solution should consider doing so to gain real time insights into the health and safety of their network.

Next steps: Building a ready-for-anything security program

Had enough cyber security urban legends? Don’t worry, security doesn’t have to be scary. Instead, join Arraya and our Security team on 11/6 at Dogfish Head Brewing Company in Milton, DE for an event we’re calling Breaches and Brews. During this event, our team will cover the tools and tactics needed to defuse today’s top cyber threats. This event is free, but registration is required. Reserve your spot now by visiting: https://www.arrayasolutions.com//event/breaches-brews-2/.

Finally, you can leave us a comment on this or any of our blogs via social media – LinkedIn, Twitter, and Facebook. Then, after you’ve shared your thoughts, follow us to stay updated on our industry insights and learning opportunities.