Cybersecurity is simultaneously the fastest-growing sector of technology and possibly the least understood by those it concerns. As with most things in life related to security, ignorance can have major consequences.
There have long been many myths and misunderstandings around cybersecurity. While attackers continue to get more sophisticated, their low-hanging fruit still lies in exploiting would-be victims' lack of understanding.
In this article, we want to bust some of the most prevalent and damaging myths that are alive and well in 2022.
As an IT provider that works with SMBs, we hear this all the time.
In reality, this is no different to saying "I'm not a bank, my house would never be robbed". It's just patently untrue.
Just like in traditional crime, cybercrime occurs at all levels. Generally, we only hear about major brand attacks in the news (such as Optus in 2022). The vast majority of cyber attacks, however, are made on small to medium entities.
Cybercrime is multifaceted. Whilst it's true that your business wouldn't be on the radar of a sophisticated state-backed attacker, it is also true that there is no shortage of lower-level hacking groups for which your business is a prime target.
These make up the majority of hacking groups: those that are not politically motivated, but rather solely driven by the business opportunity. To these attackers, SMBs provide vastly more opportunity in both number of targets and ease of breach.
The business case is simple:
Large Market + Low Cost Market Penetration = High Margins.
According to a 2022 report by CrowdStrike, 62% of attacks in the last year have not involved malware. This means that in most cases, traditional protections are being rendered useless. After all, you can't catch a virus if there is no virus to catch.
Furthermore, a 2022 report from Mimecast suggested that some 98% of companies attacked had Anti-Virus & SPAM protection in place. This suggests that software alone provides little protection against modern threats.
This is not to say that security software is no longer required. It absolutely is. It means, however, that software no longer protects your business by simply being installed and up to date. Rather, these systems need to be carefully calibrated, regularly reviewed, and adjusted as the threat landscape evolves.
Effective security is multi-layered. Much in the way bulletproof glass is made of multiple layers, an effective cybersecurity strategy requires layers of protection. These layers include policies, access controls, protection, detection, and remediation. How these layers interact with one another is also crucial.
All elements of a cybersecurity defence need to complement one another. They also need to be capable of stopping a variety of different threats.
Effective cybersecurity needs to be underpinned with strategy. You need a balanced approach that not only covers a broad spectrum of possible threats, but also provides the appropriate layers of redundancy.
It is easy to over-invest in singular elements; you should obtain expert advice on how best to allocate whatever resources you feel are appropriate for your situation.
As mentioned in Myth #1, cybercrime occurs at all levels. Big company breaches commonly come from advanced attacking organisations, often state-backed.
These attacks can be politically motivated and represent the 'enterprise tier' of cybercrime. These are big organisations going after even bigger targets.
The majority of attacks, however, occur in the lower end of the 'market'. These attackers target far more common vulnerabilities and exploits. These common vulnerabilities exist in the large majority of SMBs.
The main takeaway here is that, as a smaller business, you don't need to protect yourself from all cyber criminals. Rather, you need only protect yourself from those targeting you. Those targeting small business are largely trying to maximise profitability through a strategy of quantity over quality.
What does this mean? It means that quite a lot can be done. Adopting frameworks such as the ACSC Essential 8 vastly reduces your chances of a breach. Coupled with regular reviews, testing and advisory, your business can easily put itself in the upper percentile and out of the crosshairs of would-be attackers.
After all, these organisations are about making money from low-hanging fruit. They don't want to waste time and resources on businesses with a mature security model.
There is a profound difference between feeling secure (myth) and being secure (see: Is your business really secure?).
Cybersecurity myths like the ones above can lull businesses into a false sense of security, leaving them vulnerable to attacks.
The threats to your business are real. Successful breaches are beginning to have far more damaging effects than data loss or partial downtime. Could you sustain losing 30-40% of your customer base?
Cybersecurity doesn't have to be scary or expensive. The key is to be aware, informed and make appropriate investments to ensure that your business is adequately protected.
If you would like to know where your business stands, please give us a call or book a time directly here: https://calendly.com/ray-sweeney. We'll be happy to share our insights on how you can secure your business.