15 Cyber Security Myths Business Owners Should Leave Behind
Cyber security is a topic that is often taken for granted by small- and medium-sized businesses in New Zealand. It’s one of those things that is often put in the back burner along with other “important but not urgent” projects.
Other business owners seem to shrug this off as a low priority in their never-ending issues to tackle. After all, there are a lot of areas where your time will be of better use.
Who has time to deal with cyber security, right?
Marketing, sales, operations, supply chain, and pitching to investors — all these are areas where you can make a significant impact. Ever hear yourself saying, “we’re just a small business, no one would hack us”? While all these might be true, most of these are based on some unfounded belief about cyber security.
Let’s take a look at these 15 cyber security myths that you should leave behind this year.
15 Cybersecurity Myths Business Owners Should Leave Behind
1. SMBs aren’t targeted by hackers
According to a study by the Ponemon Institute, about 70% small and medium businesses have been targeted a cyber attack. So, while you may think that you won’t be targeted by an attack, consider this. The National Cyber Security Centre defines two types of cyberattacks: direct and indirect threats.
- Direct threats have a specific and deliberate target that they are tailored to exploit. For example, a hacker would specifically target a bank in NZ to extract credit card information, etc.
- Indirect threats are indiscriminate and delivered widely. Some call this the “spray and pray” method where automated scripts/software scan the internet to look for vulnerabilities to exploit. The most common in this group are email phishing where the hacker will pretend to be someone or from a well-known brand, then asks you to send them money or log in a site (where they now “know” your username/password).
2. Only certain industries are vulnerable to cyber attacks
Business owners think that since they do not have an Ecommerce website or not in the tech or finance industry, they won’t be a target. But as mentioned above, most cyber attacks aren’t targeted.
If you use the internet, you’re at risk.
Don’t think that what gets shared on the media is an equal representation of what’s really happening out there. Don’t think that the high profile hacks/data breaches you see/hear in the news are all that’s happening.
According to the 2018 Verizon Data Breach Investigations Report, 58% of data breach victims are small businesses.
3. Antivirus / anti-malware software is enough / software will protect your server
While antivirus/anti-malware software can protect you from most attacks, it’s not perfect. No software is perfect.
These antivirus software rely on a database to check for viruses, malware, adware, etc. on your devices. So, if a new kind of malicious program isn’t in the database, your software won’t probably notice it.
In addition, if one of your employees downloads and installs — whether that’s accidentally or not — some malware into your system, your antivirus software won’t be of use. These antivirus and anti-malware software are only the first line of defence of your organization from cyber threats.
4. Cyber security threats come from the outside
Cybersecurity threats don’t always come from the outside. In fact, it’s even harder to track those coming from your own organization.
According to a study, around 75% of security breaches come from internal your organization.
Disgruntled employees, former employees, etc. can have reasons to get back at your organization. There are even some cases where happy employees become the cause of a data breach.
See myth #7.
This is why an IT policy and proper cyber security training is important to ensure that passwords are changed when an employee leaves, their access are removed, etc.
5. Cyber security is IT’s problem/responsibility
Most NZ business owners aren’t IT or technical in nature. So, you shouldn’t worry about cyber security and protecting your data, right?
You probably already know the answer here.
In fact, one of the predictions made by LogRhythm for 2019 is that the CEO will be held accountable to cyber breaches this year, instead of the CIO or CISO.
In small businesses, the CEO/President is usually you, the owner. Cyber security is everyone’s responsibility.
While IT may decide on what hardware/software to use to protect your data, ultimately, it falls on everybody’s shoulders. No amount of hardware/software will protect you if your employees themselves continue clicking links from people they don’t know or installing software they just downloaded from the internet.
6. Our wi-fi has a strong password, so it’s secure
Wi-fi passwords only limit the number of people/devices who can use your internet. But once they get in, it still has the same risks as someone who uses the internet.
7. I don’t need to “secure” my personal devices at work
Today, because there’s a blur between our personal and work lives, we send/receive and do work-related stuff on our personal devices. Without a proper IT Policy or a Bring Your Own Device (BYOD) policy, your employees might assume their personal devices are not subject to any of the cyber security restrictions you might (or might not) have.
But this is one of the ways hackers actually get in the business.
Most people don’t think about their personal devices since they wrongly think that the won’t be targeted. What happens is that your employees bring in an infected device and uses it at work — whether that’s their own mobile phones or USB devices. Then, once they connect it to their computers, the malware spreads. Business and other consumer data can be obtained by the hacker.
8. Complete cyber security can be achieved
With hackers getting more sophisticated, the question you should be asking yourself is not whether you will be attacked or not; rather, you should be thinking about when and what will you do after you get attacked.
What if your website goes down? Do you have a plan to get it back up and running in a few hours, rather than days?
Imagine Amazon’s website crashing. No one can buy, no one can sell. According to Time, Jeff Bezos earns ~$11.5 million an hour. So, if Amazon gets attacked and they don’t have a plan to get it up and running in place, they’d be losing a huge amount of money.
9. Cyber crime is mostly about credit card fraud (or money)
Cyber security threats aren’t just about money.
Any “data” can be compromised, and therefore, affect the way you run your business. For example, you’re in manufacturing and you also sell directly to the consumer. Imagine your server being compromised and couldn’t access it. Even if you can produce your products, you won’t be able to deliver them to your customers because the data is inaccessible.
10. “Cyber risk” is a separate category of risk
Treating cyber risk as a separate category of risk puts your business at risk.
Treat it exactly as what it is — risk.
If you’re in the food industry, there are lots of risks of food-borne illnesses. That’s why there are controls and standards to avoid these kinds of risks. If you’re using heavy equipment, there are risks of getting injured or cutting your limbs.
That’s why there are safety standards developed for these activities so you can avoid losing your limbs (or your life). In today’s world, technology permeates every aspect of our lives. This is why you should treat cybersecurity the same way you treat other risks, and develop a plan of action to safeguard your organization.
11. Protecting yourself is good enough
Businesses rely on other businesses to operate. This means no matter how secure or safe your systems and protocols are, but your vendor isn’t following some sort of standard, you might get hacked as well.
For example, the Facebook-Cambridge Analytica data scandal that blew up last year wasn’t necessarily Facebook’s doing. While it can be argued that Facebook could have done more to protect its users’ data, but ultimately it wasn’t them that collected, shared, and abused the data. Start thinking upstream and downstream your organization’s value chain.
12. Going back to paper minimizes risk
Reverting back to offline/traditional operations might minimize your risk of cyber attacks, but you also lose the ability to monitor everything.
For example, you won’t know if someone has made extra copies or destroyed important documents. In addition, going back to paper increases inefficiency. Just think of how this affects the way you work. No internet!
13. Cyber security is a form of defence (cost centre)
Before writing off that cyber security is just another expense you should cut from your expenses, take a look at these two statistics according to IBM:
- The average cost of a data breach is $3.86 million or 5.75 million NZD.
- The average cost fo each lost or stolen record containing sensitive or confidential information is $148 or 220 NZD.
As we’ve already debunked earlier, hacking isn’t just about money.
For some, it’s some form of ideology.
Just recently, a data breach of username and passwords was just dumped into the internet. If you’re part of that hack, imagine all the accounts you use your email to log into — social media, finance and banking, and many more.
Now, imagine if that’s your work email, think of the problems that hacker can cause your business. They can penetrate your entire system using your admin privileges. They can send an inappropriate email to your suppliers or customers. They can order accounting to wire money to this account.
14. New features/updates of IoT devices are enough
Updating your devices can reduce your chances of getting hacked, but it’s not enough. Remember, that firmware/software update can only protect you from current exploits.
Fact is, cyber criminals are getting more sophisticated. So, if they develop a new type of malware, your device (and data) might be at risk.
In addition, the average time it takes for a business to know there was a breach is 146 days — that’s approximately 5 months. This means you might have already been breached but don’t know about it.
15. I don’t store sensitive data so I don’t need cybersecurity
Everyone stores some form of sensitive data on their devices. You may think of these as only credit card data or your bank’s login information. But any type of information can be used against you.
For example, if you’re not prepared nor have any backups, then a ransomware hits your laptop, you won’t be able to access any file unless you pay the hacker. This includes your address book, your photos, your emails, eBooks, and everything on your computer.
Cyber security may seem like a very complicated topic. It doesn’t have to be.
Leave these myths behind and start protecting yourself, your business, and your data.