By Jack Pittas, Co-Founder and Chief Business Manager of PK Cyber Solutions Inc.
Movies, TV, news, and other sources of media content have painted a version of what cybersecurity looks like that is far from reality.
When you think of the word cybersecurity, it is likely that you already have some idea of what it looks like:
- What a cybersecurity breach or incident looks like
- Who are the common targets of these types of attacks
- Who is conducting cyber attacks
- Who is responsible for managing an organization’s cybersecurity
- How to protect against cyber threats
It is also likely that these same viewpoints are shared by the vast majority of the population.
However, using the updated statistics and trends for 2021, as well as other information gathered throughout this industry, I hope to change your entire viewpoint of the word cybersecurity and the context around it.
Misconception: Cybersecurity is a function of IT, and therefore can be enhanced using only software or hardware.
I felt it was crucial to put this one first, as I believe this is the MOST common misconception. As cybersecurity professionals, we constantly hear variations of people saying that their IT person is handling their cybersecurity, or that some technology is going to be the end-all, be-all of their robust cybersecurity program:
- “I don’t need cybersecurity help, as I already have an IT person.”
- “Our managed service provider (MSP) has just updated all of our security software, so we’re good.”
- “We just installed the most elite firewall on the market, so we should be good on our cybersecurity.” (This one is my personal favorite)
These statements point to the broader issue, which is that most people believe that an organization’s IT staff or MSP are handling all of their cybersecurity needs, and that these needs are strictly technical.
The reality is that 95% of all incidents are the result of some form of human error or negligence. Negligence really can’t be solved by any technology, but it can be addressed with proper education and planning. In fact, if you examine the varying information-security compliance requirements and guidelines across different industries, the two that are nearly universal are 1) having a documented incident-response plan (77% of organizations do NOT have this), and 2) providing cybersecurity awareness training to the organization’s employees. Both of these are considered administrative controls and are likely not being provided by the IT staff. Remember, your IT person’s job is to manage the technology, and that doesn’t necessarily mean they are doing everything necessary to manage your firm’s cybersecurity program.
A robust cybersecurity program needs to utilize all types of solutions (technical, administrative and physical) and functions (preventative, detective and reactive). It also needs to have the top decision makers involved in the process. So from this point forward, consider cybersecurity a function of management and not IT.
Misconception: The victims of breaches, hacking and other cyber-related incidents are only large corporations or government bodies.
This misconception is completely understandable. Of course, news reporting is only going to cover the large incidents that happen to well-known commercial entities and various departments of government. Because of this, many small businesses will have the attitude that “an incident could never happen to us, we’re too small,” or that “we don’t have a lot of data stored, so a breach wouldn’t be catastrophic.” Wrong on both counts: it can happen, and it can be severe. 43% of all cyber victims are small or midsized organizations, and about 60% of those who get hit with an incident are out of business within 6 months.
Keep in mind that if you answer “yes” to any of the following, you are an ideal target for cyber criminals, regardless of the size and scope of your organization:
- Does your organization have a website?
- Is your organization responsible for storing, transmitting, or processing any information about other entities? This includes financial or banking information, credit card information, basic personally identifiable information (names, addresses, phone numbers, etc.), credential information, social security numbers (or other tax identification information), health information, etc.
- Could any operational downtime cause significant financial harm to your organization?
- Could losing any information or data be harmful to your day-to-day operations?
Misconception: Cyber incidents are quick events that consist of someone “getting past a firewall” or “hacking into a mainframe.”
Okay, this one obviously comes from pretty much every action movie that contains a hacking scene. But the point is that those scenes aren’t what the vast majority of these incidents look like. They primarily consist of other kinds of attacks and are by no means quick.
- The average time to detect a breach is 207 days, with the average life cycle (from detection to containment) being 280 days
- 80% of all incidents originate from some type of phishing (primarily email)
- 17% of breaches contained some type of malware, and 94% of all malware is delivered via email
Another thing to keep in mind is that cyber incidents have different levels of severity. Your entire organization doesn’t have to be extorted for money by ransomware for it to be considered an incident. Events as minor as accidentally CC’ing somebody on a sensitive email, or discovering that your list of passwords was left at a local coffee shop, can count as an incident, and you should have a response plan ready before the incident takes place.
Misconception: Cyber criminals or scammers are solo, independent, and isolated practitioners
This misconception also stems from movies. The cyber incidents shown are orchestrated by one person acting alone, possibly living in a basement or some isolated location. The truth is that cyber crime is an industry (projected to hit $6 trillion this year) that, like any other, contains solution providers, hires people, and has interworking teams. A great example of this is phishing email campaigns. A typical phishing operation contains three major players:
- The person or team that configures the scam on the back-end
- The person or team that designs the actual email that the target(s) will see
- The person or team that uses credentials harvested, information gathered, or malware downloaded to begin the next steps (depending on the attack and goal)
About the Author
PK Cyber Solutions Inc. was founded in August of 2020 with the purpose of providing small businesses access to comprehensive and cost-effective cybersecurity solutions. Jack and his fellow co-founder, Matt Korich, strive to educate and serve their clients on all things cybersecurity, cloud computing, software development, and data security compliance.
Jack joined the Tysons Core Chapter of NeXco this past November, and most enjoys the spotlight speaker presentations of every meeting.