Eliminating FUD and focusing on facts
Ironing out the most common misconceptions in today’s cyber security landscape
There is a lot of FUD (fear, uncertainty and doubt) around the subject of security. Some of it makes perfect sense, while some of it promotes a dangerously misguided picture of the global cyberthreat landscape.
Separating fact from fiction is the first step in helping organizations take sensible steps to safeguard their business from cybercriminals.
Misconception No.1 – It can’t happen to me!
It can happen to anybody. And it is probably happening to your business right now!
Hackers are extremely opportunistic and actively seek out weaknesses. According to a study at the University of Maryland, cyber-attacks are taking place at a staggering average of every 39 seconds on computers with Internet connections.
And it’s not personal. “Brute force” hackers, using relatively simple software-aided techniques, indiscriminately seek out thousands of computers at a time, looking for vulnerabilities. The computers in the Maryland study were attacked, on average, 2,244 times a day.
Misconception No.2 – I’m not a target because I don’t have anything valuable!
That is dead wrong. Every business is a potential target.
It is true that financial institutions, insurance companies and, increasingly, law firms are top targets. But, hackers aren’t always looking for valuable information to sell or exploit. The ability to cripple a business can be valuable in itself.
For example, last year a massive ransomware attack shut down work at 16 hospitals across the United Kingdom, freezing systems and encrypting files. When employees tried to access hospital computers, they were presented with a demand for money, payable in bitcoin.
The same thing happened to a US hospital early this year, when a ransomware attack infected the IT system by locking out data and changing the names of more than 1,400 files to “I’m sorry.” The hospital paid a ransom of US$50,000 to unlock the data, which included patient medical records. A hospital spokesperson said, “It wasn’t an easy decision. You weigh the cost of delivering high-quality care … versus not paying and bearing the consequences of a new system.”
Global businesses are also at risk. The Maersk shipping line was forced to remove and reinstall software on 4,000 servers and 45,000 PCs after a ransomware attack, and suffered losses of up to US$300 million due to business interruptions.
Misconception No.3 – I have a firewall, so my business is safe
Perhaps. But is your first line of cyber defence up to date with the latest security patches?
With close to a quarter of a million new malware signatures being detected daily, and new exploits appearing all the time, the answer is probably a resounding no!
It’s not just firewalls. The truth is that, for years, the majority of compromised computers have been exploited through unpatched software.
Last year, seven out of the top 10 most exploited vulnerabilities targeted Microsoft products – all of which could have been prevented by implementing the appropriate patches.
The majority of attacks use the same code to exploit known vulnerabilities. Experts agree that businesses could eliminate between 80 and 90 percent of all malicious attacks simply by keeping security patches up to date. It’s the first step to cyber-safety.
Misconception No.4 – Security is too hard
The indisputable fact remains that most breaches leverage stolen passwords and exploit publicly known vulnerabilities. For instance, Verizon’s 2018 breach report identifies the most common ways enterprises are compromised, and they haven’t changed much from the previous year.
Focusing attention and effort – and not necessarily massive amounts of money – on end-user education and priority-based patching can significantly reduce the vast majority of security risks.
Security is about managing risk, and there are many simple and practical activities a business can implement that are not complex but are highly effective. Studies have shown that end-user awareness is one of the most effective strategies for improving your security posture.
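One way to make “priority-based patching” concrete is to rank open findings by how likely they are to be exploited rather than by raw severity alone. The script below is an added illustration, not code from this article or from Adura Cyber Security; the vulnerability identifiers (VULN-000x), asset names, scores and weights are all constructed for the example. It applies the article’s observation that most attacks reuse publicly known exploit code against known holes: a medium-severity flaw with public exploit code on an Internet-facing host is queued ahead of a critical flaw that nothing can reach, and findings with no vendor fix are routed to a separate mitigation queue instead of being forgotten.

```python
"""Priority-based patching: order findings by exploit likelihood.

Added example (not from the article or Adura Cyber Security).
All identifiers, scores and weights are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    vuln_id: str           # constructed placeholder, not a real CVE id
    asset: str             # constructed host name
    cvss: float            # base severity score, 0.0 to 10.0
    exploit_public: bool   # working exploit code is publicly available
    internet_facing: bool  # host is reachable from the Internet
    patch_available: bool  # a vendor fix exists


# Assumed weights; tune to your own risk appetite.
EXPLOIT_PUBLIC_WEIGHT = 5.0
INTERNET_FACING_WEIGHT = 3.0


def priority_score(f: Finding) -> float:
    """Severity plus context: public exploit code and exposure both add to
    the score, because attackers reuse known exploits against exposed hosts."""
    score = f.cvss
    if f.exploit_public:
        score += EXPLOIT_PUBLIC_WEIGHT
    if f.internet_facing:
        score += INTERNET_FACING_WEIGHT
    return round(score, 1)


def plan_patching(findings: List[Finding]) -> Tuple[List[str], List[str]]:
    """Return (patch_queue, mitigate_queue), each a list of vuln_ids in
    descending priority. Findings without a vendor fix go to the mitigation
    queue (isolate, restrict access, add monitoring) rather than being dropped."""
    ordered = sorted(findings, key=priority_score, reverse=True)
    patch_queue = [f.vuln_id for f in ordered if f.patch_available]
    mitigate_queue = [f.vuln_id for f in ordered if not f.patch_available]
    return patch_queue, mitigate_queue


# Constructed sample findings for a small estate.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "web-01", 6.5, True, True, True),     # 6.5+5+3 = 14.5
    Finding("VULN-0002", "db-02", 9.8, False, False, True),    # 9.8
    Finding("VULN-0003", "vpn-gw", 7.2, True, True, False),    # 15.2, no fix yet
    Finding("VULN-0004", "laptop-17", 5.0, True, False, True), # 10.0
    Finding("VULN-0005", "hr-app", 4.3, False, True, True),    # 7.3
]


if __name__ == "__main__":
    patch, mitigate = plan_patching(SAMPLE_FINDINGS)
    print("Patch first:", patch)
    print("Mitigate (no vendor fix):", mitigate)
```

Note that VULN-0002, the highest raw CVSS score in the sample, lands third in the patch queue: it is severe but neither exposed nor known to have public exploit code, whereas the lower-scored web-server flaw is exactly the kind of opportunistic target the article describes.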
Misconception No.5 – It’s an IT problem
That is true … kind of. But, it’s really a strategic operational risk. With so much depending on IT these days, any kind of outage – whether accidental or malicious – will inevitably have an impact across the organization and result in significant losses.
Imagine the reputational damage any organization faces following the disclosure of a large breach or cyberattack. It makes existing customers much more difficult to keep, and attracting new ones expensive or even impossible.
Then there is the financial damage if the organization slows down or cannot do business and serve customers. Late deliveries lead to costly penalties or contract cancelations.
On top of all that, there are an increasing number of regulatory issues, including fines, that follow a successful cyber-attack. One of Hong Kong’s best-known toymakers learned that to its cost, when it was fined US$650,000 by the US Federal Trade Commission after personal information about more than five million customers – parents and children – was stolen during a data breach.
As bad as that sounds, the consequences could have been a lot worse if the incident had occurred after 25 May this year when the European Union’s new General Data Protection Regulation (GDPR) came into effect. In that case, the company might have faced a fine of up to €20 million or 4% of the annual worldwide turnover for the preceding financial year, whichever is greater.
Most breaches are easily beaten
Security breaches can be more than embarrassing and expensive. In some cases, they can even be fatal!
Take the Panamanian law firm and corporate service provider, Mossack Fonseca & Co. Previously the world’s fourth biggest provider of offshore financial services, it went out of business in spectacular fashion after its confidential customer information – dubbed the “Panama Papers” – was hacked and leaked to the media.
Security can be challenging. But the majority of breaches are preventable, and many of them aren’t very advanced.
Understanding these fundamental facts could mean the difference between business as usual, or no business at all!
By: Anwar McEntee
Senior Business Development Manager, Adura Cyber Security
Based in Asia since 2001, Anwar combines a strong understanding of the region with extensive experience in the industry to deliver tailored cyber security insights for organisations in Asia.