When it comes to cybersecurity, there is a lot of bad information floating around.
Maybe it is because the field is still relatively new. Or perhaps it is because it is somewhat technical, making it difficult for laypersons to understand.
Regardless of the cause, misconceptions about cybersecurity have serious consequences for companies. Misguided beliefs ultimately lead to misguided actions; garbage in, garbage out. Thus, the first step towards improving your organization’s cyber resilience is identifying and dispelling these digital dogmas.
Myth #1: Cyber attacks can’t be prevented.
This myth is built upon the accurate reality that the cyber threat landscape is more dangerous than ever. Most computer defenses are so weak that hackers can break into your network without breaking a sweat. Given that cyber incidents are inevitable, it seems that the best businesses can hope for is early detection and mitigating as much damage as possible.
Can you imagine a coach telling his team at halftime that there is no way they can win, no matter what they do? That scenario is inconceivable – but that is effectively what many cybersecurity specialists are saying to senior executives.
Sure, a highly sophisticated, state-sponsored hacker group probably can’t be stopped from breaching your business. But this is the exception, rather than the rule. The vast majority of cyber attacks are avoidable. By establishing a strong security posture, organizations can significantly reduce their cyber risk.
Myth #2: Hackers are brilliant.
This is closely related to myth #1. A major reason people think that cyber attacks can’t be stopped is because they believe that all hackers are intrinsically super geniuses. But this is simply an absurd stereotype perpetuated by Hollywood. Movie hackers have seemingly supernatural capabilities – taking control of entire electrical grids and nuclear weapons systems with just a couple of keystrokes.
The truth is that hackers have a range of skill levels. Sure, some are extremely skilled, state-backed actors capable of executing complex attacks (e.g. the 2010 Stuxnet virus that badly damaged Iran’s nuclear centrifuges). The vast majority of hackers, however, have far less impressive capabilities; they’re more like the Marx Brothers than Mark Zuckerberg.
Some are derisively referred to as “script kiddies” – new or inexperienced attackers who are hacking for skills and thrills, often leveraging exploits written by more advanced individuals. Despite the derogatory nickname and lack of direct know-how, script kiddies cause companies plenty of headaches. For example, security experts believe that script kiddies were behind the October 2016 Dyn DDoS attack, which took down major websites, including Amazon, Netflix, and Spotify. Yet, again, organizations can employ measures to thwart most hackers.
Myth #3: Cybersecurity is the sole responsibility of the IT department.
Cybersecurity is, much of the time, a technical field. It consists of high-tech tools and complicated concepts. Therefore, cybersecurity matters should be handled solely by the IT department, right?
Wrong! Cybersecurity is not just an IT initiative; it’s an enterprise-wide matter, and must be treated as such. Like all enterprise-wide efforts, a culture of cyber resilience starts at the top. Cyber risk is like a scary octopus whose tentacles extend to nearly all areas of the enterprise. As another form of business risk, it intersects with many other organizational liabilities — including financial, strategic, operational, compliance, and physical risks. Therefore, given the scale and scope of the threat, the C-suite and the Board are essential in helping their organizations improve their cyber resilience. The IT department certainly plays an important role in cybersecurity. But they are just one piece of the larger puzzle.
Myth #4: People with highly technical backgrounds make the best cybersecurity professionals.
Certain cybersecurity positions require highly specialized technical skills (e.g. penetration testers and threat hunters). Most cyber jobs, however, do not. So-called “soft skills,” such as critical thinking and clear communication, are even more important for these positions. Plus, soft skills are often much tougher to teach than technical skills.
As many workforce development experts have argued, too many organizations are looking for cybersecurity talent in all the wrong places. If you’re trying to find security generalists – who can analyze broad threats across an organization – it usually doesn’t make sense to hire individuals with highly specific technical skills. Instead, look for other qualities: problem solving skills, the ability to quickly absorb new information, big picture thinking, etc. First focus on finding smart generalists, and then invest in training to turn them into cybersecurity savants.
Myth #5: Cybersecurity leadership training is boring.
OK, there is some truth to this. Too many cybersecurity training programs consist of little more than painfully dull PowerPoint presentations. Most people would rather drown themselves in the office water cooler than be forced to watch another tedious batch of company compliance slides.
Fortunately, there’s a better way. Training solutions can be informative, while still being entertaining experiences for employees. There are a number of ways to do this. At N2K, we often like to use humor. You could also try more of a participatory approach. For example, create a contest where employees write an email for your company’s next phishing campaign. Don’t be afraid to unleash your workers’ creativity! When you do, you’d be surprised at how fun cybersecurity training can be.
Want to Learn More?
Don’t be fooled by common cybersecurity fallacies! N2K is here to help you sort fact from fiction in the digital domain. Our engaging and accessible Resolve programs can quickly get you up to speed on cybersecurity essentials – and dramatically reduce your organization’s digital risks.