There’s a lot of existing advice and information on cybersecurity out there, but don’t fall victim to any of these common misconceptions that give you a false sense of security.
Myth #1 – All your vendors maintain appropriate security controls
The reality is that your organization’s security is only as strong as your weakest vendor. Vendors can create unforeseen vulnerabilities by not adhering to their own policies. When you first contracted with a vendor, their cybersecurity controls may have been sufficient, but are they continuing to comply with those controls and update them in response to the changing cybersecurity landscape? In the past, each cyberattack was looked at individually, but now attacks are being linked together, creating a domino effect. Many of the large breaches we’ve all heard about can be attributed to an attacker compromising a vendor and leveraging that access to pivot and attack the vendor’s customers. Make sure you’re checking in quarterly or annually to ensure that your partner’s policies and procedures are up to date, reflect current practices and are being followed. Additionally, request that they provide a copy of their cyber insurance policy.
Myth #2 – Cloud services have built-in cyber protections
Almost every company uses cloud services in one form or another. The security team at a cloud service provider is on the front lines of the internet’s most critical information security issues, and the scope of what they must defend continues to expand. Cloud providers have responded by operating under a shared responsibility model. The provider controls the physical servers up to the configuration level that is accessible to users. The user retains responsibility for the actual data and services that run on the virtual server, unless your contract states otherwise. It’s essential that organizations thoroughly understand their responsibilities and how to best leverage the security features the provider offers, so that they take the precautions needed to avoid an incident. A hybrid security plan that takes into account both on-premises and cloud systems is critical.
Myth #3 – It’s possible to predict the next big cyberattack
Today’s headlines are full of cyber breaches that impact not only the companies that experienced the breach, but their customers and beyond. Though there’s a lot of dialogue around the devices, companies and systems that could potentially be attacked, there is no way to predict exactly when or where the next large-scale attack will occur. This is very similar to thinking we can predict earthquakes: despite monitoring seismic activity for patterns, there is no way to predict exactly when and where the next “big one” will strike. So how should businesses and consumers prepare for a cyberattack? If you lived in an earthquake-prone area, you would buy a house that is built to code, keep emergency supplies and carry earthquake insurance. Preparing for a cyber event is no different: you take precautions and put controls in place to mitigate your risk and reduce the impact. Precautions include purchasing cyber insurance, implementing an effective cybersecurity program and developing incident response, business continuity and disaster recovery plans. Insurance provides peace of mind in the event of an attack and the support to help you get back up and running while reducing the financial impact.
Myth #4 – What worked in the past is good enough
In this ever-changing cybersecurity landscape, traditional methods of securing your perimeter, protecting data and addressing privacy concerns are not enough. The main shift we’ve seen is greater visibility into what actions a company is taking to reduce its risks. Cybersecurity cannot operate effectively in a silo; it’s the responsibility of every employee and department to incorporate security controls into their daily business operations. To do so, create a layered approach to securing both internal and external resources so that risk is properly addressed. Make sure you are increasing your security budget every year to continue adding to your infrastructure tools and ongoing training and education. Providing your team with continued education and new technology is critical to minimizing the risk and impact of a breach.
Myth #5 – My business is not a target
The sheer amount of news coverage of large-scale cyberattacks can cause businesses to become numb to them and contribute to the notion that they’re not important enough to be the next target. In truth, smaller organizations are often targeted because of the access they provide to a larger target. Accepting that it’s generally a matter of when, not if, a cyber incident will occur is a difficult adjustment for many companies. In the past, breach prevention was the only goal, but today a security team that is realistic and accepts that a breach is likely will be stronger and faster to respond. Companies will ultimately be judged on both the controls they had in place to prevent a breach and their response during and after an incident. Incorporating cyber insurance into your overall cybersecurity plan will not only provide peace of mind to your customers, but also help minimize the impact and downtime after an attack.
Managing Cyber Risk
Remain vigilant and protect your company with the most up-to-date cybersecurity and insurance options. Don’t fall for the myths or become numb to the countless news stories of breaches. As is commonly said, it’s not if your company will face a breach, it’s when.