York Thought Leadership Blog

We Won’t be Hacked: Top 10 IT Security Myths

Posted by Danielle Toste on Thu, Sep 28, 2017 @ 15:09 PM

Security breaches happen every day. They range from something as small as a person disputing a $50 fraudulent charge on a card to huge breaches, such as the one at the Department of Veterans Affairs, which resulted in the information of 26 million veterans, active-duty military personnel, and spouses being compromised. With IT security being a hot topic and a consistent news story in the media, we decided to take a look at some of the top IT myths and how to combat them.

Myth 1: We won’t be hacked

No matter what type of security system businesses have in place, there is always a possibility for a breach. Face the business responsibility to confront security-related requests and make use of a security classification framework. 

Myth 2: We have physical security (or SSL) so you know your data is safe

This myth is associated with not understanding the risk. Ensure that security purchases match data requirements.

Myth 3: Regular expiration strengthens password systems

Research shows that having regular password expiration may not be useful and that it should be done randomly. Although stopping passwords from being hacked completely might not be possible, this is at least one way to try and prevent it.

Myth 4: Moving the CISO outside of IT will automatically ensure good security

Moving the services won’t stop a company from being hacked. They need to find the area of weakness in their security programs.

Myth 5: Adhering to security practices is the CISO’s problem

Passing off the problem to another business unit won’t solve the issue either. A company should build an information security program around their culture.

Myth 6: Cyber security is a technical issue for which executive level business management has little or no ability to contribute

Even though this statement might not be said, it is implied through behaviour. It is management’s responsibility to define a security policy for the overall organization, and that requires management to accurately understand what is needed in a security plan.

Myth 7: IT is, and should be, responsible for cyber security

Yes, IT is responsible for enforcing, preventing, and/or detecting behaviours defined by the company’s security policy. Yet IT should not be making decisions about who should or shouldn’t be able to access information. That comes down to the myth above: management.

Myth 8: Being compliant makes us secure

Just because a company passes a compliance audit does not mean that it is properly secure. It only means that the requirements for a particular regulation or compliance standard have been met. A company could be overspending to meet the requirements and still not be secure. Businesses should focus on improving their security while still meeting the standards.

Myth 9: Any computer virus will produce a visible symptom on the screen

Many people think that a computer with a virus will start acting up. That is not always the case. A computer can run fine and still have malware on it. The only way to know 100% is by having the device scanned regularly.

Myth 10: We have a firewall on our network, of course we’re protected!

Just having a properly configured firewall will not protect anyone against malicious content encapsulated over an SSL connection.

While being protected from all security attacks might not be possible, understanding risk and having a thorough security policy that is implemented and regularly changed to keep up with new threats will greatly reduce your chances of being attacked.

What IT security myths have you heard?

References:

http://www.botzandassociates.com/blog/5-cyber-security-myths/

http://www.infoworld.com/slideshow/33387/the-top-13-security-myths-187168

http://www.networkworld.com/news/2013/061113-gartner-reveals-top-10-it-270738.html