York Thought Leadership Blog

We Won’t be Hacked: Top 10 IT Security Myths

Posted by Danielle Toste on Tue, Apr 1, 2014 @ 13:04 PM

Security breaches happen every day. They range from a single person disputing a $50 fraudulent charge on a card to huge breaches such as the one at the Department of Veterans Affairs, which resulted in the information of 26 million veterans, active-duty military personnel, and spouses being compromised. With IT security a hot topic and a constant news story in the media, we decided to look at some of the top IT security myths and how to combat them.

Myth 1: We won’t be hacked

No matter what type of security system a business has in place, there is always a possibility of a breach. Accept that handling security-related requests is a business responsibility, and use a security classification framework so that each class of data gets protection matching its sensitivity.

Myth 2: We have physical security (or SSL) so you know your data is safe

This myth comes from not understanding the risk: physical security protects against one class of threat and SSL only protects data in transit, and neither says anything about the security of the data at rest or of the systems that process it. Ensure that security purchases match the data's actual protection requirements.

Myth 3: Regular expiration strengthens password systems

Research shows that regular password expiration may not be useful and that, where passwords are rotated, it is better done at random intervals. Although preventing passwords from being compromised altogether might not be possible, this is at least one way to try to prevent it.

Myth 4: Moving the CISO outside of IT will automatically ensure good security

Moving the role on the organization chart won't stop a company from being hacked. It still needs to find the areas of weakness in its security program.

Myth 5: Adhering to security practices is the CISO’s problem

Passing the problem off to another business unit won't solve it either. A company should build an information security program around its own culture.

Myth 6: Cyber security is a technical issue for which executive level business management has little or no ability to contribute

Even if this statement is never said out loud, it is implied through behaviour. It is management's responsibility to define a security policy for the overall organization, and that requires management to accurately understand what a security plan needs to contain.

Myth 7: IT is, and should be, responsible for cyber security

Yes, IT is responsible for enforcing, preventing, and/or detecting the behaviours defined by the company's security policy. Yet IT should not be the one deciding who should or shouldn't be able to access information. That comes back to the myth above: it is management's decision.

Myth 8: Being compliant makes us secure

Passing a compliance audit does not mean a company is properly secure. It only means that the requirements of a particular regulation or standard have been met. A company could be overspending to meet those requirements and still not be secure. Businesses should focus on improving their security while still meeting the standards.

Myth 9: Any computer virus will produce a visible symptom on the screen

Many people think that a computer with a virus will start acting up. That is not always the case. A computer can run fine and still have malware on it. The only way to know for certain is to have the device scanned regularly.

Myth 10: We have a firewall on our network, of course we're protected!

Even a properly configured firewall will not protect anyone against malicious content encapsulated in an SSL connection: unless the firewall can inspect the encrypted traffic, it only sees the connection, not what is carried inside it.

While being protected from every security attack might not be possible, understanding your risk and having a thorough security policy that is implemented and regularly updated to keep up with new threats will greatly reduce your chances of a successful attack.

What IT security myths have you heard?
