Security breaches happen every day. They range from a person disputing a $50 fraudulent charge on a card to huge breaches such as the one at the Department of Veterans Affairs, which exposed the personal information of 26 million veterans, active-duty military personnel, and spouses. With IT security being a hot topic and a constant news story in the media, we decided to take a look at some of the top IT security myths and how to combat them.
Myth 1: We won’t be hacked
No matter what security controls a business has in place, a breach is always possible. Treat security-related requests as a business responsibility rather than an interruption, and use a data classification framework so that the most sensitive data gets the strongest protection and your incident plans assume a breach will eventually happen.
Myth 2: We have physical security (or SSL) so you know your data is safe
This myth comes from not understanding the risk. Physical security protects against physical theft, and SSL (TLS) protects data only while it is in transit between two endpoints; neither protects data at rest on a compromised server, data reached through a stolen credential, or data mishandled by an insider. Make sure security purchases match the data you actually hold and the threats to it, rather than relying on a single control.
Myth 3: Regular expiration strengthens password systems
Research shows that forced periodic password expiration adds little security: users respond with predictable variations of the old password (Summer2023! becomes Summer2024!), and an attacker who already holds a credential usually uses it long before the next rotation. Current guidance such as NIST SP 800-63B is to change a password when there is evidence it has been compromised, not on a calendar schedule. Passwords cannot be made uncrackable, but dropping arbitrary rotation in favour of minimum length, screening new passwords against known-breached lists and multi-factor authentication does more to protect them.
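The difference between a calendar rule and an evidence-based rule is easier to see in code. The following is an added example, not code from the original post: it keeps a constructed, entirely made-up breach corpus bucketed the way the Have I Been Pwned range API keys it (first five hex characters of the uppercase SHA-1 select a bucket, so only the prefix would ever leave the host), rejects passwords that are short, breached, or a trivial variant of the old one, and requires a reset only when a compromise is reported after the last change. The 90-day calendar rule is included only for contrast; all dates and sample passwords are assumptions for the demonstration.

```python
from __future__ import annotations

import hashlib
import re
from datetime import date, timedelta

# --- constructed breach corpus (made-up entries, not real breach data) ----
# Keyed like the Have I Been Pwned "range" API: the first 5 hex characters of
# the uppercase SHA-1 select a bucket, the remaining 35 identify the entry.
def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


_CONSTRUCTED_BREACHED = {"password1", "Summer2023!", "Summer2024!", "letmein"}
BREACH_BUCKETS: dict[str, set[str]] = {}
for _pw in _CONSTRUCTED_BREACHED:
    _digest = _sha1_hex(_pw)
    BREACH_BUCKETS.setdefault(_digest[:5], set()).add(_digest[5:])


def is_breached(password: str) -> bool:
    """k-anonymity style lookup: only digest[:5] would be sent to a remote service."""
    digest = _sha1_hex(password)
    return digest[5:] in BREACH_BUCKETS.get(digest[:5], set())


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with only trailing digits/punctuation or case
    changed, which is the pattern forced rotation tends to produce."""
    stem = lambda s: re.sub(r"[\d\W_]+$", "", s).lower()
    return stem(old) != "" and stem(old) == stem(new)


def calendar_reset_due(last_changed: date, today: date, max_age_days: int = 90) -> bool:
    """The rotation rule the myth describes: reset purely because of age."""
    return today - last_changed >= timedelta(days=max_age_days)


def evaluate_change(old: str, new: str, last_changed: date, today: date,
                    compromised_on: date | None = None, min_len: int = 12):
    """Evidence-based policy. A reset is *required* only if a compromise was
    reported on or after the last change; a new password is *accepted* only if
    it is long enough, not in the breach corpus and not a trivial variant.
    Returns (reset_required, accepted, reasons)."""
    reasons: list[str] = []
    reset_required = compromised_on is not None and compromised_on >= last_changed
    if reset_required:
        reasons.append("reset required: compromise reported after last change")
    if len(new) < min_len:
        reasons.append(f"rejected: shorter than {min_len} characters")
    if is_breached(new):
        reasons.append("rejected: appears in breach corpus")
    if is_trivial_variant(old, new):
        reasons.append("rejected: trivial variant of previous password")
    accepted = not any(r.startswith("rejected") for r in reasons)
    return reset_required, accepted, reasons


def demo() -> dict:
    """Constructed scenario: password set 15 Jan 2024, evaluated 1 Jun 2024."""
    last_changed, today = date(2024, 1, 15), date(2024, 6, 1)
    return {
        # The calendar rule forces a change after 138 days for no reason at all.
        "calendar_forces_reset": calendar_reset_due(last_changed, today),
        # The rotation-style "new" password is rejected on three counts.
        "rotated": evaluate_change("Summer2023!", "Summer2024!", last_changed, today),
        # A compromise reported on 20 May requires a reset; the replacement passes.
        "after_compromise": evaluate_change("Summer2023!", "correct horse battery staple",
                                            last_changed, today, compromised_on=date(2024, 5, 20)),
        # A compromise that predates the last change needs no further action.
        "old_compromise": evaluate_change("Summer2023!", "correct horse battery staple",
                                          last_changed, today, compromised_on=date(2024, 1, 1)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In a real deployment the bucket lookup would be a query to the breach service or a local copy of the corpus, and the compromise date would come from your incident records; the policy logic itself is the part worth copying.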
Myth 4: Moving the CISO outside of IT will automatically ensure good security
Moving the reporting line won't stop a company from being hacked. The organisation still has to find and fix the actual weaknesses in its security program, wherever the CISO sits on the org chart.
Myth 5: Adhering to security practices is the CISO’s problem
Passing the problem to another business unit won't solve it either. Security practices only work if everyone follows them, so a company should build its information security program around its own culture and make every unit accountable for its part.
Myth 6: Cyber security is a technical issue for which executive level business management has little or no ability to contribute
This is rarely said out loud, but it is implied through behaviour. It is management's responsibility to define the security policy for the whole organisation, and that requires management to understand accurately what a security plan needs to cover.
Myth 7: IT is, and should be, responsible for cyber security
IT is responsible for enforcing the company's security policy and for preventing and detecting the behaviours it prohibits. But IT should not be the one deciding who may or may not access information; as the previous myth shows, that decision belongs to management and the owners of the data.
Myth 8: Being compliant makes us secure
Passing a compliance audit does not mean a company is secure. It only means that the requirements of a particular regulation or standard were met at the time of the audit. A company can overspend on meeting those requirements and still be insecure. Businesses should treat the standards as a floor, not a ceiling, and focus on actually improving their security while still meeting them.
Myth 9: Any computer virus will produce a visible symptom on the screen
Many people assume that an infected computer will start acting up. That is not always the case: modern malware is built to stay quiet, and a computer can run normally while carrying it. There is no way to be 100% certain a machine is clean, but regular scanning, watching for unexpected processes, network connections and file changes, and keeping software patched greatly improve the odds of catching an infection early.
Myth 10: We have a firewall on our network, of course we’re protected!
Even a properly configured firewall does not inspect the contents of an SSL (TLS) connection it allows through, so malicious content carried inside an encrypted session passes untouched. A firewall is one layer; endpoint protection, content inspection and user awareness are still needed.
Protection against every attack is not possible, but understanding your risk and having a thorough security policy that is actually implemented and regularly updated to keep up with new threats will greatly reduce the chance of a successful attack.
What IT security myths have you heard?