The Cybersecurity Myths


There are many well-established myths that can hamper you in the cybersecurity area.

Myth #1 – It’s all about IT

Imagine this scenario: a disgruntled system administrator intentionally disables your core application and deletes your most important databases.

Is this an IT issue? No, this is hardly an IT issue; it is more like an HR issue. Could this have been prevented by IT safeguards? No. The person in this position is required to have direct access to all of your systems.

So, the way to prevent this type of scenario falls outside the technology area and comes down to how you select your employees, how you supervise them, which kind of legal documents have been signed, how this person is treated within the company, and so on.

Don’t get me wrong – information technology and IT safeguards are extremely important in cybersecurity, but they alone are not enough.

These measures must be combined with other types of safeguards to be effective. And this is something I’ll explain later.

Myth #2 – Top Management has Nothing to do with Cybersecurity

You are probably aware that safeguards cannot be implemented without money and employee work time. But, if the executives in your company are not convinced this protection is worth the investment, they are not going to provide the required resources. Hence, the project will fail.

Further, if top executives do not comply with security rules and, for instance, leave the laptop (with its list of top clients together with details about sales and related correspondence) unprotected at the airport, all other security efforts will be in vain.

So, your top managers are a very important part of cybersecurity.

Myth #3 – Most of the Investment will be in Technology

False. Most of the companies I have worked with already had most of the technology in place.

What they did not have were rules on how to use that technology in a secure fashion. This is like purchasing a fancy new BMW and only using such a luxury car for delivering pizzas.

The information will be protected if everyone with access knows what is allowed and what is not, and who is responsible for every piece of information or for every piece of equipment. This is achieved by defining clear rules, usually in the form of policies and procedures.

As a rule of thumb, I would say investment in technology is usually less than half of the required investment. In some cases, it may even be less than 10%. The majority of the investment is usually in developing the policies and procedures, training and awareness, etc.

Myth #4 – There is no ROI in Security

Yes, security costs money, and usually this protection will not bring you additional revenues.

The whole idea of cybersecurity is to decrease the costs related to security problems (i.e., incidents). If you manage to decrease the number and/or extent of security incidents, you will save money. In most cases the savings achieved are far greater than the cost of the safeguards; so, you will “profit” with cybersecurity.

We will talk more about Return on Security Investment in a bit.

Myth #5 – Cybersecurity is a One-time Project

False. Cybersecurity is an ongoing process. For instance, suppose you develop an Incident Response procedure which requires your employees to notify the Chief Information Security Officer on his or her cell phone about each incident, and then this person leaves your company. You obviously no longer want these calls to go to him or her if you want your process to keep working.

You have to update your procedures and policies, but also software, equipment, agreements, etc. And this is the job that never ends.

Myth #6 – The Documentation Myth

Writing a pile of policies and procedures does not mean your employees will automatically start complying with them.

Security is normally quite a big change and, frankly speaking, no one likes to change established practices. For example, instead of your good old “1234” password, you suddenly have to change your password every 90 days to something with eight characters, out of which at least one must be a number and one a special character.

Source: 9 Steps to Cybersecurity
