Recognising these common misconceptions will help protect your firm from a cyberattack
Many businesses do not fully understand cybersecurity, or their own exposure to a cyberattack. And that is putting them in danger.
As I’ve observed, businesses hold three common misconceptions when it comes to cybersecurity: One, they view cybersecurity as an IT issue. Two, they think they will know when they have been hacked. And three, they think that securing their computer systems is enough to keep them safe.
Let’s clear up each of these misunderstandings.
Misconception 1: Firms think that cybersecurity is an IT problem
Many organisations still think of cybersecurity as an IT matter. In fact, it is a concern that everyone in the company should pay attention to and know how to manage. When each employee knows how to recognise and report a possible breach, the business as a whole becomes much harder to attack. That is why training employees in cybersecurity is so important.
Organisations that are divided into rigid silos are especially susceptible to a breach. Why? If an attacker targets one division, the breach may not be contained swiftly across the company because departments do not share what they are seeing or coordinate their response. By contrast, businesses that are organised holistically, where every employee feels responsible for the whole organisation instead of just their own sector, are far more resilient to a cyberattack.
When we recognise that cybersecurity is not just an IT issue but a vital concern for every employee, we have closed the biggest gap. Cybersecurity is everybody's responsibility.
Misconception 2: Firms think they’ll know when they’ve been attacked
Some cyberattacks are obvious. When a company is hit by ransomware, for example, a ransom note demanding payment typically appears on screen once the files have been encrypted. Most cyberattacks are not this blatant. The intrusions at Equifax, British Airways and Marriott went undetected for a long time: weeks at British Airways, months at Equifax and roughly four years at Marriott, during which the attackers had access to customer data.
The truth is that companies often do not know they have been hacked. My recommendation is that every company operate on the assumption that it has already been compromised, and plan its monitoring and response accordingly. In addition, all employees should stay alert to subtle signs of a possible breach: a login alert or multi-factor prompt you did not trigger, an email rule or forwarding address you did not create, files or settings that have changed, or a machine behaving differently from usual. A slow computer on its own is a weak signal, but a change you cannot explain is worth reporting. It is everyone's responsibility to notice what has altered in the system and say so.
Misconception 3: Firms think that protecting their computer systems is enough
It used to be that protecting your computer systems was enough to keep cybercriminals from stealing your intellectual property or client data. That is no longer the case, thanks to the advent of the Internet of Things (IoT) and the growing number of smart devices in the workplace. These devices create new risks for organisations: a compromised employee smartphone or smartwatch can expose large amounts of information, including work email, messages, location history and contacts, and that material can then be used for blackmail or extortion. What's more, smart devices are not always forcibly hacked. Often people grant apps permission to use the phone's microphone or camera, or to read data stored on the phone such as photos and contact lists, without considering what the app will do with that access, leaving the door wide open for a breach.
Vulnerable devices in the workplace also include smart coffee makers, refrigerators, printers, cameras and light bulbs. The small computers inside these devices are especially weak points because, unlike laptops and servers, they rarely receive security patches, often ship with default passwords, and are seldom inventoried or monitored.
The best course of action: companies should inventory the smart devices on their networks, identify which could be easy 'ways in' for cybercriminals, and where possible put them on a separate network segment so that a compromised light bulb cannot reach the file server. Employees in every department should report anything unusual they observe with an internet-connected device. However, the burden of securing IoT devices does not lie solely with the user. Companies need to manage work smartphones and tablets centrally (for example through mobile device management) so that employees cannot unintentionally grant apps broad access to the data and sensors on their devices; antivirus software alone does not control app permissions.
Dinos Kerigan-Kyrou is an alumnus of the Oxford Strategic Leadership Programme, Saïd Business School, and an instructor on the NATO Defence Education Enhancement Programme, based at the Partnership for Peace Consortium. He is responsible for the cybersecurity training within the Joint Command & Staff Course at the Irish Defence Forces and was previously a co-author of the NATO Cybersecurity Training Curriculum. He is a Board Member of CSARN, a not-for-profit organisation that brings together police, government and business to address new and existing security challenges. All views expressed are his alone.