Debunking 5 myths about the cybersecurity posture


Small and medium-sized businesses struggle to adopt a cybersecurity posture. The cybersecurity divide hits them the hardest, as most security experts prefer to choose different working environments.

Young information security enthusiasts are in great demand. However, instead of SMBs, they generally prefer to work for specialist security companies and focus on, for example, manual penetration testing. Another preferred choice is working for companies where these enthusiasts can narrow their tasks and specialize in areas such as network security, attack surface and threat landscape analysis, risk assessment or designing security frameworks, and/or pursue a more promising career path, even all the way to CISO.

Another major problem for SMEs is the budget. A specialist company or team can usually offer security experts much better salaries and extras. And it’s no wonder that young enthusiasts are picky – they are the ones with the upper hand, the ones employers compete for.

Ultimately, many SMBs find themselves with administrators or general IT teams taking on the role of IT security. Even if they do manage to recruit a security professional, that professional becomes a jack of all trades, often exhausted and leaving early, looking for a different career path.

Another major issue associated with the cybersecurity posture of SMEs is the lack of cybersecurity awareness and the belief in myths, especially among senior executives and managers. This often leads to security being pushed back and treated as a minor issue, with budgets focused on development and direct benefits. Even though small business owners and senior executives realize that there is a major security risk, they are often willing to accept this risk because of the challenges associated with mitigating it, for example the challenge of finding staff, as described above.

Let’s try to debunk some major cybersecurity myths that can have a very bad influence on the cybersecurity posture of the organization. Once the train of thought becomes clearer, it can be easier for SMBs to establish security best practices to effectively manage their information security status.

1. “We don’t need to know about security because we have hired an expert”

This is a very dangerous myth, and it leads to the loss of personnel. Cybersecurity is not something you can just put on the shoulders of one person. Just like with physical security, even if you have the best locks and the best alarm system, it only takes one random employee forgetting to lock up when leaving work and all the effort is wasted. And if one person is blamed in such a case, you can be sure that they will soon find a better place to work.

If you want your business to thrive securely, everyone in the business (or even outside, if the supply chain includes outsourcing) needs to be aware of cybersecurity. And it’s not just about one onboarding training or regularly sending out fake phishing emails to everyone to verify their responses. It’s about making sure everyone really cares, all the time.

In order for employees to truly care about cybersecurity, managers need to care first. Instead of merely having expectations, managers need to lead by example and ensure that cyber risk is seen as important. And it is not difficult: it is enough that every decision takes security into account and that every important discussion includes the topic of security where appropriate.

2. “We are safe because we outsource our security to a professional company”

There is no way that an outsourced company can manage your security in as much detail as you can. A professional security services contractor is a simple and efficient solution for a small organization that cannot afford dedicated cybersecurity resources. A third-party vendor or contractor can help you select a cybersecurity framework such as NIST, design your cybersecurity strategy, assist with risk management and threat intelligence, help you implement your security controls and even participate in incident response. However, they cannot be everywhere and watch everything in real time, and their response time will likely be significantly less favorable than that of your own employees.

If you are outsourcing your security, you should always make sure that everyone in the business is aware of the impact of all their actions on security. For example, outsourcing security to a professional contractor will not prevent your developers from introducing SQL injection vulnerabilities into your software. It would be very rare for your contractor to actively participate in your SDLC and monitor all of your IT assets.

3. “We are safe because we bought a complete security solution”

No software can guarantee the security of your organization. In addition, there is no single security tool that covers even half of the potential cyber threats. You can have an endpoint solution that protects you from malware, including ransomware attacks, and a firewall that protects your external and internal network from some network attacks, while remaining vulnerable to complete system compromise and the loss of all company data as a result of a single SQL injection, because none of these tools protect you against such vulnerabilities, even in the slightest.

Don’t be swayed by empty vendor promises, and don’t be afraid to go for specific solutions for specific security threats, such as a specialized web vulnerability scanner to protect yourself from web-related threats. Look for manufacturers who aren’t afraid to tell you the facts instead of using big business language to confuse you. Look for specialized manufacturers because they have the means to protect you effectively. And always remember that software automation is just a tool and it’s how you use those tools that really matters.

Another related mistake of many SMBs is that they focus on the security of their offices. In the past, this made sense, as most assets were kept in the office, often including servers. These days, SMBs mainly rely on cloud solutions, and hence cybersecurity controls should focus on cloud data security and web presence, as most business assets are based on web technologies (including mobile technologies and IoT).

Maybe in 2000, an antivirus solution and a network scanner were more important than a web vulnerability scanner, but now, in 2020, that is no longer the case. While endpoint anti-malware solutions are always essential to protect against threats like ransomware, protecting the web is at least as important, and only web vulnerability scanners can do it.

4. “We are safe because we do not expose our applications or data to the public”

This is another very dangerous myth that leads to major problems. SME managers often think that if the company does not work in the public space, it is safe from attacks. However, this couldn’t be further from the truth.

For example, if you are designing a B2B application that is used by a limited number of companies and requires authentication to access it, it is just as prone to cybersecurity risks as a public website. A cyber attack can be carried out by someone other than an employee of your client’s company. If, for example, your login form has an SQL injection vulnerability, an external attacker can gain access to an application designed to be used only by specific clients, not by the general public.
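The login-form scenario above is easy to reproduce. The following is an added example for this article, not code from the original post or from Acunetix: it seeds a constructed in-memory SQLite table named `users` (the table name, the two sample accounts and the crafted input are all assumptions made for the demonstration) and compares a login check that pastes user input into the SQL text with one that uses bound parameters. The vulnerable version accepts a malformed username without a valid password; the parameterized version treats the same input as plain data and rejects it.

```python
import hashlib
import sqlite3

# Constructed sample accounts for this demonstration (not real credentials).
SAMPLE_USERS = [
    ("admin", "correct horse battery staple"),
    ("analyst", "hunter2-but-longer"),
]


def _digest(password: str) -> str:
    # Illustration only: a real system stores salted, slow hashes (PBKDF2,
    # bcrypt, argon2). The hashing scheme is not the point of this example.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [(u, _digest(p)) for u, p in SAMPLE_USERS],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # BAD: user input is concatenated into the SQL text, so quote and comment
    # characters in the input change the structure of the query itself.
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password_hash = '" + _digest(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # GOOD: placeholders keep the query shape fixed; the driver passes the
    # values separately, so the input is only ever compared as data.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, _digest(password)),
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run both checks against a valid login and against a crafted username."""
    conn = build_db()
    # Constructed input: the quote closes the string literal and "--" turns
    # the rest of the concatenated query into an SQL comment.
    crafted = "admin' --"
    return {
        "valid_vulnerable": login_vulnerable(conn, "admin", "correct horse battery staple"),
        "valid_safe": login_safe(conn, "admin", "correct horse battery staple"),
        "crafted_vulnerable": login_vulnerable(conn, crafted, "anything"),
        "crafted_safe": login_safe(conn, crafted, "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

Neither an endpoint anti-malware product nor a network firewall sees anything wrong with the crafted request: it is a syntactically valid HTTP login. Only the application code (or a scanner that exercises the form) can catch the defect, which is the point of myths 3 and 4.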

Also note that many data breaches occur as a result of insider negligence or malicious intent, for which an asset does not need to be accessible to the public.

While having public assets increases cybersecurity challenges, not having any doesn’t automatically mean you have good data protection. To be secure, you need to protect your internal assets and authenticated assets as well as your external assets.

5. “We are safe because there is no gain in hacking us”

Cybercrime is not always the result of having something to gain. It is just as often the result of an opportunity. Some cybercriminals focus on valuable intellectual property or sensitive data (and will do almost anything to steal it) while others shoot blind and hope to catch someone off guard. Are you on your guard?

When you look at the biggest data breaches of recent years, very few of them were actually the result of a targeted attack. In some cases, like Equifax, it was indeed a targeted attack, allegedly by Chinese military hackers. The big hit of 2019, the Capital One breach, was caused by a frustrated and emotionally unstable hacker who sought popularity in black hat circles. However, most of the other breaches were simply the result of someone scanning public addresses and finding a vulnerable resource.

The path to follow

Once your organization gets rid of the above myths, it will be easier for you to maintain security measures without an urgent and unsatisfied need for that “security magic that will fix everything”. With security seen as an enterprise-wide issue, given proper attention and consideration, and with the right automated solutions, such as web vulnerability assessment and management software with a web vulnerability scanning engine like Acunetix, your future looks much brighter than that of businesses still living in the past. Congratulations!


Tomasz Andrzej Nidecki
Technical content writer

Tomasz Andrzej Nidecki (also known as tonid) is a technical content writer working for Acunetix. Journalist, translator and technical writer with 25 years of IT experience, Tomasz was editor-in-chief of hakin9 IT Security magazine in its early days and used to run a large technical blog dedicated to email security.
