By: Tyler Thepsiri on October 26, 2022

What Do I Need To Know About Cybersecurity? 5 Myths Uncovered

Most business and IT leaders would agree that cybersecurity is a top priority. The thing is, there’s so much to know!

I understand. I have followed cybersecurity developments daily as part of my job for the past 8 years. For people who wear multiple hats or for whom cybersecurity isn’t their first priority, it can be tough to stay on top of the latest threats.

In this article, I’m going to expose 5 cybersecurity myths. I’m often asked about these myths, so I figured they are good ones to put to rest. 

After reading this article, you’ll know the things that don’t need your attention, so you can concentrate on the things that do!

At Kelser, we provide information that business leaders like you need to keep your IT infrastructure safe, available, and efficient, whether you choose to partner with us or not. 

The most important thing to us is that you know how to protect your data.

Don’t Believe These 5 Cybersecurity Myths 

Cybersecurity information has taken on a life of its own. I am a firm believer that panic is not a productive approach to cybersecurity. Instead, I encourage business leaders to realistically assess the threats and risks the organization faces. These two things should form the basis for your approach to cybersecurity. 

Let’s explore five widely held beliefs that I encounter often in interactions with customers.

Myth #1 - Frequently Changing Passwords Is Best

This myth is one of my favorites. 

The Real Story 

In recent years, studies have shown that changing passwords frequently (every 60, 90, or even 180 days) can lead to weaker passwords and less secure practices (such as writing the passwords down or adding one digit or character to an existing password). 

According to Microsoft:

“...when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password…it should remain just as strong in 60 days as it is today.”  

If you have evidence that someone's password has been compromised, then change it. Other than that, changing passwords frequently doesn’t add security.

Password managers are a wise investment to help employees remember multiple passwords. They electronically store all of a user’s passwords in one vault, accessible with one (strong) master password. 

Myth #2 - Strong Passwords Will Keep My Data Safe

Myth #1 connects to Myth #2. Strong passwords are a good starting point, but they are no longer enough.

The Real Story

The best way to add security is multi-factor authentication (MFA). 

What is MFA? 

In a nutshell, MFA is a security method that requires people to provide multiple forms of identification before accessing an application, website, or other IT service. 

Whereas normal password authentication is based only on “something you know,” MFA adds in additional factors such as “something you have” (e.g., an ID card or token from a specific device) or “something you are” (e.g., biometric information).

Passwords of any length and complexity are stored as a “hash.” In simple terms, hashing is an algorithm that turns the characters in a password into a fixed-length value that cannot be “decrypted” back into the original password, which is more secure than storing the password itself.


Related article: Benefits Of MFA: Security For A Network, Simplicity For End Users


So with passwords alone, hashing does not keep a hacker out: an attacker who can sniff network traffic and capture or guess the hash can sometimes use it to gain access without ever knowing the exact password. This can happen, for example, when using public Wi-Fi that doesn’t have strong security.

With MFA in place, we have had system monitoring software notify us that someone tried to gain access to a customer’s data. The hacker may have had the user’s password (or hash), but they couldn't get into the system because they didn't have the second factor.

MFA thwarts hackers from accessing data without the need to change passwords frequently.


Related article: What Is Multi-Factor Authentication (MFA)? Do I Need It? 


Myth #3 - Antivirus/Anti-Malware Software And A Firewall Are All You Need

If you use a home computer for personal use, anti-virus software and a firewall are probably sufficient. Your email platform may filter out a lot of junk, spam, and malicious email, providing a layer of protection for personal use. 

But even a small business needs more.

The Real Story 

Firewalls and antivirus/anti-malware are only as good as the rules that are in them. New malicious sites are popping up all the time. It’s a giant game of whack-a-mole! 

Antivirus/Anti-malware is the same. New threats are emerging constantly, and even the latest in “artificial intelligence/machine learning” technology will still need some time to catch up.

Anti-virus and a firewall only address one threat vector, and neither will alert you to a potential compromise. 

Monitoring software is essential to observe how systems are behaving and to recognize indicators of a compromise. In many cases, it also includes investigative tools you can use to understand and resolve the issue.

What Does Monitoring Provide?

A client of ours was notified that something in their system was trying to communicate with a known malicious website. 

Their system then began reaching out and communicating with several random systems all over the world.

Without monitoring, we would not have known this suspicious activity was happening. With monitoring, we were able to identify the issue, disconnect the suspect system from the network, and investigate the incident.
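The kind of detection described in this story, as an added example that is not Kelser's code or the monitoring product's logic: it runs over constructed sample proxy log lines (documentation IP ranges and a placeholder block list, all assumptions), flags a host that contacts a known-bad domain, and flags a host that fans out to an unusual number of distinct external destinations.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not from the article). Destinations use
# RFC 5737 documentation addresses; "bad-c2.invalid" is a placeholder.
SAMPLE_LOG = """\
2022-10-26T09:01:12 src=10.0.0.15 dst=example.com dst_ip=203.0.113.1 action=allow
2022-10-26T09:01:40 src=10.0.0.15 dst=bad-c2.invalid dst_ip=198.51.100.7 action=allow
2022-10-26T09:02:03 src=10.0.0.15 dst=- dst_ip=203.0.113.9 action=allow
2022-10-26T09:02:05 src=10.0.0.15 dst=- dst_ip=203.0.113.77 action=allow
2022-10-26T09:02:06 src=10.0.0.15 dst=- dst_ip=198.51.100.200 action=allow
2022-10-26T09:02:08 src=10.0.0.15 dst=- dst_ip=192.0.2.44 action=allow
2022-10-26T09:03:00 src=10.0.0.22 dst=example.org dst_ip=203.0.113.1 action=allow
2022-10-26T09:03:30 src=10.0.0.22 dst=fileserver dst_ip=10.0.0.5 action=allow
"""

# Placeholder block list; in practice this comes from a threat-intel feed.
KNOWN_BAD_DOMAINS = {"bad-c2.invalid"}
# Distinct external destinations one host may contact before we alert (assumed).
FANOUT_THRESHOLD = 4
# RFC 1918 ranges count as internal; everything else is "external".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dst_ip=(\S+)")


def is_internal(ip_text):
    ip = ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def analyze(log_text, bad_domains=KNOWN_BAD_DOMAINS, fanout=FANOUT_THRESHOLD):
    """Return {internal_host: [alert, ...]} for hosts that look compromised."""
    external = defaultdict(set)   # host -> distinct external destination IPs
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue              # skip lines that don't match the expected format
        src, dst, dst_ip = m.groups()
        if dst in bad_domains:
            alerts[src].append(f"contacted known-bad domain {dst}")
        if not is_internal(dst_ip):
            external[src].add(dst_ip)
    for src, dests in external.items():
        if len(dests) >= fanout:
            alerts[src].append(f"reached {len(dests)} distinct external hosts")
    return dict(alerts)
```

On the sample data only 10.0.0.15 is flagged, with both alerts; 10.0.0.22 talks to one external site and an internal file server and stays quiet.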

Myth #4 - Compliance With Industry Standards Means Your Organization Is Secure

This is another myth that I often hear: “I’m compliant with my industry standards, so that means I’m secure, right?” Probably not. 

The Real Story

In security, there are three main cybersecurity principles: confidentiality, integrity, and availability.

Known as the CIA triad, each is equally important, much like the legs of a stool. Regulatory agencies focus on confidentiality, but different organizations prioritize different legs of the stool. 

For example: 

Confidentiality

Compliance requirements usually fall under the confidentiality leg of the CIA triad. Compliance is one way to ensure that unauthorized people don’t access sensitive information that an organization has access to, but doesn’t own.

Integrity

Financial institutions emphasize integrity (or the consistency and accuracy of data or information) above all else.

They need to be sure that if a customer has $8,000 in their account, that is the amount they see when they check their bank account online or visit a physical branch of the bank. 

Availability

It's great if your information is protected from unauthorized people and is accurate, but if you can't actually get to it because it's not available, then that's a problem. Internet service providers, by nature of their business, put availability above all else. 

When it comes to cybersecurity, it’s important to go beyond the requirements. For example, most regulatory agencies won’t require you to back up your data, but you’re going to want to do that for data integrity and availability.

Compliance organizations also may not require a penetration test, but (depending on your risk) it may be beneficial to your organization.

Penetration tests give the clearest picture of how well an organization is protected from an outsider, an inside attack, and security gaps.

And, although not specifically required by most compliance organizations, I recommend vulnerability scans of internal-facing systems at least quarterly and external-facing systems monthly. Taking this extra step yields significant improvements in security.

Myth #5 - I Need Dark Web Scanning

Many organizations have been led to believe that they need dark web scanning to know when passwords or data have been stolen.

The Real Story

Free resources are available that provide information similar to what dark web scans offer. But let’s start at the beginning.

What Is The Dark Web?

The dark web is a collection of hidden internet sites only accessible by a special browser. Originally used by the U.S. Department of Defense, the dark web is now used worldwide by people who want to remain anonymous. It is used for both legal and illegal activities.

What Is Dark Web Scanning? 

Dark web scanning is a paid service that will search for personal information available on the dark web for other people to purchase. This could include credit card numbers, social security numbers, or other data.  

Dark web scanning is a service that is more hype than substance. It’s impossible to scan the whole dark web; you will never find everything on it. (And, if you are really interested, there’s a free tool on the open web you can use!)

The truth is, we should all be operating under the assumption that our personal information is probably out there, and protect ourselves accordingly with services like credit monitoring. 

You can also use free services to find out if any passwords you use have been compromised. If you find your information on a site like this, there is some degree of risk, and you can step up your security efforts accordingly.

For example, I searched “password1” on https://haveibeenpwned.com. It shows that it has been seen 222,887 times. If that was my password, I’d change it immediately. 
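The same check done in a way that never sends the password itself, as an added example that is not the article's or Have I Been Pwned's code: the password is hashed locally with SHA-1 and only the first five hex characters of the hash go to the public Pwned Passwords range API (https://api.pwnedpasswords.com/range/), so the match is found on your machine. The SAMPLE_RANGE text is a constructed stand-in for an API response so the parser can be exercised offline; the 222,887 count is the figure the article reports, not a live result.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """Uppercase hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def count_in_range(password, range_body):
    """range_body is the text returned for the hash's 5-char prefix: one
    'SUFFIX:COUNT' per line. Returns how often the password was seen, or 0."""
    suffix = sha1_hex(password)[5:]
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup: only the 5-character hash prefix leaves this machine."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password):
    """Number of breaches the password appeared in (network call)."""
    return count_in_range(password, fetch_range(sha1_hex(password)[:5]))


# Constructed offline sample of a range response (not real API output). It is
# built around the real SHA-1 suffix of "password1" so the matching logic can be
# tested without network access; the other two entries are filler.
SAMPLE_RANGE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    sha1_hex("password1")[5:] + ":222887",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
])

if __name__ == "__main__":
    print("password1 seen", pwned_count("password1"), "times (live lookup)")
```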

Whether you rely on free resources or a dark web scan, you likely won’t walk away with actionable information. Either tool will let you know that something was compromised, what information was involved, and maybe the approximate timeframe.

You can use that information to watch for suspicious activity. 

From my perspective, dark web scanning sounds good and it makes people feel better, but there’s likely not as much value as you might think (especially when you can get similar information for free). 

What’s The Bottom Line? 

The real bottom line is that there’s no such thing as 100% foolproof security. What may be good enough today will quickly be obsolete. Does that mean you should stop trying? Never!

In this article, we’ve talked about five cybersecurity myths. 

You’ve learned that frequently changing passwords isn’t enough to keep your data safe. You now know that MFA is more secure than strong passwords. You’ve realized that antivirus, anti-malware, and a firewall aren’t a comprehensive solution for your business. 

You understand the difference between compliance and cybersecurity. And, you have learned that you don’t need to pay for dark web scanning.  

At this point, the best advice I have to offer is to keep learning, monitoring, and adjusting.


Large organizations may have the resources necessary to handle cybersecurity in-house. If you don't have the internal resources, explore external IT support options. 

No matter the size of your organization, make sure your technology infrastructure is well protected. It is worth the investment of time and resources, to avoid becoming a victim of cyber crime. 

At Kelser, we roll cybersecurity services into our managed IT support offerings.

We know that managed IT isn’t the right solution for every organization, but if you find yourself looking for a strategic, proactive partner, we encourage you to check out several providers to make sure you find one that is the right fit for you. 

Find out what managed IT is, what it costs, and what’s included.

And, don't forget to compare several providers. In fact, we believe so strongly in comparison shopping that we’ve done some of the legwork for you!

We've posted several articles that compare our services to those of competitors. Read this one to find out how Walker and Kelser compare. Or go to our Learning Center to see how we stack up against some of our other competitors. 

If you prefer to talk with a person, click on the link below, fill out the form, and one of our IT experts will call you within 24 hours to discuss your needs and explore whether we are a good fit to work together.

About Tyler Thepsiri

With more than 10 years in the IT industry, Tyler is able to adapt quickly to almost any technological issue. He understands how systems should work, and specializes in security and compliance.