Understanding Cybersecurity: What You Don’t Know Could Hurt Your Business

When it comes to understanding cybersecurity, can you separate fact from fiction? Because cybersecurity is a relatively new industry, there is a lot of noise surrounding it. This can lead to a number of misunderstandings or misconceptions about security that could actually open your organization up to new risks.

Here are some of the most common misconceptions we hear on a regular basis:

Misconception: Compliance & Security are the same thing.

At GreyCastle Security, we often hear these two questions: “Aren’t security and compliance the same thing?” and “Won’t this compliance regulation make us more secure?”

Typically, this line of thinking is driven by an area of an organization that views certifications (such as ISO 27001) as a hurdle to progress. They see security as something that could get in the way of business growth and would rather apply the “Band-Aid” of compliance to ensure security moving forward. However, the true core of security is managing risk. Understanding cybersecurity means making that your primary goal. You know your organization has information that people want, whether it’s intellectual property, health information, or customer data. You need to approach your information security strategy from the perspective of, “What do I need to cover, and where do I focus my efforts?”

The difference between security and compliance can be complicated, but security focuses 100% on the risk that all of the information you hold poses to the organization. Some organizations choose to approach compliance from a check-the-box mentality. The best strategy is to ensure that the two are working together. When you earn a certification, ensure that it works functionally throughout the organization and that your business is able to adapt to it and build security into the overall culture.

Misconception: Penetration testing and vulnerability assessments are the same thing.

There are, in fact, several key differences between vulnerability assessments and penetration testing. Both, however, are critical to maintaining a robust security posture.

A vulnerability assessment is a process for identifying and locating weaknesses within an organization’s environment. Automated “scanning” tools can be used to search an organization’s infrastructure for technical vulnerabilities, and manual tests can be used to verify results and evaluate network security. On their own, vulnerability scanning tools cannot distinguish between exploitable flaws and those that cannot be exploited; that distinction requires human verification.

Penetration testing is designed to simulate a real-world cyberattack and uses the same techniques that a modern cybercriminal would use. It simulates as closely as possible the effect that these threats would have on your organization, and it is recommended that penetration testing be performed by a third party to avoid conflicts of interest and provide a more objective view of the business environment. Penetration testing is accomplished by understanding cybersecurity threats and targets as well as your attacker’s motivations and capabilities.

Misconception: Cybersecurity is a technology problem.

There is no “silver bullet” in cybersecurity. Understanding cybersecurity means viewing it as a business excellence issue. Technology is a conduit for a people problem within organizations. There are three parts to cybersecurity and compliance: people, process, and technology. While technology is a piece of cybersecurity and needs to be addressed, we must remember that we are not working for the technology – the technology is working for us.

100% of cybersecurity attacks have a human element to them, whether it is someone clicking a link in a phishing email, an executive assistant giving out credentials over the phone, an employee letting someone into the building, or misconfigured firewalls and endpoint security. It all comes down to the human element. Technology can be an integral part of your strategy, but it’s important not to get locked into a “technology only” mindset.

Additionally, when you expand beyond technology, you can begin to speak on how cybersecurity affects other areas of the business, such as policy development or vendor management, and be in a better position to secure executive buy-in. Remember: cybersecurity is not just an “IT” problem. It is a business problem and a business risk.

Misconception: A cybersecurity breach is a cybersecurity incident.

The distinction here is important. The word “breach” is a legal term. Once you declare there has been a breach, you have started a ticking clock in terms of reporting. Do not use the word “breach” until you have confirmed with your legal team that it is the correct term to use.

How you label an event will determine a variety of factors, including the departments that need to be involved, what actions you need to take, and whether you are required to notify anyone. If notification is required, you will also need to determine who to notify, when, and how.

Misconception: Small businesses are safe.

Many organizations believe they are “too small” to be targeted by cyberattacks. In reality, hackers look for low-hanging fruit. They want the targets that require the least amount of time, effort, and money to exploit – and they know that many small businesses do not invest as heavily as they should in cybersecurity. The 2018 State of Cybersecurity in Small and Medium Size Businesses study conducted by the Ponemon Institute showed that small businesses now face the same information security risks as larger organizations. Despite this, almost half of the survey respondents reported that they had no understanding of how to protect their organizations against a cyberattack.

Malicious attackers will always exist, and they are interested in businesses of all sizes.

Misconception: There is no ROI in cybersecurity.

Are you moving the needle for the business? Are you actually making the organization more secure, and how can you quantify that for people who look only at numbers (e.g., the CFO)? Over time, security has grown to be a bigger percentage of the budget inside organizations. It is the cost of doing business today, and it is typically a recurring cost. Despite the misconception, there are real ways you can communicate the value of security to your organization.

  • Identify your biggest risks. Examine the ways risks are being introduced to your business as well as what you are trying to protect (e.g. patient information, intellectual property). You can classify your data and build out buckets for your most valuable data, then build a program based on a risk assessment that addresses any gaps in protecting this data. Reducing risks can mean saving money during a security incident. When your risk goes down, your profile for an incident (and the cost it requires to remediate) is also reduced.
  • Leverage your cybersecurity program as a competitive advantage. Don’t only think about cybersecurity from a reactive or defensive role. Instead, consider how your program can support innovation and help to generate revenue. As digitization continues, we will see two types of enterprises emerge: A) those that can defend themselves against cyberattacks, and B) those that can defend themselves against cyberattacks while also demonstrating the value of this defense to consumers and shareholders. Both types of companies may be equally secure, but those in the B bucket will generate more revenue (ROI) and pull ahead in the marketplace by advertising their cybersecurity program as a unique selling point.

Keeping your organization secure is an ongoing effort that requires participation from everyone in the business. Educating stakeholders on best practices and correcting misconceptions is a good first step to understanding cybersecurity.

Need help busting common cybersecurity myths? Click below to view our on-demand webinars, including “Common Misconceptions in the Cybersecurity Industry.”