Businesses Need to Get Over Two Cybersecurity Myths to Stop the Hackers
Posted on Thursday, May 2, 2019 and filed under Articles
As a business, how do you ensure that your data stays safe? Cybercriminals will steal over 33 billion records by 2023, according to Juniper Research. Yet, are businesses doing enough? Two myths around cybersecurity often prevent organizations from adopting a safe and secure path to stop incidents of cyber-attacks and hacking.
Ciaran Martin, the CEO of the National Cyber Security Centre, which is a part of GCHQ, identified the misconceptions and said that businesses can no longer make excuses for not dealing with cybersecurity risks.
Myth 1: Cyber Attacks are Targeted
Many organizations believe that cybercriminals target specific businesses. That’s not always the case. Martin warned at the European Information Security Summit in London that organizations still feel they won’t fall victim to cybercriminals as long as they are not explicitly targeted. You need to ensure you adopt the right practices, such as having a robust password.
The misconception is baseless, as many businesses face the adverse effects of cyber-attacks even when they are not the direct targets. Take the instance of NotPetya, malware developed by Russia to target Ukrainian infrastructure in 2017.
The malware knocked out many businesses around the world and caused a significant amount of damage. Though the malware was targeted at Ukrainian infrastructure, it infected many companies including British pharmaceutical and advertising firms.
NotPetya even took down the shipping giant Maersk, which had to reinstall more than 45,000 computers and 4,000 servers. The shipping company was not the target, yet it faced business disruptions which cost the company over $300 million in damages.
NotPetya is not the only cyber threat that caught businesses unaware. Take the case of the WannaCry ransomware, which affected many unsuspecting companies. The worm-based virus introduced by North Korea to demand ransoms took down the UK’s National Health Service, which found itself to be an unwitting victim.
Martin said that the WannaCry incident shows that companies that suffer the damage of cyber-attacks are not always the target. The British NHS bodies were definitely not the target, but they were affected nonetheless.
Myth 2: Cyber Security is a Complex Field
Some companies think that cybersecurity is a complex field and they are not capable of handling the complexities. Some of them are so fearful of the perceived challenges that they are not even ready to consider the basic security measures.
The executives feel that cybersecurity is too complicated a problem and beyond their understanding, which prevents them from taking precautions. But Martin believes that cybersecurity isn’t so complicated, and businesses deal with far more complex issues every day as part of their operations.
He commented that when he takes a look at businesses in the UK and around the world, he is left amazed by the high level of sophistication and complexity of the organizations, and the risks they deal with. According to him, managing a cybersecurity strategy is a similar game!
Martin feels that any company which can extract resources from below the ground, deliver fragile goods over long distances in a short period, or process billions of financial transactions each hour is completely equipped to manage cybersecurity risks.
At its core, preventing cyber-attacks and stopping criminals is not that tough: just making sure that your systems and software are up to date can make a significant impact on preventing cyber-attacks.
Martin believes that the approach could have kept companies across the globe from falling prey to Cloud Hopper. The espionage campaign was attributed to China’s state-backed hacking group APT10 and used for stealing data.
The campaign relied on phishing emails with malicious Word documents attached. Once a person opened the infected document, the program went on to retrieve malware.
Martin said that the organizations could have easily avoided the attack by applying relevant patches. All it would have taken was up-to-date Office software, which would have closed the vulnerabilities exploited by the criminals.
Martin pointed out that the threat was able to persist only because of poor cybersecurity measures, as the attack was not very advanced. APT in APT10 refers to ‘Advanced Persistent Threat’, but the attack was really simple at its core.
It had nothing to make it threatening, and some precautions would have stopped it from spreading.
The NCSC also provided insights to senior executives on five cybersecurity questions which need to be answered to prevent the risks of hacking incidents.