The days when cyber security was merely a technical or niche issue to be dealt with by some small department in the basement are long behind us. Boards now have CISOs and CIOs, and yet there is still a need for all directors to understand the impact of cyber security risk when making strategic business decisions as well as to understand what to ask when a breach takes place.
Failing to grasp the nature of cyber security in today’s business environment can have dire consequences. Proper board preparedness and planning are critical both to protecting the business and to insulating officers and directors from liability. Accordingly, directors must ensure that the business is ready to face cyber risks and the potential legal ramifications of those risks by aligning the organization’s cyber risk profile with its business needs.
Of course, there is no shortage of information out there on cyber security and cyber risk, but much of it is couched in sales and marketing jargon peculiar to one vendor or another, and what isn’t is often aimed at a technical audience with a level of detail that is rarely relevant to high-level decision makers. In this post, we cut through the clutter and cover the basics of cyber risk management for directors by dispelling six common cybersecurity myths.
Myth 1: Cyber Security Is Only Necessary for Some Businesses
Many believe that only certain kinds of companies require cyber security and that if they are not in that list, cyber security isn’t for them. Typically that list includes:
companies that store sensitive customer data (PII)
Health, infrastructure and other organizations legally required by law
Companies of a certain size or value
Cybersecurity is critical for all organizations, regardless of their industry. The ongoing wave of ransomware attacks has shown that attackers are opportunistic and will target any organization that has valuable data or systems that they can exploit.
Even companies that don’t store sensitive data (PII) can be hacked or infected with ransomware if their systems are not properly secured, and PII is not the only thing that can be stolen or compromised in a cyber attack. Organizations can also lose money, suffer damage to their reputation, and experience other negative consequences as a result of a cyber breach.
Similarly, size is not a significant factor in risk assessment. Any organization, regardless of size, can be a target for cyber attacks. Small businesses are often seen as easier targets because they may not have the same resources to devote to cyber security as larger organizations. The level of risk increases if the business does not take the necessary precautions to protect itself.
Myth 2: Security Software Is All You Need to Stay Safe
There are so many pinpoint tools in the cybersecurity defense arsenal. Tools like SIEM, SOAR, Firewalls, Anti Virus, and many others have proven in recent years that they are not sufficient to keep businesses out of negative news cycles.
The modern working environment allows employees more freedom than ever before, with the ability to install software and to gain access to company assets from the endpoint, wherever they may be physically located.
The effort of staying safe from cyber risk may start with getting the right tool to see it all, but it does not end there. As the cybersecurity landscape continues to evolve, defense capabilities need to keep pace, too.
Myth 3: Software Vulnerabilities Aren’t an Issue for the Board
Every piece of software that an organization uses can also introduce vulnerabilities that make it easy to penetrate the corporate network.
Some recent high-profile examples include CVE-2022-30190 (aka the Follina vulnerability), which allows attackers to compromise a Windows machine simply by sending a malicious Word document, and CVE-2021-44228 (aka Log4Shell), a vulnerability in a Apache’s Log4j library that most companies didn’t even realize was in their software stack.
Unfortunately, the biggest and most likely source of vulnerabilities in your software stack is likely the operating system itself. Here’s some sobering statistics:
In 2020, Microsoft confirmed 1,220 new vulnerabilities impacting their products, a 60% increase on the previous year.
807 of 1,220 vulnerabilities were associated with Windows 10, with 107 of those related to code execution, 105 to overflows, 99 to gaining information, and 74 to gain privileges.
In 2021, 836 new vulnerabilities were confirmed, 455 of which impact Windows 10 and 107 allow malicious code execution.
While patch management is certainly the responsibility of your IT team, boards need to understand that no amount of patching is going to negate the security risk presented by the operating system itself.
This means that your organizations should look to partner with security-first companies that can provide a holistic approach to security. Avoid relying on the OS vendor either to patch everything or to provide security add-ons to plug the gaps.
Myth 4: You Don’t Need to Worry About Supply Chain Attacks
Even if an organization manages to keep its own software safe, any other service provider can unknowingly facilitate a way into the network. In recent times, we’ve seen the SolarWinds supply chain attack, where the attackers were able to compromise organizations through the SolarWinds software update, and the Kaseya incident, in which attackers targeted Kaseya VSA servers—commonly used by MSPs and IT management firms—to infect downstream customers with ransomware.
Such attacks are highly lucrative for threat actors because compromising one weak link enables access to a complete portfolio of customers using that software.
Ensuring you have maximal protection against digital supply chain attacks is a strategic decision that needs to be taken at the board level.
Myth 5: You Can’t Do Anything About Cyber Security Threats
While it is true that some threats are out of your control, there are many things you can do to protect your organization from cyber attacks. Implementing strong cyber security measures can help reduce your risk of being targeted by cyber criminals.
It is also important to remember that while it may be true that you cannot secure your organization against every possible attack, there are steps that organizations can take to make themselves as secure as possible against the most likely attacks.
In the vast majority of cases, threat actors are financially-motivated, and they are looking for easy wins. Like the weakest animal in the herd, the companies that cannot protect themselves will soon be picked off by cyber predators.
Myth 6: It’s Impossible to Train Employees to be Cyber Secure
While employees are a key part of any organization’s cyber security strategy, they cannot be expected to be experts in cybersecurity. Organizations need to provide employees with appropriate training and resources. This includes regular awareness of the kinds of threats the business faces, simple steps in how to identify things like phishing emails or unusual requests, and clear steps for reporting suspicious activity. Social engineering, more commonly known as the subtle art of convincing people to click on spear phishing emails, remains one of the most common ways cybercriminals operate today.
Cybersecurity is all about managing risk as effectively as possible. There is no organization in the world that is immune to cyber threats, but in today’s threat landscape, it is vital that cyber security is understood to be a strategic factor that must be planned from the very top of the organization. The risk to the business is too great for it to start anywhere else.