Debunking Five Cybersecurity Myths

Originally published by ThreatLocker.

Introduction

Cybersecurity is not an easy topic to fully understand if you are new to the field, and just when you think you have a decent understanding of the technical aspects of it, you open a door to much more undiscovered knowledge. It is this reason that there are numerous misconceptions, misinformation, and myths about cybersecurity on topics such as password strength, which tools you should invest in, how many tools to invest in, and much, much more.

Myth #1: You Have a Strong Password, That’s All You Need

Creating a strong, unique password for each of your accounts is an important tactic to keeping your confidential data and admin-level operations programs out of harm’s way, and if you change it periodically and stray away from using words found in a dictionary, even better! However, threat actors’ abilities to crack passwords have developed exponentially, and they are showing no sign of slowing down. Passwords with seven characters consisting of numbers, upper- and lower-case letters, and even symbols don’t cut it anymore.

Through brute force password attacks, these “strong passwords” can now be cracked in 17 hours... within a day! Alternatively, bumping up the number of characters to 13 can dramatically increase the length it takes to crack a password to about two million years! Creating a password that follows these requirements will strengthen your chances of resisting a password attack, but it is not foolproof. To boost your defenses against a password attack, you should implement a Multi-Factor Authentication (MFA) program into your security stack if you have not yet. With MFA, after a user enters their credentials to log into any account on a website or program, they will be prompted to enter a code sent to them via email or text, or to be extra secure, a third-party MFA application on an alternate device. Users will be required to enter this code as a second form of credentials that proves they are indeed the authorized user and not someone who has gotten access to their password.

Myth #2: It Has Never Happened to Me. I Have Nothing to Worry About

The idea that “I have never experienced ___, so I never will.” is seen in countless situations, including, now more than ever, falling victim to ransomware. An over-elevated level of confidence within your cyber resilience (or lack thereof) may be the biggest threat to your organization. Even with some of the toughest cybersecurity solutions, it is still entirely possible for your organization to fall victim to any malware through a phishing email or by clicking a malicious link online. In many cases, organizations’ decision-makers do not understand the severity of a cyberattack like ransomware until they experience it firsthand. If your organization holds sensitive data of any kind, you should consider yourself at risk of a cyberattack.

To best combat the risk that follows the ideology that you are safe because you have never been the victim of a cyberattack is to turn your thinking around; think about the idea that a cyberattack is imminent, and that it is just a matter of time before a threat actor strikes. Start by educating your staff/colleagues on cybersecurity awareness, especially in phishing attempts. Next, research and test cybersecurity tools that you believe best align with what your organization needs and develop a strong cybersecurity stack. You can find a longer, helpful list of others cybersecurity tactics you can implement in this blog on seven cybersecurity resolutions you can implement in 2023!

Myth #3: More Tools = More Protection

A common misconception is that the more protective tools you have in place within your organization, the more you guarantee your safety from cyberattacks. The fact is, no matter how many of the best tools you implement into your cybersecurity stack, there is no guarantee that your organization is 100% safe from every or any type of malicious software, including viruses, ransomware, worms, trojans, and others. In addition to this, some tools do not agree with each other. They may end up interfering with their individual processes, setting one another’s alerts off, or blocking each other entirely, preventing the detection or protection of ransomware in your network. So, rather than paying for as many tools as you can, it is vital to implement the right tools that not only work well together, but also complement each other in a shared environment.

On the other hand, you should not limit the tools in your security stack to just one; there is no one tool that covers everything! So, for coverage that satisfies your organization’s leads, it is recommended that you do not limit your toolset within your security stack to too little while also not implementing too many tools to the point where some are not contributing or are overlapping and limiting one another. Consider the three of the major portions of cybersecurity: Protection, Detection, and the Human Element (see ThreatLocker’s CEO and Co-Founder, Danny Jenkins’, and Ironscales’ CEO, Eyal Benishti’s, take them on in this webinar). Once you can decipher what tools and tactics work best for your organization, it is important to see how it works on paper and give everything a test run to discover if it is right for you. From there, it is only optimizing your tools and strategies over time.

Myth #4: All Hackers Are Bad People

The term hacker has negative connotations for obvious, well-deserved reasons. However, contrary to common belief, not all hackers have malicious intent. For example, there exists “ethical hackers.” These ethical hackers may sometimes work for a government on legitimate defensive or offensive hacking needs, keeping a nation one step ahead of any tricks a “non-allied” country may try. In other situations, organizations will hire these ethical hackers to test their cybersecurity, allowing them to simulate a malware attack by breaking into their network.

The Merriam-Webster's dictionary has multiple, technical definitions of “hacker”, only one of which has a truly negative context:

1. One that hacks
2. An expert at programming and solving problems with a computer
3. A person who illegally gains access to and sometimes tampers with information in a computer system

ThreatLocker CEO and Co-Founder, Danny Jenkins, mentions in a recent webinar, “3 Approaches to Protect Your Business from Ransomware,” that he has a background in ethical hacking. Various companies would hire him to test their security stacks, resulting in him writing malware and creating rubber duckies to crack into their networks.

“The term hacker has a bad rap, of course, but there are also ethical hackers these organizations hire to test their security as well as defense hackers that work with the government.”

Myth #5: Cybersecurity is Too Expensive $$$

Most cybersecurity tools are NOT cheap, and when their bills add up, they can take up a good chunk of your IT operation budget. Unfortunately, today, technology in the hands of cyber criminals is more advanced than ever, and if you are not protecting your organization from cyber threats, it is practically imminent that a threat actor will have no trouble whatsoever entering your systems and network. Almost every organization, of every size, in any industry, needs to develop a version of a cybersecurity stack that they can both afford and rely on.

Ransomware payout demands are astronomical now compared to where they were years ago. Nowadays, ransoms are demanded in cryptocurrency, mainly bitcoin, because decentralization can prevent any payment from being tracked to whichever account it was sent to. This minimal risk, or lack thereof, has heavily influenced the dramatic rise in financial demands. 2021’s world-total ransomware demands added up to $20 billion (a 57x increase from 2015) and is expected to jump to over $260 billion by 2031! In addition to a ransom payment, your organization will also incur financial loss from the damage done to your reputation as a reliable host for the confidential data of employees, clients, and other entities whose data you are responsible for keeping safe and secure.

When comparing the cost of developing a cybersecurity stack for your organization to the millions of dollars you could potentially lose from a ransomware attack, it is clear to see that making monthly or annual payments for the security of confidential data is not even a fraction of the financial and reputational damage your organization would experience from a cyberattack. Cyber defense expenses are set by your organization’s budget(s) but are inexpensive in exchange for the security you need to sleep easy at night, knowing your organization has a lesser chance of falling victim to a cyberattack.

Conclusion

Cybersecurity is a complicated and heavily technical subject. When going about developing and operating your security strategy, you cannot afford to make decisions based on misconceptions, misinformation, or myths you may have heard/read while doing your research.