Cyber security and information security are often used synonymously, in the sense that the main idea is to protect people, processes, and technology from malevolent actors such as hackers, inside threats, spammers, and other malicious players. It has been observed that both individuals and organisations are not much aware of cyber security and its potential impact on them, as a result, attackers are gaining an unfair advantage over data and information. Since 2013 when Edward Snowden made the biggest reveal pertaining to data privacy and invasion, the world became aware of the significance of data security more than ever.
Still, in Bangladesh, most organisations either ignore the necessity and impacts of potential security breaches or maintain security at a minimum level just to comply with the legal and compliance requirements. Moreover, there seem to be some common myths and misconceptions regarding this issue, making Bangladeshi firms vulnerable to cyber attacks and future problems. Hence, Senior InfoSec Manager at Monstarlab Enterprise Solutions Zakaria Hasan, formerly engaged as an IT security professional in different government projects such as eGP, SEIP, etc, and worked closely with NSDA, DoICT, and BTEB as cyber security trainer & consultant from time to time, sat down with this writer to debunk some myths.
Myth 1: Small and medium-sized businesses aren't really targeted for data breaches: Many firms believe that they are not in hackers' radius because they are not significant enough to be targeted. Unfortunately, this opinion is simply false. According to the 2021 Data Breach Investigations Report from Verizon, around 61 per cent of all SMBs reported at least one cyberattack during the previous year.
Most small and medium-sized businesses do not have sufficient resources and/or willingness to address security threats and risks. Hackers take this window of opportunity to carry out their malicious activities which at least cost the organisation data breaches along with other losses. Technically, it's much easier to compromise SMBs rather than the giant companies as they follow and maintain rigorous "Information Security Framework" enterprise-wide. Besides most, SMBs work as a supplier/vendor/partners of big corporate companies, and Hackers exploit SMBs' weak security infrastructure to compromise Giant companies!
Myth 2: Cyber threats only come from external sources: Unlike the scenes in Hollywood films where a hacker in a dark corner of a room controls the power system of a system from miles away, that is very rarely the case. In reality, insider threats are equally perilous and need equal attention as external threats. According to Gurugul, 98 per cent of companies are concerned about insider threats whilst only 11 per cent believe they're well protected from them. Internal threats fall into three broad categories: (a) Negligent Insider (b) Stolen Credentials and (c) Malicious Insider
Cyberattacks can very well start from someone known to us. Insider threats are on the rise and are fast becoming a cause of concern for businesses. Insider threats can include employees, vendors, contractors, business partners, or an external intruder trying to impersonate an employee. In addition, you can only be partially aware of where these attacks can originate from, and traditional security solutions are largely ineffective when it comes to these threats. This makes them much harder to detect and contain than external threats. Use a combination of behavioural analytics and privilege and access management along with security awareness training to minimize insider threats.
Myth 3: It's possible to achieve complete security: As much as we would want this statement not to be a myth, the truth is it will stay as a myth. As long as a device is connected to the internet, that device has even the slightest chance of being attacked by cybercriminals. Cyber/information security is a continuous process that needs continuous adoption of new cybersecurity strategies and consultancy as new threats emerge.
The cyber security threat landscape is everchanging and evolving. It has been said that a single introduction of new technology may introduce thousands of threats and vulnerabilities. The point is there is no such thing as ‘ABSOLUTE’ security rather it's manageable security. The main objective of cyber security is to minimise the risks to an acceptable level. To keep up with the new technologies and trends like cloud security, AI, and Machine Learning cyber security strategies must also evolve accordingly.
Myth 4: Cybersecurity is too expensive: After the previous statement, you may wonder, what is the point of cybersecurity in the first place? The thing is, the door to your house can be broken down eventually, depending on the force a robber puts behind it. The question is how sturdy you want your door to be so that you can intervene before the robber takes your goodies. And in reality, the proverbial door or cybersecurity is not expensive at all.
The cost of a good cybersecurity solution is nothing compared to the cost of a successful attack. According to IBM, the average cost of a data breach in 2021 is $4.24 million, the highest in the last 17 years. With the help of proper strategy and consultancy, the tradeoff between security and cost can be drastically reduced.
Till today, cyber security is considered a matter of expense and always comes later. This concept is so alarming because without proper cyber security you can lose your business just in a blink of an eye! It is true for most organisations that cyber/information security does not contribute to direct financial profitability but in the long run, it protects the company from losing everything! It is the utmost duty of security professionals to convey this message at all levels of an institution. Security, Cost, and Operations - among these three, there is a common point that every organisation must achieve. Proper awareness, guidance, and consultancy may help an organisation pinpoint its desired level of security cost-effectively without compromising business efficiency!
We live in a world of data. Be it a small business or a large organisation, its data is valuable and susceptible to threats (both internal and external!). Thus, organisations would be wise to invest in a robust cybersecurity strategy and cybersecurity training across the organisation.
The writer is an execution excellence manager at Monstarlab Enterprise Solutions and a BBA graduate from IBA, Dhaka University.
[email protected]
