Inhalt
There are some beliefs, half-truths and myths – and not just in IT – that persist for an astonishingly long time. If they affect the security of a company, it becomes dangerous. Especially in the area of cybersecurity, it is better to rely on evidence than on opinions and outdated wisdom. Otherwise, a false sense of security can quickly lead to a rude awakening.
Here we have compiled a few myths that we encounter time and again in our work as one of Germany’s leading cybersecurity providers. The list ranges from false assumptions about the potential targets of hackers to overestimating one’s own invulnerability. After all, almost every company invests a lot in hazard prevention. However, whether this actually eliminates all risks is another matter entirely.
Myth 1: Our company is too small and insignificant
There are still some companies that believe that their industry, their size or their conventional business model means they are not even the focus of hackers. This impression may be reinforced by media coverage, which mainly focuses on large corporations. In fact, the exact opposite is the case: almost all studies assume that small and medium-sized enterprises (SMEs) are significantly more frequently affected. The latest situation report from the German Federal Office for Information Security (BSI) comes to the same conclusion. The BSI paints a bleak picture: “Even in 2023, many companies will not have sufficient knowledge of the general cyber threat situation or their own risk profile.”
The consequence of this misjudgment is that, according to the BSI, only 62 percent of micro-enterprises regularly run security updates. Only 46 percent leave their IT security to an external service provider, and only 18 percent have an emergency plan. In addition, they often do not have sufficient resources and personnel themselves. Such a situation is ideal for hackers. Many companies often become accidental victims, for example through mass phishing emails or inadequately secured systems that are accessible via the Internet.
Myth 2: We have no valuable data
This may be true at first glance, but hardly at second glance. Because almost all business processes are digital today. Accordingly, all associated data is also included. Hackers could, for example, not only steal sensitive data, but also delete or damage it. This includes customer information, financial transactions, employee data and intellectual property. The loss of such data can have serious consequences – for any company. Ransomware attacks in particular can result in a major loss event. On the one hand, there are high ransom demands, on the other hand, such an attack can block the entire business activity. There are probably very few companies that would be able to cope with their business operations coming to a standstill for an extended period of time. Insolvencies due to cyberattacks are therefore not uncommon.
But even if it doesn’t get that far, the damage can be extensive. For example, it would be very damaging if sensitive payment data, personal files or business contacts were to be traded on the black market. The reputational damage would also be enormous and could undermine the trust of customers, partners or investors. In addition, the financial damage can be further increased by the loss of passwords from other services, for example.
Myth 3: Our compliance makes us safe
Many security solutions are used in companies and compliance, i.e. adherence to legal regulations and industry standards, is an important part of the security strategy almost everywhere. However, the feeling of security here can also be deceptive. This is because many compliance guidelines only set minimum standards for IT security. They therefore guarantee basic protection, but cannot keep pace with the rapidly changing cyber threats. In addition, compliance regulations do not necessarily cover all aspects of security. It is therefore possible that some areas are not covered by the regulations. Poorly implemented compliance can also lead to a false sense of security. It is always important to question your own strategy instead of focusing exclusively on compliance.
Myth 4: Cloud and regular patches offer sufficient data security
The regular installation of patches for the software used in the company should be a matter of course. But often days or even weeks pass before an official patch is released. Attackers no longer wait that long, on the contrary. The average time between the discovery of a security vulnerability and its exploitation has decreased dramatically in recent years. It often only takes a few days or even a single day for a vulnerability to be exploited. Accordingly, your own IT department should act quickly and not postpone the elimination of security gaps in order to avoid annoying downtimes. It is more difficult with zero-day vulnerabilities that are not yet known to the developer or for which there are no patches yet. Here, too, you can at least keep yourself constantly informed and should not wait for the manufacturer to deliver a “perfect” patch. You may have to resort to a workaround here. That is still better than not acting at all.
Although the problem of software patches does not exist for cloud services, this does not mean that you are on the safe side per se. A look at online databases such as the Open Cloud Vulnerability & Security Issue Database shows that there are indeed security gaps here. Apart from that, it always depends on the configuration. If this is inadequate or default settings have not been adjusted, this can lead to critical security vulnerabilities. Last but not least, the old truth still applies: even when storing data in the cloud, each company is still responsible for the security and backup of its own data – and no one else.
Myth 5: All attacks come from outside
With systems that are only accessible internally or via VPN, many people assume that all access is automatically trustworthy. This is a dangerous misconception. The internal network is nowhere near as trustworthy as you might think. It is possible that an insider is already inside and has access through a compromised computer, for example. If network segmentation is then missing, this attacker would have access to the entire company network. He could then, for example, scan all internal services for vulnerabilities and gain access to all important data via an unpatched Active Directory gap. To prevent this, companies must therefore protect and constantly update their internal services in the same way as externally accessible ones. Approaches such as Zero Trust can raise awareness of the fact that not everything that happens within your own network is automatically trustworthy. In this sense, the monitoring and filtering of data traffic should also include outgoing connections. This is the only way to detect the communication of malware with a control server on the Internet, for example.
Conclusion: Facts rather than myths
The list of IT security myths is long – we can only show a small selection of them here. You can see that certain assumptions persist even though they have long been disproved in practice. In many cases, this makes it easy for attackers – too easy. It helps to be aware of a few facts. The most important is certainly that any company could be the victim of an attack, really any. Attack attempts take place everywhere – every day. It is therefore a good thing that companies protect themselves and in most cases also invest in their IT security. Of course, companies are not helplessly at the mercy of threats, but can at least minimize the risks. However, being absolutely certain is another myth that may lead to the exact opposite.
