If someone asks you a question and you don’t know the answer, what do you do? “Let’s check Google…” would be a common response. There’s literally an answer to everything you could ever think of, but how do you know if it’s genuine, well-researched and not a complete load of…
Cyber security is no different. There’s a lot written every week about the latest threats, technology and advice on how you should be dealing with cyber security.
If you’re a regular reader of our blog you’ll know that we try to substantiate everything we say with good, hard facts. I know – what a novel approach.
So, here are four cyber myths I’ve come across that I want to smash:
Hackers are your biggest threat
Let’s not beat around the cyber bush: hackers are a massive threat and come in all shapes and sizes. But are they really the biggest threat to your business?
According to a survey from Cisco, 48% of respondents claimed that the company security policy didn’t affect them. That’s a good start: one in two people aren’t really that bothered. Now, let’s add a little fuel from the Information Commissioner’s Office. Its 2014-15 Q4 report found that 93% of incidents were caused by human error. Do you want some more? Okay then… The 2015 Information Security Breaches Survey found that “50% of the worst breaches in the year were caused by inadvertent human error.” We haven’t even mentioned the threat of phishing emails or social engineering, but I think you’re beginning to get the point.
Your staff pose just as big a threat to your business as hackers. A lot of the time it’s not their fault – they’re just human. The good thing is that most of us have the capacity to learn, and you could do a lot worse than sending your staff on an information security e-learning course.
It’s all about the technology
For all the processes and technology you have in place, there is a third factor in this holy trinity of security: people. Just as in the previous section, people are crucial to the security of your business.
If your staff don’t understand how to follow processes and properly use technology, then your cyber defences are not going to work as you intended. The international information security standard ISO 27001 understands this and places this trinity of people, processes and technology at its core. Find out more about this approach, and how to integrate these three aspects of security, in the bestselling guide The Case for ISO 27001.
I’m a small business; there’s really little I can do or afford to do
Implementing a cyber security programme can put a lot of people off because of its perceived cost. How robust can your cyber defences be on a limited budget?
A lot of cyber security hinges on getting the basics right and implementing proportional controls for your business. For example, according to Verizon’s 2015 Data Breach Investigations Report (DBIR), 70% of attacks exploited known vulnerabilities that had patches available, with some exploiting vulnerabilities dating back to 1999. Every week Microsoft publishes its latest batch of patches – what do you think this says to cyber criminals? It says there is a vulnerability here, and if people don’t fix it then criminals can exploit it. This isn’t complex or expensive; it’s getting the basics right.
Taking this further, the UK Government created the Cyber Essentials scheme to directly help SMEs create better defences. Its research found that around 80% of the most common cyber attacks could be prevented by implementing a set of five simple controls. The scheme itself is reasonably easy to implement, and we offer packages ranging from just £300 for those with internal cyber security expertise to £1,895 for those with very few internal cyber security skills. That seems a small price to pay to prevent 80% of cyber attacks.
There is no ROI for cyber security
Gauging ROI from your cyber security programme is definitely a tricky issue, but we need to consider that cyber security credentials are as much a business enabler as a defence system. Many business contracts now require cyber security credentials, with ISO 27001 being an internationally accepted benchmark of best-in-class information security.
Last week the Cyber Essentials scheme won SC Magazine’s Editor’s Choice Award for “putting a bar in place for the first time, potentially having a greater impact on improving information security in the UK than any other single initiative”. The editor of the piece commented on how early adopters were now “gaining market advantage by demonstrating their cyber security awareness” through Cyber Essentials.
On the other side of the coin is the cost of a successful cyber attack. According to PwC’s 2015 Information Security Breaches Survey (ISBS), breaches cost small businesses £75-£311K and large businesses £1.46-£3.14M on average. That’s pretty painful. I’d advise that every business out there conducts a risk assessment, identifying the risks and their consequences. You can then start to build a case for a proportional cyber security programme that protects, gives you competitive advantage and has identifiable ROI.
Okay then, that’s four cyber myths that I’ve hopefully smashed. If you want to join the myth-busting party, then I’d love to hear some of your own.
In the meantime, why not download our free green paper on cyber security? It’s written by our cyber security expert CEO, and offers more detailed advice on how to protect your business in cyberspace.