There are probably a ton of cybersecurity implementation myths. Here are the big four:
1. If we focus on security, we won’t be able to accomplish as much.
Security doesn’t have to compromise productivity; it can be part of it. Think of vetting devices, solutions, or even the vendors themselves. A security risk assessment can be part of the vetting process and can help you take appropriate security measures as early as possible, before you commit to anything. This helps the planning phase and provides clear objectives to scale from. Become a well-oiled business by including security in business objectives, performance indicators, and strategic planning. Make security something your business can’t advance without: something that not only minimizes risk, but is imperative to implement.
2. Once we complete this project, our security measures are in place and we’re done.
Not a chance. Setting up security or completing a project is only the beginning. Cybercrime as a whole is changing rapidly. Furthermore, new threats and attack vectors are discovered at a rate that’s hard to keep up with. After setup, it’s important to engage in assessments, self-audits, teachable moments, and whatever else you can do to test your user base and infrastructure. Stay current on emerging threats. But you’re still not done. Don’t wonder what would happen if you get hacked. Start planning what will happen when you get hacked. The businesses that have a recovery plan recover the quickest.
3. OK, this security thing sounds good. I’m going to secure everything to the maximum.
I’m glad you want to, but the reality is that resources are finite. If you try to go hard on everything, you will miss something or overspend in trying to do so. Not to mention the user experience would most likely be terrible, but I digress. The other extreme is playing catch-up, trying to secure everything as it comes up. You need to figure out what is most critical to your organization. Take a look at potential weak spots. Think “If someone can break through here, what would the damage be?” This is more a game of managing risk and trying to minimize it than of getting everything perfect.
4. I’m compliant with _____ regulation. I’m secure.
Unfortunately, that’s not true. Being compliant with security policies enforced by laws and regulations is really doing the bare minimum to get by. Many of these policies have language similar to “this is a compliance floor, not a ceiling,” or “these are minimum requirements,” which is why exceptions are generally not allowed without a compensating control. Thinking in a checkbox compliance mindset will actually narrow your security posture. Expand your security posture by adding compliance controls on top of a strong, existing security program.
What are some security myths you've heard?