Cybersecurity: 4 Common Misconceptions That Put Organizations At Risk
Nigel Phair, Director of UNSW Canberra Cyber, explains that people—not programs—are a company’s first line of cyber defense, along with some other surprising cybersecurity truths
Cybercrime is on the rise. In 2019, cyberattacks occurred every 14 seconds, up from every 40 seconds in 2017. As coronavirus drives greater internet use than ever before—up 50% compared to this time last year—it is likely that cybercrime will grow in step.
According to a report from leading information security advisory Herjavec Group, cybercriminal activity is one of the greatest threats companies will experience in the next two decades.
Accenture’s 2019 Cost of Cybercrime Study calculated that the cost of these attacks for an organization increased from US$11.7 million in 2017 to a new high of US$13.0 million, a rise of 12 percent. This can impact organizations from start-ups to multinationals, and even governments.
Despite this, many professionals remain in the dark about what cybersecurity is, and how to implement it. According to a survey by antivirus software provider McAfee, 57% of Australian cybersecurity managers have trouble finding staff to join their cybersecurity teams.
“Business [today] is intrinsically linked to the internet, so it’s crucial for businesses to understand threats in the online environment,” comments Nigel Phair, director of UNSW Canberra Cyber, a global leader in cybersecurity research and education, based at the University of New South Wales (UNSW) in Australia.
Alongside his work in Canberra, Nigel provides thought leadership and policy advice on the impact of cybercrime to multi-national organizations and governments globally.
He is also the program director for the new virtual learning program: Cyber Security Essentials for Leaders, developed in conjunction with the Australian Graduate School of Management (AGSM). The program will help organizations protect themselves from different types of cyberattacks.
“We developed this program with AGSM to cover important aspects of cybersecurity—from assessing security gaps and risks, to planning and implementing an appropriate cybersecurity framework,” he explains.
According to Nigel, there are four main cybersecurity misconceptions that hold back business leaders from maintaining a safe online environment.
Misconception 1: Not all businesses are at risk of cyber attacks
Reality: Since virtually all businesses have at least one digital component—whether a website, email system, or computerized database—all are vulnerable to cyber-attacks.
“Since all businesses have an online aspect, it seemed appropriate that people learn this integral part of a successful business,” Nigel explains.
For Nigel and his colleagues, one fundamental aspect of the Cyber Security Essentials for Leaders short course will be to help business leaders identify risks to their business.
“First, we talk about protecting the business value and ensuring the survivability and ongoing measure of the business,” he says.
“They’ll also learn to use a risk management framework to make decisions about their cyber security protocol and how to action it,” he says.
Misconception 2: Viruses are the biggest cyberthreat
Reality: Although ransomware and spyware attacks tend to attract the most media attention, they are not the most common cyber threat—in fact, according to a study by cyber security solutions provider FireEye, 86% of email attacks are free from malicious software, or malware as it is commonly known.
The two biggest cyberthreats are currently phishing attacks and compromised emails.
In a phishing attack, cyber criminals attempt to collect confidential data using deceptive emails and websites. Email compromise is a similar, but more targeted, form of email attack, during which criminals pose as a prominent company member to convince an employee to provide money or information.
These attacks are incredibly common. One 2019 survey found that 88% of organizations experienced a phishing attack that year, while 86% dealt with an email compromise attack.
“Protecting against these ubiquitous threats requires company leaders to quickly recognize them and relay this information to their team,” said Nigel. “The business’ ability to pass on knowledge is crucial.”
Misconception 3: Antivirus software and firewalls are the only line of cyber defence
Reality: Software plays an important role in keeping digital assets secure, but people—not programs—are a company’s first line of cyber defence.
Email attacks depend on human fallibility, so well-informed employees are a key component of cybersecurity strategy.
“Cyberattacks are not so much a technical problem as a people problem,” Nigel reflects. “Everyone in an organization could be susceptible to a cyber-attack, and it’s everyone’s responsibility to protect the digital assets of their organization. Regular training is a crucial element of any organization’s cybersecurity strategy.”
Incidents like Uber’s 2018 data leak also highlight the human error aspect of cybersecurity. The breach occurred when two hackers accessed data stored in a third-party cloud service and could have been prevented through access monitoring using readily available software.
It was a blind spot in Uber’s cybersecurity strategy that allowed the incident to happen. To avoid such oversights, Nigel recommends a careful assessment of the data an organization holds.
“You then need to use risk management concepts to work out what data needs to be protected, understand where it is housed, who has access, and the login regime,” he explains.
For this approach to be effective, trained individuals must constantly monitor and maintain online security, communicating any potential leads to business leaders.
Misconception 4: Cyberthreats do not vary much
Reality: Although phishing and other email threats are the most common form of cybercrime, it's important to bear in mind that the risks an organization faces can vary significantly depending on industry, size, structure, and the kind of data they hold. These threats are constantly evolving.
“[Besides phishing,] other risks include attacks on unpatched software, payment systems, and supply chains,” Nigel notes.
“Leaders need a clear understanding of all these factors as they predict threats and employ a cybersecurity strategy. Elements of this strategy might include staff training, firewalls, or antivirus software,” he adds. “There’s no blanket route to overcoming cyberthreats.”
Social media accounts have also recently emerged as a point of vulnerability. A recent cyber-attack on Twitter allowed hackers to access the accounts of 130 celebrities, politicians, and businesspeople—including Kim Kardashian, Barack Obama, and Jeff Bezos.
Through the new Cyber Security Essentials for Leaders course, Nigel hopes to equip professionals with the skills they need to make tailored cybersecurity decisions that will keep their organizations safe.
These competencies include recognizing and classifying common cyber threats, identifying gaps in current practices, and promoting cyber safety to their team.
As we continue to see growth in online transactions, staying abreast of cyberthreats, communicating best practices to employees, and continuously updating cybersecurity strategy are crucial for all team members as well as business leaders.