Misconceptions. A view or opinion that is incorrect because based on faulty thinking or understanding. It is important that small and medium businesses do not have misconceptions about cybersecurity, because the consequences can be dire.
Misconception #1: My data (or the data I have access to) isn’t valuable
Reality: All data is valuable
Take Action: Do an assessment of the data you create, collect, store, access, transmit and then classify all the data by level of sensitivity so you can take steps to protect it appropriately.
Misconception #2: Cybersecurity is a technology issue
Reality: Cybersecurity is best approached with a mix of employee training; clear, accepted policies and procedures and implementation of current technologies
Take Action: Educate every employee on their responsibility for protecting sensitive information.
Misconception #3: Cybersecurity requires a huge financial investment
Reality: Many efforts to protect your data require little or no financial investment
Take Action: Create and institute cybersecurity policies and procedures, restrict administrative and access privileges, enable multi-factor authentication and train employees to spot malicious emails.
Misconception #4: Outsourcing to a vendor washes your hands of liability during a cyber incident
Reality: You have a legal and ethical responsibility to protect sensitive data
Take Action: Put data sharing agreements in place with vendors and have a trusted lawyer review
Misconception #5: Cyber breaches are covered by general liability insurance
Reality: Many standard insurance policies do not cover cyber incidents or data breaches
Take Action: Speak with your insurance representative to understand your coverage and what type of policy would best fit your organization’s needs.
Misconception #6: Cyberattacks always come from external actors
Reality: Succinctly put, cyberattacks do not always come from external actors
Take Action: Identify potential cybersecurity incidents that can come from within the organization and develop strategies to minimize those threats.
Misconception #7: Younger people are better at cybersecurity than others
Reality: Age is not directly correlated to better cybersecurity practices
Take Action: Before giving someone responsibility to manage your social media, website and network, etc., train them on your expectations of use and cybersecurity best practices
Misconception #8: Compliance with industry standards is sufficient for a security strategy
Reality: Simply complying with industry standards does not equate to a robust cybersecurity strategy for an organization
Take Action: Use a robust framework to manage cybersecurity risk.
Misconception #9: Digital and physical security are separate things altogether
Reality: Do not discount the importance of physical security
Take Action: Develop strategies and policies to prevent unauthorized physical access to sensitive information and assets (e.g., control who can access certain areas of the office.)
Misconception #10: New software and devices are secure when I buy them
Reality: Just because something is new, does not mean it is secure
Take Action: Ensure devices are operating with the most current software, change the manufacturer’s default password to a unique, secure passphrase and configure privacy settings prior to use.