In the world of Information Security there are myths that influence senior executives, business managers and sometimes even sector professionals, causing misunderstandings and exaggerations about threats to IT systems and the technologies used to fight them. Many of these myths exist because people tend to react excessively and emotionally in unfamiliar situations instead of making an objective analysis. The result is overestimating the problem and relying on the first solution proposed to us, or worse, underestimating the risks in the hope of avoiding extra costs.
Myth #1 – It Won't Happen to Me
This is the belief that your company will never face IT security problems. It is often voiced by someone who does not want to spend, or rather invest, hoping the risk will not materialize. Instead, when a problem is recognized, or even only suspected, there should be a risk analysis phase and, if appropriate, the resources needed to mitigate or completely resolve it should be invested.
At other times the opposite happens: the impact of vulnerabilities is exaggerated. The best thing is to use a metrics framework to give an objective value to vulnerability risk.
Myth #2 – All Risks Can Be Quantified
Companies have the wrong idea that everything can have a number attached to it. There is the illusion that security managers can obtain the budget they need only if it is justified by an Excel spreadsheet. Instead, senior management must be helped to understand what can and cannot be quantified, and to obtain the budget needed to implement a robust architecture of basic security controls.
Myth #3 – We Have Physical Security or SSL, So the Data Is Safe
More simply: we have an antivirus and a firewall, so we are safe! This is not true. This idea is often planted by external suppliers trying to sell their products and focusing everything on their features. Please, stop buying products and appliances; they will not magically make you secure! And even if the product is “good”, shouldn't we make sure it is configured correctly and works at its full potential?
In reality, security must be developed as an architecture starting from risk assessment, considering what is being protected, so that the right controls can be implemented. This avoids being distracted by elements that are not essential to security.
Myth #4 – Using Complex Expiring Passwords Reduces Risk
This is not true. Passwords are not effective and the whole scheme has serious gaps. It is only an obsolete historical precedent that companies cling to.
Passwords are not enough, since cracking is not the only way to get past the obstacle: there is also sniffing and credential reuse across systems with different security levels. Finding a valid alternative to passwords is difficult, and two-factor or multi-factor authentication cannot always be implemented easily. Meanwhile, companies can advise employees not to use personal passwords at work, and perform periodic checks on password strength.
Myth #5 – Buying an IT Security Device Will Solve Every Problem
We have just been told about a new product: it solves 95% of problems, is easy to install and costs as much as one of the many servers we have in the company. If only. As said before: stop buying software and hardware hoping they will magically solve our problems. Without serious analysis and audit work on the real critical issues our business is exposed to, we will waste money and increase the complexity of our infrastructure. This myth represents a common and mistaken understanding of the “security” problem as a whole.
Relying on myths is wrong. That is why EasyAudit exists: a professional and affordable tool for getting a second opinion on your company's IT security!
Want to know how exposed your website is?
EasyAudit WEB checks websites, portals and e-commerce with a professional external audit designed for SMEs.