The Top 5 Cybersecurity Myths the C-Suite Should Look Out For

essidsolutions

While most enterprises recognize the importance of C-suite involvement in and support of corporate cybersecurity, many executives aren't seeing the whole picture of protecting against cyber threats. Milad Aslaner, head of the technology advisory group at SentinelOne, shares the top five myths C-suite execs should be wary of.

With the number and cost of cyber attacks increasing with no end in sight, cybersecurity strategy is now firmly part of the discussion in the C-suites of most large organizations. But the C-suite is often tempted to take the word of consultants and security vendors at face value, trusting that bold statements on how to win the war against cyber threats will be enough to protect their organizations. Unfortunately, relying too heavily on assumptions and blanket approaches can undermine an organization's efforts to secure the business.

Five Cybersecurity Myths Busted

Here are some of the key myths told to the C-suite that need to be dealt with cautiously before making any crucial decisions.

1. Operating system (OS) security is enough to secure your endpoints

Microsoft Windows is the dominant desktop operating system worldwide, with nearly 74 percent market share as of December 2021. Microsoft is not only an OS vendor; it is also a vendor of security software. It would seem reasonable to assume that such a widely used operating system, with built-in security, ought to be safe from attack.

But the popularity of Windows also makes it a prime target for bad actors. Last year alone, cyber attackers took advantage of Microsoft vulnerabilities in Exchange Server, like ProxyLogon and ProxyShell, followed by PrintNightmare, HiveNightmare, and vulnerabilities in the Microsoft Defender suite.

Microsoft Defender was largely ineffective at stopping the attacks by Hafnium and the Conti ransomware gang that exploited such vulnerabilities. The security product itself came under scrutiny when it was revealed that Microsoft Defender had contained a privilege escalation vulnerability for over 12 years. This was followed by a recent discovery allowing remote code execution through Microsoft Defender for IoT.

And it’s not just Windows that has vulnerabilities. Apple admitted earlier this year that macOS does have a problem with malware. Macs are extremely popular among C-Suite executives and developers, making enterprise Macs a high-value target for hackers.


2. A Zero Trust approach is easily achievable

The concept behind Zero Trust is simple. As the name implies, trust is no longer automatically granted to anyone, whether inside or outside the corporate network. Instead, Zero Trust follows the principle of "never trust, always verify." Every request is checked on its own merits: the user's identity, the health of the device it comes from, and whether that user is authorized for the specific resource. Only then is access to corporate resources and services granted, and being on the corporate network is not a substitute for any of those checks.

While this can certainly be an effective security posture, in practice, most organizations can’t easily implement a complete Zero Trust Architecture (ZTA). Zero Trust isn’t a ‘flip the switch’ solution that transforms your organization overnight. It can take many years for a business to convert from legacy security models to ZTA, as this requires integration across multiple assets and security systems while facing daily attacks on the company. In short, Zero Trust is a worthy security model, but it takes longer to put into practice than vendors may care to mention.
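To make the "never trust, always verify" principle concrete, here is an added example (not the article's or SentinelOne's code) contrasting a perimeter-style decision with a per-request Zero Trust decision. The resource policy, the posture-signing key, the device identifiers and the requests are all constructed for the example; a real deployment would have an identity provider and a device-posture service issue these claims.

```python
"""Added example: perimeter trust vs. per-request Zero Trust evaluation.

Not code from the article or from SentinelOne. Everything below (policy table,
posture key, device ids, requests) is constructed for illustration.
"""
import hashlib
import hmac
import json

# Hypothetical shared secret of a device-posture service (assumption).
POSTURE_KEY = b"example-posture-service-key"

# Per-resource policy: who may access it and what the device must prove.
POLICY = {
    "hr-payroll": {
        "roles": {"hr"},
        "require": {"disk_encrypted": True, "edr_healthy": True, "os_patched": True},
    },
    "wiki": {
        "roles": {"hr", "eng", "sales"},
        "require": {"edr_healthy": True},
    },
}


def sign_posture(device_id, claims):
    """Posture service: attach a MAC so the client cannot edit its own claims."""
    payload = json.dumps({"device": device_id, **claims}, sort_keys=True)
    mac = hmac.new(POSTURE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_posture(token):
    """Return the claims if the MAC checks out, otherwise None."""
    expected = hmac.new(POSTURE_KEY, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return None
    return json.loads(token["payload"])


def perimeter_decision(src_ip, resource):
    """Legacy model: a source address inside the corporate range is trusted."""
    return src_ip.startswith("10.")


def zero_trust_decision(identity, posture_token, resource):
    """Evaluate identity, verified device posture and resource policy on every request.

    Network location is deliberately not an input.
    """
    policy = POLICY.get(resource)
    if policy is None:
        return False, "unknown resource"
    if not identity.get("mfa"):
        return False, "identity not strongly verified"
    if identity.get("role") not in policy["roles"]:
        return False, "role not authorized for resource"
    claims = verify_posture(posture_token)
    if claims is None:
        return False, "device posture claim failed verification"
    for key, wanted in policy["require"].items():
        if claims.get(key) != wanted:
            return False, f"device fails requirement: {key}"
    return True, "allow"


if __name__ == "__main__":
    alice = {"user": "alice", "role": "hr", "mfa": True}
    healthy = sign_posture("lt-042", {"disk_encrypted": True, "edr_healthy": True, "os_patched": True})
    stale = sign_posture("lt-042", {"disk_encrypted": True, "edr_healthy": True, "os_patched": False})
    # A client that edits its own posture claim breaks the MAC.
    tampered = {"payload": stale["payload"].replace("false", "true"), "mac": stale["mac"]}

    print("perimeter, attacker on 10.0.0.0/8:", perimeter_decision("10.1.2.3", "hr-payroll"))
    print("zero trust, healthy device:", zero_trust_decision(alice, healthy, "hr-payroll"))
    print("zero trust, unpatched device:", zero_trust_decision(alice, stale, "hr-payroll"))
    print("zero trust, tampered claim:", zero_trust_decision(alice, tampered, "hr-payroll"))
```

The point of the contrast is the input set: the perimeter function only ever sees a source address, so an attacker who reaches the internal network is indistinguishable from an employee. The Zero Trust function never sees an address at all; it asks for proof on every call, which is also why retrofitting it onto systems that only know how to ask "is this inside the network?" takes the years mentioned above.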

3. Mobile security is optional

Smartphones have been part of our personal and professional lives for over a decade. Yet many security teams and vendors still aren't prioritizing mobile device security in the business setting. Businesses understand, now more than ever, that mobile devices are essential to the productivity of their workforce, but their efforts to protect those devices aren't keeping pace.

Attackers, on the other hand, aren't overlooking them and are more than happy to find exploits that hit businesses where it hurts. Apple is already in the crosshairs. It was recently discovered that iOS users were at risk from a highly sophisticated zero-click, zero-day exploit used to install the so-called 'Pegasus' mobile spyware. The exploit was developed by the NSO Group, a private enterprise offering 'access as a service' and selling packaged hacking capabilities to the highest bidder.

NSO is reportedly branching out into developing this same zero-click exploit for Android devices, demonstrating that many more smartphone users could be viable targets. As a result, C-Suites simply can’t afford to be complacent about the risks posed to their systems by mobile devices a moment longer.

4. Back-ups are a ransomware silver bullet

Businesses that fell victim to cyberattacks, including WannaCry and Petya in 2017, learned how vital data back-ups are. However, backing up data doesn't mean an organization is bulletproof against ransomware attacks.

Human-operated ransomware gangs such as Maze and DoppelPaymer evolved to a double-extortion method: denial of access to files via encryption, with the threat of a public data leak on top. A back-up restores availability, but it does nothing about the copy of the data the attackers already took, so back-ups alone are ineffective against this second threat.

And for organizations who are prepared to call their bluff, criminals have raised the stakes to triple extortion. In addition to the threat of leaked data and file encryption, they’ve started flooding victim companies with DDoS attacks to force them back to the negotiation table.

Backups aren’t enough in today’s double and triple extortion ransomware landscape. What’s crucial is preventing a breach in the first place.


5. Cyber security automation is all you need

Without question, AI and automation play a crucial role in today's cyber defense arsenal: automatically detecting threats and blocking unwanted processes, disconnecting an endpoint from the network and even performing a selective rollback of the system to a point before the attack occurred.

But new threats are constantly emerging, and as organizations evolve and expand their businesses, the attack surface is continuously growing and changing. There will always be a need for cybersecurity talent that can triage the edge cases, unknowns and false positives, and assess, respond and innovate to address new attack vectors.

Conclusion

Not surprisingly, across industries, C-suites are taking cybersecurity seriously but often lack the background and depth of knowledge to best guide their organizations.

Understanding the top myths of cybersecurity is a start. Combined with reducing your dependencies on OS vendors, deploying on-device endpoint protection that offers visibility across your entire estate, and retaining cybersecurity talent, organizations will be well on their way to cybersecurity success.

