Debunking the most popular cyber security myths in India

Gone are the days when cyber security was merely a technical or niche issue to be dealt with by some small department in the basement.  Today, cyber security is highly complex as it has to work with new operational technologies, evolving business needs, and an expanding attack surface.  The Board of Directors needs to have clarity on the impact of cyber security risks while making strategic business decisions. They should also have an understanding of what to ask when a breach occurs to avoid catastrophic consequences.  

Much of the information available on cyber security and cyber risk is buried in sales and marketing jargon, which is unique and subjective as perceived and conveyed by one vendor or another.  This is often aimed at a technical audience and not always relevant to the business directors, who are the decision-makers.  Here are six common cyber security myths analyzed and debunked for the benefit of business leaders.

Myth 1: Cyber Security is only necessary for some businesses

It is a common belief among business leaders that not all organizations require cyber security.  They assume there is a requirement only for technology companies, businesses that store sensitive customer data, or have a legal requirement to meet, and companies of a certain size or value.  This is, however, not true.  Cyber security is critical for all organizations, irrespective of which industry vertical they belong to. Impacted organizations will experience financial loss, customer churn, and brand damage among other negative consequences.  India recorded 36.29 lakh cyber security incidents from 2019 till June this year.  As per information reported to and tracked by Indian Computer Emergency Response Team (CERT-In) a total of 3,94,499, 11,58,208, 14,02,809 and 6,74,021 cyber security incidents were observed during 2019, 2020, 2021 and 2022 (upto June) respectively. 

Myth 2: Security Software is all that the organization needs to stay safe

Many pinpoint tools such as SIEM, SOAR, Firewalls, Anti-Virus, and others in the cyber security defense arsenal have proven to be insufficient to keep attacks at bay.  The modern, remote working models provide more freedom to employees than before as they can install software and gain access to the organization’s assets from anywhere.  Although the effort of protecting assets from attacks may start with acquiring the appropriate tools, it does not end there.  This is because the threat landscape is continuously evolving and the organization’s defense capabilities must keep pace too.  It is critical to weave in cyber resilience with the overall strategic vision of the organization.

Myth 3: Software vulnerabilities are not an issue for the Board

Every software an organization leverages can also introduce vulnerabilities that can increase the company’s attack surface and make it easier for cyber attackers to penetrate the corporate network.  Unfortunately, the operating system itself is among the most likely source of vulnerabilities in the software stack. In 2020, Microsoft confirmed 1,220 new vulnerabilities impacting their products, a 60% increase from the previous year.  807 of the vulnerabilities were associated with Windows 10, with 107 of those related to code execution, 105 to overflows, 99 to gaining information, and 74 to gaining privileges.  In 2021, 836 new vulnerabilities were confirmed, 455 of which impact Windows 10 and 107 allow malicious code execution.  Boards have to understand that the patch management done by the IT team will not protect them from the security risk presented by the operating system itself.  Organizations must explore partnering with security-first companies that provide a holistic approach to security and not rely on the OS vendor either to patch everything or to provide security add-ons to plug the gaps.  

Myth 4: There is no need to worry about supply chain attacks

Sometimes even if an organization ensures to safeguard its software, there is a possibility of other service providers unknowingly facilitating a way into the network.  The recent SolarWinds supply chain attack where the attackers were able to compromise organizations through SolarWinds software update, and the Kaseya incident in which attackers targeted Kaseya VSA servers - commonly used by MSPs and IT management firms to infect downstream customers with ransomware.  Such attacks are highly lucrative for threat actors because compromising one weak link, enables access to a complete portfolio of customers using that software.  The C-Suite has to take a strategic decision of ensuring there is maximal protection against digital supply chain attacks.  The Board’s strategy should include, deploying of the right security solution, the developing of an Incident Response plan, ensuring application integrity policies only allow authorized apps to run, and driving a cyber security-centric culture.

Myth 5: Organizations cannot do anything about cyber security threats

Yes, indeed, one cannot secure organizations from every possible attack, but several measures can be taken by businesses to protect themselves from the most likely attacks and reduce the risk of being targeted by cybercriminals. In the majority of cases, threat actors preying on businesses are financially-motivated and are looking for easy wins.  Like spotting the weakest animal in the herd, organizations that cannot safeguard themselves will be quickly picked off by cyber predators. Organizations should implement a comprehensive cyber security plan that should include several layers of security to protect themselves from most attacks.. 

Myth 6: It is impossible to train employees to be cyber secure

Although employees are a key part of the organization’s cyber security strategy, one cannot expect them to be experts at it.  It is the responsibility of the organization to provide employees with appropriate training and resources.  This should include awareness programs on the kinds of threats the business may face, simple steps on how to identify issues like phishing emails or unusual requests, and clear steps for reporting suspicious activity. Employees are to be considered as an aid to the organization’s cyber defenses.  

Conclusion: 

After debunking cybersecurity myths, the C-Suite will be better equipped to effectively manage risks.  In today’s threat landscape, it is important that cyber security is approached as a strategic initiative by the company’s leadership, involving all key departments.  It should be carefully planned and executed by the top management, so that it may be cascaded down to the rest of the workforce. The risk for the business is too high if cyber security planning isn’t done in a holistic way.

- The author is Managing Director & Country Manager for SentinelOne, India & SAARC.