It seems like we are bombarded with claims of ‘misinformation’ or ‘disinformation’ these days. We all hear about it so much on the news that most of us don’t know what to believe anymore. Politics and COVID have been centers of this controversy, but what concerns us at ITFirm.com are misconceptions still being taken as truth in the world of IT services and Cybersecurity.
Some of these myths are so ingrained among both business owners and consumers that they operate under a false sense of security. It’s time to set the record straight and dispel the misinformation.
‘Status Quo’ is not a concept that has any relevance in the Cybersecurity threat landscape – it is ever-changing, with new threats and new solutions following closely on each other’s heels. Your view of how to protect yourself from the threat matrix may look the same every day on the surface, but in the underlying technology, it changes every day.
Your IT support or Managed IT Services provider is the shepherd and sheepdog that keeps your network flock safe. They know which information is reliable and true, and which are misconceptions.
As a business owner or administrator, you cannot afford to entertain false beliefs and become complacent. Ignorance of reality and complacency guarantee an inadequate approach to network risk reduction strategies.
The following are the Top 5 misconceptions or ‘fake news’ items about Cybersecurity, which can be very dangerous if taken as fact:
1) “Cyber criminals don’t want us - we’re too small.”
Every year, cyber-statistics refute this most damaging and insidious false belief. Cyber is like ‘Goldilocks & the Three Bears’: one business (or chair or bed in the story) is too big or too small for one crook, but just right for another.
The data breaches and Ransomware attacks that make the news, like the Colonial Pipeline attack in 2021, are committed by a relatively small handful of elite criminals. The lowest echelon are fast smart phone scams for a couple hundred bucks here and there, committed by rank and file, unsophisticated hackers.
The vast majority (over 80%) of all cyber-attacks, most of which are Ransomware, are targeted at Small and Mid-size Businesses (SMBs). Colonial Pipeline can weather paying a 7-million-dollar ransom much more easily than most businesses with 10 employees can handle a one- or two-hundred-thousand-dollar ransom. A couple hundred grand can shut many SMBs down.
2) “We’ve never been attacked, so our Security is fine.”
Another dangerous belief. At ITFirm.com, we stay a step ahead of malware and phishing schemes as they evolve and adapt to new protections, but we still say, “It’s not a matter of IF, but of WHEN”.
As you read this, criminals are busy developing new methods of network intrusion – their well-funded Research & Development (R&D) never stops. With more than 32 million SMBs in the United States alone, they just haven’t found you yet – and the more time that goes by, the closer they get to your network.
You may have the most up-to-date, next-generation cyber defenses available, but they are useless when one wrong click by an employee on a link or attachment in a phishing email opens the door for malware to infect your system. Ransomware generally locks the initially infected workstation screen and starts encrypting your data within a minute or two of that click – relieving you of access to it. Then, a ransom in cryptocurrency is demanded in exchange for a decryption key. Paying the ransom is no guarantee – 40% of companies that pay the ransom NEVER get the decryption key.
3) “We use strong passwords, so we’re safe.”
Aside from the errant click on a phishing email noted above in #2, it depends on what you think a ‘strong’ password is. I can’t count the times that we have ‘onboarded’ new clients to discover passwords like ‘password’ (seriously) or ‘12345’ (the world’s most common password) – the really clever ones turn it around to ‘54321’ (HaHA!!! – they’ll never figure THAT out!). Yes, they will… in about zero seconds.
If you wonder how long it would take to break your password, PasswordMonster has a great calculator.
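The “about zero seconds” remark above comes down to arithmetic: a password from a common list is tried first, and everything else is a matter of alphabet size, length, and how fast the attacker can guess. The following added example (not from the article and not PasswordMonster’s method) estimates that time. The guess rate and the tiny common-password list are constructed assumptions for illustration.

```python
import string

# Constructed sample of commonly used passwords. A real checker would use a
# large breached-password list; '54321' is included to show that reversing a
# common password buys nothing, because reversed variants are in the list too.
COMMON_PASSWORDS = {"password", "12345", "123456", "54321", "qwerty", "letmein"}

# Assumed offline guess rate (guesses per second) for a GPU cracking rig
# against a fast hash. This is an assumption for illustration, not a figure
# from the article.
GUESSES_PER_SECOND = 10_000_000_000


def keyspace_size(password: str) -> int:
    """Number of candidates an attacker must consider for this password.

    A password found in the common list counts as 1: wordlists are tried
    before any brute force. Otherwise the space is alphabet ** length, where
    the alphabet is the union of character classes actually present.
    """
    if password.lower() in COMMON_PASSWORDS:
        return 1
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += len(string.ascii_lowercase)  # 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += len(string.ascii_uppercase)  # 26
    if any(c in string.digits for c in password):
        alphabet += len(string.digits)           # 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)      # 32
    if alphabet == 0:
        return 1
    return alphabet ** len(password)


def seconds_to_crack(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time to find the password: on average half the space is searched."""
    return keyspace_size(password) / 2 / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit for a report."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under a second"


if __name__ == "__main__":
    for pw in ["password", "54321", "Summer22", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r:32} -> {human_duration(seconds_to_crack(pw))}")
```

Anything that prints “under a second” here would fall just as fast on a real cracking rig; the useful lesson is that length and a real passphrase move the estimate by orders of magnitude, while a clever reversal of a common password moves it by nothing.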
Aside from creating stronger passwords, Multi-Factor Authentication (MFA) should be used for access to your network. Various factors are in common use. Security questions are the oldest – the first ever was probably, “What is your mother’s maiden name?” The Q & A here should be better than that, and not based on information that can easily be found on your social media. A question like “What’s your pet’s name?” is useless if ‘information miners’ – those who do the research to crack the passwords and sell them to the real crooks – can look on your Facebook and see photos captioned ‘Me and Professor McFuzzyButtkins at the park’. Cybercrime is a billion-dollar business – they are looking.
Beyond that, retinal scans or thumbprints, or even an employee ID card scan, greatly improve your Cybersecurity.
4) “We’re compliant with industry regulations, so that should be enough.”
Industry and government regulations generally cover only the bare minimum in security and are often narrow in scope (frequently just secure backups) – usually in place to ensure the safety of your client information and little more. Your business has a lot more at stake than just that.
5) “IT support will take care of security.”
Good IT Support or a Managed Services Provider (MSP) should be maintaining top-notch cyber defenses, but do you know that for a fact? IT services is an unregulated industry – any bum can open an ‘IT company’. We have come to the rescue of more than a few businesses whose ‘IT Guys’ were unknowledgeable, incompetent morons.
Referring back to #2 above, according to PhishingBox, about 90% of all successful network breaches happen as a result of an employee falling for a phishing scam – many surprising facts can be found HERE. Ongoing Security Awareness Training is a MUST for any business.
Frequently Asked Questions
Q: What exactly is phishing?
A: Phishing is a ploy that uses phony emails to entice the victim to click a malicious link or attachment which contains some form of malware. These emails appear to come from legitimate sources, like FedEx, the IRS, or somebody in your email address book whose account has been hacked. Spear Phishing is more targeted – usually towards high-level executives. Clients should be advised how to spot these as part of Security Awareness Training.
Q: What do Cybersecurity Services do?
A: A Cybersecurity Services provider is a company that specializes in security – often acting as a vendor for small IT companies that don’t have the resources to do it themselves. If you have a good, competent IT provider, you really don’t need to look into a separate, specialized vendor.
Simply put, it is the part of a standard IT provider’s services that consists of planning and implementing security measures designed to give a network infrastructure the greatest degree of protection against threats, both external and internal, through the application of firewalls, anti-virus (AV), and encryption tools, among others.
Q: What are Cyber Security threats?
A: A threat is any attempt by a cyber crook to breach a network. What the criminal seeks is either money or data. Phishing is by far the most common form of attack, with malware as the main breaching tool. Data theft is where the crooks simply copy the client’s data and carry it off. Nothing disappears, so you won’t even know it was stolen – but your IT company should. The FBI regularly publishes updates to the official government overview of the Threat Matrix and recommended Best Practices. There are many forms of threats: the federal Cybersecurity & Infrastructure Security Agency (CISA) publishes ongoing updates on threats, including Ransomware.
Q: How often should you conduct security awareness training programs?
A: It is recommended to provide ongoing training every 3 to 4 months. Users forget or get lazy and need regular reinforcement and updates on the latest scam trends. Your IT support, whether internal or an outsourced Managed IT Services provider, should have some level of involvement in these training sessions. In between trainings, the company you contract with for training, or your IT services vendor, should run the Cyber ‘War Games’.
How secure is your network?
As a longstanding, reputable member of the Charlotte IT Support community, ITFirm.com offers a FREE, no-risk network and Cybersecurity assessment. We perform a non-intrusive scan that allows us to deliver a comprehensive report on the state of your system and its vulnerabilities, which is yours to keep. There are no strings attached, and you are under no obligation to ever use our Managed IT Services.
The two best defenses are next-generation Cybersecurity to protect your data from theft, and a top-notch Managed Services Provider to ensure continued reliability and defenses against newly emerging threats.
We put our 100% Money Back Guarantee in writing, so there is no risk in trying us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.
Among the Managed IT Services we provide:
IT HelpDesk Service
Onsite IT Support
Cybersecurity
Cloud migration and management
Email migration services
Backup and disaster recovery
VoIP phone systems
IT disposition and recycling
Office moves
White label services (IT to IT)
For more information, or to receive your FREE no-risk network and Cybersecurity assessment, just fill out the form on this page or call us at:
704-565-9705