Cyber Security Awareness Month 2024
Common Cybersecurity Myths Debunked: Separating Fact from Fiction
In the ever-evolving world of technology, cybersecurity is more important than ever. Yet, despite growing awareness of cyber threats, several myths and misconceptions persist that can leave individuals and organisations vulnerable to attacks. Misunderstanding cybersecurity practices can lead to weak defences, data breaches, and financial losses.
Here we debunk some of the most common cybersecurity myths and clarify how to better protect yourself and your organisation.
Myth 1: “I’m Not a Target Because I’m Too Small/Unimportant.”
Reality:
Cybercriminals target everyone, regardless of size or perceived importance. Small businesses, individuals, and lesser-known organisations are often targeted precisely because they may have weaker defences compared to larger corporations. Attacks like phishing, ransomware, and malware are indiscriminate, affecting anyone with valuable data—like personal information, financial details, or business records.
Truth:
Everyone is a potential target. Implementing basic cybersecurity practices like using strong passwords, enabling multi-factor authentication (MFA), and educating users about phishing threats is essential for everyone.
Myth 2: “Antivirus Software Alone is Enough to Keep Me Safe.”
Reality:
While antivirus software is an important tool in your cybersecurity arsenal, it is not a silver bullet. Modern cyber threats often involve sophisticated tactics that can bypass traditional antivirus programs. For example, social engineering attacks like phishing rely on tricking users rather than exploiting software vulnerabilities.
Truth:
A comprehensive approach to cybersecurity includes not just antivirus software, but also firewalls, regular software updates, MFA, user education, and data backup strategies. A defence-in-depth approach is required.
Myth 3: “Cybersecurity is Only an IT Responsibility.”
Reality:
Cybersecurity is often mistakenly viewed as solely the responsibility of the IT department. In reality, cybersecurity is a shared responsibility across the entire organisation. Human error, such as falling for phishing scams or using weak passwords, is a leading cause of data breaches.
Truth:
Everyone, from the CEO to the newest employee, plays a role in maintaining a secure environment. Regular training and awareness programs are crucial in building a culture of security within any organisation.
Myth 4: “Strong Passwords Are All I Need to Protect My Accounts.”
Reality:
While strong passwords are critical, they are not enough on their own. Passwords can still be compromised through phishing, social engineering, or brute-force attacks. If a password is exposed in a data breach, attackers can use it to access multiple accounts, especially if the same password is reused.
Truth:
Combine strong passwords with MFA, which adds an additional layer of security. MFA requires a second form of verification (like an authentication code or fingerprint) to confirm your identity, making it significantly harder for attackers to gain access.
Myth 5: “Cybercriminals Only Target Financial Data.”
Reality:
While financial data is a common target, cybercriminals are interested in all types of data. Personal information, such as names, addresses, health records, and login credentials, can be highly valuable on the dark web. Additionally, intellectual property, business plans, research data and proprietary information can also be targeted for espionage or sabotage.
Truth:
All types of data are valuable and need protection. Protecting your data requires a holistic approach, securing not just financial information but all types of personal and organisational data.
Myth 6: “I Will Know Right Away If My System Has Been Hacked.”
Reality:
Many cyberattacks go undetected for weeks, months, or even years. Cybercriminals often operate stealthily to avoid detection while extracting valuable information over time. Ransomware attacks, for example, may start with quietly infiltrating systems before launching a full-scale attack.
Truth:
Proactive monitoring using a security information and event management (SIEM) system, intrusion detection systems (IDS), and regular security audits are essential to identify and respond to suspicious activity promptly. Assume that a breach could happen and prepare accordingly with a strong incident response plan. It’s not a case of ‘if,’ but ‘when’ and how prepared you are.
Myth 7: “Public Wi-Fi Is Safe If It Requires a Password.”
Reality:
Even if a public Wi-Fi network is password-protected, it may not be secure. Cybercriminals can set up fake Wi-Fi hotspots with legitimate-sounding names or intercept data transmitted over the network. When you connect to public Wi-Fi, data transmitted over unencrypted connections can be intercepted by anyone with the right tools.
Truth:
Avoid accessing sensitive information or conducting financial transactions on public Wi-Fi. Use a Virtual Private Network (VPN) to encrypt your internet traffic, ensuring that your data remains secure even on public networks.
Myth 8: “Cybersecurity Tools Are Too Expensive and Complex for Small Businesses.”
Reality:
Many small businesses believe that robust cybersecurity is beyond their reach due to budget constraints. However, there are many affordable and user-friendly tools available today. Additionally, basic cybersecurity practices like strong password policies, regular software updates, and employee training cost little to implement but provide significant protection.
Truth:
Effective cybersecurity doesn’t have to be expensive or complex. Prioritise the basics, such as using reputable antivirus software, enabling MFA, conducting regular backups, and educating employees about common threats.
Myth 9: “I Can Trust My Contacts and Their Links/Attachments.”
Reality:
Phishing attacks often involve impersonating trusted contacts. Attackers may gain access to a friend’s or colleague’s email or social media account, sending malicious links or attachments that appear genuine. Just because an email or message appears to come from someone you know doesn’t mean it’s safe.
Truth:
Always verify unexpected links or attachments, even if they come from a trusted source. If in doubt, contact the sender directly through a different channel to confirm their authenticity.
Myth 10: “Once I’m Compromised, There’s Nothing I Can Do.”
Reality:
Many people feel helpless after a cyberattack, believing that all is lost. However, there are steps you can take to minimise damage and recover from an attack. Change passwords, notify affected parties, disconnect compromised devices, and report the incident to relevant authorities or IT departments immediately.
Truth:
You can take several actions to mitigate damage after an attack. An incident response plan can help guide these steps, and having backups can help you recover data quickly. In addition, Jisc CSIRT is on hand to help, as are the NCSC and police Regional Organised Crime Units (ROCUs).
Conclusion
Cybersecurity myths can leave individuals and organisations exposed to significant risks. By debunking these common misconceptions, you can develop a more accurate understanding of what it takes to stay safe in the digital world. Remember, cybersecurity is a continuous process that involves vigilance, education, and proactive measures. Start by taking small steps, like enabling MFA, using strong passwords, and educating yourself and your team about potential threats.
With the right knowledge and approach, you can better protect your digital assets and navigate today’s complex cybersecurity landscape with confidence.
————————————————————————————
And keep updated by joining the Jisc cyber community group. With more than 2,200 members, it’s a forum for sharing knowledge, best practice and threat intelligence for the benefit of the whole education and research sector.
Explore the latest cyber security technologies, innovations and future insights from both a national and international perspective at Jisc’s Security Conference 2024, 26-27 November, ICC Wales, and 28 November online.