Blog

The Art of the Hack debunks 20 information security myths

By Meg Cater | Sep 10, 2015

Is our personal information more vulnerable than a year ago?

84 percent of Americans think so. In order to bring some light to the many information security myths that plague our paranoid nation, David Spark of Art of the Hack reached out to dozens of industry experts, including Signiant’s CTO Ian Hamilton.

Altogether, Spark gathered 20 “misguided beliefs” with several insightful quotes addressing each one. The entire article is well worth a read. But to sum it up, here are the common beliefs that turn out not to be true and a brief synopsis of the experts’ feedback:

  1. “Certain platforms are more secure than others.” Alas, those of us who are Mac devotees can no longer lecture our PC friends about superior software security.
  2. “Mobile devices are not a security concern.” Wrong: experts say they are, and the real problem isn’t mobile malware, it’s users not understanding how to manage their devices.
  3. “You don’t need to secure non-sensitive data.” It’s easy to see why this is a prevalent misconception, but in our hyper-connected world, even an app that stores only silly cat pictures can present a risk to credentials and provide a window into much more critical data.
  4. “Too big to fail.” Nope, the big companies are so large and complex that more can go wrong.
  5. “Just secure the perimeter.” This is one our CTO Ian Hamilton often warns against, though he offers his advice on a different myth for Spark’s article (see #10). Here, other experts including Perry Dickau of DataGravity chimed in on the importance of realizing that securing a network is nearly impossible. Networks are so intertwined with devices and cloud apps that the edges become indefinable.
  6. “Every attack is sophisticated.” Not so: these experts say that glaring security errors like weak admin passwords mean that the large majority of successful attacks had no sophisticated master plan. Even Ashley Madison, go figure.
  7. “No matter what you do, you’re vulnerable.” This is a dangerous belief because it encourages not even trying, but it also allows software vendors to put the majority of security responsibilities on their customers, which is a very risky practice. See Ian’s quote in #10.
  8. “I’m not a target for hackers.” This one turns something seemingly so personal (“me getting hacked”) into the cold hard truth. Malicious hackers don’t think about you or me. They do things like target IP addresses or scan for unprotected endpoints.
  9. “Never write down your password.” Phew, this one is a relief. Apparently all our passwords on Post-it notes are not a security threat. Carry on.
  10. “The cloud isn’t/is as safe as an on-premises network.” This is the one Signiant CTO Ian Hamilton weighed in on and, since he is our guy, we shall quote him: “Attention to secure design, deployment and operation at the application level is critical to the security of the overall solution, regardless of where it is deployed.” It’s an important point, and relates to #5. Layers of security must be built into the application design and given attention during deployment and operation by the software vendor, especially since network perimeter security isn’t as reliable.
  11. “Most hacks come from the outside.” Whether it’s the malicious, careless or technically frustrated employee, most hacks are inside jobs. This is also where UX design impacts security.
  12. “Tools are the answer.” Even with the best tools, you need security experts on board.
  13. “Cybersecurity is the IT department’s responsibility.” Based on everything above, it’s probably obvious that everyone needs to be involved.
  14. “Antivirus programs will keep you safe.” Nope, they’re just one piece of a comprehensive security plan.
  15. “Attacks happen at lightning speed.” According to the experts, there is often ample time to respond.
  16. “Better detection will solve security issues.” Not so: from failed to ignored detections, detection alone isn’t the answer.
  17. “You just need good password management.” Having employees change their passwords regularly and other forms of management are not enough.
  18. “You can deal with security later.” Security needs to be considered upfront and continuously.
  19. “As long as I don’t click on anything malicious, I’m safe.” Unfortunately, even reputable sites can host malware that can infect your system without you clicking on anything.
  20. “We’re compliant, therefore secure.” This myth gives away what most of us ultimately wish for: to have a simple guideline to follow and then be able to just trust that everything is secure. As we’ve seen, it’s not that simple. Security needs to be constantly attended to.

That is just a quick recap of some insightful responses by security experts across an array of industries. For more detail on any one of the above, see the full article on Art of the Hack.