Common misconceptions and what you can do about them
Contrary to common belief, the external threat – a threat actor hacking their way into your systems through technical skill alone – isn't your biggest problem.
In our previous interview with Damian Garcia, our head of GRC (governance, risk and compliance) consultancy, we learned about the internal, or insider, threat and its significance.
If you don't invest in cyber security or staff training, accidental breaches pose a far bigger threat than technically skilled hackers. Think about it from the attacker's point of view: why bother taking the time and effort to break into a system if someone can just let you in? You only need one person to click a phishing link.
What are some other common cyber security myths or misconceptions? And what about misconceptions around ISO 27001, the international standard for information security management?
We put these questions to Damian.
Myths covered
- It'll never happen to me
- My data isn't worth anything
- Cyber security is an IT problem
- Security is just about preventing data from falling into the wrong hands
- Once the ISMS is in place, that's job done
Myth #1: It'll never happen to me
What are some common cyber security misconceptions?
A huge misconception is that "it [a cyber attack/data breach] will never happen to me". Especially with small organisations. They say things like: "Why would anyone ever attack me? I have nothing worth stealing – why would I worry about an attack?"
This was especially true before the GDPR [General Data Protection Regulation] came into force. If you look back at the UK government's 2016 and 2017 Cyber Security Breaches Surveys, you'll see that small businesses were spending very little money on security.
Interviewer note
Damian's response gave me a sense of déjà vu. When I asked our cyber incident responder Vanessa Horton about common misconceptions in cyber incident response in an interview earlier this year, without hesitating, she replied: "the [misplaced] belief that 'it's not going to happen to us'."
For evidence that anyone can be successfully attacked, just look at big ransomware gangs: among others, LockBit, Ragnar Locker and Black Basta have all been taken down by law enforcement.
As Vanessa pointed out, the mindset that you won't be targeted isn't just wrong, but harmful. It leaves you unprepared for when you do suffer a cyber attack or data breach, worsening the damage.
Myth #2: My data isn't worth anything
Didn't organisations think their data – their business's lifeblood – was worth stealing?
Unfortunately, the common perception was that "my data isn't worth anything". Which adds to this belief that "I'm not going to be targeted".
Fortunately, as awareness of the GDPR grew, the value of data became clearer – just look at the GDPR fines! A cap of 4% of global annual turnover or €20 million [whichever is greater] helped organisations put a price on their data.
By extension, organisations better understood the need to invest in security. They didn't want to be found negligent, so they started to take more steps to protect personal data. Not always enough steps, but they were making more of an effort than before.
Nonetheless, organisations still tend to underestimate the value of their data. And only realise their mistake when it's too late – when they lose access to it.
Myth #3: Cyber security is an IT problem
You've brought up two misconceptions so far: 1) "it's not going to happen to me", and 2) "my data isn't worth all that much". What are some other common security misconceptions?
Those are the two big ones. Many other misconceptions are extensions of them. For instance, one common information security risk stems from senior management.
I remember doing some work for a finance company. The board of directors was made up of quite wealthy individuals. Self-made wealth, which tends to go hand in hand with a certain arrogance, which only adds to that feeling of "it won't happen to me".
Anyway, I was introduced to the managing director, who said: "We need your help to sort out our cyber security. You'll have a great time working with our IT team." To which I responded: "No, I'm going to be working with you, too."
Is that because "cyber security" sounds technical, supposedly making it an IT problem?
Yes. People constantly interchange the words "cyber security" and "information security". In fact, I'm not keen on the term "cyber security" – I much prefer "information security".
Because if you say "cyber security", most people – and organisations – will default to: "Oh, it's IT. It's technical. I don't need to worry about it – someone else is dealing with it on my behalf."
By extension, studies show that unless you make IT security explicit, people will assume that the security is happening in the background, and they're still protected – even if the antivirus or padlock symbol isn't showing.
Again, unless you explicitly teach them otherwise, people will assume that security isn't their responsibility. Especially cyber security.
But simply changing the terminology to information security or data security already makes it seem like something non-technical employees – especially in senior management – might be responsible for.
ISO 27001 explicitly requires the ISMS [information security management system] to have senior management support. Are organisations implementing the Standard less prone to making this mistake – to assume that information security is an IT problem?
When they start implementing ISO 27001, organisations often assume it's just something for IT to deal with.
However, as we [our consultants] begin to work with them, they start to understand that everyone is responsible for information security.
Again, specifically referring to information security is a huge help. Because where is information stored?
In today's world, computer systems are a big one, of course. But also:
- What hard-copy information do you keep? How is that secured? How do you destroy it? Do you have wastepaper bins? Do you shred it? Etc.
- What information is undocumented – i.e. only stored in someone's head? How many people have that knowledge? If it's just the one person, what will you do if that person is sick, for example, or hit by a bus? How will you address that "single point of failure"?
When you start asking questions like these, it very quickly becomes clear to the client that everyone has a part to play in information security.
Myth #4: Security is just about preventing data from falling into the wrong hands
That seems to come down to making sure you're accounting for the confidentiality, integrity and availability of your information.
Absolutely. While you definitely want to stop sensitive data from falling into the wrong hands [confidentiality], you also want your data to be accessible when you need it [availability]. If you have a single point of failure – like vital information only stored in someone's head – what will you do if that person isn't around?
If the answer boils down to "trouble", you'd better make sure you document that information – ASAP! Another person reading that document may not have the experience of your key person, but having the information in writing means you can figure out a solution if someone is unavailable.
Of course, the information also needs to be accurate for it to be useful [integrity]. So, once written down, you need to maintain your documents. Make sure they're up to date – review them once in a while and revise them if needed.
Myth #5: Once the ISMS is in place, that's job done
Speaking of reviews, that's important for the overall ISMS, isn't it? To quote Alan Calder: "ISO 27001 certification is an ongoing journey, not a destination."
That's correct. When we help a client implement an ISMS, two things will happen:
- Your organisation will obtain ISO 27001 certification.
- You'll be managing your information security risks as well as you can.
I'm emphasising that last bit, as you've got to accept that a security breach can still happen despite your best efforts.
People can still make a mistake, and a determined attacker, given enough time and resources, can still circumvent your defences. There are things you can do to mitigate the risk – like taking a defence-in-depth approach – but your ISMS isn't foolproof.
One reason it's important to regularly review your measures is because the landscape is always changing. Threat actors find new exploits. New technology, such as AI, becomes available. That's why a new version of the Standard is out [ISO 27001:2022] – to account for the changing landscape.
About Damian Garcia
Damian has worked in the IT sector in the UK and internationally, including for IBM and Microsoft. In his more than 30 years in the industry, he's helped both private- and public-sector organisations reduce the risks to their on-site and Cloud-based IT environments.
He also has an MSc in cyber security risk management and maintains various professional certifications.
As our head of GRC consultancy, Damian remains deeply committed to safeguarding organisations' information and IT infrastructures, providing clients with pragmatic advice and support around information security and risk management.
We've previously interviewed Damian about the insider threat.
We hope you enjoyed this edition of our "Expert Insight" series. We'll be back soon, chatting to another expert within GRC International Group.