22 cybersecurity myths organizations need to stop believing in 2022

Security teams trying to defend their organizations need to adapt quickly to new challenges. Yesterday’s buzzwords and best practices have become today’s myths.

hand writing on chalkboard showing myth vs fact
Thinkstock

The past few years have seen a dramatic shift in how organizations protect themselves against attackers. The hybrid working model, fast-paced digitalization, and increased number of ransomware incidents have changed the security landscape, making CISOs' jobs more complex than ever.

This convoluted environment requires a new mindset to defend, and things that might have held true in the past might no longer be useful. Can digital certificates' expiration dates still be managed in a spreadsheet? Is encryption 'magic dust'? And are humans actually the weakest link?

Security experts weigh in the 22 cybersecurity myths that we finally need to retire in 2022.

1. Buying more tools can bolster cybersecurity protection

One of the biggest traps businesses fall into is the assumption they need more tools and platforms to protect themselves. Once they have those tools, they think they are safe.

Organizations are lured into buying products "touted as the silver-bullet solution," says Ian McShane, Arctic Wolf's field CTO. "This definitely isn't the key to success."

Buying more tools doesn't necessarily improve security because they often don't have a tools problem but an operational one. "By prioritizing and embracing security operations where they can make the best of their existing investments instead of endless cycling through new vendors and new products, they will go a long way toward addressing the rapidly evolving threat landscape in a way that meets the unique needs of their business," says McShane.

2. Cyber insurance is a solution to transfer risk

Theoretically, cyber insurance allows organizations to avoid the cost of a potential cyberattack. Yet the issue is more nuanced. The cost of a ransomware incident, for instance, expands far beyond its direct financial impact, as it includes things like angry customers and reputation damage.

"[Cyber insurance] should be a piece but not the cornerstone of your cyber resiliency strategy," says Jeffrey J. Engle, president of Conquest Cyber. "The baseline requirements, exclusions and premiums are going up and the coverage is dropping precipitously."

3. Compliance equals security

As the U.S. Marine Corps likes to say, being inspection-ready is one thing, but being combat-ready is another. "Many companies focus too much on meeting compliance requirements and not enough about being truly secure," says Ian Bramson, global head of industrial cybersecurity at ABS Group.

Checking all the compliance boxes is never enough, he says, because being compliant only means meeting the minimum standards. "It takes a much more comprehensive and individualized program to reach an advanced state of cyber maturity," Bramson adds.

Engle agrees: "The road to hell is paved with good intentions and poor contingency planning."

4. If everything is logged, you're compliant

Many companies keep logs but few analyze them properly. "If you're not proactively reviewing logs and automatically hunting for known threats, you've failed to understand modern cyber threats," says Gunter Ollmann, CSO at Devo Technology. "You would be better off printing out the logs and burning them to heat up your corporate offices."

The best logs are simple and structured but have enough information to help researchers investigate an incident. Instead of logging uneventful status checks or system checks, professionals designing logs should focus on changes and exceptions.

5. You can manage all digital certificates deployed across your enterprise network manually with a spreadsheet

Companies rely on thousands of digital certificates that are live at any given point, and keeping track of them all manually is impossible. One of those expiring certificates can cause cascading failures such as outages of critical systems.

"It is no longer possible to govern, secure and authenticate these identities using spreadsheets and manual digital certificate deployment and revocation methods," says Ed Giaquinto, CIO at Sectigo. "Worse still, a single expired certificate can provide bad actors with the perfect opportunity to infiltrate an enterprise network and cause havoc."

6. Your data is safer in the cloud

Roughly half of all corporate data is stored in the cloud, and companies might be putting too much trust in how it is secured. "Surely that data is as precious to cloud service providers as it is to the companies who produce and rely on it, right? Wrong," says Simon Jelley, general manager for SaaS protection, endpoint and backup executive at Veritas Technologies.

Many cloud providers don't provide guarantees that a customer using their service will have their data protected. "In fact, many go as far as to have shared-responsibility models in their terms and conditions, which make it clear that a customer's data is their responsibility to protect," Jelley says.

7. Security is the job of the security department or security team

"Everyone has a due diligence or responsibility to ensure that they practice ethical business operations," says Omotolani Olowosule, Ph.D. candidate at Loughborough University in the UK. "Awareness and good security behavior should be enforced all around the organization."

Olowosule adds that less-aware employees in non-IT departments should be given proper training to make sure they understand the risk and know how to tackle some of the most frequent issues.

8. The once-per-year click-through security training provides employees with adequate knowledge

Many companies require their employees to attend online security training regularly. People watch a short clip and answer a few questions. Although people ace the test, this type of learning is not necessarily effective.

"It does not provide content that is engaging," says security consultant Sarka Pekarova. "It doesn't grab their attention and make them remember the principles taught or the processes and procedures needed in case of a security incident."

9. Hiring more people will solve the cybersecurity problem

Instead of searching for people to hire, businesses should prioritize retaining their cybersecurity professionals. They should invest in them and offer them the chance to gain new skills.

"It is better to have a smaller group of highly-trained IT professionals to keep an organization safe from cyber threats and attacks, rather than a disparate larger group that isn't equipped with the right skills," says McShane. "While hiring new team members can be beneficial, the time and money spent by a business on hiring new employees can be used more effectively to bolster their security infrastructure."

10. Humans are the weakest link

Most attacks start with people, but organizations should stop blaming them and have a holistic approach instead, security consultant Sarka Pekarova says. She suggests flipping this idea around. "If we provide humans with the right support, they will thrive and become the strongest link of our network," she says.

We use "human assets" for a reason, she adds. If proper policies and procedures are in place, such as zero trust, and if people are given enough support, they can increase an organization's security.

11. Everything can be automated

Automation of security-related processes can seem appealing to an organization because it can save time and money. Still, it should be used in moderation. "Blindly relying on automation can actually create gaps in quality and accuracy of a security assessment," says Steven Walbroehl, Halborn co-founder and CISO. "This leads to overlooked vulnerabilities and creates unforeseen security risks."

Walbroehl argues that certain complex tasks are best left to humans because they require intuition and instinct, which machines lack. "I have yet to see an automated tool that can simulate the thought process performed by a skilled penetration tester trying to hack or exploit steps in business logic or sophisticated authentication," he says.

12. If we solve for the latest attack, we'll be safe

Companies often focus on the latest attack, missing out on other relevant things and not building enough capabilities to prevent future incidents. "Only focusing on what has happened is a good way to be hit by what's next," says Bramson. "Threats and attacks are constantly changing. You need to have a program that adapts and prepares for the unknown."

13. Changing your password every 90 days will make your accounts more secure

"Requiring your users to change their passwords on some schedule only ensures that they will have terrible passwords," says Dan Petro, lead researcher at Bishop Fox. According to him, it's the perfect way to have users pick short and simple passwords like “Winter2022”.

William Malik, vice president of infrastructure strategies at Trend Micro, agrees. "The bad actors spray passwords when they get a bunch of them – which is much more often than every 90 days." He adds that using special characters won't make passwords more secure. Instead, users should be encouraged to choose long passwords and enable multi-factor authentication.

14. If the data is sensitive, encrypt it

"Too many developers treat encryption like magic fairy dust: You sprinkle it over data and it magically becomes secured," says Petro. Often, developers don't think about where the key is stored or who the attacker is in certain scenarios. "Cryptography is a complicated subject and too many developers wind up shrouding themselves in a false sense of security thinking that they've "encrypted" their data and so it's safe," he adds.

15. If the website has a green lock next to the URL, then that website is secure

Maybe that was true one or two decades ago, when traffic was seldom encrypted, and the cost of getting a valid HTTPS certificate was high. Today, cybercriminals can get certificates for their malicious websites free of charge.

"My piece of advice: Check websites on your favorite search engine first and when in doubt, always type in their URL manually, instead of clicking on links," says Dan Demeter, security researcher at Kaspersky.

16. We are too small to be a target

Even today, too many companies believe they are not relevant enough to fall victim to a cyberattack. "If you have an exposure, you are a target...and everyone has exposure," says Bramson. "Cyber attackers can specifically target a company, or they can set out general attacks, to see who gets caught in their net. Either way, you will suffer an attack at some point."

Customer data is a valuable commodity sold on the dark web, and compromised websites can deliver malware. "SMBs often lack the resources to implement and manage a proper information security program making them easy prey," says Giaquinto.

17. Serious threats are the government's responsibility

When it comes to security, every organization should do its part. "The feds cannot protect them all – they have a hard enough time protecting themselves from the relentless onslaught of attacks by advanced persistent threats," says Engle.

Laws and regulations are like vehicle recalls, he adds. "There have to be a lot of crashes in order for the government to write, vet and approve something and then it goes out. So, government action typically comes well after the risk is broadly realized," Engle says.

18. Supply chain attacks can be stopped by patching all internal third-party software and hardware

DJ Sampath, co-founder and CEO of Armorblox, wishes it were that simple. "Although software bugs and unpatched systems provide attackers with a perfect attack surface to operate on, they are not the only means at their disposal," he says. "Enterprises need to take a comprehensive look at their vendor management, including business email compromise (BEC), account takeovers, and lateral movements within a supplier's environment."

The cost of inaction can be high. "One case study that exemplifies this danger is the sentencing of a Lithuanian man for theft of over $120 million in a fraudulent BEC scheme," Sampath adds.

19. Your data is safe behind your corporate firewall

The hybrid model has taken companies out of their comfort zone. "With everyone working from home, the corporate network is no longer the security perimeter," says Giaquinto. "Now they have to re-focus on applying zero-trust techniques and understanding that identity -- regardless of location -- is the new security perimeter."

Organizations are implementing innovative public key infrastructure (PKI) solutions, which "play a critical role in enabling zero-trust environments by consolidating and automating the deployment, discovery, management, and renewal of digital certificates that verify device, user, and entity identities," Giaquinto says.

20. Extensive software testing can prevent attacks

Testing software is always a good idea, and doing it diligently helps. But attackers can still find vulnerabilities, says Satya Gupta, co-founder and CTO at Virsec. He mentions PrintNightmare. "In this vulnerability, in July 2021, Microsoft patched code for Windows 2003. Clearly, Microsoft is resource-rich yet couldn't find the vulnerability," he says.

In recent years, an increasing number of organizations have set up bug bounty programs to incentivize white hat hackers. If not managed properly, these programs can provide a false sense of security.

21. Loading remote untrusted arbitrary Java code is perfectly safe

"This might sound like the most obvious thing in the world, but then why does seemingly every Java program still do it?" asks Petro. "Maybe 2022 will be the year where Java programs finally stop intentionally loading arbitrary remote code. One can hope."

1 2 Page 1
Page 1 of 2
22 cybersecurity myths organizations need to stop believing in 2022