michelledrolet
Contributor

4 dangerous security assumptions to avoid

Opinion
Nov 01, 2018 | 5 mins
Compliance | Data and Information Security | Data Breach

Many organizations take steps to guard against data breaches, employing new policies, tools and strategies that make them feel protected, but their defenses may not be as strong as they think. Unfortunately, this false sense of security is all-too-easy to come by.

[Image: Slacker guy with feet on desk. Credit: Thinkstock]

Data breaches are commonplace now and there’s a growing realization that organizations need to do more to combat them and to deal with the aftermath. The potential cost of stolen data extends beyond cleanup operations to potential regulatory fines and reputational damage. Although there’s more awareness of the risks today, taking the right, comprehensive steps to safeguard data is harder than people imagine.

It’s not unusual for companies to start out in the right direction but fall short in their efforts because one specific area is overlooked. Achieving a high standard of cybersecurity requires a thorough, holistic view of the risks and a robust, continuous effort. The truth is that many organizations do one or two things right and then put their feet up, content to bask in the warm, but erroneous sensation that they’re safe.

Here are four common statements that indicate a false sense of security.

The risk isn’t that big

Smaller businesses are incredibly good at this kind of wishful thinking. They may assume that bigger companies are more attractive targets, but the truth is that cybercriminals favor the path of least resistance. If you shirk security, you’re the low-hanging fruit. One of the most shocking things about basic security hygiene is just how many companies ignore it completely.

The idea that your data isn’t that valuable or desirable to hackers is another risky way to think. A breach may lead to resource hijacking, whereby attackers use your servers to host pornography or subvert your workloads to mine cryptocurrency. If you think you’re immune as a target, you’re kidding yourself.

There’s no need for some big criminal gang to decide to attack you either; a lone novice hacker can buy or rent sophisticated tools on the dark web and wield them effectively without having to understand how they work.

We’re already in compliance

It’s obviously vital to ensure that you comply with regulations like the GDPR and the incoming CCPA, and many industries have their own sets of rules and regulations to safeguard different kinds of data. Failure to adhere to these regulations can lead to punitive fines. While there is some skepticism about how willing regulatory bodies are to hand out major fines, it’s not something you want to put to the test.

Complying with these rules will encourage you to adopt better security standards and more comprehensive, robust incident response plans, but it’s no guarantee that you won’t suffer a data breach. Compliance is unequivocally a good thing, but don’t fall into the trap of equating it with security. It’s also important to remember that compliance isn’t a checklist that you tick off and forget about; it’s a commitment to a standard and it requires constant renewal and consideration.

Too many companies, perhaps having paid consultants to come in and get them compliant in time for the deadline, believe it’s something they no longer have to think about. But they’re wrong.

We have trained our staff

We’ve talked about how important it is to institute a good security awareness training program and to keep an eye on your employees, but this is another security step that too many people think you can complete once and forget about. A proper training program should evolve over time and be a regular part of your employees’ schedule.

Another major mistake many organizations make in this area is that they don’t test whether the training they’ve provided was effective. It’s crucial to test your employees with mock phishing emails or social media messages to see if they respond correctly. The results must drive some action. Failure should prompt further training, but repeated failure needs to lead to disciplinary action and even dismissal in severe cases.

You can’t turn a blind eye to staff members repeatedly failing to meet your security standards. Your security strategy is only as strong as its weakest link and it only takes one employee to erode your efforts.

We’re covered by cyber insurance

This is a common statement that makes people feel more secure than they should, but there are a couple of reasons why it’s dangerous. This is such a new area of liability that many of the people selling and buying these policies don’t really understand what coverage is required. It’s all-too-easy to assume that you’re covered for a specific eventuality only to find out during the claims process that you aren’t.

The best insurance drives good behavior to reduce risk, but the depth required to do that in cybersecurity is often lacking right now. The policy might dictate that you have a firewall, for example, but not how that firewall is configured. Misconfiguration is such a common entry point for an attacker that it really needs to be part of the consideration here.
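To make the "you have a firewall, but is it configured?" point concrete, here is an added example (not from the article, not from any insurer's checklist or any real product) that audits a ruleset for the kind of misconfiguration a policy requirement would never catch. The rule format, the two constructed rulesets and the list of administrative ports are all assumptions made for the illustration; the checks are the ones a reviewer would apply to a real packet filter: a non-deny default policy, allow-anything-from-anywhere rules, administrative services exposed to the whole internet, and rules left unreachable behind a deny-all.

```python
"""Audit a firewall ruleset for common misconfigurations.

Added example with constructed data. The rule format is hypothetical and
modelled on a typical first-match packet filter:
    {"action": "allow" | "deny",
     "proto":  "tcp" | "udp" | "any",
     "port":   int | "any",
     "src":    "CIDR"}
"""
import ipaddress

# Assumption: services that should never be reachable from arbitrary sources.
# Tailor this to your environment; it is an illustrative list, not a standard.
ADMIN_PORTS = {22, 23, 3389, 5900, 1433, 3306, 5432}


def _is_world(src: str) -> bool:
    """True when the source CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(src, strict=False).prefixlen == 0


def audit_rules(rules, default_policy="deny"):
    """Return a list of (severity, message) findings for a first-match ruleset."""
    findings = []
    if default_policy.lower() != "deny":
        findings.append(("high", "default policy is not deny: unmatched traffic is allowed"))

    after_deny_all = False
    for i, r in enumerate(rules):
        if after_deny_all:
            # Anything after a deny-all never matches; usually a sign of a botched edit.
            findings.append(("info", f"rule {i} is unreachable: it follows a deny-all rule"))
            continue

        world = _is_world(r["src"])
        if r["action"] == "deny" and world and r["port"] == "any" and r["proto"] == "any":
            after_deny_all = True
            continue
        if r["action"] != "allow":
            continue

        if world and r["port"] == "any":
            findings.append(("high", f"rule {i} allows all {r['proto']} traffic from anywhere"))
        elif world and r["port"] in ADMIN_PORTS:
            findings.append(("high", f"rule {i} exposes admin port {r['port']} to the internet"))
    return findings


# Constructed ruleset 1: "we have a firewall" in the sense an insurance form asks.
# Every packet is allowed; the device adds nothing.
PERMISSIVE_RULES = [
    {"action": "allow", "proto": "tcp", "port": 22, "src": "0.0.0.0/0"},
    {"action": "allow", "proto": "tcp", "port": 443, "src": "0.0.0.0/0"},
    {"action": "allow", "proto": "any", "port": "any", "src": "0.0.0.0/0"},
]
PERMISSIVE_DEFAULT = "accept"

# Constructed ruleset 2: the same box configured with least privilege in mind.
HARDENED_RULES = [
    {"action": "allow", "proto": "tcp", "port": 22, "src": "10.0.0.0/8"},
    {"action": "allow", "proto": "tcp", "port": 443, "src": "0.0.0.0/0"},
    {"action": "deny", "proto": "any", "port": "any", "src": "0.0.0.0/0"},
]
HARDENED_DEFAULT = "deny"


def high_finding_count(rules, default_policy):
    """Convenience wrapper: number of high-severity findings for a ruleset."""
    return sum(1 for sev, _ in audit_rules(rules, default_policy) if sev == "high")


if __name__ == "__main__":
    for name, rules, policy in (
        ("permissive", PERMISSIVE_RULES, PERMISSIVE_DEFAULT),
        ("hardened", HARDENED_RULES, HARDENED_DEFAULT),
    ):
        print(f"== {name} (default policy: {policy}) ==")
        for severity, message in audit_rules(rules, policy) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Both rulesets satisfy a checkbox that says "firewall in place"; only the second one reduces risk. The same distinction applies to any control an insurer, auditor or regulator asks about: the question to answer is not whether the control exists but whether its configuration would actually stop the traffic you care about.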

As it stands right now, you shouldn’t be assuming you’re safe simply because you have a policy in place.

The last word

This is by no means an exhaustive list of the things that can lull you into a false sense of security about the threat of data breach, but you should certainly look at these four myths. The key thing to take away is that a successful defense against data breaches requires commitment and continuous effort.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Wired.com, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.