Across industries and businesses of every size, cyber attacks remain one of the most serious threats a company faces. Even if your company is taking steps to thwart attacks and protect company information, it usually takes a deeper understanding of how cyber criminals actually operate to bolster your security posture effectively.
Below are five common myths that businesses fall victim to when it comes to protecting their sensitive corporate information:
A business outsources its point-of-sale (POS) network to a PCI DSS (Payment Card Industry Data Security Standard) compliant vendor, therefore the business is protected.
Installing a PA-DSS (Payment Application Data Security Standard) validated payment application does not satisfy all of the PCI DSS requirements. A breach can still result in fines of up to $90 per compromised cardholder record, suspension of card acceptance by the merchant's acquiring bank, and loss of customer trust. PCI DSS contains more than 200 individual requirements, most of which have nothing to do with the POS product itself: network segmentation, access control, logging and monitoring, vulnerability management and security policy remain the merchant's responsibility. More information on PCI DSS requirements is available from the PCI Security Standards Council.
I have antivirus software on all of our company laptops, so our company information is secure.
There are many threats that locally installed antivirus software is unable to detect.
Malware authors are continually looking for vulnerabilities and writing code to exploit them, and they use packing, compression and obfuscation techniques so that the file on disk no longer resembles anything the antivirus engine has a signature for. Antivirus vendors race to identify ways to detect and eradicate new malware as it appears, but a signature can only be written after a sample has been seen. User behavior can also defeat even the best antivirus software: if a user ignores a warning, opens an infected email attachment or downloads an infected file, the malware may be installed before the antivirus software has a chance to act.
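The paragraph above says packing and compression let malware slip past antivirus signatures. The following Python script, added here as an illustration and not part of the original article, shows the mechanism with a harmless constructed marker string standing in for a malicious payload: a hash signature and two byte-pattern signatures match the raw payload, fail to match the same payload once it has been compressed and XOR-encoded, and match again only when the scanner unpacks the sample first. The packer (zlib plus a one-byte XOR key) and the signature set are assumptions made up for the example.

```python
"""Why a static byte signature misses a packed payload (added example).

The "malware" below is a harmless constructed marker string; the
"signatures" are the kind of indicators an antivirus engine matches on.
Packing changes every byte on disk, so nothing matches until the payload
is restored to its original form.
"""
import hashlib
import zlib

# Constructed stand-in for a malicious payload. It is plain text and does nothing.
PAYLOAD = b"CONSTRUCTED-TEST-PAYLOAD: connect back to c2.example and fetch stage2"

# Two common static signature types: a whole-file hash and raw byte patterns.
HASH_SIGNATURES = {hashlib.sha256(PAYLOAD).hexdigest()}
PATTERN_SIGNATURES = [b"connect back to c2", b"fetch stage2"]

XOR_KEY = 0x5A  # assumed packer key for this example


def pack(data: bytes, key: int = XOR_KEY) -> bytes:
    """Model of a simple packer: compress, then XOR every byte with a key."""
    return bytes(b ^ key for b in zlib.compress(data, 9))


def unpack(blob: bytes, key: int = XOR_KEY) -> bytes:
    """The stub a packed program runs at start-up to restore its real code."""
    return zlib.decompress(bytes(b ^ key for b in blob))


def static_scan(sample: bytes) -> list[str]:
    """Signature scan of the bytes exactly as they sit on disk."""
    hits = []
    if hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES:
        hits.append("hash")
    for pattern in PATTERN_SIGNATURES:
        if pattern in sample:
            hits.append("pattern:" + pattern.decode())
    return hits


def scan_with_unpacking(sample: bytes) -> list[str]:
    """Scan the raw bytes, then scan the unpacked contents if the sample unpacks.

    This scanner cheats: it knows the packer and its key. A real engine has
    to emulate the unpacking stub or watch the program's behaviour at run
    time, which is exactly why signature-only antivirus lags behind.
    """
    hits = static_scan(sample)
    try:
        inner = unpack(sample)
    except zlib.error:
        return hits  # not packed with this packer; nothing more to look at
    return hits + ["unpacked:" + h for h in static_scan(inner)]


if __name__ == "__main__":
    packed = pack(PAYLOAD)
    print("raw payload, static scan:     ", static_scan(PAYLOAD))
    print("packed payload, static scan:  ", static_scan(packed))
    print("packed payload, with unpacking:", scan_with_unpacking(packed))
```

Running the script shows three signature hits on the raw payload, none on the packed copy, and three again only when the scanner unpacks before matching. Changing the XOR key or the compression level produces a fresh binary that every hash and pattern signature misses, which is the cheap trick the paragraph describes; detection therefore has to look at what the program does when it runs, not only at the bytes it ships as.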
Everything we use from an IT perspective is in the cloud, so we are secure.
Just because your line-of-business applications, email and document management are in the cloud does not mean you are secure. The provider protects its own infrastructure, not the devices that log in to it. Employee laptops, mobile phones, network printers and even smart TVs on your local network are the assets that open your business up to compromise, and a compromised endpoint with valid credentials has the same access to your cloud data as the employee who uses it.
I'm an investment banker in a small office and use a FINRA-certified email and document management system, so I don't have to worry about a cyber-attack.
If your network assets are infected with malware and you lose customer data, you are going to have big problems regardless of which hosted systems you use. The SEC's Office of Compliance Inspections and Examinations (OCIE) published a sample cyber-security examination document request in connection with its risk alert to help firms evaluate their "level of preparedness." Both the SEC and FINRA are engaged in active cyber-security "sweep" examinations of firms. Securities regulators have taken enforcement actions against firms for cyber-security governance failures as well as for failing to protect networks and non-public customer information with appropriate technology (including encryption, antivirus software and firewalls).
I run a small office of physicians and we use HIPAA-certified systems, therefore we have no potential issues to worry about.
There is no such thing as a HIPAA certification: the Department of Health and Human Services (HHS) does not certify or endorse products, and the covered entity remains responsible for compliance. If malware lands on one of your local network assets and you lose patient data (protected health information), you will have a serious issue on your hands. HHS has done a good job of documenting how to comply with the Privacy Rule and the Security Rule outlined in the HIPAA standards. The HHS Office for Civil Rights (OCR) is responsible for administering and enforcing these standards and may conduct complaint investigations and compliance reviews.
The bottom line?
Your small business can have prevention tools in place, ranging from antivirus and backups to firewalls, and still fail to secure company information. With over 60% of mid-sized businesses that fall victim to a cyber-attack reportedly out of business within six months, it is critical to pair prevention with a system that detects problems when prevention fails, both to reduce risk and to achieve regulatory compliance. For more information, check out NetWatcher.