Secure Company Information: Five Cyber Security Myths Debunked

Chief Executive Officer at NetWatcher
November 10, 2015

Across all types of industries and a variety of businesses, cyber security remains one of the most serious types of threats. Even if your company is taking steps to thwart attacks and secure company information, it often takes a deeper understanding of how cyber criminals work to effectively bolster your security posture.

Below are five common myths that businesses often fall victim to when it comes to protecting their sensitive corporate information:

Myth #1: Point of Sale (POS) network

A business owner outsources his Point of Sale (POS) network to a PCI (Payment Card Industry Data Security Standards) vendor; therefore, the business is protected.

POS Network Security, PCI Vendor - A point of sale breach could result in a fine.

Fact

Installing a PA-DSS validated payment processing application does not satisfy all of the PCI-DSS requirements. If breached, the merchant could face a fine of up to $90 per cardholder record compromised, suspension of credit card acceptance by the merchant’s credit card account provider, and loss of customer trust. The PCI-DSS contains more than 200 individual requirements, most of which have nothing to do with the POS product. More information on PCI-DSS requirements.

Myth #2: I can secure company information with virus detection software

I have virus detection software on all of our company laptops, so our company information is secure.

Virus detection software doesn't mean your company laptops are secure. Poor user behavior can counteract antivirus software.

Fact

There are many vulnerabilities that locally installed virus detection software is unable to detect.

Malware writers are continually looking for vulnerabilities and writing code to exploit them, as well as using compression techniques to bypass anti-virus software altogether. Anti-virus software vendors are racing to identify ways to detect and eradicate new malware as it appears. User behavior can also counteract even the best antivirus software: for example, a user who ignores warning alerts and opens an infected email attachment or downloads an infected file can unintentionally install a virus before the antivirus software has a chance to act.

Myth #3: Cloud security

Everything we use from an IT perspective is in the cloud, so we are secure.

The cloud isn't secure. Employees can open you up to a breach every time they take their laptop home with them.

Fact

Just because your line-of-business applications, email and document management are in the cloud doesn’t mean you are secure. Employees using laptops, mobile phones, network printers, and even smart TVs on your local network are what open your business up to compromise.

Myth #4: FINRA certified email

I’m an investment banker in a small office and use a FINRA certified email and document management system so I don’t have to worry about a cyber-attack.

FINRA certified email doesn't mean you're protected from a cyber-attack.

Fact

If your network assets are infected with malware and you lose customer data, you are going to have big problems. The Office of Compliance Inspections and Examinations (OCIE) recently published a sample cyber-security examination document request in connection with its recent risk alert to help firms evaluate their “level of preparedness.” Both the SEC and FINRA are now engaged in active cyber-security “sweep” examinations of firms. Securities regulators have taken enforcement actions against firms based on cyber-security governance failures as well as for failing to protect networks and non-public customer information with appropriate technology (including encryption, antivirus software and firewalls).

Myth #5: HIPAA certified systems

I run a small office of physicians and we use HIPAA certified systems; therefore, we have no potential issues to worry about.

HIPAA certified systems are not 100% secure, and the Department of Health and Human Services is enforcing strict privacy standards.

Fact

If you get malware on one of your local network assets and you lose customer personally identifiable information, you will have a serious issue on your hands. The Department of Health and Human Services (HHS) has done a great job of documenting how to comply with the Privacy Rule and the Security Rule outlined in the HIPAA standards. The HHS Office for Civil Rights (OCR) is responsible for administering and enforcing these standards and may conduct complaint investigations and compliance reviews.

The bottom line?

Your small business can have prevention tools in place, ranging from antivirus and backups to firewalls, and still fail to secure company information. With over 60% of mid-sized businesses that fall victim to a cyber-attack going out of business within six months, it is critical to have a system that detects problems in order to reduce risk and achieve regulatory compliance. For more information, check out NetWatcher here.
