Most Common Myths about Cybersecurity
Knowing the most common myths found in the cybersecurity field is an important first step before starting implementations in a business; therefore, we have identified some of the most common ones, which are discussed below:
1. Cybersecurity is the same as Information Technology (IT)
It is common to hear people state that these two concepts are synonyms, since they usually follow technology articles on the Internet about smartphones, printers, or laptops and therefore tend to believe that training in cybersecurity amounts to technical support, which is not necessarily the case. Similar confusion happens at a professional level with concepts such as information security, cybersecurity and information technology and, if we elaborate a bit more, also with business continuity and risk management. Many organizations, in order to fit their budget, initially place professionals in the aforementioned areas of technology specialization in the department known as IT, which is one of the main reasons why many people associate these specializations with one another when they first hear the terms.
In view of this, this article will go over the meaning of each term, omitting the technical jargon.
Information Technology: The area in charge of administering the organization's service portfolio (technology).
Business Continuity: In charge of preventing and protecting the company from the effects that an interruption in IT services may produce, whether caused by a technical failure or a natural event.
Information Security: Its objective is to protect information from risks that could affect information assets in digital format and the information systems that process and store them, whether or not those systems are interconnected. It is supported by methodologies, standards, techniques, tools, organizational structures, technology and other means.
Cybersecurity: It focuses mainly on data in digital format, and its attention is primarily on the risks present in cyberspace.
Risk Management: The area specialized in identifying, analyzing and quantifying the probability that risks materialize, in technological terms.
All of these areas or specializations work together to provide and strengthen the different technology services and to protect the organization's information; however, they are not the same, because their tasks and approaches differ.
2. Upper management has nothing to do with cybersecurity
When an organization decides to implement cybersecurity, it is important to secure the commitment of upper management, since they are the first ones who must comply with the organization's policies and internal regulations, setting the example, so that they can later require the same of the rest of the personnel. Security is not a task for the technical area alone but for the entire organization: a company may buy and own the best security architecture, technologically speaking, but if users do not comply with or respect the rules, policies and procedures, those efforts will be of little use.
3. The best investment is in technology
From many companies and their upper management, it is usual to hear comments such as: “investing in technology is very costly, and in security, even more.” However, this type of comment could become less common in the years to come. For instance, 2020 has the peculiarity that different sectors, such as education, commerce, business and personal life, have had to reinvent themselves, making use of ICTs so that their economic activities are impacted as little as possible, given the global situation of the pandemic. In the process of reinventing themselves, these sectors may well wonder: In what way can technology help me reach my objectives? Interestingly, there is a governance and management framework, known as COBIT, that seeks to align company goals at the corporate level by making use of ICTs. Implementing this type of framework allows companies to manage their assets and technologies adequately; furthermore, it allows IT to be seen as the support needed to reach those goals. It is there where it is worth asking: To what extent is it really expensive to invest in technology? After all, a company that operates without using technology will hardly be one that accomplishes its goals easily.
4. In security, there is no return on investment (ROI)
If we accept that the IT department in an organization is aligned, or is aligning itself, with the corporate goals, it is evident that it must make some investment in technology. It is also normal for this area not to report any income, which may lead to the belief that there is no ROI to justify the resources invested in it. But if we consider the critical scenarios that a company may go through, neglecting technology and security may be more expensive than deciding to invest in a timely manner. Below are some examples of critical scenarios that a company could face as a consequence of not investing in technology:
· Information Backup
It is increasingly common to hear that companies fall victim to ransomware or other malware, which is becoming more sophisticated as it encrypts the information stored on hard drives and, most of the time, demands payment in cryptocurrency in exchange for restoring access to the information. On occasion, the only solution is to restore the last backup stored on a separate device that the malware has not encrypted.
· Business Continuity
It is important that the business identifies which of its areas are critical in the event of an incident (man-made or natural), since an incident in those areas prevents the business from operating as usual. Having the critical areas identified makes it possible to design a continuity plan for such cases. Otherwise, more income may be lost than a continuity plan would actually cost.
· Laws and regulations
Not knowing the laws and regulations that the business must adhere to, in terms of technology, may result in the company closing or having its operations suspended; it can also cause expenses such as fines for non-compliance.
An example would be the theft of confidential client information stored in databases, for which the company could face a considerable penalty.
Letting go of these myths and knowing the correct concepts will prove useful for strengthening the technological side of a company, mainly in the area of cybersecurity, since in a world ever more immersed in digital transformation, protecting information becomes crucial.