Preventative Cybersecurity: Mythbusters (Part 1)

Myths

We regularly encounter several of the same misconceptions about cybersecurity.

The purpose of this article is to set the record straight.

Below are three ‘cybersecurity myths’ we commonly hear.

#1: "I'm not a target."

Unfortunately, we have to start with the bad news. (It gets better from here.)

In 2023, 61% of small and medium-sized businesses (SMBs) in the US and UK were victims of a successful cyberattack¹.

It’s not just about the numbers. The rationale behind targeting small businesses is as follows:

• Security gaps: Hackers perceive SMBs as low-hanging fruit due to generally weaker security measures. Cybercriminals are looking for the highest return on their time investment, which typically comes from an organization with less security.
• Opportunistic criminals: Attackers capitalize on the quieter media aftermath and lesser law enforcement scrutiny post-attack, making SMBs not just targets but also convenient ones.
• Value of data: Business size doesn’t diminish data value. Customer information, financial details, and intellectual property remain lucrative for hackers, whether for ransom demands or black market sales.
• Ransomware and malware threats: Ransomware, including malware, is a significant threat to SMBs. Known ransomware attacks were up 68% in 2023².
• Supply chain exposures: Small businesses are potential backdoors to larger organizations. A highly covered example of this was the Target breach, which was traced back to an HVAC company, a small business in their supply chain.

The average cyber breach cost for businesses with fewer than 500 employees is $3.21 million³.

The prevalence and impact of cyber attacks on small and medium-sized businesses make it clear why every organization needs to be vigilant.

#2: "Not if, but when."

The phrase “a cyberattack is not a matter of if, but when” is common in the industry. We disagree.

It’s like saying that just because it will rain, you won’t be able to stay dry.

Yes, there are numerous ways an attacker can take over an environment. But not an infinite amount.

In fact, in nearly all ransomware events, at least one of three security gaps is present:

1. Missing or misconfigured multi-factor authentication (MFA)
2. Inadequate vulnerability management
3. Excessive user permissions

(I told you good news was coming.)

By proactively identifying these gaps, you can fix them and configure an environment to keep an attacker from reaching their target, rendering an attack inconsequential.

With preparation and appropriate cover, you can stay dry even when it rains.

#3: "Once an attacker breaches an environment, they've taken control."

As hinted at in the previous ‘myth’ covered, gaining initial access into an environment is just the first step for an attacker.

From there, attackers will leverage security weaknesses in an environment to pivot and escalate to their target, your critical assets. These weaknesses, or exposures, come in the form of CVEs, identity issues, and misconfigurations.

By understanding how and where these exposures come together to create attack paths, you can proactively cut off the paths that lead to your critical assets.

(More good news.)

An attacker without an attack path to a critical asset limits the blast radius and allows reactive tools to do their jobs.

An attacker must take logical steps to reach their target. By clearly seeing these steps in real-time, you can proactively remove the ones that lead to their taking control — even if they gain initial access.

This is why continuously scanning for exposures beyond CVEs in the internal environment is crucial.

Key Takeaway

There’s no difference between a pessimist who says, 'Oh, it’s hopeless, so don’t bother doing anything,' and an optimist who says, 'Don’t bother doing anything, it’s going to turn out fine anyway.' Either way, nothing happens. - Yvon Chouinard

Cybersecurity doesn't have to be a mystical subject beyond the limits of comprehension.

We don't have to wait until an attack is underway to catch the bad guy with a net before 'too much' damage is done. We can proactively remove the opportunity for an attack in the first place.

Schedule a demo here to learn how we're helping M(S)SPs proactively reduce their clients' exposure by giving them an attacker's perspective.

¹https://firewalltimes.com/

²https://www.malwarebytes.com/

³https://expertinsights.com