Cybersecurity has never been more critical (or challenging) than it is today. However, numerous myths and misconceptions persist, even among tech leaders, leading many companies to make misguided decisions when developing their cybersecurity strategies.
Below, 19 members of Forbes Technology Council shed light on some prevalent cybersecurity myths. They also provide critical insights into the significant cybersecurity challenges that organizations face today and how to overcome them.
1. Standard Cybersecurity Training Is Effective
The myth is that cybersecurity training is going to help everyone get smarter about security. The truth is that security training videos with a quiz at the end do not mitigate risk; they just add to people’s never-ending to-do lists. What we really need are tools that connect cybersecurity risk to specific activities as a way to help people practice better security hygiene. – Andrew Kahl, BackBox
2. All Zero-Trust Security Is Created Equal
A big myth is that all zero-trust security is created equal. Legacy security vendors misinform the public, leading them to believe that perimeter-based firewalls can deliver true zero-trust security. In truth, these solutions connect users to the corporate network, which opens the attack surface and allows access by bad actors. You can only ensure zero-trust security by connecting trusted users directly to apps and data, never to the network. – Jay Chaudhry, Zscaler
3. Cloud Platform Providers Fully Cover Cybersecurity Needs
More often than not, a company will integrate a cloud platform provider and expect it to cover all needed aspects of cybersecurity, but it will not. You have to continue to be in charge of your own specific risks. Make sure you are implementing policies in each of your internal and external platforms to follow your intended rules to ensure you stay secure. – Jim Barkdoll, Axiomatics
4. Cybersecurity Is Solely IT’s Responsibility
Your company’s safety hinges on more than just the efforts of the IT team. It demands that all employees are aware of risks and policies. While many assume cybersecurity is solely IT’s responsibility, it’s not. Without active engagement across the business and the establishment of crucial protective processes, true cybersecurity remains elusive. – Robert Strzelecki, TenderHut
5. “More” Cybersecurity Is “Better”
When it comes to cybersecurity, many believe that “more” is “better.” In reality, having numerous point solutions can lead to complexity, alert fatigue, duplication of functionality and precious time wasted as analysts log in and out of systems. Technology needs to augment the workforce, not monopolize staff time. Streamlining the cyber stack and looking for systems that easily integrate with one another must be the priority. – Jesper Zerlang, Logpoint
6. Strong Passwords Provide Adequate Security
Contrary to a prevalent assumption, strong passwords alone are not adequate for cybersecurity. In reality, while strong passwords are essential, they are insufficient. Phishing and hacks can both compromise passwords. Multifactor authentication, which requires multiple authentication elements, is critical for increased security. MFA adds an important layer of security, making unwanted access much more difficult. – Neelima Mangal, Spectrum North
7. Advanced Security Tools And Technologies Are Protection Enough
Advanced security tools and technologies are just the start. They are crucial but cannot alone guarantee complete protection. Cybersecurity is as much about people and processes as it is about technology. Poor training and disgruntled employees pose significant risks. So stay vigilant with training and implement a robust access control system and regular monitoring of logs so you can catch issues faster. – Matthew Cloutier, Sticky Strategy
8. SMS-Based Two-Factor Authentication Is Invulnerable
One common myth is that SMS-based two-factor authentication is secure. However, the truth is that it’s vulnerable. Attackers can spoof or access SMS-based 2FA, often by using SIM swapping. Tech leaders should opt for more secure methods, such as app-based authentication or hardware tokens, to enhance cybersecurity. – James Beecham, ALTR
9. “We Can Secure All Logins”
“We can secure all logins” is probably the most dangerous myth. Using social engineering, many two-factor solutions can be compromised, and malware on a user’s device can hijack live sessions. Today’s role-based access technology can turn even a single such compromise into a catastrophe, as is evident in many recent attacks. Dynamic access control is required to mitigate damage from such attacks. – Atul Tulshibagwale, SGNL.ai
10. Cybersecurity And Physical Security Are Unrelated
One myth is that physical security is unrelated to cybersecurity; in reality, they’re interconnected. A breach in physical security can spell digital disaster. Unrestricted access to server rooms or careless disposal of company hardware can lead to significant cyber vulnerabilities. Recognize that physical security lapses can open the door to cyber breaches. – Rob Tillman, Copy Chief©
11. “100% Cybersecurity” Is Real
There’s a myth that “100% cybersecurity” is real, but it’s not. The law of cybersecurity is like gravity: it’s always at work. Cybersecurity is inversely linked to functionality; that is, added functionality boosts risk, so always ask if it’s worth it. Another myth is that cybersecurity is a tech issue that’s contained under the umbrella of IT. In truth, it’s a business challenge that’s not solvable by the tech team alone. IT is part of cybersecurity; IT reports to cybersecurity, not vice versa. – Eric Cole, Secure Anchor Consulting
12. Quantum Computers Are A Universal Decryption Tool
Many believe quantum computing will render current encryption obsolete, making all data instantly vulnerable. While quantum computers will challenge certain encryption types, they aren’t a universal decryption tool. Plus, the rise of quantum-resistant cryptographic algorithms ensures that proactive measures are in place to secure data even in a post-quantum era. – Somdip Dey, Nosh Technologies
13. “What We Don’t Know Can’t Hurt Us”
Too many companies fall prey to the myth that what they don’t know can’t hurt them. For example, large enterprises often use hundreds of software as a service applications, but they may only have visibility into one-third or one-half of them. A $10 app can carry $10 million in liability if it’s not properly vetted and secured. SaaS portfolios are one of the biggest cybersecurity blind spots; central visibility into your SaaS portfolio is key. – Ben Pippenger, Zylo
14. Human Behavior Isn’t An Important Cybersecurity Factor
While state-of-the-art tools are crucial, the real truth underscores the significance of human behavior. Even the most sophisticated systems can be rendered vulnerable by a single employee’s oversight or lack of training. Comprehensive cybersecurity necessitates a blend of cutting-edge technology and continuous employee education. – Miguel Llorca, Torrent Group
15. “We Can Let Our Guard Down”
Having two-factor authentication and robust software security is great, but it’s no excuse to let your guard down. Security isn’t static; threats are always evolving, and what’s secure today may not be secure tomorrow. It’s crucial to stay up to date with emerging security technologies. Make it a habit to revisit and update your detection and response strategies at least two times a year to maintain a strong system. – Gergo Vari, Lensa, Inc.
16. “Our Business Will Never Be Breached”
Too many organizations believe they will never be breached because of antivirus software, endpoint detection and response, filtering, and other defenses. Leaders need to ask themselves, “How many other organizations in our industry have been compromised? Do they likely have the same or similar defenses?” Likely, the answer to the second question is “yes.” The real question isn’t “if,” but “when.” You have to test what happens after a breach to see the real state of your detection and response capabilities. – Tim Medin, Red Siege
17. “Obscurity Is Security”
Many seem to believe that “obscurity is security”; they think that because their organization is a smaller entity or that they’re hiding their systems, they’re less of a target. The reality is that automated cyberattacks scan and target all systems, regardless of size or prominence. It’s not about being invisible; it’s about being well-fortified. Even smaller companies should prioritize robust cybersecurity measures. – Marc Rutzen, HelloData.ai
18. “Our Web Host And Vendors Will Ensure Our Regulatory Compliance”
Too many tech leaders rely on minimal privacy requirements, assuming their Web host or vendors will worry about the tougher stuff and ensure compliance with various laws. That couldn’t be further from the truth: every business is responsible for the customer data it collects. When applicable, be in compliance with Europe’s General Data Protection Regulation and the California Privacy Rights Act to ensure compliance almost anywhere. – Jordan Yallen, MetaTope
19. Cybersecurity Is Just A Financial Burden
One misguided belief I’ve come across is that cybersecurity is an unnecessary financial burden rather than a strategic investment. The truth is that cybersecurity is an essential facet of your digital image. In my personal experience in implementing reforms, I’ve realized robust cybersecurity actually saves you from experiencing significant financial losses, data breaches and legal liabilities, and it improves customer trust and your company’s reputation. – Phil Portman, Textdrip