No one is immune to cyberattacks. But myths and misconceptions about these threats abound—and it’s time for a reality check.
The exact dimensions and consequences of today’s cyberthreats are not understood clearly. We see tons of stories about cyberattacks in the news—so much so that we tend to instantly suspect a hack or data breach whenever our critical infrastructure fails. It’s become a natural conclusion when we learn about damage or disruption to public services.
Yes, cybersecurity is a top concern in our very digital world. But the reality of cyberthreats is nuanced—different organizations face different risks and require varying levels of preparedness. Misconceptions can have serious repercussions for our nation’s critical infrastructure, companies that possess valuable intellectual property, and enterprises that store and process sensitive information.
Here are the five most common myths, according to our cybersecurity experts.
Myth #1: We are a small player in the market. No one will target us.
Reality: Smaller companies may feel safe from cyberthreats. They assume that cybercriminals will target larger entities. Similarly, smaller infrastructure owners and operators may believe that malicious actors will not consider them to be valuable targets. Whether or not smaller enterprises are the end target, they serve as excellent proxies for cyberweapons testing and are very much at risk.
A cyberattack on a small utility—or bank, rail, or another public service—serves as a useful proof of capabilities for the perpetrator, who also benefits from lower chances of detection and retribution. Malicious actors learn how to conduct reconnaissance on networks they regard as characteristic of the systems they want to exploit or attack. They study the effectiveness of their tools and tactics, then refine their capabilities on larger targets.
Myth #2: We are big and have invested heavily already in cybersecurity. We are safe.
Reality: As recent cases like the massive Capital One hack indicate, larger enterprises may not be as safe as they hope. The research and development community is still working to understand the effects of sophisticated cyberattacks on complex infrastructures, including those that link traditional IT systems, mobile users, the cloud, and the Internet of Things.
Every device—be it a railway switch or an electrical power turbine—becomes a computer peripheral. Larger players may be especially attractive targets because the complexity of their networks outstrips the capabilities of their cybersecurity defenses.
Myth #3: Our industrial control systems are air-gapped and proprietary. They are safe from hackers.
Reality: In our interconnected world, the field of players with means and motives to do harm is broadening. For companies with industrial control systems as part of their operations networks, recognizing this threat as credible presents a window of opportunity. Control systems must be protected like every other IT system—with robust network monitoring, threat detection, and incident response—especially in machine-to-machine systems. Enterprise-wide cybersecurity needs to extend to the industrial and supervisory control and data acquisition systems on which our factories and infrastructures depend.
Myth #4: We monitor monthly performance reports. We will know if we have a problem.
Reality: Cyberattacks like the takedown of a German steel mill demonstrate the ability to reach and control a physical asset, not just gain access to information. We tend to worry more about data theft than data integrity, but a cyberattack on a physical asset demonstrates why monitoring is so critical and must be continuous. Spotting outlier data on a report after the fact is not good enough. In the real world, consequences happen too quickly.
Myth #5: Our IT department takes care of all our cybersecurity issues.
Reality: If an enterprise suffers a cyber breach, every function feels the impact. In addition to disrupting operations, cyberattacks can jeopardize intellectual property, compromise personal and financial information, and—for critical infrastructure—pose fatal risks.
Lack of preparation and failure to respond effectively can shake confidence in a breached organization. Financial and reputational damage is often severe, even unrecoverable. A whole-of-nation approach to cybersecurity preparation and response—with participation from leadership at all levels—helps an organization regain business and mission operations. It also shows good faith regarding an enterprise’s reputation through coordinated and consistent reporting to regulators, law enforcement, and other stakeholders.
Perfect cybersecurity is impossible, but effective cybersecurity is within our reach. An organization can function confidently, and critical infrastructures can sustain operations despite rising cyberthreats. We’ll only gain this level of confidence, however, by facing the facts about today’s cybersecurity challenges.