In the world of information security, myths exist that influence senior executives, business managers and sometimes the industry's own professionals, causing misunderstandings and exaggerations about the threats to computer systems and the technologies used to combat them.
Many of these myths exist because people tend to overreact and respond emotionally in unfamiliar situations, rather than analyze them objectively.
The result is either to overstate the problem by relying on the first solution proposed or, worse, to underestimate the risks in the hope of avoiding additional costs.
Myth #1 - It will not happen to me
Believing that your company will never have security problems. This is often said by someone who does not want to spend (or rather, invest), hoping that the risk never materializes. Instead, when a problem is recognized, or even just suggested, there should be a risk analysis phase and, where appropriate, the allocation of the resources needed to mitigate or fully resolve it.
Other times the opposite happens: the impact of a vulnerability is overestimated. The best approach is to use a metrics framework that assigns an objective value to the risk a vulnerability poses.
Myth #2 - All risks can be quantified
In companies there is a misconception that everything can have a number attached to it. There is the illusion that the security manager can only get the budget they need if it is justified by an Excel spreadsheet. We must instead help upper management understand what can and cannot be quantified, and obtain the budget necessary to implement a robust architecture based on security controls.
Myth #3 - We have physical security or SSL, so your data is safe
Or, more simply: if we have anti-virus and a firewall, we're safe! This is not true. This belief is often instilled by outside vendors trying to sell their products and every feature they come with. Buying products and appliances will not magically make you safe! And even when the product is "good", have we made sure that it is properly configured and works to its full potential?
In fact, security should be developed as an architecture, starting from the risk assessment and taking into account what you are protecting, so that the correct controls are implemented. This lets you avoid being distracted by elements that are not essential to security.
Myth #4 - Using strong passwords reduces the risks
It is not true. Passwords are not effective, and the whole scheme has huge gaps. It is just an obsolete historical precedent that businesses can cling to.
Passwords are not sufficient, since cracking is not the only way past the firewall: there is also sniffing, and the reuse of credentials between systems with different security levels. Finding a valid alternative to passwords is difficult, and two-factor or multi-factor authentication cannot always be implemented easily. Meanwhile, companies can advise employees not to reuse their work passwords elsewhere, and perform periodic checks on password strength.
Myth #5 - Buying one security device will solve all the problems
We have just been told about a new product that solves 95% of problems, is easy to install, and costs as much as one of the many servers we have in the company. Maybe. As we said before, we should stop buying software and "iron" in the hope that it will magically solve our problems. Without serious analysis and auditing of the real problems our business is exposed to, we spend money unnecessarily and increase the complexity of our infrastructure. This myth reflects a common but wrong understanding of the "security" problem as a whole.
Relying on myths is wrong. That is why there is EasyAudit, a professional tool and an inexpensive way to get a second opinion on your business's information security!