Security Misconceptions that Will Drive You Out of Business

On November 24, 2014, employees of Sony Pictures Entertainment arrived at work, put their lattes on their desks, and turned on their terminals. Instead of their normal home screens, they were greeted with a threatening splash screen left by the attackers.


While the attack was under way, many computers were inoperable, several of Sony’s Twitter accounts were taken over, and the attackers claimed to have stolen over 100 terabytes of data using a Server Message Block (SMB) worm tool. They leaked unreleased films and confidential data, including the personal information of Sony employees.

Threats were made against Sony and its film, The Interview, which was one of the factors that led the FBI to accuse North Korea of the attacks. Security expert Kurt Stammberger described the attack by saying that Sony was “essentially nuked from the inside.” The repercussions were so severe that in 2015 the company allotted $15 million to cover the associated costs.

Anyone can be attacked. Maybe you haven’t provoked North Korea. You probably don’t work with Seth Rogen. Still, that doesn’t mean that your business is safe. Whether you like it or not, there may be some misconceptions about security that you hold dear to your heart:

“Breaches Only Affect the Big Boys”

The big corporations may have the biggest targets on their backs–they have the most power, influence, and media attention–but that doesn’t mean that they are the only ones being targeted. The sheer scale of these businesses allows them to build seemingly airtight security, whereas small- and medium-sized companies often don’t have the resources or personnel to protect themselves adequately.

If someone has a wall that’s 20 feet high while their neighbor has no wall at all, a burglar will likely opt for the easy option, even if the first house has nicer things. It’s the same with hackers targeting companies. Large corporations may have the most valuable treasure troves of data, but their security is often just as impressive. Many attackers will aim for businesses with a lower profile because they still have things to steal, often with far less effort and little chance of getting caught.

Look at the hacking group theDarkOverlord. They’ve been targeting medical service providers of all sizes. That’s right, not just the large targets, but the smaller ones too. According to Symantec, this is hardly an isolated incident, with 43% of all attacks now targeting small businesses.

“We have really secure systems”

This is just wishful thinking. You spent all of this money, so the least you can hope for is some semblance of safety; otherwise, it seems kind of pointless. Unfortunately, cyber threats are complex and constantly evolving. A good security plan won’t make you bulletproof, but it will help protect your business and reduce the severity of attacks against your systems.

Just like great policies, having the best physical infrastructure isn’t enough to keep you safe. Even if every connection uses TLS (what many people still call SSL) and you have the world’s best physical security in place, you are still exposed to weak credentials and social engineering attacks, because neither control touches those. Your business needs to understand the boundaries of the protection its infrastructure provides and add controls that cover the remaining soft spots.

“We have a security plan”

If good security plans were all we needed, we’d all be sipping piña coladas on the beach. Unfortunately, a security plan doesn’t do much good if you don’t adhere to it. This is where regular auditing and monitoring come into play. Auditing confirms which parts of your security plan are actually being followed and identifies where remediation is required. Monitoring (and responding when necessary) ensures that your organization can act at the first sign of trouble rather than months later. As technology advances, so do the threats we face, so security plans need to adapt: think of them as living documents. Need help coming up with a security plan and ensuring that you are sticking to it? We can help.

“We use antivirus software”

Antivirus programs are important, but they can’t do everything to keep your business secure. You are still susceptible to zero-day attacks, certain forms of adware and trojans, and any intruder who knows your password; antivirus has no way to tell a legitimate login from an attacker using stolen credentials. One of the best things to keep in mind with security is that it should be incorporated everywhere: this is known as defense in depth, or the Castle Approach. Not only should there be layers of security before you ever log in to your computer (hiring process, VPN, encryption, identity and access management, etc.), but once you are logged in there are even more layers of tooling designed to work in tandem with antivirus software to keep you and your business protected. This includes, but is not limited to, password management software, encryption software, and backup software.

“We use ‘secure’ passwords”

We all hate remembering passwords. Some will just need four digits. Others will want eight or more characters. Some need a mix of upper and lower case. Some need special characters. It wouldn’t be surprising if the passwords of the future require the meaning of life or the Ark of the Covenant.

We all put up with this system because we think it keeps us more secure. What if you were to find out that the complexity often causes people to choose less secure passwords? This is because they either recycle old ones, make predictable substitutions, or use personal information that is easy to guess. After forgetting so many passwords over the years, you may not be pleased to hear that these requirements range from unnecessary to unsafe.

Example: let’s look at a 4-digit PIN. If you were to brute force this password (try every possible combination), how many tries would it take in the worst case?

10^4 (or 10 * 10 * 10 * 10) = 10,000

That’s 10,000 combinations to try, which is trivial for a computer. By increasing the number of possibilities for each character you drastically increase the number of combinations needed to guess a password. For example, if you include all lowercase and uppercase letters and the digits, that’s 62 possibilities per character (26 lowercase letters + 26 uppercase letters + 10 digits), so a password like ‘asD1’ would require up to 14,776,336 guesses (62^4). Adding length does far more than adding character classes: every extra character multiplies the count by the alphabet size again.

From a brute-force point of view, “asd2313JDiJDk194jHy69S!3” and “moosechairsneakerlight1!” are both 24 characters long, so an attacker who blindly tries every printable string faces the same maximum number of guesses for either (it’s a lot of guesses; there’s even a fancy word for this: intractable). The caveat is that a real attacker won’t work blindly: a passphrase made of dictionary words gets attacked word by word, so its strength is the number of words and the size of the list they came from, not the character count. Even so, a handful of randomly chosen common words is well beyond what most “complex” passwords provide, and the practical difference between these two examples is that the former is far more likely to end up taped under your keyboard.
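To make the arithmetic above concrete, here is a small added example (written for this article, not code from the original) that computes the search space an attacker faces under three models: brute force over a fixed alphabet, a character-class mask inferred from the password, and a dictionary attack on a word-based passphrase. The guess rate and the 2048-word dictionary are assumptions chosen for illustration; the 44-bit passphrase figure is the one Randall Munroe’s comic uses. The same `years_to_exhaust` helper also applies to a 56-bit DES key, which is why that cipher shows up later under “We use encryption”.

```python
import math
import string

# Character classes an attacker can assume when nothing else is known.
LOWER, UPPER, DIGIT, PUNCT = (string.ascii_lowercase, string.ascii_uppercase,
                              string.digits, string.punctuation)
FULL_PRINTABLE = len(LOWER) + len(UPPER) + len(DIGIT) + len(PUNCT)  # 94


def brute_force_keyspace(alphabet_size: int, length: int) -> int:
    """Worst-case guesses when the attacker knows only the alphabet and
    the length: alphabet_size ** length."""
    return alphabet_size ** length


def bits(keyspace: int) -> float:
    """Size of a search space in bits (log2), the usual yardstick."""
    return math.log2(keyspace)


def alphabet_size_of(password: str) -> int:
    """Size of the smallest character-class alphabet that covers the
    password, i.e. the charset a cracker's mask would use after noting
    which classes appear. Rejects characters outside the four classes."""
    allowed = LOWER + UPPER + DIGIT + PUNCT
    if any(c not in allowed for c in password):
        raise ValueError("password contains a character outside the modelled classes")
    return sum(len(cls) for cls in (LOWER, UPPER, DIGIT, PUNCT)
               if any(c in cls for c in password))


def worst_case_guesses(password: str, alphabet_size: int = FULL_PRINTABLE) -> int:
    """Guesses for an attacker who assumes a fixed alphabet and knows
    only the length. With the full 94-character set this is the figure
    the article compares: it depends on length alone."""
    return brute_force_keyspace(alphabet_size, len(password))


def passphrase_keyspace(dictionary_size: int, words: int) -> int:
    """Guesses for an attacker who knows the password is `words` words
    drawn uniformly at random from a list of `dictionary_size` words."""
    return dictionary_size ** words


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at the given rate."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9  # assumed: one billion guesses per second (offline hash cracking)
    for label, space in [
        ("4-digit PIN", brute_force_keyspace(10, 4)),
        ("asD1 (62-char alphabet)", brute_force_keyspace(62, 4)),
        ("24 chars, full printable set", worst_case_guesses("moosechairsneakerlight1!")),
        ("4 words from a 2048-word list", passphrase_keyspace(2048, 4)),
        ("56-bit DES key", 2 ** 56),
    ]:
        print(f"{label:32s} {bits(space):6.1f} bits  {years_to_exhaust(space, rate):.3g} years")
```

Two things the numbers show: the 24-character examples are identical under a blind brute force (94^24 for both, well over 150 bits), but the passphrase collapses to 44 bits once the attacker guesses how it was built, which is why strength should be judged by how a password was generated rather than by which character classes it contains.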

For those of you unacquainted with Randall Munroe of XKCD, you should definitely check out his comic about this topic.

“We use encryption”

Uh, no. If encryption is used properly, it is great at keeping your data secret. But there are caveats:
– Your data must be decrypted at some point. An attacker is much more likely to steal the data while it is unencrypted (perhaps via an unencrypted communication channel, a compromised endpoint, or an application vulnerability) than to break the cipher.
– Failure to secure your encryption keys can lead to their compromise. An attacker holding the key can intercept and decrypt your traffic or stored data, all while you think it is perfectly safe.
– You may be using outdated algorithms or broken implementations. The once-safe DES block cipher has a 56-bit key that is far too short these days and can be brute forced. And even a sound algorithm doesn’t help if the library is flawed: CVE-2014-0160 (aka “Heartbleed”) let attackers read server memory, private keys included, from vulnerable OpenSSL builds.
– Social engineering attacks can still retrieve passwords or other information that can be used to decrypt data.

Given these caveats (and there are many more), you can’t simply rest easy because your data are encrypted.

So there you have it, some of the most common security misconceptions floating around our digitally connected world. Check out our security assessment tool to see if you are taking the right steps to protect your business.