Seven myths of corporate IT security

Myths and prejudices are inevitable companions to any branch of knowledge, and the information security sphere is no exception, no matter how practical it is. This article will briefly touch upon the seven most popular myths of protecting corporate infrastructure and ensuring data integrity.


Myth 1: “I stay away from it, because my company is not that famous. We work in the area where hackers wouldn’t find anything interesting.”

Well, perhaps they would. As soon as you make something available to the general public, attackers will most likely find it interesting and try to make a profit at your expense. Hackers don’t tend to care what the subject matter is. In fact, they will pick completely random targets, as it is just a matter of finding existing vulnerabilities in network infrastructures and the possibility of gaining access to internal data.

The stay-away approach to IT security is vulnerable in itself: confidence in the absence of threats inevitably produces carelessness bordering on dereliction. Why install patches or bother updating the software if it works? Or, why patch if the software developer announces that they will eliminate a critical vulnerability? This can go on and on until a real problem arises, and then the stay-away approach is null and void.


Myth 2: “Cybercriminals prefer to attack a large corporation rather than a small insignificant company.”

This is an incorrect assumption. As mentioned above, cybercriminals sometimes pick victims just by scanning random networks and servers for possible “entry points.” Large companies tend to realize that they can, at least in theory, attract the attention of hackers, which is why they are very scrupulous about protecting their infrastructure. Small firms tend to hope they won’t be noticed (see Myth 1) and skimp on basic protection. Attackers clearly understand that mindset, and small businesses are increasingly being targeted more often than large corporations.


Myth 3: “A good antivirus will solve all my problems.”

Unfortunately, this is no longer true. Antivirus software is surely a cornerstone of the security system of a corporate network, but reducing everything to just that is no longer possible. Today’s threatscape is very diverse, so limiting protection to an antivirus is like hiding from smart weapons behind barbed wire. An antivirus, even the best of the best, cannot protect against zero-day exploits, hacking, phishing, and brute-forcing, amongst other threats. Obviously, this does not mean that antivirus is unnecessary.


Myth 4, the antithesis of Myth 3: “The solution providing corporate network security is just an antivirus, it will not protect us from more serious threats.”

Identifying an antivirus as a security solution in general is, unfortunately, an atavism, but a tenacious one. We speak of “security” and imply “antivirus.” However, enterprise-level solutions include a variety of other features: a web traffic filter, protection from hacker attacks, protection from phishing, protection from zero-day exploits, application launch control, software vulnerability scanners, etc. All these tools are developed to protect corporate networks from actual threats.


Myth 5: “The developers of security solutions offer signature-based detection only, and that is not enough.”

This is a conscientious but misleading objection. Nowadays, the signature-based detection of malware is by far the most developed and effective in terms of time and resources, but that does not mean other methods are not used. Kaspersky solutions enable heuristic analysis and proactive technologies, and without them it would be impossible to prevent attacks by previously unknown malicious programs.

For example, our Automatic Exploit Prevention technology can block exploits whose signatures are not yet included in antivirus databases. This is done by analyzing the behavior of legitimate software and immediately blocking any unauthorized processes, treating them as a possible attempt to exploit vulnerabilities.

In addition, our Kaspersky Security Network service continuously collects data on new attacks around the world, helping to cope with emerging threats.

All in all, truly effective protection can be provided by a combination of all possible methods. Using just one of them today is meaningless.


Myth 6: “Data encryption is for the paranoid.”

This statement deserves a proverbial response: the paranoid live longer.

Over the past few years there have been large-scale leaks of personal data from compromised servers of multinational companies. The most hyped case was the theft of the personal data of millions of users of the Sony PlayStation Network. The data was stored on unencrypted servers, and the attackers could do whatever they pleased with it.

A few weeks ago the California Attorney General’s Office released a report which stated that last year the personal data of more than 2.5 million people in California was at risk for a variety of reasons. According to the Attorney General’s estimates, the scale of the threat could have been cut almost in half if all the companies processing personal data had not neglected encryption. The California Attorney General’s Office recommends legislating the necessity of encryption in cases of processing people’s personal information.


Myth 7: “We have moved all critical data from local computers to an external cloud service. The provider says they have ‘impregnable defenses’, so now I feel more secure.”

I would not want to sully the joy of life, but there are several inevitable issues here. First of all, do you know exactly what security solutions your cloud service provider uses? Are you sure that you retain full control over your data using someone else’s infrastructure? Finally, do you have a backup copy of your data elsewhere?

The point is that using various information security solutions for different components of the infrastructure (certainly including both local and external resources) is a potential security breach.

If any part of the work is outsourced, it is critical to constantly control the incoming data from external services. We have repeatedly watched malware oozing from leased facilities into local corporate networks, although there should have been no malware in the “cloud”.

If you cannot establish general, centralized protection of your networks and the web services used for joint work, you should put up a barrier between them and check each incoming file, denying malicious programs any access to sensitive information on the local resources.

Of course, the “mythology” in our industry is not limited to the listed fallacies. Those stated above are the most widespread and tenacious. For the most part they exist as a plausible excuse to skimp on security measures, but this approach is fundamentally flawed. Numerous incidents confirm that: after each breach, it turns out that the victims have neglected the basic tools of protection, hoping that such problems would not affect them.