Six myths of information security

Information security is becoming increasingly important in the modern business environment, yet many organisations are still failing to take the problem seriously. Learn how to distinguish myths from facts and protect your business.

Myth #1: Information security doesn't matter

Some people think all the fuss about information security is just hype created by the IT industry. However, the risks are very real and well-reported.

At best, poor security wastes time and resources – time to deal with spam email, the cost of disinfecting virus-infected systems, etc.

At worst, poor information security threatens the future of the organisation – unauthorised disclosure of confidential information, identity theft, damage to reputation, catastrophic loss/corruption of company data.

A recent survey identified smaller businesses as particularly at risk, as they often lack the expertise required to develop effective security policies and dedicate too few resources to developing adequate protection.

Myth #2: Information security attacks are simply a nuisance

Hackers used to be 'techies' who hacked systems for the challenge. However, organised criminals now recognise information security attacks as highly lucrative. They have considerable resources – both money and talent – and steal information such as credit card details for subsequent sale.

Myth #3: I'm too small to be attacked

Some companies believe they are too small to warrant the attentions of the cyber criminal fraternity. However, larger targets usually have the resources to implement effective defences, which deters attackers. Furthermore, attacks are increasingly automated. Instead of a specific organisation being targeted, internet-connected systems are attacked at random to identify vulnerabilities. Even if these systems do not hold useful information, they can be compromised and used to house illegal content or become part of organised networks attacking other systems.

Myth #4: I have anti-virus software so I'm protected

Anti-virus software is certainly a key component of effective information security, but it does little to prevent other forms of attack. Hackers can gain unauthorised access to systems via the internet, spyware can be installed to monitor what users do on-line, and software can be installed to allow systems to be remotely controlled. An effective information security policy must deal with all types of attack.

Myth #5: All attacks come from outside my organisation

Evidence shows that many attacks originate from inside organisations. These may be deliberate (disgruntled employees stealing confidential data such as customer databases) but are often accidental (unintentional circulation of libellous information).

Organisations are becoming increasingly concerned about what their staff do on-line – downloading unacceptable or even illegal content, watching videos on video sharing sites such as YouTube, emailing friends with jokes, videos, etc. Directors should realise they can be held accountable for data stored on company systems.

Myth #6: I can't afford adequate protection

Many organisations see information security as an unnecessary expenditure. However, the key is to make any investment count by addressing the most important areas. One of the most effective ways to achieve this is through a risk assessment:
  • What risks do you face?
  • How likely are these to occur?
  • What would be the impact if they did?
  • What are the options to avoid or mitigate the risk?
  • Does the potential risk justify the cost of correction?

The basic aim of an information security policy is to deter casual attacks – the equivalent of locking doors and windows.

A layered approach offers the best protection:
  • Firewalls restrict who can access your systems and what they can do
  • Anti-virus software stops viruses
  • Anti-spyware software can prevent spyware infections
  • Email filters can intercept and block or tag spam

The key point is that information security is an important consideration for modern businesses and cannot simply be ignored. However, achieving an acceptable level of protection is not that hard, can be relatively inexpensive and, with appropriate advice, should be within the capabilities of anyone savvy enough to run or manage a business.

To find out how the Forum can help you protect yourself against the risks posed by IT crime, call us on 0845 130 1722.