1. Formatting an SSD, HDD, USB or SD card drive is fine
‘New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders from eBay contained personal, private and sensitive information -- everything from corporate financial data to the Web-surfing history and downloads of a man with a foot fetish.’ Computerworld, 2009.
The above may be old, but nothing has changed drastically for 2025. Format a USB stick or SD card, and you can use off-the-shelf software like Piriform Recuva to get most deleted files back in minutes. Such software is free; just imagine what a specialist forensics lab could recover. What is the solution then? Physically destroy the media by crushing, shredding or smelting. If you want to be enviro-friendly, then overwrite the entire drive to stop recovery.
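To show why a format is not an erasure, here is an added illustration (not code from the original article): a toy drive made of fixed-size blocks plus a directory. A quick format only clears the directory, so a carving routine that ignores the directory and scans raw blocks for a known file header still finds the file; only overwriting every block stops it. The block size, the file content and the `PDF:` header are constructed for the example.

```python
"""Toy model of why a quick format does not erase data (added example, not from the article)."""
import os

BLOCK_SIZE = 16                      # constructed: tiny blocks keep the example readable
EMPTY = bytes(BLOCK_SIZE)
SAMPLE_SECRET = b"PDF:payroll for March, constructed sample"   # constructed file content


class ToyDrive:
    """A drive is a list of data blocks plus a directory mapping names to block indices."""

    def __init__(self, n_blocks):
        self.blocks = [EMPTY for _ in range(n_blocks)]
        self.directory = {}          # filename -> list of block indices

    def _free_blocks(self):
        used = {i for idxs in self.directory.values() for i in idxs}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("drive full")
        idxs = free[:len(chunks)]
        for idx, chunk in zip(idxs, chunks):
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = idxs

    def read_file(self, name):
        return b"".join(self.blocks[i] for i in self.directory[name]).rstrip(b"\x00")

    def quick_format(self):
        # What a typical OS "format" does: reset the directory/metadata only.
        # The data blocks are left exactly as they were.
        self.directory = {}

    def overwrite_all(self, passes=1):
        # Full overwrite: every block is replaced with random bytes on each pass,
        # then zeroed. This is the step that actually defeats recovery.
        for _ in range(passes):
            self.blocks = [os.urandom(BLOCK_SIZE) for _ in self.blocks]
        self.blocks = [EMPTY for _ in self.blocks]
        self.directory = {}


def carve(drive, magic):
    """Mimic a recovery tool: ignore the directory, scan raw blocks for a file header,
    and follow the blocks that come after it until an empty block or another header."""
    found = []
    n = len(drive.blocks)
    for i, blk in enumerate(drive.blocks):
        if not blk.startswith(magic):
            continue
        data = bytearray()
        j = i
        while (j < n and drive.blocks[j] != EMPTY
               and (j == i or not drive.blocks[j].startswith(magic))):
            data += drive.blocks[j]
            j += 1
        found.append(bytes(data).rstrip(b"\x00"))
    return found


def demo():
    """Return what carving finds after a quick format and after a full overwrite."""
    drive = ToyDrive(8)
    drive.write_file("payroll.pdf", SAMPLE_SECRET)
    drive.quick_format()
    after_format = carve(drive, b"PDF:")      # the "deleted" file is still there
    drive.overwrite_all()
    after_wipe = carve(drive, b"PDF:")        # nothing left to carve
    return after_format, after_wipe


if __name__ == "__main__":
    fmt, wipe = demo()
    print("recovered after quick format:", fmt)
    print("recovered after overwrite:   ", wipe)
```

Real file systems keep more metadata than this toy, but the split is the same: a format rewrites the structures that say where files are, not the blocks that hold them, which is exactly what carving tools exploit.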
2. Most malware comes from emails
Statistics say that up to 85% of attacks start with an email, so yes, email does account for most intrusions, but it is not the only vector. Apart from email, QR codes on the street can point your smartphone to a malicious link. On top of this, the infection vector list includes USB sticks, CDs/DVDs, Wi-Fi, Bluetooth, AirDrop, websites, including drive-by downloads (DBDL), and other devices on your network.
3. Windows or MacOS log-in prompt is bulletproof
Without encryption of the disk, which for most people means BitLocker or FileVault, getting past a user account is entirely possible using off-the-shelf paid or free software. Once someone gets past your user account, they can get at your files and emails.
4. I have antimalware, so I can’t get infected
Just like in the real world, nothing is 100% impenetrable. Just look at assassinations or attempted assassinations of presidents and prime ministers over the last few years. Standard antimalware looks for known strains based on a signature list, which is updated many times per day. Each day, thousands or tens of thousands of new strains or variations are released, so it is a cat-and-mouse game to keep up. EDR/XDR/MDR are a step up, but this technology is barely used by home users or micro businesses.
5. A firewall is enough
Years back, I was chatting to an IFA (independent financial adviser) at a business networking event, and his response to a security question was, ‘We have hefty firewalls’. A firewall serves a purpose, yes, but it is there to counter certain inbound/outbound connection threats. As with everything in life, a multi-pronged defence strategy is needed. A firewall on your network cannot block a USB stick from being inserted.
6. I have nothing to steal
Perhaps twenty years ago, this argument was sounder than it is now. ‘Who’s going to target me? I am just a 30-year-old man or woman earning £30,000 a year in London.’ You might not be a celebrity earning millions, and the paparazzi are scarcely going to be interested in your holiday photos, but identity theft can still happen, and credit card details are always useful. Failing this, what about a supply chain attack? You may be a PA or landscape gardener to an HNWI (high-net-worth individual), and you could be hit for details on your principal.
7. Website security baloney
Many websites state that they use military-grade or banking-grade encryption to protect your transactions. What does this mean? Data sent between the client (your PC) and the server (the website) is encrypted to stop interception. It doesn’t mean the data stored on your computer or on their server is secure. All it means is that eavesdroppers cannot intercept data en route between you and the website. SSL/TLS certificates can be bought easily from around £8 a year, or these days, there are free ones – Let’s Encrypt. Look instead for PCI, ISO 27001 or Cyber Essentials Plus, which is a better measure.
8. Macs are bulletproof
This argument has some truth in it. Having one hardware manufacturer, one operating system developer, and fewer users than Windows helps. If MacOS made up 0.0001% of global users, then perhaps no one would target it. Unfortunately, it is used by home users, businesses and governments across the globe, which means that people do target it. Yes, MacOS is better secured and restricted compared to Microsoft Windows, but like anything, it is not perfect. Years back, Sophos used to offer antimalware for free since they struggled to sell it. These days, plenty of vendors offer a paid product.
9. Friendly emails
My colleague or friend sent me this email, so it must be safe and malware-free, right? Three problems: their account could have been hijacked, so everyone gets a dodgy email from them; someone is spoofing their email address, which is quite a simple process; or typo domains, e.g. smithhlaw.co.uk. Best to call them to double-check.
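The typo-domain case can be caught mechanically. Here is an added example (not from the original article) that compares the sender's domain with a list of domains you already trust and flags near-misses by edit distance. The trusted list is an assumption: `smithlaw.co.uk` is assumed to be the genuine firm behind the article's `smithhlaw.co.uk` example, and the sender addresses are constructed.

```python
"""Flag e-mail senders whose domain is a near-miss of a trusted domain (added example)."""
from email.utils import parseaddr

# Assumed contact list; in practice this would come from your address book.
TRUSTED_DOMAINS = {"smithlaw.co.uk", "example.com"}


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Extract the domain from a From: header such as 'John Smith <john@smithlaw.co.uk>'."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def classify_sender(header_value, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain).

    'trusted'   : the domain is exactly one we know
    'lookalike' : within max_distance edits of a known domain, e.g. one letter doubled
    'unknown'   : nothing like a domain we know (not proof of safety, just no near-miss)
    'invalid'   : no usable address in the header
    """
    domain = sender_domain(header_value)
    if domain is None:
        return ("invalid", None)
    if domain in trusted:
        return ("trusted", domain)
    closest = min(trusted, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers
    for hdr in ["John Smith <john@smithlaw.co.uk>",
                "John Smith <john@smithhlaw.co.uk>",
                "Bob <bob@unrelated.org>",
                "not an address"]:
        print(hdr, "->", classify_sender(hdr))
```

A `lookalike` verdict is the one to act on: it is the cue to pick up the phone, as the text suggests. It does nothing for the first two problems (a hijacked account or a spoofed address show the genuine domain), which is why the phone call remains the real check.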
10. Malware infections shout
Yes, ransomware will make its presence known swiftly, but pick up a banking trojan or a government-grade spyware kit like Pegasus or FinFisher, and it does not want to be found.
11. Backup means I am fine
Until ransomware came along, backups were a bit less of a worry. If you use a cloud service, external HDD, or NAS (network attached storage) to back up and ransomware calls, it will encrypt the backup also. Best to use a few types of backup, including one with anti-malware and anti-ransomware integrated. An onsite backup is not much use if a fire or flood occurs, so ensure data is stored outside of the premises also.
12. High spending on hardware/software controls means greater security
We’ve just re-designed our security with 12-foot-high fences, barbed wire, hardware firewalls, three tiers of antimalware, data encryption, data backup, fingerprint scanning, armed guards, retina scanners and man traps. Great, but what about the weakest link... your staff? We often put staff down, but you cannot blame them unless the culture includes awareness training and constant reinforcement. If not, a social engineer can phone up any member of staff and ask for sensitive details: in a flash that £5 million security strategy has failed.
13. Intrusions come from the outside
Go back 10-15 years, and statistics will say that 80% of intrusions include an inside element. In 2024, a study found 83% of organisations have reported insider attacks. Just think about Bradley Manning, Edward Snowden, or the alleged inside hack of Al Jazeera. Employees know passwords, software versions, and infrastructure layout, which is great for pulling off an attack from the inside or passing the details on to an outside threat actor.
14. So many people out there ... so it won’t happen to me
A lot of network attacks and malware infections are automated and work without much threat actor intervention. Many people or companies think it won’t happen to them – do you think the man in the following story expected it to happen to his hairdresser?
Police launch probe as Glasgow hairdressing firm pays ransom to cyber attackers - https://www.glasgowtimes.co.uk/news/13897310.police-launch-probe-as-glasgow-hairdressing-firm-pays-ransom-to-cyberattackers/.
15. Security is only needed for larger businesses
Most individuals and small businesses do not seem to think about cyber security or invest in it, while larger businesses will often have a department dedicated to it. Small businesses can still hold sensitive and valuable data. For example, people are going to take a greater interest in a private, one-man celebrity barrister because of the data he or she holds. Anybody can lose a USB drive, so if a solicitor were to leave sensitive papers on a small-scale divorce case on a train, the end client, famous or otherwise, would not be best pleased. All data is important to somebody.
Common Security Myths