Acunetix cybersecurity experts have warned that many smaller companies in particular can too easily fall prey to certain misconceptions about web security.
As Acunetix’s Tomasz Andrzej Nidecki explains, SMBs often end up hiring generalists or non-security enthusiasts because the more specialised, technical people are in high demand. So it’s critical that they don’t fall prey to common assumptions about cybersecurity.
This includes the idea that a company is “safe” from cyberthreat because it doesn’t expose any applications or data to the general public.
“This could not be farther from the truth,” Nidecki writes. “For example, if you design a B2B application that is used by a limited number of businesses and requires authentication to access, it is just as prone to cybersecurity risks as a public website.
“A cyberattack may be conducted not only by an employee of your customer’s business. If, for example, your login form has an SQL Injection vulnerability, an external attacker may gain access to the application that is designed to be used by specific customers only, not by the general public.”
Also, many data breaches happen as a result of insider carelessness or malicious intent, Nidecki notes.
Other common misconceptions include that the company as a whole doesn’t need to know about security because it has hired an expert, outsourced to a professional business, or has purchased and deployed a comprehensive security solution.
However, cybersecurity – like physical security – requires buy-in and best practice across the business.
“Everyone in the company needs to be aware of cybersecurity. And it’s not just about a single onboarding training or about regularly sending everyone fake phishing emails to check their responses. It’s about making sure that everyone truly cares, all the time,” Nidecki explains.
“A contractor may help you select your cybersecurity framework such as NIST, design your cybersecurity strategy, assist you with risk management and threat intelligence, help you set up your security controls and even take part in incident response. However, they are not able to be everywhere and watch everything and they will probably have a response time that will be significantly less favourable than that of your own employees.”
Nidecki warns SMBs in particular not to be swayed by empty vendor promises: instead, they should ensure they look at specific solutions for specific cybersecurity threats — such as specialised web vulnerability scanners to protect themselves from web-related threats.
Similarly, SMBs cannot assume that they are safe because there is “no gain in hacking us”. Cybercrime often comes about purely as an opportunistic threat, rather than being an action carefully targeted towards those with the most to lose, says Nidecki.
So it’s important to look for manufacturers that are not afraid to tell you the facts instead of using big-business language to cloud your eyes, he adds.
“Look for specialised manufacturers because they have the means to protect you effectively. And always remember that software is just a tool and it’s the way that you use those tools that really matters,” Nidecki writes.
In other news, Acunetix recently released guidance on scanning OWASP Juice Shop.
Juice Shop is an intentionally vulnerable web application developed by OWASP for educational purposes; Acunetix can function as a DAST (black-box) tool with which to scan for its various vulnerabilities.
Acunetix customers for its vulnerability scanner include banks and financial services providers, healthcare, government, defence, risk advisory companies and many more.
“Maybe back in 2000 an antivirus solution and a network scanner were more important than a web vulnerability scanner but now, in 2020, this is no longer the case,” says Nidecki.
“While anti-malware solutions are still key to protect against threats such as ransomware, protecting the web is at least just as important and only web vulnerability scanners can do it.”