It must be good, someone posted about it on LinkedIn!

Ok this isn’t my normal jam, normally I’d just write something that’s hopefully good advice/practise and that would be that. But today let’s try something different!

This was inspired by a twitter convo which evolved into this: https://twitter.com/UK_Daniel_Card/status/1522138771789123584?s=20&t=dL9OkicTY2Orj5hfBtDvVQ

So… what are some cyber security myths that ended up being good practise or “good advice”? Well here’s what I came up with, supported by some awesome cyber community people!

1. Rotating passwords every 30 days is a “good” idea
2. 8-character passwords with Uppercase, Lowercase, Numbers and Symbols make good/strong passwords!
3. Systems don’t need external logging systems as they store logs on the device!
4. You aren’t a bank, so you don’t need “good” cyber security
5. You can do cyber security at scale without budget and resources
6. You can just add more specialist workload to the IT team, and it will just be taken care of
7. Cyber security is simple/easy
8. Doing a CBT for security awareness is highly effective
9. Phishing simulations increase employee trust
10. Telling people to not click on “suspicious” or “malicious” links works (thanks @Dave_Maynor)
11. Macs can’t get viruses (thanks @jlphamill)
12. The vendor says their solution is secure, so just trust them!
13. Security teams don’t need to understand the technology, architecture, and engineering elements (or the business environment (thanks @spyblog))
14. Just deploying EDR will solve all the security problems
15. If a vendor says a solution needs “domain admin rights” it must be true! (thank @jlphamill)
16. Simply removing admin rights makes an environment “easy” to manage
17. Admin rights are ok if you trust your people, or they are advanced/clever (thanks @_4_d_4_m_)
18. Simply by following a list of TOP 18/20 controls you will achieve “good posture”
19. Zero trust solves everything (especially when you use SaaS) (thanks @js_opdebeeck)
20. By deploying more products “Security management” gets simpler
21. Getting Cyber Essentials/ISO27001:2013 is a good endgame for a security program
22. Buying policy packs is a good way to implement cyber security policies, cultures, and practises into organisations
23. Just patch everything (thanks @WilRockall)
24. You don’t need a SOC/Logging if you have an EDR
25. If you don’t have a TLS grade A+ your security is “TOTALLY COMPROMISED”
26. Exposing RDP to the Internet is fine, if you change the port number, because nobody will expect that! (thanks @wright_de)
27. Don’t install Microsoft products (thanks @stautistic)
28. Just deploy Linux
29. Security doesn’t require specialist training
30. Not Training a workforce gives good outcomes and they are less likely to leave
31. Attackers only have to be right once (thanks @DrewHjelm)
32. Un monitored Passive network taps reduce residual risk and increase secrity (thanks @ron_brash)

Now I’m sure there are more! feel free to join in a convo on twitter!

The good part about knowing “bad” is that we can at least use this to help us contextualise and understand what “good” might look like for our scenario. Remember, one size often does not fit all, if it did your business woulnd’t have a product or service that differentiates itself in the market!