Familiar security claims like "we use AES-256" or "we're SOC 2 compliant" are technically true. Each one omits conditions that determine risk, and we need to communicate them carefully to avoid misleading users and customers.

9 Convenient Lies in Cybersecurity

Organizations sometimes stretch the truth regarding their ability to protect data or offer other cybersecurity assurances. The crux of the problem is that implementing security is hard, as is explaining the effectiveness and roles of various controls. So we’re often left with promises or recommendations that can, at best, be seen as having an optimistic perspective on security.

Here are some of the statements that might often be considered lies, half-truths or idealistic simplifications…

“Your data is secure” because:

  • We use AES-256 encryption. Encryption by itself is insufficient, as there are numerous other ways in which data can be put at risk.
  • We are compliant with applicable industry regulations and standards. The compliance status demonstrates that a set of practices is being followed, but doesn’t address all necessary security measures.
  • We display a trust badge to demonstrate that we passed a security scan. Such scans are often limited in the weaknesses that they examine, potentially leaving the organization vulnerable to numerous other attack vectors.
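The first bullet deserves a concrete look: "we use AES-256" names a key size and nothing else. The example below is added for this article and is not the author's code; it uses the same 256-bit key for two encryptions of the same constructed plaintext. Raw block-by-block encryption (ECB, the naive way to call the block cipher) leaves identical plaintext blocks recognizable in the ciphertext, while AES-256-GCM with a fresh nonce hides that structure and authenticates the data. Both are honestly "AES-256"; only one protects the data. The key, plaintext and helper names are constructed for this demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt runs the raw AES block function over each 16-byte block
// independently. Deliberately weak: equal plaintext blocks produce equal
// ciphertext blocks, so record structure leaks even though "AES-256" is used.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", aes.BlockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// gcmEncrypt uses AES-256-GCM with a random 96-bit nonce: ciphertext hides
// repetition and carries an authentication tag. Output is nonce||ciphertext||tag.
func gcmEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// repeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier
// block; any nonzero count means plaintext structure is visible to an observer.
func repeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

func main() {
	// Constructed demo inputs: a random 256-bit key and a plaintext made of
	// four identical 16-byte records, as a repetitive data file might contain.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	plaintext := bytes.Repeat([]byte("ACCOUNT-BALANCE:"), 4)

	ecb, err := ecbEncrypt(key, plaintext)
	if err != nil {
		panic(err)
	}
	gcm, err := gcmEncrypt(key, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("AES-256 raw block mode: %d repeated ciphertext blocks\n", repeatedBlocks(ecb))
	fmt.Printf("AES-256-GCM:            %d repeated ciphertext blocks\n", repeatedBlocks(gcm))
}
```

When evaluating an encryption claim, ask the questions this run makes visible: which mode, how nonces or IVs are generated, whether the ciphertext is authenticated, and (outside the scope of this snippet) where the key lives and who can ask the application to decrypt.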

“Protect yourself online” by:

  • Not opening email attachments from suspicious senders. People often receive legitimate attachments from unknown senders, yet have no basis for determining what is suspicious.
  • Not clicking on links in email messages. People are often in a hurry or are multitasking, which makes it too tempting to click a link rather than inspecting it.
  • Selecting a “strong” password. A strong password doesn’t prevent reuse across sites, credential leaks, phishing, or attacks that bypass multi-factor authentication.

“Your data is safe with our employees” because:

  • We conduct background checks. A “clean” record doesn’t guarantee that the person will exhibit ethical behavior in the future; also, many background checks are limited in their scope.
  • We provide mandatory security awareness training. Many training programs don’t affect employees’ security-related behavior; also, participating in the session doesn’t imply that the employee absorbed the material.
  • We have a security policy. Security policies seem to be rarely read and even more rarely understood; also, the existence of a security policy doesn’t imply that it is being followed.

When you see or hear the claims above, dig deeper to understand their meaning. When you hear security advice, consider whether it is practical. If you are tempted to offer untruths to users or customers, make sure your statements are accurate.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.