A few years ago, cybersecurity in Kyrgyzstan seemed like a distant and irrelevant issue. However, the country is now actively developing a legal framework for this field: last year, the Law "On Cybersecurity" was adopted, and in 2025, a Digital Code will be introduced, covering the main aspects of information and cybersecurity.
On one hand, a legal basis is being created for the development of this industry. On the other hand, there are still myths and misconceptions about cybersecurity in society.
Dastan Omuraliyev, the head of TSARKA Kyrgyzstan, discussed common misconceptions and provided advice on how businesses can protect their data and ensure security for clients. He also touched upon key myths existing in the field of cybersecurity among entrepreneurs.
Myth #1: A security budget should only be allocated after an incident
One serious problem is that many organizations do not allocate funds for cybersecurity until an incident occurs. In calm times, such expenses are perceived as excessive.
Funding for cybersecurity often begins only after a problem arises. Without a sustainable budget, however, it is impossible to protect infrastructure, train personnel, and create an effective incident response system.
Myth #2: A strong password provides complete security
"I hate to break it to you: having a complex password is just a basic level of protection. Research shows that two-factor authentication (2FA) reduces the likelihood of a breach by 99.9%. However, not all methods of two-factor protection are equally reliable," emphasized Dastan Omuraliyev.
For example, SMS codes can be easily intercepted. Last year, a demonstration in Kazakhstan showed how an SMS message can be captured from within the same room using readily available tools.
Even simple measures, if implemented correctly, can significantly reduce risks for users and companies.
Myth #3: Small businesses are not of interest to hackers
Many believe that only large companies and banks are susceptible to cyberattacks. In reality, any organization that possesses confidential or personal information can become a victim.
According to global statistics, more than half of all cyberattacks are aimed at small and medium-sized businesses.
"There are obligations for the leakage of personal data of Kyrgyz citizens. Therefore, compliance with the data protection law will soon be monitored more strictly," noted Omuraliyev.
Myth #4: An antivirus program solves all problems
An antivirus is only one component of a security system, not a complete solution. It cannot prevent all types of threats. There is also a misconception that threats come only from outside.
It is important not only to install software solutions but also to develop internal procedures, train employees, and control access to data.
Myth #5: One system administrator can handle everything
In most organizations, the functions of IT and cybersecurity are combined under one specialist. Often referred to as "the IT guy," he is perceived as a universal protector. But even an experienced administrator cannot ensure a sufficient level of security without proper training, tools, and support from management.
"Some don’t even know his position. We have an IT manager who, according to some, handles all tasks. But the likelihood that he won't manage is very high, especially if he lacks specialized knowledge," added Omuraliyev.
Today in Kyrgyzstan, out of 80 students admitted to relevant faculties, only six or seven graduate — less than 10%. This is extremely insufficient given the rapid pace of the country's development. Employers are already noting that new employees require additional training for up to six months. Therefore, government and private institutions are working with universities to update curricula and develop practical courses.
Myth #6: Hackers operate alone
In reality, this is a whole industry, involving not just one person or even a group of five to ten. It employs hundreds of people, many of whom may never cross paths. There are hackers, PR specialists, negotiators, financiers, and those who cash out cryptocurrency.
"Therefore, it is important to understand who you are fighting against when you talk about protecting your organization with just one system administrator. It is necessary to match the capabilities of the adversaries. This is why companies are increasingly creating or joining SOCs (Security Operations Centers) for monitoring and responding to cyber incidents," experts emphasize.
For a SOC to operate 24/7, at least six analysts are required, and their training takes years. These are serious investments, but without them, reliable protection cannot be ensured.