Top 10 IT Security Myths — Debunked


Thanks to the recent COVID-19 pandemic, there has been a historic shift in the way people work. Remote work or work-from-home (WFH) policies were set in place as businesses adapted to the restrictions and lockdowns. While many employees reported being more productive while at home and were generally more content with their working conditions, another sector also enjoyed the benefits — cybercrime. 

According to the FBI, there has been a 300% increase in cybercrimes committed ever since the pandemic began. A record-breaking 36 billion records were exposed in data breaches in the first half of 2020 alone.

Whether you are a small to medium-sized company, a government contractor, or a B2B business leader, your company has information that you need to secure. Taking an interest in cybersecurity is the first step in the right direction, but there are many common misconceptions that you might still believe. These myths will do nothing but harm your business. If you fail to protect yourself adequately against cybersecurity attacks, you leave yourself at risk of losing money, damaging your company’s reputation, and losing customers.     

Learn more about how to protect yourself and your business: continue reading below for the 10 most common IT security myths, debunked.

1. Complete Cybersecurity Is a One-time Commitment

Given that cybersecurity is a topic often misunderstood by the layperson, you might think that as long as you hire IT security professionals, install antivirus software on all of your devices, and use long, complicated passwords, then you can rest at ease knowing that you’ve done all you can for your company’s cybersecurity. 

That is most definitely not the case. Cyberattacks are constantly evolving, and a new, sophisticated, innovative method that bypasses all your security can come out the day after you think you’ve completely protected yourself. Keeping your business safe is a continuous process, one that involves every employee. The goal is to constantly monitor, audit, and review security tools and policies to develop a system that will let you react quickly to any security incident.

2. Small or Medium-sized Businesses Are Not at Risk

If you’re a small to medium-sized business, you might be under the impression that your data isn’t valuable. This is one of the most dangerous misconceptions you could have about cybersecurity. In reality, smaller businesses are more likely to be targeted, accounting for over 50% of all breaches. In addition, they have the highest targeted malicious email rate, at 1 in 323.

This occurs due to a combination of factors. Hackers aren’t targeting your business specifically; many set up automated systems to do “spray-and-pray” attacks that target random businesses, regardless of size. 

In addition, smaller businesses tend to be easier targets because they have less funding for advanced cybersecurity measures. The perceived value of the data also doesn’t matter: in a “ransomware” attack, hackers render your data unusable unless you pay for a decryption key. This data might not be the billions of accounts handled by giants like Google, but it could be data that is imperative for your business to function, and that forces you into paying out.

3. Security Breaches Are Easily Detectable

You might still be operating under the assumption that you can tell immediately if your computer was infected with malware, with increased pop-up ads, sluggish loading from your browsers, and even full system crashes. While true a decade ago, this is no longer the case today. According to IBM, the average time needed to identify a breach in 2020 was 207 days, with the average lifecycle being 280 days from identification to containment. That’s over half a year that malware could be wreaking havoc on your system.

Often, it’s more beneficial for a hacker to remain unnoticed, so they can gather more information from you. 

4. The IT Department Is Solely Responsible for Cybersecurity

While having a skilled IT department or hiring a third-party security provider, like a cybersecurity firm or a Managed Security Services Provider (MSSP), can certainly give you peace of mind about how safe your company is, they are still only one part of the puzzle. They carry the biggest share of the responsibility because they have the technical expertise for it, but your company is made up of more than just the IT department. Every single employee has a role in ensuring the safety of the company.

According to CSO Online, 94% of malware is delivered by email. If your employee is unaware of good cybersecurity practices, they could click on an unsafe link and make your entire company vulnerable.

5. Good Password Hygiene Is Enough for Safety

By nature, people are averse to difficulty. They will often default to one simple, easy-to-remember password across all their accounts. This is an obvious risk, as once a hacker obtains your information from one site, then they will have access to all the others.

As a business owner, you might circumvent this by requiring your employees to set strong passwords. In the face of the technology available today, however, this does not amount to much. Programs can now run billions of password combinations in an attempt to brute-force your account, and they can do it in a matter of minutes.

Employing good practices such as two-factor authentication will help lower the risk, as will monitoring which data your employees can access. It was found that 15% of companies had 1,000,000+ files open to every employee, with sensitive files among them. Monitoring access more closely will help you keep your data safe.

6. Investing in Security Software Is Enough for Safety

Antivirus and anti-malware software seem like an attractive solution to the problem of keeping your business secure, but remember that they will not shield you from everything. Security software will be at its most effective when it is integrated into a comprehensive cybersecurity plan that takes into account the entire organization.

95% of cybersecurity breaches are caused by human error, so relying purely on high-end software will still leave room for attacks. Companies need policies in place that promote cybersecurity awareness from the ground up, making employees conscious of potential security hazards, common phishing scams, password protection, and so on.

7. Complying With Industry Regulations Is Enough for Safety

Complying with industry regulations will ensure that you are able to conduct business and avoid legal consequences, but don’t mistake compliance for full protection. Regulations are meant to establish a baseline, and so will only cover the bare minimum. If you want to be fully cyber-safe, you must consider the scope of the regulations you follow and which areas of your business they miss. For example, PCI compliance focuses on credit card data, but you may handle other valuable information aside from that.

8. Securing Only Internet-Facing Applications Is Enough for Safety

It’s true that securing your internet-facing applications is highly important, with 32% of web applications considered at high or critical risk for security vulnerabilities. Nonetheless, focusing solely on these applications will leave you open to insider threats, such as an employee accidentally using a flash drive with malware on a company device.

9. Bring Your Own Device (BYOD) Policies Are Secure

If you want to be as cost-effective as possible, you may have considered a BYOD policy for your business. While this will save you money in the short term, it may end up costing more when the increased risks allow a cyberattack through.

When employees bring in their own devices, they may assume that these devices are free from the restrictions and security protocols a company device is subject to. As such, the number of unprotected areas in your IT network will increase.

If you still want to use BYOD policies for your workplace, then you must implement the same level of security protocol across all these devices, whether they are smartphones, laptops, wearables, or any IoT devices (e.g. smart fire alarms, smart door locks).

10. Threats to Cybersecurity Are Always External

Of course, outsider threats remain the greatest concern to any organization, but that does not mean you should assume that internal threats do not exist. 30% of data breaches involve internal actors. These internal attacks may stem from anything from the malicious intent of a resentful employee to the simple ignorance of proper cybersecurity practices by a well-meaning one. Being aware of the possibility of internal attacks will make you more vigilant in anticipating and deterring these threats.

Keep Your Organization Safe

Learning that the misconceptions you may previously have held about cybersecurity are false will hopefully help you identify the current gaps in your security and address them. It is never too late to employ good cybersecurity: with every year, the cost of a data breach only increases, and taking steps today will secure the future of your business.
