Debunking 5 Common Cybersecurity Myths
August 14, 2024
Also known as IT security, cybersecurity refers to the act of safeguarding internet-connected systems, critical data and other digital assets from potential cyberthreats. In other words, cybersecurity consists of the strategies implemented to help protect people, processes and technology from cyberattacks and related losses. Cybersecurity has become all the more important as organizations of all sizes and sectors expand their reliance on technology and other digital services in their operations.
Even so, there are a variety of myths circulating regarding cybersecurity, many of which undermine the severity of possible threats and diminish the value of effective mitigation strategies. If organizations mistakenly assume these cybersecurity myths to be true, they could leave themselves increasingly vulnerable to cyberattacks and subsequent losses. The following article debunks five of the most common cybersecurity myths, giving organizations the information to better understand their exposures and implement appropriate risk management measures.
Myth #1: Cybersecurity measures are only necessary for large corporations.
Some organizations think small businesses are unlikely targets for cyberattacks, as they often have less data and fewer funds for cybercriminals to exploit. As such, it has become a frequent misconception that adopting proper cybersecurity measures only makes sense for large corporations, particularly those that possess substantial capital and store sensitive information.
Large organizations are definitely susceptible to cyberattacks, but this doesn’t mean small businesses are immune to such incidents. On the contrary, some cybercriminals consider small organizations more attractive targets than their larger counterparts because these businesses are more likely to have weaker cybersecurity measures in place, thus simplifying the overall attack process. According to a recent study conducted by international IT services and consulting company Accenture, 43% of all cyberattacks target small businesses, and 66% of such organizations have experienced an attack within the past year. With this in mind, it’s clear that cybersecurity measures are necessary for organizations of any size, but especially small businesses.
Myth #2: Basic cybersecurity procedures are enough to protect against possible threats.
For certain organizations, cybersecurity consists of a few basic protocols, such as deploying firewalls, installing antivirus software and encouraging employees to maintain strong passwords. While these procedures can certainly prove useful, adopting such a single-layer approach to cybersecurity might not be effective in minimizing all possible threats.
For instance, basic cybersecurity protocols aren’t as successful in protecting against brute-force incidents and social engineering scams, which are some of the most common attack techniques. To put this into context, a report from multinational cybersecurity firm Kaspersky Lab found that brute-force attacks contribute to nearly one-third (31.6%) of all cyber incidents; meanwhile, the aforementioned Accenture study revealed that 85% of organizations have encountered social engineering scams. This means that organizations would remain vulnerable to a sizeable proportion of cyberattacks with only basic protocols in place. As the cyber risk landscape shifts and changes, organizations’ mitigation strategies should follow suit. By implementing a multilayered approach to cybersecurity and leveraging a wide range of protective measures (e.g., multifactor authentication, endpoint detection and response solutions, email authentication technology, patch management plans and data backup systems), organizations will be better equipped to handle their advancing digital exposures.
Myth #3: Cybersecurity measures aren’t worth the associated costs for small businesses.
Small organizations may initially be less inclined to invest in cybersecurity due to the related expenses, especially considering their limited budgets. Most of the time, this stems from these organizations thinking that the benefits of cybersecurity measures don’t justify their costs; yet, the reality is quite the opposite. As previously mentioned, small businesses are frequent targets for cyberattacks. What’s worse, these businesses are more likely to face financial ruin in the aftermath of such attacks. In fact, global cyber economy researcher Cybersecurity Ventures reported that 60% of small businesses close their doors within just six months of experiencing a cyber incident. Considering this data, small organizations simply can’t afford to ignore cybersecurity. Investing in sufficient mitigation strategies could make all the difference in helping these businesses avoid major losses and prevent financial devastation at the hands of cyber incidents.
Myth #4: Cybersecurity is the IT department’s job.
Even when organizations make the wise decision to invest in cybersecurity, they may still make the mistake of placing all related responsibilities on the IT department. Although these professionals definitely play a role in upholding adequate cybersecurity measures, they can’t act alone. The most effective cybersecurity models involve companywide participation, which requires support from corporate executives and routine training for all employees.
Without companywide participation, organizations are more likely to have poor cyber hygiene and awareness. Not to mention, businesses that don’t take cybersecurity seriously will likely pass the same attitude to their employees by neglecting to provide essential education on digital risks. This is particularly concerning, as recent research conducted by the World Economic Forum, an international lobbying organization, found that 95% of cyberattacks stem from human error. As a result, it’s imperative that organizations foster a strong working culture that encourages everyone to take responsibility for cybersecurity. This entails having company executives lead by example, training employees to detect and defend against prevalent cyberthreats, and recognizing those who demonstrate a continued commitment to security.
Myth #5: Cyberthreats are always external.
When most employers and employees picture a cybercriminal, they likely visualize an external threat actor. Nevertheless, cyberattacks can also arise from insider threats. An insider threat refers to an individual who has been entrusted with access to or knowledge of an organization’s confidential resources and information (e.g., an employee, vendor or third-party collaborator). Due to their unique privileges, insider threats have the potential to compromise organizations’ most valuable assets and leave them more susceptible to a range of cyber incidents (also called insider events). At least 74% of organizations are at least moderately vulnerable to insider threats, according to IT company Cybersecurity Insiders. Further, a recent Cybersecurity Insiders survey found that the average insider event costs over $1 million CAD. Therefore, it’s vital for organizations to consider both external and internal threats when developing their cybersecurity measures.
Conclusion
By adopting an informed approach to cybersecurity and understanding the reality behind common myths, organizations can effectively position themselves in this evolving digital risk environment and limit the likelihood of large-scale losses.