12 huge small business cyber security misconceptions – debunked!

30th November 2021

All areas of technology are rife with myths, misconceptions, and outright falsehoods. Anything digital is seen as a bit of a dark art to some, which naturally seems to attract rumour and hearsay.

However, nowhere are technical misconceptions potentially more damaging than in cyber security. And the organisations that stand to lose the most, relatively speaking, from poor cyber advice are those at the smaller end of the scale.

So with that in mind, we’ve compiled a list of 12 common cyber security myths that typically float around the SME-verse, and we’ll offer our cyber-aware rebuffs to each of them.

So let’s get our “well, actually” specs on and let’s get started.

Myth 1: “We’re too small to be a target”

Every now and then, we’ll see big, household name brands in the news for falling victim to cybercrime – but that doesn’t mean that much smaller companies can’t fall victim too. Just because they don’t make the evening news, doesn’t mean they don’t happen.

In fact, the NCSC’s 2021 Cyber Security Breaches Survey shows that 37% of micro businesses, 39% of small businesses, and 65% of medium businesses suffered a cyber incident in the 12 months leading up to the report. They also discovered that the most common threat vector is phishing, encountered by 83% of respondents who had identified an attack in the previous year.

This highlights the importance of good cyber-awareness training. If your team know how to identify a fraudulent email – and get in the habit of doing so – then you’ll all become far safer.

So why are smaller businesses such a target? Well, many criminals see smaller organisations as poorly protected, low-hanging fruit. And to be frank, they often are. Attacking smaller companies will lead to smaller returns for criminals, but it will generally be an easier process and a safer bet than a noisy attack on a large brand. Forbes puts it perfectly: “if you’re in business, you’re a target”.

Myth 2: “We have an antivirus and a firewall, we don’t need anything else”

Just relying on antivirus and firewall? Well no matter how advanced they may be, that only qualifies your cyber defences as “better than nothing”.

Nowadays, threats are ridiculously multifaceted. Yes, antivirus and firewall are essential, but you will likely need more comprehensive cover from solutions like cyber security training; multi-factor authentication (MFA) tools; and managed detection and response (MDR). That said, there’s no single, definitive list of essential cyber security solutions that will apply to all businesses. It all depends on what your organisation does, how your network is set up, and how you use tech.

Myth 3: “There’s no value in our data”

There’s a dangerous misconception that “we don’t collect payment details so our data is unlikely to be valuable to anyone”. Alas, this is false. There’s a market out there on the dark web for any kind of data you care to mention, no matter how insignificant it might seem.

Let’s explore some examples. If you have employees, their PAYE information could be snatched and used nefariously. Hackers may swipe an email marketing list to send out phishing emails or scams. Even confidential contracts and correspondence can find themselves in the wrong hands.

Threat actors are constantly scouring the dark web for opportunities, so don’t just assume that you’re safe because you only collect “safe” data – alas, there is no such thing.

Myth 4: “We take backups so we’re safe from ransomware”

Keeping backups is excellent practice. However, how you keep your backups also matters. Ransomware is generally designed to spread far and wide once it hits a network, so if your backup media is always connected to your network, it could easily become encrypted in a ransomware attack.

In their Mid-2021 Cyber Threat Report, SonicWall found that ransomware attacks were soaring, with a 151% increase in attacks worldwide. Scary stuff.

So what’s an organisation to do? Well, we’re quite partial to a very sensible backup strategy known as “3, 2, 1”: Take three copies of everything, using two different methods, one of which is offline when not in use.

Myth 5: “Cyber attacks are like lightning: they don’t strike in the same place twice”

Sadly, if you’ve ever fallen victim to a cyber threat, you’re likely to be hit again. Crowdstrike’s Services Cyber Front Lines Report discovered that of the canvassed organisations who suffered an intrusion attempt, 68% of them encountered another within 12 months.

Hackers and scammers of all kinds maintain very well-manicured lists of “soft targets” who have fallen for their tricks before – shortlists of easy prey. And what’s more, these lists often get bought and sold and passed around on the dark web, so companies who have suffered a breach once could find themselves fighting off threats from numerous angles!

Persistent threats can also result in repeat threats. Advanced Persistent Threats (APTs) are designed to hide in the background, sometimes disguised as legitimate apps and processes. They can be used for a variety of nefarious ends, but can serve as an unsecured backdoor into a network, potentially leading to repeat infections and attacks until properly removed.

Myth 6: “Cloud solutions are inherently secure”

This is particularly confounding – you see the complete opposite sides of this debate floated as security advice – yet both opinions are wrong!

Simply plonking your data and functions “in the cloud” doesn’t make them inherently safe. It’s like any tech that your company uses – you and you alone are responsible for maintaining and securing it. Providers like Azure or AWS are merely responsible for keeping their servers online, not for the security of your patch.

Though that said, when secured properly, cloud storage and software can be incredibly useful. Cloud storage solutions can serve as offsite backups for continuity; cloud tools can help you achieve secure remote working policies; and moving functions and data to the cloud can help you downsize or scale internal tech functions without having to buy new hardware.

Myth 7: “Cyber security solutions are too expensive nowadays”

Cyber security is an essential expense of doing business. Unfortunately it’s as simple as that. We certainly don’t advise you to overstretch your finances in any way, but consider cyber-defences an investment – an insurance plan of sorts – to protect you from potential losses.

If any given cyber security tool seems a little pricey for you, chances are there are other, more affordable tools out there that provide a narrower scope of protection, or perhaps approach a problem in a slightly different way. We recommend having a frank discussion about costs with your friendly neighbourhood cybersecurity experts so they can pair you with the best possible solution to suit you.

Cyber security pricing tends to operate on a sliding scale dependent on company size, so smaller businesses may be pleasantly surprised as to how affordable proper cyber protection can be.

Myth 8: “New/updated software = secure software”

We cyber-boffins are always banging on about keeping all software up to date in order to minimise the risk of zero-day attacks. And it’s sound advice, don’t get us wrong.

When a software patch is released to close a security gap that has been exploited by cybercriminals, that’s great! But it does mean that the gap had been there all along, waiting to be discovered. And even when the fix has been engineered and installed, it doesn’t take back any damage that the gap caused in the first place, like malware infections and APTs.

As soon as a software update is released, hackers will set to work trying to find weaknesses in it to engineer some kind of exploit. And once their exploit is released into the wild, it’s only a matter of time before the vendor secures it with another patch – and the cycle begins anew!

So keep your software up to date but understand that this alone won’t keep you safe. Seek out a firewall that includes heuristic gateway antivirus tools like sandboxing and deep packet inspection to defend against as-yet-unknown threats. A spot of network monitoring can’t hurt either.

Myth 9: “If I get hit with ransomware, I’ll just pay up and get my stuff back”

This is one of those situations where having a bad plan is worse than no plan at all. Simply planning to pay a ransom is problematic on three counts:

  1. Attackers don’t always encrypt ransomed data in a salvageable way. They’re criminal meanies, so why expect any better? Sophos’ State of Ransomware 2021 Report states that only an average of 65% of data is restored after paying the ransom, so don’t hang your hat on getting everything back, if anything at all.
  2. The same Sophos report states that the average ransom paid in 2021 was a whopping $170,404, which would cripple most small and micro businesses (though it’s important to note that their respondents were in the 100-5,000 employee bracket, so smaller business mileage may vary). And remember this is just the ransom – not the costs incurred in putting things right; not the costs to salvage lost data; not the losses to time and disruption.
  3. Any ransom you pay is giving money directly to known criminals so they can go and harm someone else.

So just “paying up” isn’t a guarantee of getting all of your data back (if anything at all), it can be a costly approach compared to investment in the right tools, and could be highly unethical to boot.

Myth 10: “Cyber attacks always come from external sources”

Many teams are happy and cordial and work together like a well-oiled machine. But there’s nothing like the wrath of a disgruntled employee. Though the vast majority of cyber attacks come from criminals outside an organisation, it is by no means 100%. In fact, the Verizon 2021 Breach Investigations Report seems to suggest that insider attacks could make up around 22% of all cyber attacks.

However, we need to distinguish between two distinct flavours of insider threat: there are negligent insider threats (who unwittingly cause problems through their negligence) and there are deliberate insider threats (who cause cyber-harm intentionally). Negligence can usually be solved with good training. But staff who are disgruntled enough to commit cybercrime against you are a dangerous problem to have. All in all, keep your team happy and they’ll keep you happy.

Myth 11: “Our team knows how to stay safe online”

It would be easy for us to respond to this one with a condescending “yeah but are you suuuure though?”. Instead, we’d like to remind you that there’s a big difference between knowledge and action.

Your team may know to avoid poorly worded login prompt emails. But if their work pulls them in numerous directions at once or they’re battling a looming deadline, are they – in their frazzled state – really going to inspect that email for spelling and formatting? Are they really going to inspect a file’s download URL to make sure it’s coming from an expected domain? Probably not.

That’s why cyber training isn’t just about knowledge. It’s about behaviour and habit forming. When security checks become second nature to your team, that’s when they’re truly cyber-fighting-fit!
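One of the habits described above, checking that a download URL really does point at an expected domain, is easy to get wrong if you just look for the expected name anywhere in the link. The following Python script is an added example (it is not from the original article and uses a constructed allowlist of domains, `example.com` and `sharepoint.com`, and constructed sample URLs) that contrasts a naive substring check with a proper check on the parsed hostname:

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains this organisation expects downloads to come from.
EXPECTED_DOMAINS = {"example.com", "sharepoint.com"}


def naive_check(url, expected=EXPECTED_DOMAINS):
    """The check a frazzled reader does in their head: 'does the link mention our domain?'
    This passes lookalike links such as https://example.com.evil-site.net/ and
    https://evil-site.net/example.com/ because the name appears *somewhere* in the string."""
    return any(domain in url for domain in expected)


def hostname_of(url):
    """Return the lowercase hostname of an http(s) URL, or None if it cannot be used."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname is lowercased and has any user@ prefix and :port suffix removed,
    # so https://example.com@evil-site.net/ correctly yields evil-site.net.
    return parts.hostname


def is_expected_domain(hostname, expected=EXPECTED_DOMAINS):
    """True only if hostname equals an expected domain or is a subdomain of one.
    The leading dot in the suffix test stops notexample.com from matching example.com."""
    if not hostname:
        return False
    host = hostname.rstrip(".")
    return any(host == domain or host.endswith("." + domain) for domain in expected)


def check_download_url(url, expected=EXPECTED_DOMAINS):
    """Classify a download link as ('expected', host) or ('unexpected', reason)."""
    host = hostname_of(url)
    if host is None:
        return "unexpected", "not an http(s) URL"
    if is_expected_domain(host, expected):
        return "expected", host
    return "unexpected", host


if __name__ == "__main__":
    # Constructed sample links, including the lookalike patterns phishing emails rely on.
    samples = [
        "https://files.example.com/report.pdf",
        "https://example.com.evil-site.net/report.pdf",
        "https://example.com@evil-site.net/report.pdf",
        "https://evil-site.net/example.com/report.pdf",
        "https://EXAMPLE.COM:8443/report.pdf",
        "ftp://example.com/report.pdf",
    ]
    for sample in samples:
        print(f"{sample}\n  naive: {naive_check(sample)}  proper: {check_download_url(sample)}")
```

The difference is the whole point of the article's behaviour-over-knowledge argument: the naive check "knows" the domain, but only the parsed hostname actually tells you where the file comes from. The same logic is what a mail gateway or browser policy applies automatically, which is why tooling and habit reinforce each other.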

Myth 12: “Digital & physical security are totally unrelated”

Cyber threats aren’t limited to things that happen over the ether – far from it. “Baiting” attacks happen by leaving a tempting tech morsel like an infected drive outside a premises and letting the law of “finders keepers” take its course. “Vishing” – basically “voice phishing” – is what happens when a social engineering attack takes place over the phone. And if a nefarious actor managed to slip past security and into a company’s server room, there’s potentially no end to the havoc they could cause!

Therefore, good penetration testing should always include an element of physical testing too.

Also consider the increasing use of digital building security and access control systems. If someone wanted to break into an office, they could potentially hack those systems to switch off security cameras and deactivate locks… yes, like in the video games!
Don’t let these myths mean “game over” for your cyber security!

Whether you need to completely overhaul your security systems or you have numerous cyber-quandaries (no matter how small), get an expert’s input.

Request a callback or give us a ring on 0808 1644414 today.

You’re in safe hands with our cyber security team