Cybersecurity myths that are putting businesses at risk
Neil Langridge, marketing & alliances director at e92plus, shares some thoughts on the dangers of assuming cyber risks don’t apply to your business
In today’s digital-first world, cybersecurity is no longer a luxury; it’s a necessity. Yet many people and businesses are still falling prey to myths and misconceptions that leave them vulnerable to devastating cyberattacks. These false beliefs often create a dangerous sense of complacency, putting data, reputations, and even livelihoods at risk. Let’s debunk some of the most persistent cybersecurity myths, share real-world examples of small businesses impacted by breaches, and explore simple, cost-effective measures any organisation can adopt.
Myth 1: “My business is too small to be targeted”
Many small business owners believe cybercriminals only target large corporations. This couldn’t be further from the truth. In fact, small businesses are often prime targets because they typically lack the robust security measures of their larger counterparts. According to a 2022 report from the National Cyber Security Centre (NCSC), over 40% of small businesses in the UK experienced a cyberattack in the previous 12 months.
Here's a real-world example:
A small independent retailer in Manchester became the victim of a ransomware attack after an employee unknowingly clicked on a malicious link. The attackers demanded £8,000 to release access to the retailer’s payment system. Unable to recover their files quickly, the retailer faced weeks of disruption and significant financial losses. For a small business, such a long period of downtime can be critical (60% of SMBs that are victims of a cyber-attack go out of business within six months).
How can partners help their customers?
- Implement basic defences: Start with strong passwords, multi-factor authentication (MFA), and regular software updates to reduce vulnerabilities, and look at becoming Cyber Essentials accredited to ensure a good standard of basic cyber hygiene.
- Backup critical data: Ensure all essential data is backed up regularly to a secure, offsite location (following the 3:2:1 rule – 3 copies of the data, across 2 different devices, and 1 copy off-site).
Myth 2: “We have antivirus software, so we’re safe”
Antivirus software (now more commonly referred to as endpoint security) is an essential component of a cybersecurity strategy, but it’s far from a silver bullet. Modern cyber threats, including phishing, social engineering, and zero-day attacks, often bypass traditional antivirus programs, and it’s essential to have defence in depth – multiple layers protecting data, users and devices. While too many tools can cause complexity, it’s important not to rely on one solution (an important consideration when looking at single-vendor platforms that offer a unified approach to everything).
Here's a real-world example:
A small marketing agency in London suffered a data breach despite having antivirus software installed on all devices. An employee’s email account was compromised through a phishing attack, allowing hackers to access sensitive client information. The breach not only damaged the agency’s reputation but also led to financial penalties under GDPR.
How can partners help their customers?
- Employee training: Encourage customers to conduct regular cybersecurity awareness training to help employees recognise phishing attempts and other common scams.
- Ensure they have layered security: Implement additional security measures, such as firewalls, endpoint detection and response (EDR) tools, and email and web security solutions.
Myth 3: “Cybersecurity is too expensive”
While advanced cybersecurity tools and services can require investment, protecting a business doesn’t have to break the bank. Many products can enhance an organisation’s cybersecurity posture without huge investment, while leveraging the services of an MSP can help provide a simple, all-in-one solution that includes a proactive threat-hunting solution.
Here's a real-world example:
A small charity in Bristol avoided disaster thanks to free tools provided by the NCSC’s Cyber Essentials scheme. After identifying vulnerabilities through the self-assessment process, the charity implemented basic fixes that protected them from a subsequent attempted breach.
How can partners help their customers?
- Ensure they make the most of free advice: Explore resources like the NCSC’s Cyber Essentials certification that provide guidance on getting the fundamentals right, as well as leveraging the partner’s expertise and experience. Another great tool is the many free vendor assessments, from vulnerabilities to cloud posture, that can highlight priority areas.
- Prioritise investments: Focus spending on high-impact areas, such as securing email systems and implementing MFA.
Myth 4: “We don’t have anything worth stealing”
Some businesses underestimate the value of their data, assuming that cybercriminals wouldn’t be interested in their operations. However, all businesses handle valuable information, whether it’s customer data, employee records, or financial details. Even seemingly insignificant data can be exploited for financial gain – and the increase in compliance requirements means that having a higher standard of cybersecurity protection will no longer be optional.
Here's a real-world example:
A small logistics company in Birmingham suffered a breach in which hackers stole customer delivery details. The attackers sold this information on the dark web, leading to fraud cases and damaged trust between the company and its clients.
How can partners help their customers?
- Data inventory: Help conduct a thorough inventory of the data the business collects and stores, and secure it appropriately.
- Access control: Limit access to sensitive data to only those employees who need it for their job roles.
Myth 5: “We outsource IT, so we’re covered”
While outsourcing IT functions can enhance efficiency, it doesn’t absolve businesses of their responsibility for cybersecurity. It’s important to ensure there are clear guidelines on what a trusted partner, MSP or MSSP delivers as part of their service, and where the responsibility lies with the customer. As more organisations hold critical data, assets or infrastructure in the cloud, the potential for gaps has increased if businesses assume their SaaS providers include security protection or backups.
Here's a real-world example:
A boutique law firm in Leeds relied on an outsourced IT provider to manage its systems. However, a lack of clear communication about cybersecurity responsibilities led to a malware infection through an unpatched software vulnerability. The firm suffered significant downtime and incurred high recovery costs.
How can partners help their customers?
- Clarify roles: Ensure everyone in the supply and service chain fully details the scope of any cybersecurity services.
- Conduct audits: Regularly review customer systems and processes to identify gaps in protection.
Practical steps to enhance cybersecurity
Every business, regardless of size or budget, can take actionable steps to improve its cybersecurity posture. Here are a few cost-effective strategies:
- Enable Multi-Factor Authentication (MFA): Adding an extra layer of security for account logins can prevent unauthorized access, even if passwords are compromised.
- Regular Updates and Patching: Keep software and systems up to date to close vulnerabilities that attackers could exploit.
- Cybersecurity Awareness Training: Educate employees on recognizing threats, such as phishing emails and suspicious links.
- Use a password manager: Encourage the use of strong, unique passwords for every account and store them securely in a password manager.
- Conduct regular backups: Ensure that all critical data is backed up and that backups are tested periodically for reliability.
- Implement network segmentation: Separate sensitive data and critical systems from less secure parts of your network to limit the impact of breaches.
Final Thoughts
Cybersecurity myths can create a false sense of security, leaving businesses exposed to significant risks. By understanding and addressing these misconceptions, businesses can take control of their cybersecurity strategy and protect themselves against evolving threats.
For partners, providing advice on small steps, such as training employees, enabling MFA, and maintaining regular backups, can make a significant difference and help build trust – especially where the partner may not already have an established cybersecurity business. In the end, the cost of prevention is always far lower than the cost of recovery, and starting with the fundamentals while working with trusted channel partners (such as leveraging services and expertise from distributors and vendors) is a great way to help customers start 2025 off on a positive footing.