SecurityTrails Blog · Jan 21 · by Sara Jelen

Breaking Cybersecurity Myths

Reading time: 10 minutes

We're now at a point where cybersecurity is considered an integral part of any business, no matter how big or small. You'd be hard-pressed to find any organization that doesn't have at least some form of cybersecurity procedures and practices in its business model, and for good reason.

Every year there are so many data breaches and so much sensitive data being exposed that it's of prime importance to protect your organization against network threats. A single attack could leave your reputation, and the entire organization, badly damaged.

There's a lot of information on how to protect yourself against security threats out there, but as with everything, you shouldn't believe something just because you've read it online or in the media. The same holds true with cybersecurity and the common myths that surround it. Add the slight layer of mysticism and complexity that many "outsiders" ascribe to cybersecurity, and you have a recipe for a cyber attack.

Top 8 common cybersecurity myths

To battle misinformation and any lack of understanding, we've compiled a list of 8 common cybersecurity myths that might not be that benign if they influence an organization's cybersecurity policy. Today, we're the myth-busters:

  1. "It won't happen to me"

This one has to be one of the worst excuses, misconceptions and myths when it comes to keeping your organization safe. Thinking your organization won't be targeted (a little more on that below) means that you are, in some part, relying on luck to spare you from a cyber attack.

There are many reasons people believe in this myth. It's often associated with companies who think they're too "small" a target for an attacker, who believe they don't hold data of any real value to cybercriminals, or who've become desensitized with all the news coverage of "major" data breaches. ("After all, why would hackers attack me over Yahoo or Equifax?")

Whatever the reason, the fact that there is a cyber attack happening every 39 seconds shows us that our mindset on cybersecurity shouldn't be based on the question "will we be attacked?" but on "when?"—prompting us to adjust accordingly. Otherwise, putting faith in this cybersecurity myth often yields one of two frequent, and undesirable, results: either not planning a budget for cybersecurity at all or having full confidence in the security of ones' devices, systems and networks. Either case leaves you thoroughly unprepared for a cyber attack.

You're never too small to be attacked—43% of cyber attacks target small businesses. Small to medium-sized businesses are often the pathway to bigger targets, and every year we see more phishing and ransomware attacks directed towards them. With those facts in mind, having a plan to mitigate threats, putting an incident response strategy in place, and being proactive about your defense is crucial for any business, however small it may be.

  1. Cyber attacks are targeted

Another myth that's often tied to thinking you're not valuable and/or too small to be of interest to attackers is the misconception that all cyber attacks are targeted, that a given hacking campaign has been designed specifically to attack you and you alone. The truth is a little bit different.

Most attacks are opportunistic: attackers scan for vulnerable systems and then attack. There might not be any huge plot to overturn your organization; you might only be collateral damage. Knowing which attacks are targeting you specifically and which are merely opportunistic will help you keep procedures in place for both, ready to use as needed.

  1. I don't hold any valuable data

This cybersecurity myth often goes hand-in-hand with the mindset of being too small or of little use to outside attackers. It's easy to believe your data isn't valuable enough to warrant an attack, and consequently, for that data to be stolen.

But having an account on any system, and hackers obtaining the password or email, is enough to compromise your entire network. Information is power, and not knowing the extent of your attack surface is a cyber attack just waiting to happen.

As we said before, you might not even be the final target. Cyber attacks aren't always about stealing your data; you could be a mere step on the road to other, bigger, different organizations. Even apart from the organizational level, you as an individual are always under threat. Something as commonplace as a Facebook account gives you something of value to attackers, and having your private photos and contacts held under ransom by cyber criminals is not a fun situation.

Some basic steps to take in protecting your data both on- and offline: encrypt and backup your data, use strong and complex passwords, always update your OS and other software, secure all your wireless networks, use a VPN, and disable unnecessary data and media sharing.

  1. Data breaches come from external actors

We've said it before and we'll say it again: Human error is one of the leading causes of data breaches. So why are some organizations deaf to this truth, believing that the only kind of cyber threats are those that come from the outside?

If we talk numbers, sure, 48% of data breaches are caused by malicious third-party actors, but let's not forget about the 27% caused by human error. The popularity of this myth may be understandable, but don't limit your focus to the outside when it comes to possible threats. Pay attention to your internal procedures and give your staff a look, because that's what your attackers are doing.

While risks lurk on the inside of an organization, that doesn't mean you need to doubt the intent of your internal staff. A team member clicking on a phishing link may not have been driven by malice; they may have done so from a lack of proper security training and subsequent assessment.

Depending on their work and department, different teams in your organization may have access to plenty of sensitive data. Building and nurturing cybersecurity culture on all levels of your organization will go far in educating and empowering staff to understand threats and protect themselves against them.

  1. It's easy to spot a phishing email

There are a couple of tests online that you can take to see how well you can spot a phishing email. You might be surprised to learn that even some highly experienced security professionals couldn't get a perfect score.

Phishing is a type of a social engineering attack that works to exploit human psychology and susceptibility to manipulation to trick people into uncovering sensitive data, allowing attackers to break into systems. The most common vector of phishing is sending emails that feature a call to action, such as an urgent need to change the password on one of your accounts. You'll need to log into a website to do so, with that website being set up to infect your device with malware. And these websites and emails can really look like the real deal.

Phishing is also the most prevalent security threat to organizations, as 62% of businesses experienced phishing and social engineering attacks in 2018. And phishing attacks don't even need to be targeted at you. With the amount of time an attacker would need to spend on information gathering just to craft a custom email for your organization, it's more likely that you're one of many entries on their vast list of targets.

Placing too much confidence in each team member and their ability to distinguish phishing emails puts your organization on thin ice. There are different tests for engagement and assessment you can give your team to make sure everyone is equipped, as much as possible, to avoid this type of attack. For example, take Google's test to see how well you can distinguish a legitimate email from phishing bait.

  1. Perimeter security is enough

Currently, most organizations are adopting cloud and hybrid infrastructure; a traditional security perimeter simply doesn't stand a chance in the current threat landscape. Even with next-gen firewalls, VPNs and anti-virus software, they're just not able to fully protect you from cyber attacks.

Cyber criminals have long found ways to overturn antivirus software and hide their presence in a network, so putting your trust in perimeter security may be nothing more than a security theater measure.

However tempting it might sound to employ antivirus software or use the newest firewall, it's just not enough. Perimeter-based security tools don't have data on newer network concepts and technologies, and they can leave you vulnerable to many different attacks.

Today, organizations need to work with the new perimeter and use tools and solutions that work within it and can protect resources that are now located anywhere—including devices, apps, users, infrastructure and data.

  1. You only need to protect your organization

Modern organizations are dependent on their digital assets, including the way they are stored and protected. It's only logical that crackers are dependent on them as well. Organizations can struggle to keep their own networks and data secured, and adding another organization to the mix as a third-party vendor doesn't help.

You can keep defenses in line, but you're only as secure as your weakest vendor. There are often cybersecurity protocols, requirements and policies set in place when you contract with a vendor, but failing to re-visit them and re-assess the security posture of your vendors leaves a few dangerous backdoors open.

Many of the biggest security breaches we've seen in past years have been the direct result of attackers gaining access to a vendor's systems, using them to access their contact list and attack their customers. Or that vector may have been a mere stepping stone toward the attacker's main target. And the threat doesn't stop there. In the case of mergers and acquisitions, the landscape is highly susceptible to attacks; the more people and systems at play, the easier it is to overlook some critical aspect of the network.

Make sure your partners and vendors conduct regular penetration testing, vulnerability assessment and regular checking on their cybersecurity policies, ensuring that they're up to date and efficiently enforced. Your security is not just your own.

  1. You can be 100% secure

Now this can be thought of as the culmination of all cybersecurity myths: thinking you can achieve total cybersecurity. There is no such thing as a perfect security solution and we should approach all our strategies and tactics with that in mind.

You don't need to have perfect security, as that's unachievable. There are constant threats, with new ones emerging all the time, and we need to be able to observe, learn and adapt to them. As we said earlier, we shouldn't think of cyber attacks as something that could happen, but as something that will happen. We need to expect it and be proactive.

Be prepared: Have systems in place that will allow you to react to threats and mitigate them quickly and efficiently. Create disaster recovery measures and be able to learn from them. There is no truly impenetrable system, and your organization will never be truly bulletproofed against cyber threats. Mitigate them, learn from them, and have disaster recovery measures at the ready


Believing in myths will do you no good, and that rings true in the world of cybersecurity. These myths shouldn't be considered lightly, however, as they can leave you vulnerable to many threats. Everyone in the industry should break open misconceptions.

The key to good cybersecurity posture is resilience and being proactive. In a time when we have so much information available, we can't afford to stay misinformed and unprotected.

Tracking your assets is crucial in creating a clear picture of your shadow infrastructure and attack surface. Now you can catch any threats before they even enter your system. Our Attack Surface Intelligence - ASI enterprise tool helps you grow and maintain your directory of digital assets, meaning you're never left unprepared. Schedule a call with our sales team to find out more!

Sara Jelen Blog Author

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.

Subscribe to the SecurityTrails newsletter
Sign up for our newsletter today!

Get the best cybersec research, news, tools,
and interviews with industry leaders