Are These 10 Cybersecurity Myths Putting Your Business at Risk?

From the myth of strong passwords to misconceptions surrounding which businesses hackers target and why, there are a number of cybersecurity misunderstandings that could be putting your business at risk of attack. Are you or your employees falling for them?
Rob Sobers
4 min read
Last updated June 12, 2023

Cybersecurity preparedness is one of the major obstacles facing businesses today. Despite the increased focus on making companies cybersafe, there are several common cybersecurity misconceptions that still pervade the business world.

If you or your employees believe any of the myths below, you could be opening up your business to unknown risk. Check out the full list, or jump to our infographic for tips on how you can bust these myths and keep your business cybersafe.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

strong password cybersecurity myth

Strong passwords are one of the foundations of good cybersecurity practices, especially for businesses. However, implementing and enforcing strong password policies is only the start. In fact, one of the major components of cybersecurity preparedness that companies overlook isn’t how people access the information — it’s what information is available in the first place.

Not only do employees need strong passwords, companies need to be more aware of who they allow to access what data. In a recent study, we found that 41 percent of companies had at least 1,000 sensitive files open to all employees. Many companies also don’t have a system in place to monitor admin access. Strong passwords help keep your company safe, but there’s a lot more at risk once employees are in the system.

small businesses aren't hacked myth

The proliferation of high-profile hacks in the news cycle often tricks small- and medium-sized businesses into thinking that they won’t be targets of attack. In reality, the opposite is actually true. In fact, according to the 2018 Verizon Data Breach Investigations Report, 58 percent of data breach victims are small businesses.

This happens for several reasons. Many businesses aren’t targeted specifically, but instead are victims of what’s known as “spray-and-pray” attacks — hackers set up automated systems to randomly infiltrate businesses. As these attacks are random, any business can be damaged, regardless of size.

Small businesses tend to be “softer” targets, as they have less funding for advanced data protection software and often don’t have skilled security teams, which makes them more likely to fall victim to spray-and-pray attacks. Targeted attacks also tend to focus on small businesses, precisely because they’re unprotected.

vulnerable industries hacking myth

Much like some businesses believe they won’t be attacked because of their size, other businesses wrongly assume that they won’t be attacked because of the industry they’re in. This myth also goes hand-in-hand with the belief that some companies don’t have anything “worth” stealing. The reality is that any sensitive data, from credit card numbers to addresses and personal information, can make a business a target.

What’s more, even if the data being targeted doesn’t have resale value on the darkweb, it may be imperative for the business to function. Ransomware, for example, can render data unusable unless you pay for a decryption key. This can make attacks very profitable for cyber criminals, even if the data is deemed “low value.”

anti virus cybersecurity myth

Anti-virus software is certainly an important part of keeping your organization safe — but it won’t protect you from everything. Software is just the beginning of a comprehensive cybersecurity plan. To truly protect your organization, you need a total solution that encompasses everything from employee training to insider threat detection and disaster protection.

insider and outsider security threats

While outsider threats are certainly a concern and should be monitored extensively, insider threats are just as dangerous and should be watched just as closely. In fact, research suggests that insider threats can account for up to 75 percent of data breaches.

These threats can come from anyone on the inside, from disgruntled employees looking for professional revenge to content employees without proper cybersecurity training, so it’s important to have a system in place to deter and monitor insider threats.

IT's role in cybersecurity

While IT has a big responsibility when it comes to implementing and reviewing policies to keep companies cybersafe, true cybersecurity preparedness falls on the shoulders of every employee, not just those within the information technology department.

For example, according to Verizon, 49 percent of malware is installed over email. If your employees aren’t trained on cybersecurity best practices, like how to spot phishing scams and avoid unsafe links, they could be opening up your company to potential treats.

public wifi misconceptions

If your business has employees who travel often, work remotely or use shared workspaces, they may incorrectly assume that a password keeps a Wi-Fi network safe. In reality, Wi-Fi passwords primarily limit the number of users per network; other users using the same password can potentially view the sensitive data that’s being transmitted. These employees should invest in VPNs to keep their data more secure.

computer virus myth

A decade or so ago it may have been true that you could tell immediately if your computer was infected with a virus — tell-tale signs included pop-up ads, slow-to-load browsers and, in extreme cases, full-on system crashes.

However, today’s modern malware is much more stealthy and hard to detect. Depending on the strain your computer or network is infected with, it’s quite possible that your compromised machine will continue running smoothly, allowing the virus to do damage for some time before detection.

BYOD at work

Employees often assume that their personal devices are immune to the security protocols the company’s computers are subjected to. As such, Bring Your Own Device (BYOD) policies have opened up companies to cyber risk they may not be aware of. Employees who use their personal devices for work-related activities need to follow the same protocols put in place on all of the network’s computers.

These rules aren’t limited to cellphones and laptops. BYOD policies should cover all devices that access the internet, including wearables and any IoT devices.

achieving cybersecurity preparedness

Cybersecurity is an ongoing battle, not a task to be checked off and forgotten about. New malware and attack methods consistently put your system and data at risk. To truly keep yourself cybersafe, you have to continuously monitor your systems, conduct internal audits, and review, test, and evaluate contingency plans.

Keeping a business cybersafe is a continuous effort, and one that requires every employee’s participation. If anyone at your company has fallen victim to one of the myths above, it may be time to rethink your cybersecurity training and audit your company to assess your risk.

download cybersecurity myths inforgaphic

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

Last Week in Ransomware: Week of June 28th
Ransomware in the News If you’re a small or medium business using locally hosted cloud storage drives by a popular brand you need to disconnect them from the internet immediately....
What is PSD2 Compliance and What Does it Mean for Your Business?
The PSD2 regulation for the EU encourages financial innovation while also mandating better safeguards for consumers. Read about PSD2 compliance and what it means for your business.
Ransomware Meets Its Match With Automated Cyber Defenses
The “good news” about hacking is that while leaving you with potentially enormous incident response costs — customer notifications, legal fees, credit monitoring, class-action suits — your business can still...
How Hackers Use OSINT to Find Business Data
OSINT can be a valuible resource for finding business data, if you know where to look. Here are the best sources of OSINT for business info in 2019.