014: 26 Cybersecurity Myths

John Barker
October 22, 2023

This is the first of a three-part series separating fact from fiction in the world of cybersecurity. We will correct the misconceptions that business leaders have about the role of cybersecurity in their organization.

We will also clarify the various job roles in cybersecurity, the skills needed to perform them, and the certifications that most align with those roles.

An issue that has plagued the cyber community for years is job descriptions that are wrong: jobs posted as entry-level that should be senior-level, and jobs described as entry-level that carry senior-level requirements.

It’s all backward.

Let’s clear this up.

All the time I hear “I need someone in cybersecurity.” That can mean all sorts of things. Let’s clear this up.

Myth: You must know how to code if you work in cybersecurity

Fact: This is one of my favorites. Many cybersecurity roles focus on policy, management, or analysis and don’t require coding knowledge. I started running computer networks. I heard this also when it comes to the CISSP certification. CISSP is a management certification, not a technical one.

Myth: Your small business is not a target for cyber-attacks.

Fact: Small businesses are often targeted because they typically have fewer security measures in place compared to larger corporations. Attacks on small businesses are often crimes of opportunity because the basics are missing.

Myth: Antivirus software is enough to keep you protected.

Fact: Antivirus is just one small piece of the cybersecurity puzzle. A good security approach that includes firewalls, regular updates, employee training, backups, and other tools is crucial.

Myth: Cybersecurity is purely a technology issue.

Fact: Human error or lack of awareness is often the most common reason breaches occur. Proper training and awareness are equally important. I talk about this specifically in the October 2023 Fredericksburg.com column “Cybersecurity is a People Problem”.

Myth: Cyberattacks only come from external sources.

Fact: Insider threats are the primary reason cyber-attacks occur. This can be employees acting on purpose or through negligence. These events can be more damaging to a company.

Myth: Once you’ve set up your cybersecurity measures, no regular updates are needed.

Fact: Cyber threats evolve constantly. Regular reviews, updates, and patches are essential.

Myth: Passwords are the best single security measure.

Fact: You want a strong password policy. Better yet, I recommend password phrases and a password manager such as Bitwarden. Don’t forget to include multi-factor authentication to better secure the software and tools you use.

Myth: Cybersecurity is too expensive for most businesses.

Fact: The cost of a security breach can be far higher than the cost of prevention. For small businesses, the basics (patching, retiring old software, passwords, firewalls, backups, and antivirus) can get you on the right path. If you have a cyber incident, it may not be possible to retrieve your data.

Myth: Cybersecurity is only the IT department’s responsibility.

Fact: Cybersecurity is everyone’s responsibility. Everyone in an organization should be trained and vigilant. Each functional department in your business should have a cyber champion to help keep the company more secure. The IT department or outsourced provider won’t know everything that is happening at all times.

Myth: I have cyber insurance, so I am protected.

Fact: Cyber Insurance does nothing to actively protect you from a cyber attack.  Cyber insurance helps to cover your monetary losses and provide you with extra resources to try and recover your data.  There is no guarantee you will get it back.  Prevention is the best medicine.  Insurance providers want to know you have the right plan in place before they pay out.

Myth: Mobile phones are not targets for cyberattacks.

Fact: Mobile devices can be vulnerable to attacks, and businesses must secure them just as they would desktop computers. Set up a Mobile Device Management (MDM) plan and policy for phones. Every phone should have login security enabled.

Myth: All cyber-attacks are for financial gain.

Fact: Motivations range from espionage to political reasons to simple mischief. I encourage you to check out the podcast Darknet Diaries. It is an entertaining take on cyber incidents. Many are just kids screwing around. Others are nation states trying to wreak havoc in the world.

Myth: Deleting data means it’s gone forever.

Fact: Data can often be recovered unless it’s securely wiped or encrypted. Before disposing of your old computers, pull out the hard drives. You can wipe them with a free tool such as DBAN or run them through a hard drive shredder. I personally save old drives up to use for target practice.

Myth: Public Wi-Fi networks are safe for business use.

Fact: Public Wi-Fi can be a hotspot for cyberattacks. Secure VPNs should be used when accessing business data on public networks.  Airports are notorious for people trying to steal data.

Myth: Cybersecurity solutions are one-size-fits-all.

Fact: Solutions should be tailored to the unique needs and risks of each business. The type of business, the data you store, and industry regulations will help determine what you need.

Myth: Physical security is separate from cybersecurity.

Fact: Physical breaches can lead to cyber breaches. Securing hardware and access to devices is essential. Do you have smart locks that track entry, security cameras, and alarm systems? Do you track the names and contact info of the people who visit your office? Ensure your employees lock away sensitive paperwork in file cabinets. You want a clean desk policy.

Myth: Encryption slows down systems and is not always necessary.

Fact: Modern encryption tools have minimal impact on performance, and they are critical for data protection.  Encryption used to have a tax on bandwidth and speed.  This is not the case anymore.

Myth: Regular employees can’t make a difference in cybersecurity.

Fact: Many breaches come from simple mistakes. Training and empowering every employee is crucial. Don’t click random links. Don’t give out your MFA codes over the phone or in an email. Overall, slow down when something doesn’t seem right.

Myth: More technology always means better security.

Fact: More technology usually means more vulnerabilities. You are increasing your threat landscape. Don’t forget to evaluate the security measures in the new technology. You don’t want new gaps when condensing your tech stack from many tools to just a few or when automating processes.

Myth: Hackers always leave signs of a breach.

Fact: Many breaches go undetected for months or even years. This is called an Advanced Persistent Threat (APT). A hacker will just sit in a network and siphon off what they want for a long time, or wait for a specific moment to strike. This is a regular method for nation states to spy on or disrupt their adversaries.

Myth: A strong firewall guarantees security.

Fact: While firewalls are fundamental, they are just one layer of a comprehensive security approach. Firewalls protect what we call North and South: you manage the traffic that comes in and out of a network. The next step is monitoring the traffic going East and West in your network. Just because someone was allowed in through the firewall doesn’t mean they should be able to go anywhere they want. There needs to be constant authentication of users and their devices. This is a concept called Zero Trust.

Myth: Outsourcing IT means outsourcing all cybersecurity responsibilities.

Fact: Businesses must ensure that their partners and providers also follow robust security practices. Cybersecurity is a whole-team sport. Outsourcing IT means you must continue to monitor your tech partner. They become a new extension of your threat landscape. If they suffer a breach, you will most likely suffer a breach.

Myth: All cyber threats come from anonymous hackers.

Fact: Competitors, disgruntled employees, or even nation-states can pose cyber threats. Internal threats that already have access are most likely going to cause you the most problems.

Myth: Cybersecurity impedes business operations.

Fact: Properly implemented, cybersecurity measures can support and streamline business operations. There can be extra steps, such as MFA, but those few extra seconds to log in can save a world of hurt if you have a ransomware attack.

Myth: All cyber-attacks are sophisticated and complex.

Fact: Many attacks exploit basic vulnerabilities or rely on social engineering.  This is why regular patching and employee awareness are key to keeping you safe.

Myth: If a company hasn’t been attacked yet, it’s not at risk.

Fact: It’s often not a matter of “if” but “when.” Proactive measures are essential to prevent potential breaches.

Next week we will dive into Entry Level Jobs in Cybersecurity.

See you then.


John Barker

John has over 25 years of technology experience and earned a Bachelor’s in Business Management & MBA. He also holds CISSP and PMP certifications.