Debunking 5 common cyber-security myths

Cyber-risks and liabilities

Also known as IT security, cyber-security refers to the act of safeguarding internet-connected systems, critical data and other digital assets from potential cyber-threats—threats that may attempt to exploit sensitive information, steal funds or disrupt normal business operations. In other words, cyber-security consists of the strategies implemented to help protect people, processes and technology from cyber-attacks and related losses. Cyber-security has become even more important as organisations of all sizes and sectors expand their reliance on technology and other digital services in their operations. After all, cyber-attacks can carry serious consequences, including damaged data and systems, customer harm, prolonged business disruptions, diminished customer loyalty, lost revenue and regulatory concerns.

Even so, a variety of myths circulate regarding cyber-security, many of which understate the severity of possible threats and diminish the value of effective mitigation strategies. If organisations mistakenly assume these myths to be true, they could leave themselves increasingly vulnerable to cyber-attacks and subsequent losses. The following article debunks five of the most common cyber-security myths, giving organisations the information to better understand their exposures and implement appropriate risk management measures.

Debunking the myths

Myth #1: Cyber-security measures are only necessary for large corporations

Some organisations think small businesses are unlikely targets for cyber-attacks, as they often hold less data and fewer funds for cyber-criminals to exploit. As a result, it has become a frequent misconception that adopting proper cyber-security measures only makes sense for large corporations, particularly those that possess substantial capital and store sensitive information.

Large organisations are certainly susceptible to cyber-attacks, but this doesn’t mean small businesses are immune to such incidents. On the contrary, some cyber-criminals consider small organisations more attractive targets than their larger counterparts because these businesses are more likely to have weaker cyber-security measures in place, which makes an attack easier to carry out. According to a recent study conducted by international IT services and consulting company Accenture, 43% of all cyber-attacks target small businesses, and 66% of such organisations have experienced an attack within the past year. With this in mind, it’s clear that cyber-security measures are necessary for organisations of any size, but especially for small businesses.

Myth #2: Basic cyber-security procedures are enough to protect against possible threats

For certain organisations, cyber-security consists of a few basic protocols, such as deploying firewalls, installing antivirus software and encouraging employees to maintain strong passwords. While these procedures can certainly prove useful, such a single-layer approach to cyber-security is unlikely to be effective in minimising all possible threats. For instance, basic cyber-security protocols are less successful at protecting against brute-force attacks and social engineering scams, which are among the most common attack techniques. To put this into context, a report from multinational cyber-security firm Kaspersky Lab found that brute-force attacks account for nearly one third (31.6%) of all cyber-incidents; meanwhile, the aforementioned Accenture study revealed that 85% of organisations have encountered social engineering scams. This means that organisations with only basic protocols in place would remain vulnerable to a sizeable proportion of cyber-attacks.

As the cyber-risk landscape shifts and changes, organisations’ mitigation strategies should follow suit. By implementing a multi-layered approach to cyber-security and leveraging a wide range of protective measures (e.g. multi-factor authentication, endpoint detection and response solutions, email authentication technology, patch management plans and data backup systems), organisations will be better equipped to handle their advancing digital exposures.

Myth #3: Cyber-security measures aren’t worth the associated costs for small businesses

Small organisations may initially be less inclined to invest in cyber-security due to the related expenses, especially considering their limited budgets. Most of the time, this stems from these organisations believing that cyber-security measures aren’t worth their cost, despite the various benefits they provide; yet the reality is quite the opposite. As previously mentioned, small businesses are frequent targets for cyber-attacks. What’s worse, these businesses are more likely to face financial ruin in the aftermath of such attacks. In fact, global cyber-economy researcher Cybersecurity Ventures reported that 60% of small businesses close their doors within just six months of experiencing a cyber-incident. Considering this data, small organisations simply can’t afford to ignore cyber-security. Investing in sufficient mitigation strategies could make all the difference in helping these businesses avoid major losses and prevent financial devastation at the hands of cyber-incidents.

Myth #4: Cyber-security is the IT department’s job

Even when organisations make the wise decision to invest in cyber-security, they may still make the mistake of placing all related responsibilities on the IT department. Although these professionals play a central role in upholding adequate cyber-security measures, they can’t act alone. The most effective cyber-security models involve companywide participation, which requires support from corporate executives and routine training for all employees. Without companywide participation, organisations are more likely to have poor cyber-hygiene and awareness. Moreover, businesses that don’t take cyber-security seriously will likely pass the same attitude on to their employees by neglecting to provide essential education on digital risks. This is particularly concerning, as recent research conducted by the World Economic Forum, an international lobbying organisation, found that 95% of cyber-attacks stem from human error. As a result, it’s imperative that organisations foster a strong working culture that encourages everyone to take responsibility for cyber-security. This entails having company executives lead by example, training employees to detect and defend against prevalent cyber-threats, and recognising those who demonstrate a continued commitment to security.

Myth #5: Cyber-threats are always external

When most employers and employees picture a cyber-criminal, they likely visualise an external threat actor. Nevertheless, cyber-attacks can also arise from insider threats. An insider threat refers to an individual who has been entrusted with access to or knowledge of an organisation’s confidential resources and information (e.g. an employee, vendor or third-party collaborator). Because of their legitimate privileges, insider threats have the potential to compromise an organisation’s most valuable assets and leave it more susceptible to a range of cyber-incidents (also called insider events). According to IT company Cybersecurity Insiders, at least 74% of organisations are at least moderately vulnerable to insider threats. Further, a recent Cybersecurity Insiders survey found that the average insider event costs almost £600,000. Therefore, it’s vital for organisations to consider both external and internal threats when developing their cyber-security measures.

By adopting an informed approach to cyber-security and understanding the reality behind common myths, organisations can position themselves effectively in this evolving digital risk environment and limit the likelihood of large-scale losses.

Contact us today for more risk management guidance and insurance solutions.

Information provided by Zywave and contributed by Lisa Langley, Cert CII, Team Leader, Professional Risks, Cox Mahon Ltd.

This article is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.