
Top 10 Cybersecurity Misconceptions of SMBs

October is National Cybersecurity Awareness Month, which makes it the perfect time to dispel some of the most common cybersecurity misconceptions held by SMBs.

The National Cybersecurity Alliance compiled these 10 commonly held beliefs of Small and Medium-sized Business owners. We’ve broken them down and provided additional analysis and suggested actions, but you can download the original list for free here.

Cybersecurity Misconception #1 – My data (or the data I have access to) isn’t valuable.

A common misconception among SMBs is that their data isn’t valuable enough to make them worth a hacker’s attention.

Perhaps you think your list of first names and email addresses doesn’t have any real personally identifying information. But consider that list sold on the dark web and cross-referenced with another list that has email addresses and Amazon accounts. Or birthdays. Or banking institutions.

Your information doesn’t have to include everything to be considered valuable. These days it just has to be easy to get to. That alone can make it a worthwhile target.

Take Action: Do an assessment of the data you create, collect, store, access, and transmit. Classify all the data by level of sensitivity so you can take steps to protect it appropriately. For more on data privacy, click here.


Cybersecurity Misconception #2 – Cybersecurity is a technology issue.

It may seem completely ‘obvious’ that cybersecurity has to be a technology issue. But consider this:

You can have the tightest access control, the strictest password policies, and the most up-to-date hardware and software…but if you have people who engage in risky behaviors because they don’t know (or don’t care), then your cybersecurity falls apart.

Take Action: Educate every employee on their responsibility for protecting sensitive information. An easy way to get started is to review and sign up for our top cybersecurity scams monthly email.


Cybersecurity Misconception #3 – Cybersecurity requires a huge financial investment.

It’s easy to think that cybersecurity would cost a lot. We hear “cybersecurity” and we think technology, innovation, and dollar signs.

The good and bad news here is that there is no magical technology “cure” that you can simply throw enough money at to fix everything. The real cost in cybersecurity is time and effort – teaching, reminding, and encouraging best practices.

We all love shortcuts, but taking them in this area will only get you in much bigger, costlier messes.

Take Action: Create and institute cybersecurity policies and procedures, restrict administrative access, enable multi-factor authentication, and train employees to spot malicious emails.


Cybersecurity Misconception #4 – Outsourcing to a vendor washes my hands of liability during a cyber incident.

Common cybersecurity misconception number four is that outsourcing your security nullifies your liability.

The truth is that no matter who is ‘supposed’ to protect your data, you and your business will ultimately be held responsible. That’s why it’s so important to choose your partners carefully and put the proper expectations and agreements in place.

Take Action: Put data sharing agreements in place with vendors, and have a trusted lawyer review them. You can also use our free risk assessment tool to get instant results on where your current IT services vendor stands on best practices. Use it to guide your next conversation and improve your relationship.


Cybersecurity Misconception #5 – Cyber breaches are covered by general liability insurance.

Many standard insurance policies do not cover cyber incidents or data breaches. According to Old Republic Risk Management, “Cyber losses are typically excluded from current commercial general liability policies or at least are not specifically defined in traditional insurance products.”

That doesn’t mean you should panic. It simply means you need to check with your insurance provider to find out exactly what is and is not covered. Don’t assume. Once you know, you can decide if you need anything different, and you can rest easy knowing you will have protection if the worst occurs.

Get some cyber insurance basics and questions to ask your agent here.

Take Action: Speak with your insurance representative to understand your coverage and what type of policy would best fit your organization’s needs.


Cybersecurity Misconception #6 – Cyberattacks always come from external actors.

We might all like to believe this common cybersecurity misconception, but it’s just not true. Cyberattacks do not always come from external actors.

This doesn’t mean you can’t trust your employees, of course. You vetted, hired, and trained them, so of course you should trust them. But since it’s better to be safe than sorry, there is no reason to give everyone access to sensitive information they don’t need to do their jobs.

Nor is keeping server closets and confidential file rooms locked a matter of distrusting employees. These are simply best practices that lower your potential risk, especially if you ever have visitors in your business.

Take Action: Identify potential cybersecurity incidents that can come from inside the organization, and develop strategies to minimize these threats.


Cybersecurity Misconception #7 – Younger people are better at cybersecurity than others.

Age is not directly correlated to better cybersecurity practices.

While it’s understandable that we think of young people as having grown up with more online activities and earlier adoption of mobile devices, that in no way means they were taught how to secure those devices or protect their sensitive information.

Take Action: To ensure that your business has the proper security measures in place, communicate your policies and best practices with all employees on a regular, if not frequent, basis.


Cybersecurity Misconception #8 – Compliance with industry standards is sufficient for a security strategy.

This cybersecurity misconception is a little tricky. The key word here is “sufficient.”

When beginning to build your security strategy, industry standards are a great place to start. The problem is thinking that’s all you need to be perfectly safe.

Think back to when you were in school getting grades on papers and tests:

  • You’d be passing with a 70.
  • You might be happy with an 80.
  • Your parents could be hoping for a 90.
  • And your teacher could be wishing for everyone to get 100.

One way to think of industry standards is that score of 80. It’s more than just passing, but it’s a threshold set for an entire industry. So with your resources and ability, you could easily be capable of a 90. And the goal remains 100.

As Maya Angelou said, “Do the best you can until you know better. Then when you know better, do better.” It’s good advice under any circumstances.

Take Action: Use more rigorous guidelines, such as the NIST Cybersecurity Framework, to better manage your cybersecurity risk.


Cybersecurity Misconception #9 – Digital and physical security are separate, unrelated things.

Far too many businesses believe this common misconception: that digital security and physical security are separate and unrelated. The truth is that physical security – locking doors or cabinets and using access control systems – can, and should, complement your digital security measures.

Just as layered digital security can slow down hackers and make your data a less attractive target, physically locking rooms and cabinets can turn an opportunistic crime into one that isn’t worth the effort. Why make it easy? Consider physical security part of your cybersecurity strategy.

Take Action: Develop strategies and policies to prevent unauthorized physical access to sensitive information and assets, e.g. control who can enter server rooms and file rooms.

We maintain relationships with the Department of Homeland Security and the FBI who may be able to help you with an evaluation or walkthrough. Reach out if you’d like to know more.


Cybersecurity Misconception #10 – New software and devices are secure when I buy them.

It is completely reasonable to believe new devices are secure. But that doesn’t make it true.

Software and devices that come ‘out-of-the-box’ should certainly not be infected with any malware or viruses. But that’s about all the vendor needs to promise.

Take Action: In order to protect yourself, you should always check software versions to make sure they are up-to-date and then configure your settings. This means changing passwords and turning off any default data-sharing that you may not want (such as location tracking). And as a digital hygiene habit, you should periodically go through these settings as they may change with use or updates.


Next Steps? Discuss these recommended actions with your team.