Cyber Security Myths and Misconceptions



Top cyber security myths and misconceptions. Busted.

Cyber security preparedness is one of the key attributes businesses must manage today. There are several cyber security misconceptions that are still present in the business world in this day and age. If your workforce believes any of the myths below, then your organisation could be open to some serious threats and risks.

Sticking to facts not myths is essential to reduce security risks!

These are some of the most common cyber security myths.

Having an antivirus installed on all company computers is enough

Antivirus software might have been enough to safeguard your company from possible attacks two decades ago, but today it is definitely not enough to protect your organisation and all the data you hold. Traditionally, antivirus scanners worked through files and hard disk drives by comparing the hash of each file against a set of known-malicious hashes; when a match was identified, the user was notified and offered an action to clean or delete the file.

Hackers have found ways to bypass this AV mechanism completely by using ‘fileless malware’. Fileless malware leverages tools built into the operating system to run malicious code exclusively in the computer’s memory, i.e. RAM. As there is no executable on disk, there is no file hash or signature for the AV software to compare against, so it is bypassed completely.

Once running, fileless malware behaves like traditional malware: it tries to steal your data, access sensitive information or take full control of your machine.

Strong passwords are enough

It is best practice to have long and complex passwords and essential to change passwords on a regular basis. Attackers make use of sophisticated programs that generate candidate combinations until one matches a password. In addition to strong passwords, it is highly recommended nowadays to have two-factor authentication (2FA), which adds an additional layer of security. 2FA requires users to present two of the following kinds of factor in order to authenticate:

  • Things you know – e.g. password and PIN
  • Things you have – e.g. smartphone and security key
  • Things you are – e.g. fingerprint and facial recognition


Location-based 2FA is also emerging in which the user’s geolocation is taken into consideration when authenticating them.

Most commonly, 2FA uses a one-time code sent by SMS or email, or a code generated by a specialised app such as Google Authenticator.

Needless to say, avoid having the same password for different websites – in case of a data breach, your exposure to risk increases exponentially.

Threats are spread only through the Internet

Let’s put this in context. Thinking that disconnecting from the Internet will prevent threats from spreading throughout an internal network is a myth. Imagine one of your employees plugs in an infected USB stick: multiple computers may get infected, leading to loss of valuable information and company data. Threats can be physical. Ensure your employees are trained and that you have operating procedures in place.

Only financial institutions get targeted by hackers

Some may think that only certain sectors and industries experience cyber attacks. Being small or medium sized or in specific industries does not make you immune to cyber threats and potential attacks. Hackers might want to hold you ransom or use your assets to carry out scams or bigger-scale attacks.

All businesses in every industry are a potential target. A related myth is thinking that one has nothing worth protecting. Attacks will (definitely!) disrupt your business operations, so such incidents have (absolutely!) no positive aspects to them.

Phishing emails are easy to spot

Phishing emails have skyrocketed over the last months. Although some emails are evidently spam or phishing, hackers are socially engineering phishing emails so that they look as identical as possible to ‘normal’ day-to-day emails. These very realistic-looking emails may look familiar, leading recipients to take an action such as transferring funds, clicking on a malicious link or downloading a file (usually a backdoor or ransomware).

Bonus – Dodgy websites are blocked by our IT Department

The truth is that even legitimate websites can be compromised and infected with malware, viruses and other malicious code. It is estimated that more than 75% of all legitimate websites have unpatched vulnerabilities. Hackers are increasingly exploiting vulnerabilities in website plugins and flaws in open-source frameworks to spread malicious scripts.

Are these cyber security myths putting your business at risk? Learn more about how we can deliver awareness training that helps you and your business be proactive against cyber threats.

    Francesco Mifsud

    I live and breathe cyber security and everything else in the discipline. With around a decade of experience in the industry I have had the opportunity to develop skills in penetration testing, cloud security, reverse engineering & exploit development, application security engineering, management and organisation-wide cyber security strategy. I hold a well-rounded set of security certifications such as OSCP, eWPTX and CISSP and have delivered training & workshops at some of the most prestigious hacking conferences such as DEF CON, BRU CON, BSides London and BSides Manchester.