8 Lies Businesses Tell Themselves About Security Awareness and Their People

8 Lies Businesses Tell Themselves About Security Awareness and Their People

Cybersecurity is incredibly critical for businesses of all sizes. However, many businesses have some outdated beliefs when it comes to cybersecurity awareness and their people. These false assumptions can leave businesses vulnerable to cyber-attacks, data breaches, and financial loss. Here are eight common lies businesses tell themselves about security awareness—and why these beliefs are more dangerous than you might think.

A few years ago I was leading the creation and go-to-market efforts for a fully-automated security awareness microlearning program. I spoke with business leaders responsible for the cybersecurity of thousands of companies about their approach to cybersecurity and training their employees. What they shared with me in those meetings was somewhat shocking, but perhaps as you read these false assumptions you might relate. And yes, these are real.

False beliefs:

1. “We haven’t had any problems yet, so we’re fine.”

Why this is a lie…
Just because your company hasn’t been hit with a cyberattack yet doesn’t mean you’re in the clear. The bad guys never rest. They’re always changing their attacks, and will continue to target new businesses. Also, just because you haven’t felt or spotted an attack yet doesn’t mean your business hasn’t experienced one. Many attacks can go undetected for weeks, months, or even years. The bad guys are talented at going undetected. The longer they remain undetected the more time they have to exfiltrate data and perform reconnaissance, learning all of the important information about how your business works, so they can be even more successful in their scam attempts. Businesses often don’t realize they’ve been breached until it’s too late. The lack of visible problems doesn’t mean a hacker isn’t lurking around in your systems, waiting for the right moment to strike.

Believing that “no problems so far” means “no problems in the future” is like skipping insurance because you haven’t had an accident. Cybersecurity is about prevention, not just reaction.

2. “We have email and web filters, so we’re safe.”

Why this is a lie…
Email and web filters are crucial layers of defense, but they aren’t perfect. Cybercriminals are constantly developing ways to bypass even the most robust filters. Many sophisticated phishing schemes are specifically designed to slip through these safety nets. Bad guys will do their homework and piggyback on one scam to accomplish another. If a bad guy successfully gains access to someone’s business email, they will move quickly to use that legitimate email to execute attacks on the contacts in that email account. These attacks will go completely undetected by filters because they are coming from a legitimate email address that has already been marked as known by the recipients.
It’s true, filters can help mitigate risk, but they can’t be your only line of defense.

Remember: No security measure is 100% effective. You need a multi-layered approach that includes not only filters but also continuous training, strong password policies, and advanced threat detection tools.

3. “The bad guys aren’t interested in us or our data.”

Why this is a lie…
It’s easy for small and medium-sized businesses (SMBs) to think they’re too insignificant to be targeted by hackers. But in reality, cybercriminals often see SMBs as easier targets because they likely don’t have the big cybersecurity budgets that larger companies do.

Bad guys aren’t just interested in Fortune 500 companies or large enterprises; they go after any business. They view all data as valuable data—whether it’s customer information, credit card details, or intellectual property. Even ransomware attacks are increasingly being aimed at SMBs.

No business is too small or unimportant to be attacked.

4. “Phishing scams are so obvious, our people won’t fall for them.”

Why this is a lie…
In speaking with hundreds of business owners, this was one of the weirdest trains of thought I encountered. Leaders shared the thought, “Phishing scams are easy to spot.”
Well, perhaps for those leaders, focused daily on cybersecurity, they have become really good at noticing all the tells of every phishing email they encounter and that they would never fall for them. But, I would always ask them, “Well, what about your people? If a phishing attack happened right now, would they all spot it and know what to do next?”
EVERY TIME, they would recognize that they were being falsely confident.
Just because the person in charge of technology is good at spotting phishing scams, doesn’t mean everyone in your organization is good at it.

Also, it’s not about how great your intelligence is at spotting phishing scams. It also has a great deal to do with whether or not you’re paying full attention. If you’re tired, stressed, distracted, being interrupted or just accidentally hit the wrong button, you can fall prey to an attack that may, under more careful review, would be obvious to someone who took their tirne to properly evaluate an email.

NOW, Pause and please re-read that last sentence. Did you catch the typo in the word “time?”
Spelled t-i-r-n-e. If you were reading quickly, not intentionally looking for errors, some can slip past you. That’s the only intentional typo I put in this blog. If you find others, please be gracious with me. I do not want to be arrested by the grammar police again. That example of replacing an ‘m’ with an ‘r’ next to an ‘n’ is a classic scammer’s way of getting someone to think what they are sending you is legitimate. By altering the spelling just a little, they can get away with a lot!

While some phishing attempts may seem really simple to detect, many can be extremely sophisticated. Cybercriminals are constantly improving their techniques, using tactics like spear-phishing, which targets specific employees with personalized information to make the scam appear legitimate. Even tech-savvy individuals can be tricked by these more complex phishing schemes.

Human error is still the leading cause of data breaches. Assuming your employees will always spot phishing emails is a dangerous gamble.

5. “We issue annual security awareness training, so we don’t need extra cybersecurity measures.”

Why this is a lie…
Cybersecurity isn’t a “set it and forget it” task. This applies to your people as well as your technology and practices. Cybersecurity requires constant maturing and monitoring.

New threats emerge all the time. Cybercriminals are constantly trying and finding new ways to bypass existing defenses. This means your employees need to be continuously updated on the latest threats and best practices, not just once a year. Cybersecurity needs to be part of your everyday company culture.

Every security measure you place within your organization needs to be reviewed, updated and regularly tested.
When was the last time you tested your backups?
When did you last review your cybersecurity incident plan?
How often do your employees update their passwords?

6. “Cybersecurity is the IT department’s responsibility.”

Why this is a lie…
Cybersecurity isn’t just the responsibility of the IT department—it’s everyone’s job. Every employee plays a role in protecting your company from threats, from recognizing phishing attempts to following secure password practices. Treating cybersecurity as an IT-only problem is a recipe for disaster. Company-wide engagement is the way to create a robust security culture.

7. “We don’t need a cybersecurity budget, it’s too expensive.”
   OR, “We can’t possibly do everything, so let’s not do anything.”

Why this is a lie…
While investing in cybersecurity can seem costly upfront, the financial damage of a data breach is far more expensive. Data breaches can lead to lost revenue, damaged reputation, and hefty legal fees. A proactive investment in cybersecurity, including advanced tools, regular training, and risk assessments, is way cheaper than the destruction that can occur because of an attack.
Cybersecurity is an ongoing journey. There’s no way to put it all in place all at once for all time. It is a maturing process and a continuous practice. So just because you can’t afford it all or do it all at once, doesn’t mean you should skip it all. Instead, work with a trusted partner to strategize and prioritize your cybersecurity efforts and budget.

8. “We have strong passwords, so we’re secure.”

Why this is a lie…
Strong passwords are a good start, but they’re not enough on their own. Password reuse, weak passwords, and even insider threats can lead to breaches. To bolster password security, businesses should implement multi-factor authentication (MFA), password managers, and regular password change policies. Focusing solely on passwords without adding extra layers of security is a major oversight.

How can you demonstrate you don’t believe these lies…

The greatest defeat to a lie is to share the truth. Here are ways to show you know the truth about cybersecurity and how it will cultivate a culture of cybersecurity within your organization:

1. Provide your teams with ongoing training and awareness programs.
2. Lead by example. Demonstrate to everyone in your organization that even the leaders take the training and evaluating emails for security is taken seriously by everyone.
3. Perform periodic risk assessments so you know where your weaknesses lie and can build a strategic cybersecurity plan.
4. Adopt a proactive cybersecurity mentality by sharing and evangelizing your organization’s cybersecurity strategy.
5. Evangelize and demonstrate best practices for cybersecurity such as over the phone or in-person confirmation before wiring funds.
6. Perform ongoing proactive monitoring.
7. Consult or partner with an outsourced cybersecurity expert to ensure you are uncovering any cybersecurity weaknesses.

The eight lies shared in this blog reflect dangerous misconceptions that many businesses hold about cybersecurity. Overconfidence and lack of awareness can make a company an easy target for cybercriminals. To stay ahead of evolving threats and costly errors, businesses must have a consistent focus on  employee education, embrace cybersecurity tools, and continuously evaluate their cybersecurity journey.

Cybersecurity isn’t a one-time-only, all-at-once event. It’s an ongoing effort to reduce risk and improve resiliency.

A strong cybersecurity culture begins with understanding that no business is immune to attack—and that everyone, from the CEO to the newest employee, plays a vital role in keeping the company safe.

Is your business prepared for the latest cyber threats? Let us help you develop a robust cybersecurity plan. Contact us today.