Top 7 Cyber Security Myths – What Your IT Support Isn’t Telling You

Section 1: The illusion of cyber security

Introduction: What you think you know

When it comes to cyber security, it’s easy to assume that you’re protected, but many fall into the trap of believing common security myths. This can leave your business vulnerable to threats you weren’t even aware of.  

The struggle lies in the harsh reality: you don’t know what you don’t know.  

This blog tackles the common myths that your IT support may not be discussing with you. By the end, you should be set up to challenge whether you’re truly protected. Plus, if you’re part of a charity, stick around for a special opportunity to get Cyber Essentials certification at a reduced cost! 

Myth 1: "My IT support has cyber security covered by default"

Many businesses assume that their IT support automatically handles all aspects of cyber security, but this is often not the case. While some IT providers offer basic protections like antivirus software or email filtering, these measures alone leave critical security gaps.

A UK government study revealed that only one in ten businesses reviewed the risks posed by their suppliers. Most businesses are at risk because they only put a basic level of protection in place, not realising that current threats are far more sophisticated.

When it comes down to it, you need to know what exactly your IT support is doing to secure your systems and data. Question them and make sure their solution also includes a detailed security analysis that is unique to your business. 

Myth 2: "Cloud is automatically secure"

One of the biggest myths is that if data is in the cloud, it’s protected and security is the provider’s concern – but that’s far from the truth. Just like physical servers on-site, cloud data still needs strong security measures to keep it safe. 

One of the major risks is “cloud sprawl”. This is when businesses have unmanaged or forgotten cloud accounts that weaken overall security. Unsecured accounts become easy targets for attacks.   

Hackers follow the data and as more businesses move to the cloud, it becomes even more appealing for attacks.  

To ensure your cloud systems are secure, consider the following:

  • Regular log reviews 
  • Security audits 
  • Strong password policies 

Another aspect your IT support should be involved in is the protection of your cloud environment. At a minimum, they should be regularly reviewing security logs, ensuring systems are updated, and only using services that have been thoroughly vetted for security. For instance, your IT support can provide a secure SharePoint for your data, but it still has to be continually monitored to ensure that data stays safe.

Myth 3: "Antivirus is enough"

Relying on traditional antivirus software to keep your systems safe is another myth. Though antivirus programs were once essential, on their own they no longer do the job.

They operate by comparing files on your computer against a ‘signature file’, a list of known viruses. If something matches, the antivirus software identifies and removes it. The problem is that cyber threats now extend far beyond viruses, and hackers are constantly finding new ways to get past these defences.

This means that antivirus software often misses more sophisticated attacks, leaving your systems vulnerable. Simply put, it’s no longer enough to rely on signature-based detection. 

Instead, modern cyber security requires more advanced tools like Endpoint Detection and Response (EDR). Unlike traditional antivirus, EDR uses artificial intelligence (AI) to actively monitor your systems in real time, looking for suspicious behaviour rather than only known threats. This gives you an extra layer of proactive protection.

Additionally, EDR solutions are often monitored by a dedicated Security Operations Center (SOC), where experts can take immediate action if a threat is detected.  

If your IT support is still pushing traditional antivirus as your primary defence, that should be a cause for concern, as they may not be using the latest tools to keep your business safe.

Myth 4: "Email signatures are just formalities, not a security risk"

It’s easy to think of your email signature as a formal sign-off at the end of a message, but could it actually pose a hidden threat?

Picture this: you receive an urgent email from a trusted partner, complete with a signature you’ve seen countless times. Without thinking twice, you act on it – only to find out later the email was a scam. The signature, which convinced you it was legitimate, was used to deceive you. 

This isn’t rare: cybercriminals are increasingly weaponising email signatures.

While you may have secured your networks and trained your team, the small details, like your email signature, are often overlooked. But these signatures, which typically contain names, job titles, contact info, and even business logos, can be a goldmine for attackers. 

Cybercriminals take advantage of the trust we place in familiar email signatures, using them to craft emails that look convincingly real. Once spoofed, these fake emails can trick recipients into acting on fraudulent requests or even clicking on malicious links. 

The solution? Standardise signatures across your business, regularly verify any links and be mindful of how much information you’re including. By treating email signatures as part of your security strategy, you reduce the risk of them being used against you. 

Section 2: The human element of cyber security

Myth 5: "Cyber security is all about technology"

One of the biggest myths is that cyber security is only technology-related. The weakest security link in any system is the person sitting in front of the screen.  

Cybercriminals know this and often target people rather than systems, using phishing attacks to trick people into clicking dangerous links or sharing sensitive data.  

Have you ever clicked a link in an email and later thought, ‘Should I have clicked that?’ It happens, and it highlights why relying on technology alone isn’t enough to keep your business secure.

During busy periods you’re more likely to make a mistake, and cybercriminals take advantage of this. They also target new employees, who are more likely to follow through with suspicious requests, like an email from their boss asking them to buy gift cards. Without proper training, these types of attacks can easily succeed.

To avoid this, you must pay attention to people as much as you pay attention to technology. This means making your team aware of the kind of emails that are likely to be phishing, the kind of behaviours to look for, and what to do when they suspect they have made a mistake.  

Two key approaches can help:  

Employee Training: Regular cyber security awareness training teaches your team what to look for in phishing attempts and other scams. When they know the red flags, they are less likely to fall victim to attacks.  

Phishing Simulations: Fake phishing emails are sent to your team to test how well they spot threats. If someone clicks on a link, it helps to identify who needs extra training.

The problem we often find is that businesses aren’t aware that they need these services.  

With most IT support companies, you will buy the services you feel are important, so when phishing simulations and employee training aren’t on your radar, it’s possible your provider hasn’t offered it to you. It’s not that they don’t want to provide it – it’s often down to budget and priorities.   

The question is: Has your IT support made you aware of these options?   

If you’re not being offered comprehensive solutions, including education for your team, it’s time to ask: who’s got your back? Your IT support should be training you on how to prevent security breaches in the first place.

Myth 6: "I have a secure password, so I’m safe"

Having a strong password unfortunately doesn’t mean you’re protected from cyber attacks, especially if it is reused across multiple platforms.

Hackers are constantly looking for ways to exploit breached credentials from past data leaks, like the infamous LinkedIn breach, and use them to access other accounts.  

When you reuse a password across several sites, it takes just one breach for hackers to gain full access. If your LinkedIn password is leaked, for example, hackers will try the same password on your email, banking and other accounts.

If you use the same password on multiple accounts, use a password generator together with a password manager to create and store unique passwords securely. You can also check if your details have been exposed on Have I Been Pwned?: simply enter your email address to see if your data has appeared in a previous breach.

Your IT provider should ensure your password security measures are in place. If you’re not already getting this kind of support, it may not be part of your IT package, but that doesn’t mean it’s not essential. Ask yourself, has your IT support talked to you about scanning for compromised passwords or implementing password management systems? If not, it’s time to ask for it.  

As part of ongoing account management, your IT support should check your domain for compromised passwords, run audits to flag weak or reused passwords and implement policies to prevent employees from using insecure credentials. This ensures that even if one password is exposed, it doesn’t lead to a chain reaction of security breaches.  
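The two checks described above, a breached-password lookup and a reuse audit, as an added example that is not code from the original post: the lookup follows the k-anonymity design of the Pwned Passwords service behind Have I Been Pwned?, where only the first five characters of the password’s SHA-1 hash are sent and the service returns every known hash suffix under that prefix with a breach count. The range responses below are constructed stand-ins so the code runs offline; the breach counts and the extra suffixes are made up, and `fetch_range` is a hypothetical hook for a real HTTP call.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the k-anonymity "range" endpoint of Have I Been
# Pwned's Pwned Passwords service: the client sends only the first five hex
# characters of the password's SHA-1 and receives every known suffix under
# that prefix with its breach count. Assumption: real replies use this
# "SUFFIX:COUNT" line format; the counts and extra suffixes here are made up.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # SHA-1("password")
        "1F8A1F0F2B8E2C0E7F2C4B5D9E1A3C5B7D9:1\r\n"
    ),
}

def local_range(prefix: str) -> str:
    """Offline substitute for HTTP GET /range/<prefix>; '' when the prefix is unknown."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")

def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; tolerate blank or malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str] = local_range) -> int:
    """Breach count for a password (0 = not found); the full hash never leaves the caller."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def reused_passwords(credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Group accounts by password hash; any group with more than one account is a reuse finding."""
    groups: Dict[str, List[str]] = {}
    for account, password in credentials.items():
        groups.setdefault("".join(split_sha1(password)), []).append(account)
    return {h: accts for h, accts in groups.items() if len(accts) > 1}

if __name__ == "__main__":
    sample = {"linkedin": "password", "email": "password", "bank": "c0rrect-h0rse-battery"}  # constructed
    print(pwned_count("password"), reused_passwords(sample))
```

Swapping `local_range` for a function that performs the real HTTPS request keeps the privacy property intact, since the request still carries only the five-character prefix.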

Ultimately, passwords alone won’t keep you safe. Use the right tools, keep everything updated, and work with your IT support to regularly audit your systems.

Myth 7: "Hackers won’t target us because we’re too small"

A common misconception among small businesses and charities is that they’re ‘too small’ to be on hackers’ radar. The reality? Size doesn’t matter to cybercriminals. In fact, smaller businesses are often seen as easier targets because they tend to have weaker security measures in place. 

Hackers frequently look for what’s called “low-hanging fruit” – the easiest targets with minimal defences. Small businesses and charities, often operating on tight budgets, may lack the resources to invest in robust cyber security, making them ideal targets for cybercriminals. 

They aren’t interested in who you are; they’re interested in how easy it is to breach your systems. Once inside, they can steal sensitive data, hold it for ransom, or even disrupt operations entirely. 

Just because you might not have the budget of a larger company doesn’t mean you can’t protect yourself. By investing in basic security measures like firewalls, antivirus software, employee training, and regular security audits, you can avoid becoming an easy target.

It’s important to remember that cybercriminals go where the defences are weakest, not necessarily where the big profits are. Even if you’re a smaller business, you’re still handling valuable data like customer information, donor lists, or even financial records – all things hackers can exploit. 

Cyber Essentials Certification – Charity offer

Throughout October, charities can take advantage of Cyber Essentials certification at a reduced rate through this offer. It’s a limited-time opportunity for charities to boost their security without straining their budget. The Cyber Essentials certification allows businesses to protect themselves against cyber attacks. 

If you’re a charity and would like to find out how to access this offer, talk to us today! 

Time to reevaluate your cyber security

We’ve covered a lot of ground, but the bottom line is that no one is too small to be targeted by cybercriminals. It’s time to take a closer look at your current IT support and ask yourself if you’re truly protected. 

The myths we’ve discussed highlight just how easy it is to overlook crucial aspects of security. But it’s the things you’re unaware of that can pose the biggest risks. 

If you’re unsure about your current security measures or what steps to take next, don’t hesitate to reach out. We’re here to help guide you through the process and ensure you have the right protections in place.  

Remember, it’s better to ask questions now than to face a crisis later.