Despite growing awareness of cybersecurity risks, misconceptions persist that could lead your business astray in 2025.
Stephen Osler, co-founder and business development director at Nclose, examines the most common myths and how organisations can debunk them in order to strengthen their defences.
Myth 1: Cybersecurity is only for large corporations
This statement is simply not true. Small and medium-sized enterprises are increasingly being targeted, as well as individuals.
According to the Harvard Business Review, mid-size businesses are often considered a soft underbelly for cybercriminals to exploit.
The Nclose State of Ransomware in South Africa 2024 Survey shows that ransomware and other cyber threats are widespread across businesses of all sizes, with 63% of respondents experiencing at least one ransomware attack in the past two years.
The problem that many smaller companies face is third-party risk management. Cybercriminals know how hard it is to gain a foothold in a large enterprise because of its strong defences, so instead they target a third-party service provider.
A well-known example is the US retailer Target, whose systems were breached by cybercriminals who gained access to customers’ personal data via the air-conditioning sub-contractor in 2014. Because third parties have access to large volumes of data, they are an attractive target for cybercriminals looking for low barriers to entry.
Myth 2: We’ve never been attacked before, so we’re safe
Complacency can be dangerous because it can lead to organisations dropping their guard. As our 2024 survey shows, just because a company has no previous ransomware incidents doesn’t mean it won’t still face future risks.
When it comes to cybercrime, it’s not a matter of if, but when. Having good cybersecurity measures in place comes down to good governance. If an organisation’s leaders don’t treat cybersecurity as a risk, they’re less likely to be conscious of what the risks are or to put controls in place to mitigate them.
Consider Covid-19 or loadshedding. No one ever would have thought they were possible and yet both have happened. In the same way, cybersecurity attacks are happening more frequently and organisations should be prepared.
Myth 3: A basic antivirus is enough
While this may have been true in the past, it certainly isn’t any longer. We serve over 100 clients and not one of them relies solely on a basic antivirus for cybersecurity. Although it’s a good place to start, cyber threats often bypass traditional antivirus defences. Moreover, a basic antivirus struggles to identify new, unknown threats (zero-day attacks) that have not yet been catalogued.
Given the advanced nature of threats like ransomware, companies require cybersecurity systems that are more robust and increasingly sophisticated. The focus should be more on detection and less on prevention. To do this, tools like managed detection and response (MDR) and zero-trust frameworks should be employed.
In addition, employees need to be trained to spot scams and hackers’ ploys. Social-engineering attacks, such as phishing emails, remain one of the most popular weapons in cybercriminals’ arsenal, because the human psyche is surprisingly easy to exploit.
Myth 4: Cybersecurity is too expensive
Cybersecurity is a cost to businesses – there’s no doubt about it. According to the Nclose State of Ransomware in South Africa 2024 Survey, almost half of respondents are spending 16% or more of their IT budgets on cybersecurity for their firms.
The same research showed that 19% of companies take seven days or longer to recover after a ransomware attack, highlighting how under-investment can lead to longer recovery times and higher costs after an attack.
Those who are tempted to dismiss cybersecurity because of the expense should ask themselves: How much will an attack cost you? Cybercrime can have a catastrophic impact on your business. Over half of respondents in our survey reported that they’d lost between R100 000 and R1-million due to ransomware attacks.
Rather than bemoaning the cost of cybersecurity, organisations should interrogate their IT service provider to get the answers they’re looking for. Make sure cyber risk is listed on your company’s risk register. I believe managers need to take their responsibility seriously to identify and mitigate cyber risks.
Providing cybersecurity training to your employees is also crucial. By implementing these steps, you can greatly reduce cybersecurity risks at your company and build a more resilient security infrastructure.