
Organisations are becoming more enlightened about the threats that cyberattacks pose. According to the 2017 State of Endpoint Security Risk Report by Ponemon Institute, 7 out of 10 organisations feel that the risks have increased during the previous year. Despite the positive fact that awareness is increasing, organisations now seem to believe too much of what they hear. When misconceptions (or rather myths) about cybersecurity are circulating freely, how do we know what to trust?

Myth #1: All attacks are noticeable

The notion that a user will automatically notice an attack is no longer accurate. Cyberattacks are becoming more sophisticated, and we can no longer expect a clear signal to appear on the screen.

The belief that we will always notice an attack is based on another misconception – that we know what we are looking for. If we haven’t been previously exposed to a certain threat, we may not recognise it as one.

Myth #2: Software is the solution

Installing anti-virus or anti-malware software is a step in the right direction to keep threats out. The problem with anti-virus software is that it will only protect against previously known virus signatures. With the increasing sophistication of attacks and the development of new techniques, this is no longer considered sufficient protection. Fileless attack techniques are just one example. These attacks don’t rely on malicious executables, which is what the software analyses to detect a virus.

Thankfully the belief in this myth already seems to be declining. The 2017 State of Endpoint Security Risk Report also showed that almost 70% of organisations feel that antivirus software isn’t enough protection against potential threats anymore.

If software isn’t enough, can we then automatically say that the more expensive and technologically advanced your solutions are, the safer your data is? Sadly, this is another misconception. If your organisation lacks an understanding of the system’s function and overall purpose, sufficient protocols or a trained system administrator, the price tag becomes irrelevant.

Read more about too much faith in technology in our previously published blog post "Are we taking cybersecurity seriously enough?"

Myth #3: 100 % cybersecurity is achievable

If we can agree that we won’t always notice an attack and that antivirus software, or even more complex technology on its own, isn’t the answer, then what is?

If we take all the previous factors into consideration, will this ensure complete security? This brings us to yet another misconception – that there is such a thing as 100% cybersecurity.

100 % protection may currently not be achievable due to the fast pace of change in attack techniques, but it doesn’t mean that organisations can’t keep their information safe.

Avoiding myths with the right resilience

There are many more myths to uncover about cybersecurity and it is important to turn them inside out before deciding what to believe. Organisations should keep a holistic mindset, which means that cybersecurity needs to be a strategic decision, not just a defense mechanism.

Unfortunately, today’s organisations do not seem to feel this way. NTT Security’s survey showed that a third of the participating organisations would rather pay a ransom to a cybercriminal than invest in cybersecurity.

Reacting once an attack has been detected (if it is detected) is not the key; prevention and resilience are. This is something we should make sure isn’t considered a myth.


There are many examples of companies and organisations that have paid a high price for a lack of information security, both financially and in terms of their reputation. But why aren’t more resources and a higher priority given to preparing for cyberattacks?

The Danish shipping company Maersk says that the cyberattack against them in 2017 cost the company between 200–300 million dollars. Utility companies are suffering from cyber-related malfunctions in several places around the world, for example in Ukraine. There are many more examples.


The term often mentioned alongside cybersecurity is cyber-resilience. Cyber-resilience is the resistance to a possible cyberattack. It consists of technology combined with people and processes in the organisation, and of how well you manage to connect these technical aspects with your business aspects.

But how much energy and money are really put into cybersecurity?

87 % haven’t learned from previous mistakes

According to a survey by the Global Economist Intelligence Unit (EIU), most organisations invest less than 1-2% of their revenues in cyber-resilience.

The average cost of financing cyber-resilience is approximately 1.7% of the revenue.

The survey, conducted among 450 companies worldwide, shows a lack of ability to learn from previous cyberattacks - only 13% of board members feel that their organisation has learned from past mistakes in cybersecurity. Likewise, few say that they are above average compared to competitors at drawing lessons from a cyberattack. Only 15% of companies indicate that they spend enough on the proactive part of cybersecurity in cyber-resilience.

Too much faith in technology

The latest technology and the most skilled IT department are not enough to defend against cyber-related threats. The management and board must have an ambition to put cybersecurity high on the agenda.

Today’s cybercapacity extends beyond technical solutions - if there is no willingness to prioritise security awareness internally, investing in products is a waste of time.

Too much faith in their own ability

When we look at the Swedish market we see that 90 % of companies consider themselves to have better cybersecurity compared to their competitors. More than a third even state that they are leaders in cybersecurity.

So how is it that we believe we know all about cybersecurity? Are we just being naïve? Perhaps there is a psychological idea that what hasn’t happened won’t happen. A kind of “It’s been OK so far” mentality.


But in reality, cybercrime is increasing and the average time it takes to discover that you are under attack is 191 days. This means that you can make the decision not to prioritise cybersecurity while an attack is actually taking place.

Too few companies give cybersecurity sufficient priority. Only a quarter of companies have appointed someone on the board to be responsible for the organisation's cybersecurity. 43 % do not have any insurance against cyber threats, although a hacker attack is estimated to cost about 30 million SEK.

Belief in the future

It's time to take security seriously to avoid high risks and costs that could be much higher than the cost of building a security-conscious organisation. Businesses today are direct targets for many cyberattacks, and companies that depend on IT systems for operation, monitoring and governance are particularly vulnerable.

Information that needs to be protected should be identified and new processes introduced to eliminate the risk of information leakage.

If you are transparent and take proper care of information security, you have every opportunity to show yourself as being competitive in many contexts, such as recruitment, new business partnerships and encouraging customers to start or continue using your digital services. It's time to take cybersecurity seriously.