There are myths in every part of the world. Old maps that believe in dragons, and users who believe that their mobile phones are safe from cybercrime. Both are myths, but only one will cause harm.

There are no dragons, but there are attack vectors for every system, size of business and platform. As Anna Collard, SVP of content strategy and evangelist for KnowBe4 Africa, points out, it has become increasingly important for organisations and users to recognise these myths and misconceptions so they do not become complacent or make expensive mistakes.

“There are several misconceptions that put companies and individuals at risk and one of the biggest is the belief that a company is too small to be of interest to the criminals,” she adds. “This could not be further from the truth. Increasingly, small companies are being targeted by cybercrime groups because they do not have great security in place and are vulnerable to attack. Do not make this mistake – keep up with cybersecurity hygiene, train your people and implement robust defences.”

Another misconception is that our mobile devices are inherently more secure than computers. As much as any user would like this to be true – it is not. Although mobile devices have different built-in security models compared with the original Windows OS, which had very little security. But just because mobile devices were built to be more secure, does not necessarily mean they still are.

“No piece of technology or slice of innovation is free from risk,” says Collard. “Every user and company must ensure that their authentication is robust – multi-factor is best – and that they practice good security hygiene and awareness when receiving messages or downloading apps. ”

Another myth, one that can hit the unsuspecting business hard, is the belief that because the company does not sell goods online, it is not at risk. This belief is often tied up with the misconception that the company does not have anything of value to steal. Wrong, on both counts. In fact, if the business has any kind of information or digital operations, it is valuable to the hackers. Any organisation can be held hostage by cyber extortionists and fleeced for funds, so it is critical that every organisation is rigorous with its cybersecurity.

“Then, there is the idea that any employee or individual can recognise a phishing attack,” says Collard. “Unfortunately, this is not true. Perhaps, if people were sent the clumsy phishing attacks of the past, they could recognise them, but today, the criminals are sophisticated and determined. Social engineering attacks – of which phishing is just one part – have become incredibly diverse and clever, and anyone can fall victim to one.”

The KnowBe4 & ITWeb ransomware survey found that of the South African organisations participating, 32% fell victim to ransomware before and 4% fell victim multiple times.

Sophos reports in their “IT Security team 2021 and beyond” report that 58% of South African respondents' organizations experienced an increase in cyber attacks over the course of 2020^[1]. 

“Whether your organisation is adopting remote working, hybrid working or in-office working frameworks, you need to invest in employee training to ensure that people understand the risks and are able to catch themselves before they make an expensive mistake,” concludes Collard. “This training adds that extra layer of security that can ultimately prevent a breach, and protect both company and employee.”

There may not be dragons at the end of an ancient map, but there are definitely scams, hackers, phishing emails, social engineering attacks and criminals banging on the virtual business doors. To embed protection, make sure that none of these myths and misconceptions are influencing security behaviours for both the business and the individual.