The 5 Most Dangerous IT Myths Businesses Still Believe

Posted: 22nd June 2026

Summary of the IT myths putting your business at risk.

From thinking that small businesses aren't targets for cybercriminals to assuming Microsoft 365 automatically backs up everything, these misconceptions can create serious gaps in cyber security for businesses. In this article, we'll bust five of the most common IT myths and explain what you need to do instead.

Over the years, we've heard many myths and misconceptions around cyber security repeated by businesses of all sizes: Our systems have in-built protection; we’re too small for hackers; phishing attacks are easy to spot.

Let's put to bed five of the biggest myths we still hear today.

5 IT myths that could put your business at risk 

Myth #1: Small businesses aren't targets for cybercriminals

This is probably the most costly myth on the list. Many business owners assume attackers only target large corporations with household names and multi-million-pound revenues. After all, why would a cybercriminal be interested in a local business with twenty employees?

The answer is simple: Smaller businesses are often easier targets.

Large organisations typically have dedicated security teams, strict controls, and significant cyber security budgets. SMEs rarely prioritise cyber security, and that makes them low-hanging fruit.

What many people don’t realise is that cyber crime is low effort, low risk, but high reward. In many cases, cybercriminals aren't specifically targeting your business at all. They're using automated tools to scan thousands of organisations looking for weaknesses. If they find one, they take advantage of it, no matter how many PCs you have.

Think of it less like a burglar carefully selecting a mansion and more like someone walking down a street checking for doors left unlocked.


43% of UK SMEs identified a cyber breach or attack in the last 12 months 


Myth #2: Microsoft automatically backs up everything

We’ve come across countless businesses that have moved to Microsoft 365 and assumed everything is automatically backed up forever. Unfortunately, it's not quite that simple.

Having your data stored on any cloud-based service makes it more accessible, and yes, recovery is sometimes possible, but it’s not guaranteed. It depends on a number of factors such as what was deleted, when it happened, and what retention settings are in place.

Microsoft 365 is designed to provide flexible access to your data and keep services running reliably. And of course, its security is tight. But it isn't the same thing as having a dedicated backup solution.

Think of it like renting a storage unit. The storage company is responsible for keeping the building secure and accessible. But in the event of a disaster, they can’t recover what was damaged.

Myth #3: Antivirus software is enough protection

There was a time when installing antivirus software felt like you’d built a fort around your IT infrastructure. But cyber threats have evolved considerably since then, and there are now countless threats your antivirus software could miss.

Modern attacks often rely on phishing emails, stolen credentials, social engineering, and compromised accounts rather than traditional viruses. In many cases, attackers don't need to break into your systems. They simply log in using valid credentials.

That's why relying solely on antivirus software is a bit like securing your office door with a giant lock while leaving all the windows open.

Effective cyber security for businesses now involves multiple layers of protection, including user awareness training, patch management, access controls, email protection tools, multi-factor authentication and 24/7 monitoring.

Antivirus software is still important, but it's not the whole story.

Myth #4: Cyber insurance covers everything

Cyber insurance can be an extremely valuable safety net, but it’s no substitute for security.

A surprising number of organisations assume that if they have insurance in place, any cyber incident will simply be covered. But the truth is, many policies include conditions and security requirements that businesses must meet before a claim will be paid.

Just like your car insurer would expect you to have a driving licence and keep your vehicle roadworthy, cyber insurers expect businesses to implement sensible security controls before providing cover.

Having insurance is sensible, but it doesn’t make you bulletproof.

Myth #5: We don't need MFA because we use strong passwords

If everyone uses long, complex passwords, surely that's enough? Not necessarily.

That’s because passwords aren't always stolen by hackers guessing them. They are captured through phishing attacks, data breaches, malware, or simply by users entering them on convincing fake websites. Even the strongest password can end up in the wrong hands.

That's where multi-factor authentication (MFA) comes in. MFA adds an extra layer of verification beyond a password. Even if credentials are compromised, attackers face another obstacle before gaining access.

It's one of the simplest and most effective security controls available today.

Thinking you don't need MFA because you have strong passwords is a bit like saying you don't need a seatbelt because you're a careful driver.


MFA can reduce account compromise risk by 99% 


We’re more than IT support - we’re cyber security specialists

The interesting thing to note about these myths and misconceptions around cyber security for businesses is that none of them are tech issues. They’re knowledge gaps. In each scenario, the systems aren’t necessarily vulnerable; the users are.

That’s why we offer all our clients free cyber security awareness training for all of their employees. So if you thought some of these myths were true, get in touch.

 
