CRACoWi Project

Running a business is synonymous with risk: any business faces many risks in its daily operation; organisational risks due to weak organisational measures, operational risks due to weak fulfilment of tasks by staff or related third parties, technological risks, financial risks, risks related to the legal or institutional framework, risks related to contracts, and so on. Cybersecurity is one of the most common risks today, both in terms of the measures needed to prevent an attack and in terms of how frequently cyberattacks occur and how severe their consequences are for organisations. The worldwide cost of cybercrime is estimated at 9.2 trillion USD (Source: https://www.statista.com/forecasts/1280009/cost-cybercrime-worldwide). Many businesses take serious action in this regard; others believe that it is not that important and does not affect them. The latter view is usually based on several myths about risk in business, and below we point out the five myths that, in our perception, are the most common.

  1. ‘’We are too small to be noticed; who is going to put effort into hacking us?’’ … or ‘’there is nothing valuable to steal from us’’ …

The management of the organisation may consider this a logical thought; still, cyber attackers do not distinguish between bigger and smaller organisations. Targeting depends on a variety of motives and intentions. Usually, SMEs and smaller organisations have weaker measures than large organisations. All organisations hold customer information, financial data, classified documents, special categories of personal data, intellectual property, etc. As an example, a small company may be targeted because its measures are expected to be weaker, while at the same time it belongs to an important sector of the economy and cannot afford a long interruption. Or the smaller company is targeted because it provides a path to the real target, a corporate partner of theirs; and, the attacker reasons, why lose the opportunity to take advantage of both? Accounting firms are a case in point. They are targeted even if they are small, because they usually hold their clients' passwords, and sometimes they store those passwords in plain text, in an Excel file! According to IBM's 2025 Cost of a Data Breach research, third-party vendor and supply chain compromise ranked second among the factors that increase the cost of an attack.

Last but not least: even if you do not fall under the few examples above, you may be targeted simply because of the company you are, not because of your size. According to the same IBM survey, the highest-ranked factor (1st position) in the cost of an attack was the malicious insider, usually a dissatisfied employee or former employee.

  2. ‘’We have excellent IT support; we are not at risk’’ …

This is a myth. The efforts of the IT department, even if they are very good and have put advanced security measures in place, can be undone in seconds by a simple, unintended mistake of an employee, or by an employee's malicious action. A mistake by an employee may be unintentional, yet it can still open a path for the attacker. It is a fact that phishing attacks targeting employees caused, during 2024, an average cost of 4.8 million US dollars to the organisation that employed the phishing victim (IBM's 2025 Cost of a Data Breach report). Even the best security perimeter can be breached in part through an employee who, because of phishing, becomes the ‘’back door’’ (like the back door of Troy in Homer's poetry). Additionally, many attacks come from inside. The perception that the organisation is threatened only by the external environment (hackers) is a myth. A malicious person inside the organisation also has the second longest time to identification (see Myth 3 below), with an average of 194 days according to the IBM research cited below.

  3. ‘’We would know about an attack; I would be immediately aware of it’’ …

This is one of the worst perceptions in the business world. Hacking, if not prevented, usually goes undetected for a long period. IBM's annual report, Cost of a Data Breach Report 2025 (https://www.ibm.com/reports/data-breach), indicates that the time it takes the organisation to become aware of a breach varies from 166 days when the organisation uses only an on-premises storage environment to 207 days (approximately 7 months!) when the organisation uses multiple types of environment, i.e. on-premises and cloud. It also varies with the type of security problem. In many cases the attack was identified through the ransom request! Meanwhile, the attacker has stolen the organisation's information (which is usually also offered for sale on the dark web, with screenshots of the stolen data used as pressure on the organisation) and in many cases has compromised the organisation's backup process in order to strengthen the ransom demand. Without proper perimeter monitoring, audit trails, incident detection and the other required measures, attackers may remain inside the organisation's systems undetected for far too long, until they decide to demand a ransom or are detected by luck!

  4. ‘’After setting our measures there is nothing more to do’’ … or, put differently, ‘’Cybersecurity is a one-time effort’’

Information security, of which cybersecurity is a part, is an ongoing process. The organisation's defensive infrastructure ages, new threats are identified, attackers supported by artificial intelligence design more sophisticated attacks, software needs to be patched, vulnerabilities need to be identified early and addressed, employees require continuous awareness and training since in many cases they are the weak link, and the infrastructure evolves; these are some of the areas to consider, but not the only ones. Measures need to be examined continuously (at least annually is recommended) in order to address the changing threat environment. So there is a great deal to do on a continuous basis, and among these areas of consideration Risk Intelligence is a modern requirement for businesses. Risk Intelligence, in simple words, is learning about the cybersecurity landscape from professionals (by monitoring proper sources) and spreading this knowledge within the organisation.

  5. ‘’We are compliant; thus, we are secure’’ … or ‘’Compliance equals security’’

Compliance with legal, institutional and industry requirements does not mean that the organisation is exempt from further security requirements, nor that its information security and cybersecurity are the best they could be. Compliance usually sets the minimum requirements, not the ceiling. Frameworks and industry requirements usually provide baseline controls which, valuable as they are, are not enough. They provide a basis to build on; they should be viewed as the minimum requirements upon which the organisation creates its own security policies and procedures, the starting point, not the final goal. Every organisation has specific risks and vulnerabilities to address, related to the complexity of its existing infrastructure. The security an organisation builds has to be based on its own specific risks and be adaptable to emerging threats, and this cannot be captured in any framework. Frameworks cannot account for specific custom integrations between tools and systems, so further controls must be established. At the same time, it should be pointed out that frameworks change rarely while the threat environment changes day by day.

Conclusions: In this article we have presented some of the most important myths in the opinion of the writers, drawing on their field experience in supporting organisations to build up an appropriate information security infrastructure. In the end, YES, high-profile organisations attract more attention and create headlines, but attackers target anyone, anywhere. Many writers point out that an attack is not a question of ‘’if it happens’’ but of ‘’when it will occur’’. Some attacks may seem difficult to prevent or detect early, but doing nothing is the worst scenario. A very important issue this article aims to point out is that management in many organisations has a lot of misperceptions about the security their organisation requires, and this may be the greatest risk of all.

Source: tanea.gr