No cybersecurity incidents means we've no problems -- 15 Dangerous Cybersecurity Myths - Day 2

Hello there. Did you know that small businesses are extremely vulnerable to attack from cybercriminals right now and that most don't survive for more than six months after a cyber incident?

John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber. My goal is to help small business owners and managers like you get to grips with this complex subject of cyber risk.

 15 Dangerous Cybersecurity Myths

You may be struggling now, to clearly see the big picture but once you separate the myth from the truth, you can begin to significantly reduce your risk over the next 15 days through this series, I'm going to walk you through "15 Dangerous Cybersecurity Myths You Probably Believe". I'll explain the thinking behind each myth, why it's dangerous to believe it, and the truth you need to hear so that your small business can stay safe 

Now, before we dive in, I want to give you access to my free cyber resilience workshop. It's a 60-minute video workshop that will show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link survivingcyber.com/workshop to register now. 

Myth Number 2 - No cybersecurity incidents means we've no problems 

Now today, we're going to explore Myth number two: "No cybersecurity incidents means we've no problems". I hope you're ready to dive in. I'm John Byrne, and this is "15 Dangerous Cybersecurity Myths You Probably Believe. 

So welcome to Myth number two: "No cybersecurity incidents means we've no problems". Now, as you can probably imagine, this is a commonly held view among small business owners. And it's understandable. The thinking goes: "If I've never found anything in my business so far that would indicate that I have a cybersecurity problem, then I really don't have a problem". I'd like to show you some of the thinking behind this.  

  1. The obvious logic is: "We've not been hit with a cyber-attack in the past, so we must be okay. If we haven't seen anything in the past, everything must be fine." Clearly, that's not the case.  However, it's understandable that people would think like that. It's comforting to think “If I haven't found a problem, I don't have a problem”. Sadly, that's not the case with cybersecurity. 
  2. The thinking goes on to say: "I'm not worried about this changing environment. I know that the environment is changing, I know that my business is under attack from cybercriminals, but the rising threat and the rising attacks don't concern me because I've not seen this so far in my business". Clearly, this is a continuation of the same line of thought.  
  3. Business owners may also think: "COVID-19 has had no impact on my business risk. My use of working from home has worked well and it's really just like working in the office. There's no need for a cybersecurity review as the employees gradually returned to the office." You can clearly see the line of thinking here. 


COVID-19 has had a dramatic effect on every business and the method of working has changed for practically every business. The fact that problems have not been detected is being taken as a comfort factor using this line of thinking. The use of working from home has been dramatically different for all businesses than the previous environment of working in a central location, such as an office. 

But many small businesses will take comfort in the fact that they got through the "working from home" phase if they're now at the other end of it, or that they're continuing to work from home and haven't detected a problem. The thinking goes: "If I haven't had a problem and I haven't found it, then I don't have one".

A Dangerous Myth

This is a dangerous myth to believe because it leads to small businesses having a false sense of security based on the fact that they have not detected the cyber incident. It's dangerous because relying on past experience makes these businesses unaware of the changing environment and the increasing risks, especially from remote working.  

Working from home is a dramatically different risk environment than working in an office. The reality is that the threat environment has changed dramatically as a direct result of COVID-19. The fact that we have not been hit in our business as a result of that risk increase means we've been lucky so far, nothing more than that. Basing a sense of security on the lack of an attack in the COVID-19 era is a mistake.  

Truth Number 2  - It's only a matter of when, not if, you will experience a cyber incident in your business 

But let's look at the truth now behind this myth. Truth Number two is: "It's only a matter of when and not if you will experience a cyber incident". This is dramatically different to the view we've just expressed.  

  1. We have said that there is a risk of false comfort in the fact that you have not experienced the cyber incident. The reality is that the environment is getting worse. The past is not an indicator of the future when it comes to cyber risk. Because the environment is changing all the time, the future will be different to the past. The risks, sadly, are only increasing as time goes by. Therefore, basing your comfort on the past is a mistake. 
  2. What a lot of small businesses do not realize is that they may indeed have been attacked already, but don't yet know it. This is another aspect of cyber risk that makes it different to most risks that we would be comfortable with, or at least familiar with. For example, if you've had a fire in your premises, or you've had a lawsuit, you know about it because there's clear evidence of the fact that the event has happened. In contrast, with cyber risk, there is no clear evidence many times. We know that the average time it takes to discover a cyber event is close to nine months. So, you could indeed have been attacked during COVID-19 and could have already suffered a cyber incident, but you've not detected it yet. Your systems may already have been breached. So, you've just not detected it yet. 
  3. Experts agree that it's really only a matter of when and not if the businesses will experience a cyber incident. So, if you're not taking proactive measures to respond to changes in your business and in your business model, brought about by COVID-19 in particular, such as the hybrid working environment that we all are familiar with now, you could be "asleep at the wheel". 
You could be living with that sense of security that's comforting, but sadly, it's not well-founded. So that's Truth Number Two; "It's only a matter of when, not if, you will experience a cyber incident in your business" 

Free Cyber Resilience Workshop 

Thanks so much for reading today's post. I hope you found it helpful in exploding this myth and revealing the truth. Don't forget to register for the video workshop using the link survivingcyber.com/workshop. I hope to see you tomorrow as we dive deeper into "15 Dangerous Cybersecurity Myths You Probably Believe" so we can uncover the truth of how to keep your small business safe.