Cybercriminals threaten your customers, your employees, and your bottom line. Separating fact from fiction will help you protect them.

In July 2017, U.S. credit bureau Equifax made a shocking discovery: Hackers penetrated its computer systems and stole the personal information — including names, Social Security numbers, birth dates, addresses, and driver’s license numbers — of 145.5 million American consumers, The incident is expected to cost hundreds of millions of dollars.

The data breach serves as a cautionary tale for companies of all sizes and in all sectors. The best way to get a grip on your business’s cybersecurity risks and responsibilities? Learn the truth about who’s a target and how prevention works. To help you get to that level of knowledge, here are five of the top myths regarding online security.

Myth: Cybercriminals only target large corporations

There are strategic reasons to attack small companies, according to Don Turrentine, Regions Senior Vice President for Cybersecurity. “Small and midsize businesses may be more vulnerable because they typically don’t have dedicated IT staff and resources,” Turrentine says.

In fact, 61 percent of small and midsize businesses have experienced a cyberattack in the past year, according to the Ponemon Institute. And the size of breaches has almost doubled, the Ponemon Institute study found.

Sometimes the random nature of cybercrime is behind the attacks: Cybercriminals often use computer programs known as bots to automatically scour the web for vulnerable systems, regardless of the size or type of company.

Myth: Small Business Doesn’t Have Anything Worth Stealing 

Small businesses are attractive targets for criminals who want to:

• Steal money and information: Small companies have corporate bank accounts that can be emptied, trade secrets that can be sold, and critical data that can be held for ransom. Also, they have employees. A company with 50 employees, for example, has 50 targets to steal personal and bank account information.
• Conduct distributed attacks: To cover their tracks, cybercriminals often use botnets — networks of infected, internet-connected devices under their command. Their mission: Using your small-business computer, smartphone, or smart-home device to disrupt the internet and infect millions more devices.
• Hack large companies: Small companies have large corporations as customers, partners, and vendors. If their IT systems are in any way connected — through software integration, for example — criminals can use the smaller company’s system as a backdoor into the larger company’s system.

Myth: Basic protections like anti-virus software will keep hackers out

Cybersecurity firm McAfee says 245 new pieces of malware emerge every minute. At that rate, it’s impossible for any one piece of software to provide comprehensive protection.

“You need to have a layered approach to cybersecurity,” Turrentine says. “Anti-virus alone is never enough and serves as just one of the layers.”

The SANS Institute , a provider of cybersecurity training, says effective cybersecurity has five layers:

1. Anti-virus software;
2. Network controls, like firewalls;
3. Reputation assessments, which confirm that files originate from trustworthy sources;
4. Behavioral analysis, which helps organizations detect abnormal behavior within their IT systems; and
5. Remediation, whereby organizations repair and remove threats once they’re detected.

Turrentine says remediation is especially important: “Have a plan so you know how to respond to an attack when it happens, and practice that response plan so it becomes part of your muscle memory,” he says.

Myth: Passwords should be changed regularly for maximum protection

One of the most effective ways to protect data is with strong passwords. For that reason, software vendors and service providers historically have set strict requirements for user passwords. 

Unfortunately, such requirements make passwords hard to remember, which leads many consumers to write their passwords down or to create passwords that are easy to guess.

There’s a better way, according to Turrentine, who recommends using a single 12-character passphrase — a phrase or sentence — for longer periods of time. “Studies have shown that’s stronger than having a six- to eight-character password and changing it every 60 days,” he says.

To make data even more secure, choose vendors that use two-factor authentication. Two-factor authentication means logging in requires a password, plus another, second credential, such as a PIN, one-time passcode via text message or email, or biometric recognition.

Myth: Cybersecurity is the IT department’s responsibility alone.

All employees must work together to prevent cyber incidents, according to Turrentine, who says human error — for example, opening a suspicious email attachment or clicking an untrusted web link — is responsible for the vast majority of cyberattacks against businesses.

“Every employee has a role in cybersecurity,” he says, adding that businesses should offer mandatory cybersecurity training for all employees so they know how to identify, evaluate, and report suspicious people, emails, and websites. “Not everyone needs technical training, but everybody needs cybersecurity awareness training.”