5 cybersecurity myths for business
Cybercrime can impact your customers, your employees and your bottom line. Separating fact from fiction is the first line of defense.
Cyberattacks and threats often make headlines—not only because of the size of the attacks, but also because of the massive damage that some breaches can cause.
A 2025 attack on a major automaker caused global production shutdowns across multiple plants, with estimated costs to the company in the hundreds of millions of dollars.
Another example? In August 2025, a cyberattack targeted a prominent AI chatbot service. The breach exploited authentication tokens used to integrate the service with several major platforms and hundreds of its client organizations, resulting in stolen data, credentials, and internal tokens.
Methods used by cybercriminals can either be wide-reaching and technically complex, or they can focus on deceiving a single employee. Large, headline-grabbing attacks offer cautionary tales for companies of all sizes and in all sectors. So, what are some effective ways to get a grip on your business’s cybersecurity risks and responsibilities?
An important first step is dispelling a few of the most persistent myths about online security. Here are five that are among the most prevalent.
Myth no. 1: Cybercriminals target only large corporations
“Small and midsize businesses may be more susceptible to cyberattacks because they typically don’t have dedicated cybersecurity staff and resources,” says Adam Perino, Regions Vice President for Cybersecurity. “And as large enterprises invest in more comprehensive and sophisticated security controls that can successfully mitigate even highly sophisticated bad actors, it’s logical that the bad actors will pivot to organizations that can’t yet invest in cutting-edge protection.”
Obscurity will not protect your organization from cybercrime. Cybercriminals often use automated software programs known as bots to scour the web for vulnerable systems, regardless of a company’s size or industry. Once a company appears on their radar, the criminals review the compromised systems and data to estimate how much you, the victim, would likely pay if extorted. Your data may then be hidden or traded on the so-called Dark Web, which can be reached only through certain specialized internet browsers.
“The criminals may not get a multimillion-dollar payoff, but it can be enough to justify their effort, especially if they successfully target large numbers of small and midsize businesses,” adds Perino. “And it’s often more than enough to cripple a business.”
Myth no. 2: Greater use of AI will secure our network better
AI is transforming industries with powerful capabilities – from automation to predictive analytics. AI can even help defend a network perimeter by performing analysis on traffic data. This power, however, comes at the cost of increased cybersecurity risk.
“As with previous IT innovations that improved functionality and convenience, companies should consider the security implications. New technology provides new avenues for bad actors to abuse these services to steal data or spread malware,” says Perino.
AI systems can themselves become the target of attacks. Once compromised, an AI system can be used to launch further automated attacks. AI also introduces new classes of vulnerabilities, such as data poisoning and model exploitation, in which an attacker manipulates a model’s training data or inputs so that the model performs malicious activities.
While many industries rely on the strengths that AI provides, it comes with the need for additional controls and human oversight.
Myth no. 3: Security tools alone are enough to keep adversaries out
Historically, organizations have overly relied on antivirus software to protect their networks. While that complacency has shifted over time with the advent of firewalls, VPNs, encryption and other security tools, relying on technology alone for cybersecurity remains a potentially costly mistake.
All organizations should consider every aspect of cyber defense to ensure controls are effective. That includes processes, training, vulnerability remediation, additional layers of defense, and – most importantly – people. Those who are entrusted to manage company assets day to day should be given the knowledge and resources necessary to help defend against the largest attack vector – social engineering.
The National Institute of Standards and Technology has published cybersecurity frameworks to provide insights into how organizations should understand and improve the management of cybersecurity risks.
At the same time, testing cybersecurity controls is especially important. “Routinely testing the effectiveness of your cybersecurity controls will help ensure all aspects of your defense posture are aligned,” says Perino. “Then responding to cyber threats becomes muscle memory.”
Myth no. 4: Multifactor authentication is sufficient for identity management
While strong passwords and multifactor authentication will harden your network, making unapproved access more difficult, a determined adversary may still be able to compromise your network. Social engineering tactics are still highly effective due to the possibility of human error.
As identity has become the new perimeter for organizations, all aspects of authentication, including adding devices to your network and resetting employee credentials, will need extra scrutiny.
“As authentication-related security controls have advanced in recent years, it’s become harder for bad actors to pretend to be an employee,” Perino says. “Instead, this has led to some of the most prominent bad actors relying on effective social engineering tactics. When the bad actors can get employees and help desks to provide them access to the network, they can then defeat expensive cybersecurity controls with a persuasive phone call.”
Myth no. 5: Cybersecurity is IT’s responsibility alone
To prevent cyber incidents, all employees and vendors must work together. Routine oversights and errors—for example, opening a suspicious email attachment, clicking an untrusted web link or responding to a malicious text message—are responsible for the vast majority of successful cyberattacks against businesses.
“Every employee has a role in cybersecurity,” notes Perino, adding that businesses should require mandatory cybersecurity training for all employees to identify, evaluate, and report suspicious people, emails, texts, calls and websites.
“Not everyone needs technical training, but everybody with access to your network needs cybersecurity awareness training. Some of the most prominent cybersecurity attacks in recent years have involved social engineering attacks on employee help desks to obtain access to a network. No one expects help desk employees to be cybersecurity professionals, but everyone needs to know how to deny bad actors access to the network. Or to not allow company data to move unsecured outside the network.”
Establish industry-suggested practices
Many best practices for cybersecurity—such as scheduling regular data backups to enable quick recovery in the event of ransomware—require the buy-in of business leadership. Another good practice is least-privilege access, which means granting employees only the system access their job requires.
And Regions has a wealth of fraud security resources to help your company mitigate risk and limit exposure. By prioritizing cyber preparedness and training, leadership can align these objectives with business outcomes.
Three things to do
- Learn how to create and implement a response plan for data breaches.
- Consider when your business may need a cybersecurity lawyer.
- Read more about protecting your business from fraud.