Cisco Blogs

Believing These 5 Security Myths Could Put Your Business At Risk

September 20, 2011 - 1 Comment

Learn the truth behind these common misconceptions to rethink your security

Many small businesses have a false sense of security. They’ve been lulled into believing that their companies’ data is more secure than it actually is, because they believe some of the common misconceptions about security. Consequently, these businesses have left themselves open to both data and financial loss.

Don’t put your business at risk. Learning the truth behind these five security myths will help you strengthen your company’s network defenses and protect your critical information.

1. “My small business is not a target.” Actually, your small business is a target. Size doesn’t matter if you have something valuable that a cyber criminal wants, including customer credit card numbers, software license keys, or competitive product data. In fact, many attackers rely on small businesses believing this myth, because it makes them less likely to lock down their networks.

Recent research further dispels this myth. According to the 2011 Verizon Data Breach Investigations Report, cyber criminals have made small businesses a prime target. Attackers are using “unsophisticated methods” to break into small business networks with small, opportunistic attacks. Also, the 2010 report found that 63 percent of reported data breaches were at companies with 100 employees or fewer.

Need further proof that your small business could be a target? The Wall Street Journal reported that an estimated 95 percent of the credit card breaches Visa discovers are perpetrated against small companies.

Believe your small business is a target and set up your network security as though you expect a cyber criminal to go after your assets.

2. “We’re safe because we have a firewall.” A firewall is a necessity for controlling access in and out of your network, but it can’t protect your business from every security threat. According to the Verizon report, 96 percent of the reported security incidents could have been prevented by simple, inexpensive security measures like antivirus and antimalware software. So a firewall combined with other threat protection measures is the way to go, and for many small businesses the most efficient way to do this is with an appliance that provides several security functions in a single device, such as the Cisco SA 500 Series Security Appliances.

It’s also important to remember that new security threats are always emerging, and that as your business changes, your security needs to be reviewed and adjusted to match. The firewall settings you originally configured may no longer protect your business. For example, if you need to open up your network to remote access, your firewall needs to be configured to allow authorized traffic in through a virtual private network (VPN).

3. “We don’t need an acceptable use policy.” Even though your company may have only a handful of employees and feel more like family, you still need an acceptable use policy (AUP) to establish rules for using the company network and to ensure that everyone follows those rules. An AUP helps reinforce company security practices and acts as a kind of insurance in case something goes wrong. It outlines what kind of online behavior and network use is appropriate and what the ramifications are for employees who break those rules. The policy also protects against HR liabilities and supports employment laws.

4. “We don’t need a disaster recovery plan.” Every time disaster strikes, from hurricanes (Irene, anyone?) and tornadoes to building fires, companies lose critical data and significant sums of money. Even more companies are impacted by smaller incidents, such as a server that gets stolen or an employee who accidentally deletes a critical file. Yet most small businesses don’t have a disaster recovery plan in place. According to the Symantec 2011 SMB Disaster Preparedness Survey, 50 percent of respondents do not have a plan in place, and 14 percent don’t intend to create a plan. Don’t make that mistake.

A disaster recovery plan, which includes the steps to take to restore your computer systems after a failure, will help your company get back up and running as fast as possible. The plan also includes details for making regular backups and describes how to use those backups to restore or replace systems as necessary. With a disaster recovery plan, you’ll be prepared and ready to act quickly in case of a disaster.

5. “Our data is backed up and secure.” It’s never safe to assume that your data is secure, even if you’ve taken precautions against the previous four misconceptions. The key to securing your data is clean, tested, and secure backups. If your company loses data due to a security incident or a natural disaster, only your backups will bring you back online. Therefore, it’s important to know how frequently backups are run, how to retrieve your backups, and how to use them to restore your systems. Also, don’t assume your backups will work. Test them regularly so you know for sure that you’re backing up the correct data, that your backup process works as intended, and that your employees know how to use the backups.
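As an added illustration of the restore test this point calls for (example code written for this page, not from the original post or from Cisco), the script below restores a backup archive into a scratch directory and checks that every file on a required list came back and hashes the same as the live copy. File names, contents and the tar.gz backup job are constructed stand-ins.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()  # hash in chunks so large files need not fit in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(source_dir: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:  # stand-in for the real backup job
        tar.add(source_dir, arcname=".")

def verify_backup(archive: Path, source_dir: Path, required: list) -> dict:
    """Restore into a scratch dir and check each required file is present and hashes
    like the live copy: 'missing' = wrong data backed up, 'mismatched' = stale/corrupt."""
    report = {"ok": [], "missing": [], "mismatched": []}
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(tmp, filter="data")  # rejects unsafe paths (Python 3.12+)
            except TypeError:  # older Python without the filter argument
                tar.extractall(tmp)
        for rel in required:
            restored = Path(tmp, rel)
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_of(restored) != sha256_of(source_dir / rel):
                report["mismatched"].append(rel)
            else:
                report["ok"].append(rel)
    return report

def demo() -> tuple:
    """Constructed run: a good backup, then the same archive after live data changed."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        src.mkdir()
        (src / "customers.db").write_bytes(b"constructed sample records")
        (src / "licenses.txt").write_bytes(b"constructed license keys\n")
        archive = Path(tmp) / "nightly.tar.gz"
        make_backup(src, archive)
        good = verify_backup(archive, src, ["customers.db", "licenses.txt"])
        (src / "customers.db").write_bytes(b"changed after the backup ran")  # stale copy
        (src / "orders.db").write_bytes(b"created after the backup ran")  # never backed up
        bad = verify_backup(archive, src, ["customers.db", "licenses.txt", "orders.db"])
    return good, bad
```

Run on a schedule against the real archive and required-file list, a non-empty `missing` or `mismatched` list is the signal that the backup would not bring you back online.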

Network security is always changing. New threats and new ways to thwart those threats form an endless loop, and you need to stay aware of what could penetrate your network defenses. If you don’t have the resources on staff to handle network security, enlist the aid of a local Cisco reseller that specializes in business security issues.

Have you fallen victim to one or more of these myths? What steps have you taken to protect your business?



  1. Nice tips, Michael. These handy tips seem like routine lessons, but if taken seriously they will prevent companies from losing valuable data. I agree that nowadays hackers have realized the importance of small and medium-sized enterprises, so they are more tempted to attack the VPN networks used by small business organisations. In a company we need to have a proper policy and code of conduct to be followed by employees; also, access to critical data like customer credit card numbers should be limited to authorized personnel, and only when approved by the department manager.