5 myths impacting your cybersecurity posture and business risk management strategy

Nov 28, 2023

Key takeaways

Cybercrime is based on opportunity, not target business size. All companies face risk.

Default SaaS and cloud security features may not offer the full protection that a business needs.

Cybersecurity should be a “day one” priority in all digital transformation initiatives.


A common adage among security experts is that businesses need to prepare for when, not if, a breach attempt occurs. Yet amid the pace of digital transformation and technology evolution, it can be difficult to know if your cybersecurity and risk efforts are aligned with what is relevant to your business. It can also be an uphill battle to convince budget-holders to invest in cybersecurity when so many other needs seem more pressing.

To help combat both challenges, here are five common cybersecurity myths and steps to take if your company needs a deeper look at its technology and practices.

Myth 1

On high-pressure projects, security can be dealt with later

One misstep that we see repeatedly is not planning for security requirements—and cybersecurity’s brethren, compliance and risk—from day one on high-profile digital transformation projects. Typically, the stakeholders involved in the earliest stage focus on business requirements, budget and timing. But if security and risk experts can’t contribute to the design of the solution from the get-go, your organization could face a significant financial impact from redesigning the solution, or be forced to accept security risks it never chose.

Solutions that aren’t well-architected and purpose-built for your organization’s needs lead to workarounds and bolted-on fixes that increase costs, delay launch dates and cause security or compliance gaps. Worse yet, these “fixes” turn into new technical debt that IT must manage and update—a key problem that should be solved by digital transformation, not worsened. Further defeating the purpose, clunky security integrations can limit digital transformation benefits like seamless interoperability, holistic views and automation.

Ask yourself:

  • Who needs to be at the table for every technology modernization initiative?
  • Do we have in-house expertise that can balance security and compliance needs with business requirements?


of middle market executives expect to have to comply with GDPR-like requirements at a state or federal level in the next two years.


of middle market executives believe unauthorized users will attempt to access their data or systems this year.

Myth 2

My company isn’t a prime target for cybercriminals

Another common misperception is that cybercriminals only target large multinationals, as only giant breaches of consumer data typically hit the news. Today, every business is a technology business—and financial gain is the key driver of cybercrime. No matter your industry or size, if you have systems that can be exploited for fraudulent purposes or seized for ransom, your business is a target.

Most cyberattacks are crimes of opportunity. While a few cybercriminals (usually state-sponsored) may aim for the big leagues, thousands of others prefer businesses with easily exploitable systems, poor access management and employees who are less savvy about phishing and other social engineering crimes.

Ask yourself:

  • How much money will we lose if our systems go down for a day? For a week? For even longer?
  • How much reputational damage will we suffer due to a customer data breach?
  • Can the business weather regulatory fines or a ransomware demand?


of middle market executives reported a ransomware attack or demand in 2022.


reported that outside parties attempted to manipulate employees by pretending to be a trusted third party or company executive in 2022.

Myth 3

Our cloud providers and SaaS solutions provide all the security we need by default.

Today, most technology providers tout their security capabilities, from encryption to access management. And while these security features are available for use, cloud and software-as-a-service (SaaS) security features are not enabled by default. You need to configure them so that your technology solutions align with your business risk appetite and compliance requirements.

To safeguard against cyberthreats and breaches caused by human error, your security architecture, system configurations and monitoring capabilities must provide in-depth visibility across your networks and devices, hybrid and multi-cloud environments, SaaS solutions and your own software and apps. It must ensure you’re meeting regulatory requirements, as well as the security standards expected by your partners and clients. And it should be built based on a risk framework so that your critical data, technologies and processes are protected. It’s up to you to find your company’s weakest points before cybercriminals do, and the security provided by SaaS and cloud vendors won’t cover all your needs.

Ask yourself:

  • Is my business making the most of built-in security features in my tech stack?
  • Where are the weak links in my business processes that fraudsters could exploit?
  • Is my current security architecture meeting regulatory requirements?


of breaches occurred in the cloud.

Myth 4

Cyber insurance will protect my company should a breach or incident occur.

While cyber insurance can be an important investment to back up your security efforts, it isn’t the quick path to protection that some may assume. Although the volatile 2022 cyber insurance market has stabilized, prices are still high, capacity is limited and payout limits are judicious. Insurers have enacted stricter baseline control standards for customers. Should your company file a claim, a third party will audit your security program to verify that it meets the criteria you attested to when you applied; if it does not, the insurer will refuse to pay.

So, yes, cyber insurance can help protect your company from monetary losses due to a cyber incident, but only if your security posture is strong enough to meet the required standards. That’s why it’s critical to get your security house in order before seeking insurance.

Ask yourself:

  • Can you meet cyber insurance underwriting requirements?
  • Do you have a cyber disaster recovery plan in place to minimize losses and downtime should an attack occur?


of middle market companies surveyed are carrying a cyber insurance policy, up from 61% last year.

The most popular coverage options reported were:

  • data destruction (65%)
  • hacking (62%)
  • business interruption (56%)
  • failure to safeguard data (55%)

Myth 5

Our security/IT team is handling security with a business risk-based approach.

Today’s complex technology environments require deep and broad skillsets that are challenging to fill amid talent shortages and tight budgets. Purchasing cybersecurity solutions isn’t enough. Due to knowledge gaps and a lack of resources, it’s common for security tools to be misconfigured, poorly integrated, and infrequently monitored. IT departments find themselves managing a security stack that provides more complexity than value.

Even more critically, IT departments often take a checklist approach to security, rather than the business risk lens required for a strong security architecture. Whether this is due to a lack of expertise, access, or time, the result is the same: a limited, siloed security approach that leaves businesses open to mistakes, exploitations, and breaches of their most critical systems.

Ask yourself:

  • How many digital transformation projects or new system implementations has your company undertaken where cybersecurity was not discussed before going live?
  • How many tools are in your security stack? Is it too many for your staff to manage?
  • How is your business addressing cybersecurity risks caused by your own people, such as lax remote work security practices and social engineering naivete?
  • Does your security team have expertise in your business processes, current technologies, and industry?


of middle market executives report that the person most responsible for data security and privacy reports directly to the CEO, an increase from 25% in the prior year’s survey.


of companies invested in new hardware in response to publicized data security breaches, up from 40% the prior year.

Put an end to these myths

Filling the knowledge gap across cloud, networks, SaaS solutions, regulatory compliance and industry-specific technologies can be challenging.

Our trusted advisors include experienced security, technology and risk professionals who bring their knowledge of different industries, businesses and technologies to bear. Whether you are just beginning your digital transformation journey or want to adjust your current trajectory, we can help you build a secure architecture that can grow and scale with your business.

All data points are drawn from the 2023 RSM US Middle Market Business Index Cybersecurity Special Report, except for the cloud breach data point, which came from the IBM Cost of a Data Breach Report 2023.
