
Debunking 6 Common Myths to Mitigate Insider Risk

External cybersecurity risks dominate the news. Ransomware, data breaches, social engineering schemes and password hacks all negatively impact businesses of every size. But internal risks also represent a growing share of digital danger.

That’s because cybercriminals increasingly view humans as the most vulnerable point of exploitation. And for good reason: a Gartner survey of 1,310 employees conducted in spring 2022 revealed that 69 percent of them had bypassed their organization’s cybersecurity guidance in the past 12 months. And 74 percent said they would do it again if it helped them or their team achieve a business objective.

“Friction that slows down employees and leads to insecure behavior is a significant driver of insider risk,” said Paul Furtado, an analyst at Gartner. Traditional cybersecurity tools are limited in their ability to block such threats, making extra layers a must to enhance protection.

Is My Business Really at Risk? 
Many companies think their employees could never be the source of a security incident. That is a myth that needs dispelling. It’s not that employees endanger business information or protected data on purpose – it’s that attackers have become exceptionally adept at exploiting normal human behavior. 

This includes the following:
  • Storing weak passwords in unprotected web browsers
  • Using public Wi-Fi connections to conduct company business
  • Failing to run data backups, or never testing that they can be restored 
  • Accidentally losing important business devices
  • Falling prey to phishing email scams  
Everybody thinks, “It will never happen to me.” That’s another myth that needs to be dispelled. CMIT Solutions collected the six myths we hear most frequently to demonstrate how such thinking can be dangerous – and how extra cybersecurity protection can help to keep your business safe. 

A strong password can’t be hacked
No matter how unique your password is, someone is trying to crack or steal it. Some attackers run brute-force and dictionary tools that test millions of guesses per minute (far more when they are working against a stolen password database offline than against a live login page); others take credentials exposed in old breaches and replay them against other sites and applications, a technique known as credential stuffing. 
The best method of protection is to use a different password for every account and platform, ideally generated and stored by a password manager. That way, if one password is stolen, attackers won’t immediately gain access to all of your accounts. 

In addition, multi-factor authentication – logging in with something you know, like your password, and something you have, like a one-time code from an authenticator app or a code delivered by text message, email or push notification – is a must. Not all second factors are equal: an authenticator app or a hardware security key resists phishing far better than codes sent by text or email, which can be intercepted or simply typed into a fake login page.

We’ve never gotten a virus
Every computer user thinks that they’ll be fine – right up to the moment they click a malicious link or open an infected attachment. The most effective malware is also the most elusive: it doesn’t announce itself with a flashing red screen or a warning message. Instead, it is built to run quietly in the background, stealing data or credentials without raising any red flags. Just because you don’t know about an infection doesn’t mean you haven’t been compromised, which makes proactive monitoring and threat detection a must for any business.

Our data has never been stolen
Like malware infections, most data breaches don’t reveal themselves immediately. Even big corporations often don’t discover a compromise until weeks, months or even years after it began, long after private information like passwords, birthdays and even credit card numbers has been stolen. Even then, many companies only reveal the details of a breach when the public reports it or media pressure forces a response. 

To protect your information, comprehensive, multi-layered security is a must. This includes enterprise-grade antivirus and anti-malware software that keeps up with evolving threats, firewalls that monitor and analyze Internet traffic, and other tools right-sized for your business. 

Our backups are stored somewhere 
Most businesses acknowledge the immense importance of saving important business information. Many, however, don’t understand what regular, remote and redundant data backup actually requires. 

First and foremost, backups should run automatically on a schedule so that no single employee is responsible for remembering them. Second, saving your data to an external drive sitting next to your computer isn’t safe (imagine what a fire, flood, theft or ransomware infection will do to that); at least one copy should live offsite or offline. Third, recovery should be an integral part of any backup plan: restores should be tested regularly so that saved information can be reinstated quickly in the event of any issue, rather than discovering at the worst moment that the archive is corrupt or incomplete. 
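What “automatic and tested” looks like in practice. The script below is an added example, not something from the article or from CMIT Solutions: it archives a directory, stores a SHA-256 checksum beside the archive, and then proves the backup is usable by restoring it into a scratch directory and comparing it with the source. The directory paths and sample files are constructed for the demo. It assumes GNU tar and coreutils (sha256sum); on macOS substitute shasum -a 256. Running it from cron against a destination on separate, offsite storage supplies the “automatic” and “remote” parts; the restore test is the step most backup setups skip.

```sh
#!/bin/sh
# Added example: back up a directory, checksum the archive, and test-restore it.
set -eu

# verify_archive ARCHIVE SRC: returns 0 only if the recorded checksum matches and the
# archive restores to an exact copy of SRC. Anything else is a backup you cannot rely on.
verify_archive() {
    v_archive="$1"
    v_src="$2"
    v_dir=$(dirname "$v_archive")
    v_name=$(basename "$v_archive")
    # Checksum first: a damaged or tampered archive fails here before any restore attempt.
    (cd "$v_dir" && sha256sum --status -c "$v_name.sha256") || return 1
    v_scratch=$(mktemp -d)
    if tar -xzf "$v_archive" -C "$v_scratch" && diff -r "$v_src" "$v_scratch" >/dev/null; then
        rm -rf "$v_scratch"
        return 0
    fi
    rm -rf "$v_scratch"
    return 1
}

# backup_and_verify SRC DEST: writes a timestamped archive plus a .sha256 file into DEST,
# runs the restore test, and prints the archive path only if that test passes.
backup_and_verify() {
    src="$1"
    dest="$2"
    mkdir -p "$dest"
    name="backup-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -czf "$dest/$name" -C "$src" .   # paths are stored relative to the source root
    (cd "$dest" && sha256sum "$name" > "$name.sha256")
    verify_archive "$dest/$name" "$src" || return 1
    echo "$dest/$name"
}

# Constructed demo data (not real business files): a temporary source tree.
demo=$(mktemp -d)
mkdir -p "$demo/src/invoices"
printf 'Q3 ledger\n' > "$demo/src/accounts.txt"
printf 'INV-1001 paid\n' > "$demo/src/invoices/1001.txt"
if out=$(backup_and_verify "$demo/src" "$demo/dest"); then
    echo "backup written and restore verified: $out"
else
    echo "backup FAILED its restore test" >&2
fi
rm -rf "$demo"
```

Schedule backup_and_verify with cron or a systemd timer, point DEST at mounted offsite or object storage, and alert on a non-zero exit: a backup that silently fails its restore test is the exact situation the myth above describes.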

We’re completely covered
Sadly, no cybersecurity protection is all-encompassing. New threats emerge every day, and defenses have to change with them. True protection and preparedness are a dynamic proposition that requires 24/7 monitoring, ongoing research, and training that constantly evolves to meet the needs of today’s employees. Remember, they’re the ones who could represent the biggest insider risk if they’re not trained properly.

Cybersecurity is the IT department’s job – not ours
A trusted IT provider can certainly help your business thrive, mitigating many of the most common IT headaches. But the best kind of partnership requires skin in the game from everyone at your business. While trained cybersecurity experts work in the background to solve complicated problems, employees, managers and executives can serve as the first line of defense against common threats. 

Chris Grumboski is the president of CMIT Solutions of Oak Park, Hinsdale and Oak Brook, Ill., which provides IT services for businesses. He can be reached at 708-919-5132 or by visiting