The cybersecurity myths companies can’t seem to shake
Cybersecurity myths are like digital weeds: pull one out, and another quickly sprouts in its place. You’ve probably heard them before: Macs don’t get viruses, we’re too small to be a target, or changing passwords often keeps us safer. Experts have been busting these myths for years, yet they still stick around and shape bad strategies while giving people a false sense of security.
Myth 1: AI can replace your security team
No matter how much AI is shaking up cybersecurity right now, it’s still a tool that needs a human behind it. It speeds things up by automating routine tasks and flagging threats faster, but it also produces false positives.
That’s why we still need people to validate alerts and separate real incidents from noise, so teams don’t overreact and can focus on the issues that matter.
According to a survey by Cloud Security Alliance and Google Cloud, only 12% of security professionals believe AI will completely replace their role.
“AI is designed to assist, not replace, human judgment. From a security perspective, it’s highly unlikely AI will operate independently, without human collaboration. Allowing autonomous AI operation, without human oversight, could lead to unintentional gaps in security posture,” said Doug Kersten, CISO of Appfire.
Myth 2: There’s a massive shortage of cybersecurity professionals
For years we’ve heard about millions of cybersecurity jobs just waiting for candidates. If that were true, anyone with a certification would have a job by now. While there are shortages in some specialized areas, the broader market isn’t as wide open as the ‘millions of jobs’ myth suggests.
Part of the confusion comes from mixed signals. One day it’s headlines about staff shortages, the next it’s news of layoffs at major companies. How can both be true?
The answer is that some roles are simply harder to fill. A position that requires working on-site instead of remotely can turn away candidates who would need to relocate. Some companies decide a role is too sensitive for a beginner and look for someone with years of experience. That leaves many entry-level applicants on the sidelines, certifications or not.
Some cybersecurity experts have already challenged this claim and made others think twice.
Myth 3: Deepfakes are just for entertainment
Deepfakes are often seen merely as a form of entertainment shared on social media or as a tool used in the film industry. They are also recognized as a weapon in the disinformation wars between nations.
Yet deepfake technology has outgrown its harmless entertainment status in another way: it has become a tool in the hands of cybercriminals.
People often believe they can spot deepfakes better than they actually can. The reason spotting deepfakes is so difficult is that it’s a new skill for most of us. While we’ve learned to be skeptical of news and bias, questioning whether an image is real goes against how our brains naturally work.
In one case, a deepfake video conference call combined with social engineering caused a multinational company to lose more than $25 million. So, deepfakes are not just funny videos we see on TikTok or YouTube.
“Treat deepfakes like any other cyber threat and apply a zero-trust mindset. That means don’t assume anything is real just because it looks or sounds convincing,” advised Camellia Chan, CEO at X-PHY.
Myth 4: Cyber insurance is a safety net for any breach
Cyber insurance is not a guarantee that every incident will be covered. Most policies now require proof of specific security measures such as MFA, endpoint detection and response, and an incident response plan before coverage begins. Without these controls in place, claims can be denied.
Coverage is also limited. Many policies exclude attacks linked to nation-state actors, incidents caused by unpatched known vulnerabilities, or breaches involving third-party service providers. Even when a claim is accepted, the payout can be less than expected. Sinclair Broadcast Group, for example, is suing its insurers after a 2021 ransomware attack because the payout offered was far below the company’s estimated losses.
“Data breach risks are best mitigated through good cyber hygiene, including strong access controls, database segregation, backups, patching, and training,” noted Michael Daum, Head of Global Cyber Claims for Allianz Commercial.
Myth 5: MFA stops all account takeovers
While MFA enhances security, it does not hold up against every sophisticated attack. Attackers continue to bypass MFA with methods such as MFA fatigue attacks, where users are bombarded with approval requests until they accept one; SIM swapping to intercept SMS codes; and man-in-the-middle phishing techniques that capture authentication tokens in real time.
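As an added illustration (not from the article, and not any vendor’s tooling), here is a defender-side check for the push-fatigue pattern described above, run over a constructed set of authentication log lines; the log format, event names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data); assumed format: "<ISO-8601 UTC ts> user=<id> event=<push_sent|push_denied|push_approved>"
SAMPLE_LOG = """\
2024-05-01T02:10:00Z user=alice event=push_sent
2024-05-01T02:10:05Z user=alice event=push_denied
2024-05-01T02:10:30Z user=alice event=push_sent
2024-05-01T02:10:33Z user=alice event=push_denied
2024-05-01T02:11:00Z user=alice event=push_sent
2024-05-01T02:11:02Z user=alice event=push_sent
2024-05-01T02:11:10Z user=alice event=push_approved
2024-05-01T09:00:00Z user=bob event=push_sent
2024-05-01T09:00:04Z user=bob event=push_approved
"""

def parse_line(line):
    # Split one log line into (timestamp, user, event).
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields["user"], fields["event"]

def find_push_fatigue(log_text, window=timedelta(minutes=10), max_prompts=4, min_denials=2):
    """Return {user: reason} for users whose push history looks like a fatigue attack (thresholds are assumptions)."""
    per_user = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, event = parse_line(line)
        per_user[user].append((ts, event))
    alerts = {}
    for user, events in per_user.items():
        events.sort()
        prompts = [ts for ts, e in events if e == "push_sent"]
        # Sliding window: did `max_prompts` or more prompts land inside `window`?
        start, burst = 0, False
        for end, ts in enumerate(prompts):
            while ts - prompts[start] > window:
                start += 1
            if end - start + 1 >= max_prompts:
                burst = True
        # An approval right after a run of denials is the classic "user gave in" signal.
        denials, gave_in = 0, False
        for _, e in events:
            if e == "push_denied":
                denials += 1
            elif e == "push_approved":
                gave_in = gave_in or denials >= min_denials
                denials = 0
        if burst and gave_in:
            alerts[user] = "approval after repeated denials inside a prompt burst"
        elif burst:
            alerts[user] = "prompt burst"
    return alerts
```

The burst-only branch matters because an alert is most useful before the user finally taps "approve".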
Even FIDO security keys have shown weaknesses under certain attack scenarios. In 2024, researchers identified a cryptographic vulnerability in Yubico’s FIDO-based YubiKeys that could allow attackers to clone the devices. Exploiting the flaw to gain unauthorized access requires that the attacker possess the physical device and specialized equipment.
“An MFA bypass can be achieved through various strategies, all possible because of one key element: human error,” warned Candid Wüest, VP of Product Management, Acronis.