Cyber security incidents cost small businesses in the UK an average of £4,200 per incident, with lasting imprints on their operations and reputation. Navigating the cyber security landscape is daunting for any SMB, and what makes the journey even more treacherous is the unintentional spread of misinformation – a digital pandemic that can be as costly as the most vicious malware. Below we dissect the risks of misinformation sharing in cyber security, offering insights and strategies to fortify your business against an enemy that often comes from within.





What Misinformation Looks Like

Before we can root out misinformation, we need to understand it. Misinformation in cyber security takes various forms, from misconceptions about the safety of using “free” software with unverified origins, to the sharing of outdated security protocols, or the misbelief that certain user habits are safe when, in reality, they open a backdoor to risk. This kind of digital hearsay grows from a lack of proper cyber security education and awareness, often stemming from popular yet incorrect “facts” that spread through the business and larger Internet culture.


Case in Point: The Myth of Incognito Mode

Many Internet users have embraced incognito mode as the tool to shield their online activities. While it prevents local browsing history from being saved on the device, it doesn’t hide a user’s online activities from the internet service provider or the websites one visits. Employees who rely on incognito mode could be operating under a false sense of privacy, potentially exposing business-related information to unseen eyes.




How Missed Red Flags Turn Into Major Incidents

The real peril of misinformation is not just in believing incorrect facts, but in the missed opportunities to detect and respond to real threats. It’s akin to being in a forest fire and mistaking smoke for fog – by the time the flames are undeniable, it’s often too late. In a cyber security context, employees and even managers can inadvertently ignore or downplay the initial signs of a security breach due to an unfounded belief that their systems are secure. This tendency can lead to a delayed or completely absent response, allowing minor incidents to escalate into major breaches.


Case in Point: The Not-So-Secure “Password” Myth

There’s a common misconception that complexity alone guarantees the security of a password. However, a complex password that is rarely changed, or worse, written down, is essentially a digital welcome mat for hackers. The infamous 2021 Colonial Pipeline ransomware attack reportedly began due to the use of a simple, oft-used password within the company’s security setup – a sobering reminder of the vulnerability that misinformation about password security can create.




Combatting the Infodemic: Cultivating a Cyber-Savvy Culture

If misinformation is the disease, education is the cure. SMBs must foster a culture of cyber security awareness, where every employee is empowered through knowledge and equipped with the right tools and protocols to safeguard the business’s digital interests. In today’s world of remote work and limitless digital boundaries, traditional castle-and-moat security is no longer enough. Knowledge, vigilance, and a proactive stance against misinformation are the new bastions of digital defence.


Inform and Fortify: The Role of Cyber security Training

Regular, engaging training sessions can instil a sense of collective responsibility and preparedness among your team. These sessions should not only cover the basics of cyber security but also discuss current threats, recent incidents, and best practices for prevention and response. Gamification and scenario-based learning can make the training more effective and enjoyable, ensuring that the information shared is both understood and remembered.


Simplify, Don’t Overcomplicate: Making Security Accessible

Cyber security experts sometimes fall prey to the curse of knowledge, inadvertently speaking in jargon that baffles rather than informs. When disseminating security information, strive to make it digestible for all team members. Use analogies, metaphors, and stories that resonate with their experiences. For example, comparing firewall functions to doors and windows can demystify a critical cyber security concept.




Addressing Misinformation from the Top Down

Misinformation within a business environment often trickles down from the leadership team. Top management’s attitudes and beliefs about cyber security can influence the entire company’s stance on the matter. When leaders understaff or underfund cyber security initiatives, or fail to prioritise training, a culture of neglect is born in which misinformation thrives.


Setting the Right Tone: Leading by Cyber security Example

Leaders must lead by example, taking cyber security seriously and being visible in their commitment to staying informed and following best practices. This can include regular communication about cyber security initiatives, such as new tools or protocols, as well as demonstrating personal adherence to security guidelines. When the C-suite sets a strong precedent, it becomes an expectation that cascades throughout the organisation.


Investing in Robust Systems and Training: The Costly Price of Neglect

For SMBs, investment in cyber security might seem like an expense they can ill afford, particularly when misinformation suggests a lower level of threat. However, the true cost of a breach, both in financial terms and in damaged reputation, far outweighs the investment in preventive measures. Robust security systems, regular updates, and comprehensive training should be viewed as indispensable assets in a volatile digital market.




Building a Response and Recovery Team

No matter how vigilant your employees are, breaches can and do happen. It is therefore crucial to have a designated response team in place, ready to act at a moment’s notice. This team is the front line of defence when misinformation has fostered a breach, and the quality of their response can be the difference between containment and catastrophe.


Embracing the Breach: Crafting a Proactive Response Plan

Instead of operating under the hopeful shroud of ‘it won’t happen to us’, SMBs should approach cyber security with a ‘when it happens, we’ll be ready’ mentality. A response plan should be comprehensive, detailing the steps to be taken from the moment a breach is suspected, through to resolution and recovery. Regular drills can familiarise the response team with their roles and actions, ensuring they can act confidently and swiftly in a real incident.


Learning from the Leak: Post-Incident Review and Continuous Improvement

Every cyber security incident, regardless of scale, should be reviewed with a critical eye to uncover what went wrong and why. This is not a witch hunt but an opportunity to learn and improve. By recognising and addressing the misinformation that contributed to the incident, SMBs can shore up their defences against future threats, enhancing their resilience and knowledge base.



Misinformation – A Risk We Can’t Afford to Take

Misinformation in cyber security is not a mere inconvenience; it’s a clear and present danger with potentially devastating consequences. For an SMB, the journey toward a cyber-informed and cyber-resilient organisation is both a vital mission and an ongoing process. By addressing the root causes of misinformation, investing in education and robust security measures, and nurturing a culture of continuous learning and improvement, you are not just safeguarding your business; you are empowering it to thrive in our increasingly digitised future. Remember, the cost of ignoring this issue is far greater than the investment required to fix it – in cyber security, knowledge truly is power, and sharing it wisely can be the difference between survival and loss.