4 Cybersecurity Myths That Deserve a Reality Check
At Optimal Networks, we’ve been guiding law firms, associations, and consulting firms through technology decisions since 1991.
While technology has never remained stagnant, it did move slower back in the 90s. Today, security best practices are changing so rapidly it’s nearly impossible to keep the facts straight unless technology is your full-time job.
Since technology is our full-time job, we want to help bring some clarity to four of the most common misconceptions and outdated guidance we encounter regarding cybersecurity.
Myth 1: Security Is IT’s Responsibility
It’s tempting to view cybersecurity as something your IT provider “handles.” In reality, security is an organizational responsibility—and leadership sets the tone.
Every employee interacts with systems, data, and communications that could introduce risk. A single phishing email or misused credential can bypass even strong technical safeguards.
What this means in practice:
- Leadership must visibly prioritize security
- Employees need clear expectations and training
- IT should be held accountable for a layered security approach, not a single solution
People and process matter just as much as technology.
Myth 2: MFA Will Prevent an Email Compromise
Multi-factor authentication (MFA) is essential—but it is not foolproof.
We’ve seen firsthand how bad actors use tactics like Adversary-in-the-Middle (AiTM) attacks to bypass MFA. These methods can hijack active sessions or steal authentication cookies, allowing attackers to access accounts without triggering additional prompts.
So while MFA is necessary, it’s not sufficient. A stronger approach includes:
- Monitoring for unusual login behavior
- Implementing conditional access policies
- Conducting ongoing security reviews and threat detection
- Regular security awareness training with phishing simulations
Treat MFA as one layer of security—not the entire strategy.
Myth 3: A Security Incident Is Obvious and Disruptive
Many organizations expect a breach to look dramatic—systems locked, alarms triggered, operations halted. In reality, the most damaging attacks are often quiet and persistent.
On average, it takes about 180 days for organizations to detect a breach. In that time, bad actors may:
- Sit inside an email account unnoticed
- Create forwarding or deletion rules
- Monitor conversations to plan financial or data-related fraud
There’s no immediate disruption; business continues as usual until the damage is done. This subtlety is what makes detection so challenging. It requires:
- Continuous monitoring
- Advanced threat detection tools
- Regular review of user activity and configurations
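The session-hijacking signs described under Myth 2 and the quiet inbox-rule abuse described under Myth 3 are both visible in mailbox and sign-in audit logs if someone looks. The following is an added example (not Optimal Networks' code or any product's built-in check) that runs two such checks over a handful of constructed audit records; the record layout is an assumption loosely modelled on Exchange/M365-style audit events, and the addresses are documentation ranges, not real indicators.

```python
from datetime import datetime, timedelta

# Constructed audit records (assumed layout, not a real product schema):
# who did what, when, from where, and with which rule parameters.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:02:11Z", "user": "cfo@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "country": "US"},
    {"ts": "2024-03-04T09:41:55Z", "user": "cfo@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "country": "NG"},
    {"ts": "2024-03-04T09:43:02Z", "user": "cfo@example.com", "op": "New-InboxRule",
     "ip": "198.51.100.7",
     "params": {"Name": ".", "ForwardTo": "ext@attacker.example", "DeleteMessage": True}},
    {"ts": "2024-03-04T10:15:00Z", "user": "pm@example.com", "op": "New-InboxRule",
     "ip": "203.0.113.12", "params": {"Name": "Newsletters", "MoveToFolder": "News"}},
]

# Cmdlets that create or change mail-handling rules, and the parameters
# that send mail outside the mailbox or make it disappear.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
RISKY_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "DeleteMessage", "ForwardingSmtpAddress"}

def find_suspicious_rules(events):
    """Flag rule changes that forward mail out or silently delete it.
    A one- or two-character rule name is also flagged: it is a common way
    to keep a rule from standing out in the user's rule list."""
    hits = []
    for e in events:
        if e["op"] not in RULE_OPS:
            continue
        params = e.get("params", {})
        risky = sorted(RISKY_PARAMS & set(params))
        odd_name = len(params.get("Name", "")) <= 2
        if risky or odd_name:
            hits.append((e["user"], e["op"], risky, odd_name))
    return hits

def find_rapid_location_changes(events, window_minutes=60):
    """Flag one user signing in from two countries within a short window,
    a sign that a stolen session or credential is being replayed elsewhere."""
    last, hits = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["op"] != "UserLoggedIn":
            continue
        t = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        prev = last.get(e["user"])
        if prev and prev[1] != e["country"] and t - prev[0] <= timedelta(minutes=window_minutes):
            hits.append((e["user"], prev[1], e["country"], e["ip"]))
        last[e["user"]] = (t, e["country"])
    return hits
```

Run against the constructed records, the first check flags the CFO's forward-and-delete rule and the second flags the US-to-NG sign-in pair 39 minutes apart, while the project manager's ordinary "Newsletters" rule passes.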
Just as poor internal systems can quietly erode client experience over time, unnoticed security gaps can quietly erode your organization’s safety. Neither announces itself—but both have real consequences.
Myth 4: Data Is Safer On-Premises Than in the Cloud
Many organizations still associate “on-premises” with control—and therefore safety.
But “safe” is not a fixed state, and in many cases, on-premises environments introduce more risk, not less:
- They are often more expensive to maintain properly
- They usually lack the redundancy and uptime of cloud platforms
- Security depends heavily on internal resources and consistency
IBM’s Cost of a Data Breach report found that while 23% of breaches involved data stored in a public cloud environment, 28% involved data stored on-premises.
Moving Forward with Clarity
A good cybersecurity strategy is fluid. Threats and defenses are constantly evolving, which means best practices will change shape, too.
At the time of writing, we’re advising our clients to layer tools, controls, training, and policies while exploring components of a zero-trust approach. More than anything, make sure you can rely on your IT partner to stay informed and agile when it comes to their recommendations.
Stay safe out there!