Numerous harmful myths about IT security are circulating in the small and medium-sized enterprise (SME) sector. It’s common to hear business leaders say, “They won’t attack us, we’re too small,” or “We have antivirus software, we don’t need anything more.” Unfortunately, these assumptions have already led to painful real-world experiences for many companies. According to international statistics, for example, one in five businesses has experienced a cyberattack during their operations. Many of them only realized then that their security concepts, which they had believed to be reassuring, were flawed.
Below, we debunk five common IT security myths, supported by specific Hungarian examples and data, to help business leaders realistically assess the risks and prevent major disasters. Cyberattacks do not spare Hungarian companies either: in 2024, nearly 25% of businesses fell victim to some form of malicious activity. Some attacks caused significant financial damage, especially if the company was not adequately prepared for defense.

1. Myth: “Our company is not an interesting target”
The reality: Every company is a potential victim, including smaller ones.
Many believe that a small business’s data or systems are not valuable enough for hackers to target. However, this is a grave mistake. For cybercriminals, “easy prey” is often more attractive than a big fish. The director of Hungary’s National Cyber Security Institute aptly put it: “There are two types of companies: those that have been hacked, and those that haven’t yet.” In other words, it is only a matter of time before everyone faces this type of attack, regardless of the company’s size or profile.
Statistics support this. In 2023, 43% of cyberattacks worldwide targeted small businesses. And in Hungary, as mentioned in the introduction, one in five companies was successfully attacked last year. These included numerous SMEs, not just large corporations. Attackers often use automated tools to scan the internet for weak points, and a small company’s website or network is just as likely to get caught in the net as that of a larger organization.
Furthermore, cybercriminals often attack through the supply chain. A small company may not be a valuable target on its own, but if it provides access to a larger partner, it can open a gateway for attackers. Cybersecurity expert Olivér Bor has pointed out that hackers prefer to infiltrate an organization through one of its employees or smaller subcontractors, as this is often easier than directly breaching the target’s main systems.
Therefore, no one is safe: any business must anticipate that it will eventually face a cyberattack. This is proven by the case of a well-known Hungarian medium-sized company, UNIX Autó: the company’s systems were recently paralyzed by ransomware, and messages appeared on their monitors demanding a ransom that doubled in five days. If it can happen to them, it can happen to anyone.
What can we do? First, we must recognize that our company can indeed be a target, no matter how small or little-known it is. With this in mind, we must prepare our defenses in advance: put basic technical protections and an incident response plan in place, and make employees aware of the danger. We should not pay attention to IT security because it is “mandatory,” but because our survival may depend on it. As a recent domestic report states: the annual damage caused by cyberattacks has become one of the most pressing and costly business risks globally, and Hungarian SMEs are also taking their share of this risk.

2. Myth: “Cybersecurity is a technical issue, it’s the IT colleagues’ job”
The reality: The human factor plays a key role, and security is also a leadership responsibility.
A common misconception is that IT security can be solved purely with technological tools: firewalls, antivirus software, encryption, etc. Of course, good defensive software and hardware are essential, but they do not provide complete protection on their own if users are careless or there is no security awareness in the company culture. Attackers often target the weakest link, the human: for example, by tricking someone into revealing a password through a phishing email or by persuading an employee to run a malicious program.
According to research, the human factor plays a role in 74% of IT security incidents, whether it’s human negligence, a weak password, abuse of privileges, or psychological manipulation (social engineering). In other words, in 7 out of 10 cases, the problem could have been prevented with some organizational, educational, or other measure. This also shows that cybersecurity is not just “the IT department’s problem,” but also a business risk management task. Management should also be involved: by providing appropriate policies, ensuring resources, and “setting a good example,” they should encourage security-conscious operations.
Continuous training of staff is crucial. The most expensive security system is useless if employees cannot recognize fraudulent calls or emails. Creating a positive security culture, where employees also understand why it is important to follow the rules, is one of the best defenses. A single careless click can be enough for an infection, but if everyone at every level of the company pays attention to defense, many attacks will fail before they can cause harm.
It is therefore important for company management to realize that IT security is everyone’s responsibility. This also includes having a designated person (or team) responsible for security tasks, who monitors new threats, updates policies, and educates colleagues. If there is no such expert in-house, it is worth turning to an external partner. For example, an experienced IT managed services provider can offer continuous monitoring and expert support, so company management can rest assured that suspicious events will not go unnoticed, without having to deal with them on a daily basis. The key is not to treat cybersecurity just as a technology project, but to integrate it into our company’s operations from a human and business perspective as well.

3. Myth: “Antivirus and a firewall are enough, we are 100% protected”
The reality: Basic protections are important, but they are far from providing comprehensive security.
Many SMEs feel they have done their best in terms of IT security because they have installed antivirus software, have a firewall on their network, and perhaps encrypt their Wi-Fi. These basic measures are indeed necessary, but unfortunately, they are far from sufficient against today’s sophisticated attacks. Threats are constantly evolving, and criminals try to bypass standard defense tools.
Traditional, password-based protection has become inadequate against targeted phishing attacks; stronger methods, such as multi-factor authentication, are also needed. The same is true for endpoint protection in general: a simple antivirus program does not necessarily recognize new types of ransomware or attacks based on human deception. Research has shown that almost all Hungarian companies use antivirus software (98%) and firewalls (97%), but the use of more advanced security solutions is much lower. For example, only a small fraction of companies use intrusion prevention systems, advanced network security monitoring, log analysis, or vulnerability scanning. It is also common for organizations not to have a dedicated security expert (in 55% of cases), making it difficult to keep up with the multitude of threats.
All this means that while there is protection on paper, there are actually invisible gaps in the shield. It is a mistake to believe that 100% protection exists or that security is “taken care of” by installing a few products. Defense is a continuous, 24/7 task: we must monitor the integrity of our system, notice anomalies, and react immediately to an intrusion attempt. And for this, the arsenal must be maintained: we must regularly update our software, fix found vulnerabilities, and fine-tune the settings. If we cannot continuously manage this in-house, it is worth entrusting the task to professionals. For example, an external network security provider can operate modern intrusion detection systems on our network and monitor traffic 24/7, immediately signaling if there is a problem.
It is also important to see that using cloud services does not completely exempt us from dangers. Many think that if their data is in a well-known cloud (Google, Microsoft, etc.), the provider is guaranteed to protect it. In reality, security in the cloud is a shared responsibility: the provider offers a certain basic level of protection, but protecting our own accounts and access is our job. So, we should not sit back just because “everything is in the cloud”; strong passwords, multi-factor authentication, and log monitoring are just as necessary as if the data were on our own server.
In summary, traditional tools like antivirus and firewalls are necessary but not sufficient conditions for security. Against today’s complex threats, a multi-layered defense is needed: a combination of endpoint protection, network monitoring, cloud security configuration management, regular audits, and training. Only in this way can it be ensured that an attack does not go unnoticed and is blocked before it causes harm.

4. Myth: “Prevention is too expensive – if we get attacked, we’ll pay the ransom or fix the damages”
The reality: The subsequent cost of a cyberattack is usually much greater than the amount that would have been invested in protection.
Many companies fall into the trap of only starting to scramble after an incident, while previously being reluctant to spend money and energy on security. The temptation is understandable: protection does not directly “generate profit,” whereas a development project or the purchase of a new machine does. However, this short-term saving can easily backfire. Experience shows that rectifying damages after the fact always costs much more than preventing them. Just think about it: after a ransomware attack, the costs include not only restoring our systems but also lost business, damage to partner trust, potential official fines, and legal proceedings. And even then, it is not certain that we will get our data or our reputation back.
Specific examples also show how expensive reaction can be instead of prevention. According to a recent survey, 39% of Hungarian ransomware victims preferred to pay the ransom to the attackers. Among them were companies that paid 50–100 million HUF, or even more, after a single incident, and this is only the amount transferred to the extortionists, not including business interruption and other damages. Moreover, according to market information, there were two Hungarian companies that each paid a ransom of 1.7 billion HUF following an attack. These are shockingly high amounts, which could mean a fatal blow for an SME. And what’s worse: there is no guarantee that the fraudsters will return the data or not publish it in exchange for the ransom. So, paying is not only morally questionable but also a risky business move.
Meanwhile, the cost of a well-designed security development or service is dwarfed by these figures. According to IBM’s global survey, the average direct cost of a data breach in 2023 was $4.45 million (approx. 1.5 billion HUF), while a basic cybersecurity protection package costs only a fraction of this. Furthermore, prevention is not only more financially viable, but it also protects the company’s reputation and operational capability. An 8-hour outage (which can easily occur after a serious attack) already generates severe losses on its own. According to a Cisco report, 40% of SMEs that suffered a cyberattack faced at least eight hours of downtime, which is often more damaging than the cost of system restoration itself.
The regulatory environment is also pushing companies not to postpone information security investments. From 2024, the European Union’s NIS2 directive will extend mandatory minimum cybersecurity requirements to many more companies in Hungary. Those who do not comply can expect serious fines, not to mention that it is impossible to “get prepared” after an incident has already occurred. Lawmakers are essentially sending the message: too many have chosen the path of “we’d rather pay the fine or write off the loss than spend money in advance,” and this must change.
The lesson is clear: prevention is always cheaper and gentler than firefighting. It is better to spend X amount annually on security, for example, on up-to-date protection, external IT management, and employee training, than to lose ten times that amount or even the future of our company in a single incident. Forward-thinking business leaders now see this as an investment, not a needless expense. After all, a cyberattack is not just an IT problem, but a business continuity issue: survival, market reputation, and customer trust depend on it.

5. Myth: “Only large corporations or certain industries get hit by cyberattacks, our sector is safe”
The reality: Every sector and every company size is at risk; there are no exceptions in the crosshairs of cybercriminals.
Some decision-makers are inclined to think that their company’s profile is “too mundane” or not IT-centric enough to become a target for hackers. A common example: “we are just a small construction company, what interesting things could they possibly steal from us?” or “attackers prefer to go after banks and IT companies, they are not interested in a waste management company.”
This, however, gives a false sense of security. The reality is that any company can be valuable to criminals, if for no other reason than for its money or the ransom extorted by disrupting its operations. Today, there is no sharp dividing line between industries in cyberspace. Attackers try their luck wherever they find a weak point. There have been examples of hospitals being blackmailed with patient data, municipalities having access to their customer portals paralyzed, and manufacturing companies being shut down by attacks on their production control systems. Public services are just as much targets as the private sector. In 2023 in Hungary, for example, the most frequently attacked sector was public services, and psychological manipulation was used in 35% of the attacks, a method that can deceive employees of companies in any industry.
It is important to understand that all companies are equal before cyberattacks. There is no such thing as “too small a fish”; cybercriminals attack in large volumes, often automatically, and use the same tools against a small company as against a large one. In fact, one study found that there is no difference in the level of protection needed based on company size or industry, as they are all exposed to the same attacks. Every business should be protected with the most modern technology possible, and today this is by no means unfeasible for smaller companies. In other words, it’s not true that a small retail company can “get by” with basic protection while only a bank needs professional solutions. Everyone needs it; otherwise, the small ones will become the primary targets of hackers precisely because they are the most defenseless.
The good news is that new technologies and services are now available to SMEs as well. It is no longer the privilege of multinational companies to have, for instance, 24/7 security monitoring or an advanced intrusion detection system. Unicorn also strives to make the highest level of protection affordable for small and medium-sized enterprises. Our company’s product portfolio includes enterprise-level firewall and intrusion prevention solutions, as well as cloud security services and managed security operations, which we offer in a customized manner to our smaller clients as well.
Ultimately, it is in every company’s own interest to strengthen its cybersecurity, regardless of the field in which it operates. Let’s not delude ourselves into thinking that “this can’t happen to us,” but rather prepare for what will happen if it does. Past domestic cases show that those who acted in time saved themselves from serious losses, while those who dismissed the danger often paid a painful price for it.

Summary: Let myths become lessons!
Digital security is now a business fundamental, not an optional IT issue. We have examined five common myths that mislead many SME decision-makers: we have seen that “being small” does not mean protection at all; that besides technology, the human factor must also be considered; that there is life beyond basic protective tools; that prevention is far cheaper and safer than damage mitigation; and that every sector is in the crosshairs, not just, for example, the financial one. These lessons are supported by data and domestic examples, and it is worth taking them seriously.
What should a responsible business leader do? First, assess the risks and their own level of protection. If there are shortcomings on any front—be it technical, human, or procedural—act now, do not wait for trouble.
A few suggested steps for decision-makers:
– Increase awareness: Ensure that all employees know the basic security rules and dangers (e.g., signs of phishing). It is worth holding regular training sessions.
– Maintain systems: Regularly update software, fix vulnerabilities, and have up-to-date security backups stored separately.
– Multi-layered protection: Identify your critical data and systems and protect them in multiple layers, e.g., next-generation firewall, intrusion detection, endpoint protection, strong authentication.
– Monitoring and reaction: Ensure continuous monitoring, either with internal resources or an external partner, so you can act immediately in case of an incident. Have an incident response plan!
– Involve an expert: If you do not have adequate in-house capacity, bring in an expert service provider. An external security company or managed service can take a huge burden off your shoulders and provide professional protection.
The key is not to let ourselves be deceived. IT security is not a bogeyman; it repays the care it receives: those who take care of it in time are protecting their own company and customers in the future. In cyberspace, the leader of every company must ask the question: am I ready to face attacks? If the answer is no, then it is time to strengthen defenses, because the danger will surely arrive sooner or later.
Unicorn’s team of experts is at our partners’ disposal to help domestic SMEs keep their business operations secure with the latest defense solutions and experience. Let’s not wait for myths to become irrefutable reality; let’s act in time, with a data-driven approach, wisely!