When our Director and Head of Security Strategy, Jorien Decroos, recently spoke at the Agoria|Sirris Annual Event, she tackled a topic that often causes business leaders to lose interest: cyber security. Instead of presenting another grim outlook on Russian hackers and compliance checklists, she focused on “hacking” the dangerous myths that leave businesses vulnerable.
At Approach Cyber, we regularly encounter the disconnect between cybersecurity reality and business perception. When “cyber security” appears on meeting agendas, most executives don’t exactly lean forward with excitement. The common thinking remains “That’s the IT department’s problem, not ours.”
But here’s what we’ve observed across our client base: while business leaders have been dismissing cyber security as someone else’s concern, cybercriminals have been making serious money. And increasingly, it’s our clients’ money they’re targeting.
The reality is that cyber security has evolved far beyond an IT issue. It’s become a fundamental business challenge that directly impacts growth, reputation, and competitive advantage. Yet many organizations are still operating under misconceptions that could prove catastrophic.
The First Dangerous Myth: “Cyber Security is Just an IT Problem”
This misconception is pervasive across organisations of all sizes. It sounds logical: hire competent IT professionals, purchase security software, check the compliance box, and focus on “real” business issues.
But this thinking nearly cost companies like Sea-Invest everything. When they were hit by ransomware in 2022, the attack didn’t just affect their IT infrastructure. Their entire global port operations — responsible for moving 150 million tons of cargo annually — came to a complete standstill.
The ripple effects were immediate and far-reaching. Colruyt suddenly faced the prospect of empty store shelves. Fruit imports through Antwerp ground to a halt. Oil terminals had to revert to manual processes that hadn’t been used in decades. This wasn’t an IT incident anymore; it was a full-blown business continuity crisis affecting entire supply chains.
What we’ve learned through years of consulting is this: IT teams may support the systems, but businesses run on them. When those systems fail, it’s not the IT department that has to explain to frustrated customers why their orders are stuck in digital limbo.
The truth is, cyber security isn’t about firewalls and antivirus software. It’s about ensuring business continuity tomorrow, next week, and next year. It’s about protecting the foundation that everything else is built on.
The Second Myth: “People Are the Weakest Link”
This narrative dominates boardroom discussions. Yes, it’s true that the vast majority of successful cyberattacks start with human error: someone clicks a suspicious link, downloads a fake CV, or falls for a convincing phishing email. It’s easy to blame human nature and move on.
But this thinking misses a crucial opportunity: people aren’t just vulnerabilities. With proper investment, they become the strongest defence layer.
The numbers tell a compelling story. Security awareness training costs roughly about the price of a business dinner or a weekend getaway per employee annually. Compare that to the average data breach, which costs more then most people’s houses.
Organisations that invest in comprehensive training programs see remarkable results. Phishing click rates drop from approximately one-third of employees down to less than 5%. But the real transformation happens when well-trained employees stop being passive recipients of security policies and become active participants in threat detection.
We’ve observed this transformation across our client base. When employees understand their role in cyber security and feel empowered to act, they become incredibly effective at spotting and stopping threats before they can cause damage. Reporting rates for suspicious emails jump from virtually zero to genuinely impressive levels.
The lesson is clear: people aren’t the weakest link. Untrained people are. There’s a crucial difference, and bridging that gap could save your business.
The Third Myth: “We’re Too Small to Be Targeted”
This might be the most dangerous myth of all. Across countless client consultations, we hear variations of this: “We’re not interesting,” “Hackers have bigger targets,” “We don’t have anything valuable.”
But consider this: every business has money, customer data, and operations that would be seriously problematic to lose. These are exactly what cybercriminals are seeking.
What many business leaders don’t realise is that hackers often aren’t carefully selecting individual targets. They’re running automated attacks, casting wide nets to see what they catch. If defences are weak, smaller organisations become prime targets.
The uncomfortable truth is that being small doesn’t provide invisibility, it creates vulnerability. Small and medium businesses often have valuable data but limited security resources. They’re connected to larger supply chains but have fewer defences. From a cybercriminal’s perspective, they represent the perfect opportunity.
We’ve witnessed municipal governments, local hospitals, and family-owned businesses fall victim to cyberattacks. The attackers don’t evaluate company size; they assess vulnerability and potential return on investment.
Size doesn’t matter to cybercriminals. Vulnerability does. Organisations cannot afford to confuse being small with being safe.
What’s Really at Stake: Beyond Financial Loss
When discussing cyber security risks with business leaders, conversations often focus primarily on financial impact. The numbers are indeed sobering — the average data breach costs €4.5 million globally, with even smaller incidents running €200,000-500,000.
But the financial hit represents just the beginning of the problems.
Since Belgium implemented NIS2, directors now face personal liability for cyber security failures. This isn’t corporate liability where company insurance covers costs — it’s personal liability that could affect individual assets and professional reputations.
The business landscape has shifted dramatically. In merger and acquisition discussions, cyber security factors into valuations in 96% of transactions. Insurance companies are reducing premiums for well-protected businesses while dramatically increasing rates for those without adequate protections. Organisations with strong security postures report twice the customer retention rates of their less-protected competitors.
What’s most striking is how cyber security has become a competitive differentiator. Companies that approach this strategically aren’t just avoiding disasters, they’re positioning themselves as the businesses customers trust, partners prefer, and investors value more highly.
This shift represents a fundamental change in how organisations must think about cyber security.
It’s no longer about disaster avoidance; it’s about competitive advantage in an increasingly digital economy.
Getting It Right: Quality Over Quick Fixes
Organisations ready to take cyber security seriously must commit to doing it properly.
The immediate reaction is often: “But cyber security is expensive!” The response should be: “Not having proper cyber security when you need it is far more expensive.”
Too many organisations attempt to cut corners with discount security solutions. It’s like purchasing bargain safety equipment, it seems financially prudent until it fails when most needed. Quality cyber security requires quality investment.
Effective cyber security demands investment in three critical areas: the right technology, the right processes, the right people.
The key insight is that effective security becomes embedded throughout organisational operations. It lives in employees’ daily habits, systems’ configurations, and business continuity planning. When approached this way, cyber security stops being a bolt-on expense and becomes a competitive advantage that enables confident growth and innovation.
Moving Forward: From Necessary Evil to Strategic Asset
The transformation from viewing cyber security as a cost centre to recognising it as a business enabler starts with changing organisational mindset at the executive level.
Companies that treat cyber security as a strategic investment consistently demonstrate higher valuations, stronger customer loyalty, and superior operational resilience. Those still operating under the “IT problem” paradigm face increasingly existential threats from sophisticated attackers, stringent regulations, and competitive disadvantage.
The next time cyber security comes up in organisational discussions, leadership should resist thinking “IT problem” or “necessary evil.” Instead, consider: business opportunity, competitive advantage, brand protection.
Cyber security should be viewed as the foundation that enables fearless innovation and confident growth in an increasingly digital world.
Organisations are at a critical juncture. The combination of escalating threats, stringent regulations, and unprecedented opportunities means that companies acting decisively will thrive in the digital economy. Those that continue to delay face not just financial losses but potential business failure.
In today’s interconnected world, where a seven-minute malware infection can destroy global operations, cyber security isn’t optional, it’s the foundation of modern business survival.
The myths discussed here — that cyber security is just an IT problem, that people are the weakest link, that small companies aren’t targets — these misconceptions are literally costing businesses millions and threatening their very existence.
It’s time organisations stop hacking around the edges and start addressing these dangerous myths directly. Because when companies are truly ahead of the cyber security game, they’re not just protecting their business — they’re securing their tomorrow, today.
________________________________________
At Approach Cyber, we bridge the gap between business strategy and cyber security implementation. Our team, led by experts like Jorien Decroos, helps organisations transform cyber security from a cost centre into a competitive advantage. Contact us to learn how strategic cyber security investment can drive business value while protecting what matters most.
