Have you made these mistakes in your cyber security strategy?

4 common cyber security mistakes to avoid

Many people often talk about how cyber attacks have increased in sophistication, but what do we mean by this? Ransomware, for example, has actually changed. In the past, a ransomware attack merely encrypted files and held them hostage until the threat actor received payment in exchange for the decryption key. Today’s cyber criminals go further by stealing sensitive information and threatening to release it if they do not receive payment.

In their report covering the 2021-22 FY, the Australian Cyber Security Centre (ACSC) stated that every sector in the Australian economy experienced the impacts of ransomware that year.

As the nature of cyber attacks changes and our dependency on technology grows, cyber security has moved higher on the priority list for many executives. With more companies prioritising cyber security, we are beginning to see many make the same mistakes. What are these common cyber security mistakes?

Leaving cyber security to IT

We see many organisations leave the responsibility of cyber security to their IT departments. This mindset might have been justifiable a decade ago when cyber security was synonymous with firewalls, antivirus solutions, and routine backups. Today, the majority of successful cyber attacks and the ensuing damage largely fall beyond the purview of IT.

Avoiding this mistake requires understanding the importance of distributing responsibility across the organisation. You should view IT as the foundation of your strategy, not the sole barrier against cyber threats. For a more resilient approach to cyber security, it's essential to instil a security-centric culture across all tiers of your organisation, ensuring everyone plays their part.

Relying solely on IT can lead to a restricted viewpoint on possible threats and means potential risks go undetected. Furthermore, it can result in inadequate communication concerning security challenges and the most effective solutions, leaving parts of your business ill-prepared or uninformed.

Lack of visibility over risk

Too many organisations lack visibility over their data and systems, leading to underestimating the ramifications of a cyber security attack or breach. We have seen businesses undervalue their data and fail to grasp the devastation that arises from unauthorised access to a critical business application.

So, building a good cyber security strategy requires you to gain visibility over your entire organisation. When your company has mapped all potential vulnerabilities, you can begin building the appropriate strategies to mitigate these risks.

Your organisation should take proactive steps to enhance visibility over potential risks. Regular risk assessments are pivotal in identifying and addressing vulnerabilities. Staying updated with the latest threat intelligence helps in preempting potential breaches. Additionally, fostering an environment that encourages transparent communication about perceived risks ensures that all stakeholders are aligned and vigilant.

Underestimating the attack surface

Your attack surface includes every device connected to your business that could serve as a gateway for cyber threats – from personal computers, cloud applications, and websites to API integrations and IoT devices. Many organisations fall short in accurately gauging the attack surface, overlooking the breadth and depth of digital assets vulnerable to potential threats.

What makes this such a common mistake? Too many leaders (especially those of small-to-medium businesses) hold the false belief that only high-profile organisations will experience attacks.

To understand your organisation's attack surface, you must gain a holistic view of all digital touchpoints. It's also ideal to map external people and organisations accessing your data. For example, does a vendor have access to company information? Only by accounting for every potential weak link can your business minimise the attack surface.

Overestimating the effectiveness of cyber security controls

When conducting cyber security audits for our clients, we have often discovered that their controls are not as robust as initially believed. This disparity between perception and reality creates the potential for unforeseen risks to impact the organisation.

Overconfidence in cyber security measures often occurs for the following reasons:

  • Senior management does not have a clear understanding of the tactics leveraged by threat actors to breach the organisation.
  • Too much reliance on IT teams that lack the full breadth of cyber security knowledge needed or have not fully voiced their concerns.
  • Senior management could be under the belief that the business is unlikely to experience a cyber attack.

To avoid this mistake, your organisation should commit to consistently testing and revising security controls to address evolving threats. Moreover, it's crucial to remain grounded by understanding the capabilities of your existing measures while acknowledging their limitations. This approach ensures a proactive and realistic approach to cyber security.


Protecting your business from cyber threats goes beyond using the right tools and technology. You will need a holistic strategy that ensures all levels of the organisation take responsibility for cyber security instead of leaving it as a task for the IT department. You will also need to understand the attack surface, the effectiveness of your current cyber security controls and the threats to your business. Your organisation can bolster its defences by addressing these common cyber security mistakes.

If you want more insights into addressing these mistakes, you can download a copy of our latest report on Cyber Security Trends and Actionable Strategies.

VISITS can help you avoid common cyber security mistakes

If these common cyber security mistakes impact your business, VISITS can help. We recognise that not every organisation will have the resources to build an expansive cyber security strategy. Our approach optimises cyber security spending by starting with the threats most likely to impact your business and adding more security controls over time. Visit our CISO as a Service page for more information on how we help our clients strengthen their cyber security posture.

Related blogs

5 small changes that strengthen your company’s cyber security posture

A new era of cyber security with Microsoft Security Copilot

Prepare for the inevitable: Why your business needs a cyber security response plan

Share This!