5 common myths about ransomware

Ransomware attacks are a near-daily threat to businesses of all sizes. In 2021, US businesses lost nearly $160 billion to ransomware attacks, and that number is expected to grow in the years ahead.

While many companies may be aware of the threat posed by ransomware, the vast majority are still vulnerable to attack. This is partly because companies readily believe myths about ransomware, which leaves them underprepared for an attack.

In this article, we’ll debunk five common myths about ransomware that could be leaving your organization exposed to cybercrime.


Myth #1: It won’t happen to my organization

One of the most common myths about ransomware is that it only affects enterprise-scale businesses with huge cash flows or highly sensitive data. This couldn’t be further from the truth. In fact, small businesses with a hundred or fewer employees are three times as likely to face ransomware attacks as larger corporations.

From the perspective of cybercriminals, small businesses (and even individuals) are the perfect target. This is because they often lack both large IT teams and the advanced network monitoring software that enterprise-scale companies use. Small businesses may also be less likely to use identity management software that could help stop an attacker from moving through their networks.

Even though cybercriminals might earn less money from a ransomware attack on a small business, the higher likelihood of success makes small businesses attractive targets.

Small business owners should never assume that they’re too small or too unknown to be the target of a ransomware attack. Every organization is a potential target, and it’s critical to take proactive steps to defend your network.

Myth #2: The ransom is the only cost of an attack

Another common myth about ransomware is that businesses can simply pay the ransom and make the whole thing go away. The ransom may be expensive, this reasoning goes, but it’s part of the cost of doing business.

The reality is that the costs of a ransomware attack can extend far beyond the ransom itself. First, there are costs related to work disruption. Even if your organization pays the ransom and gets your data back quickly, you’re likely to lose several days of work because of the attack.

In addition, there are costs for cleaning up after the breach. It’s often impossible to know whether attackers stole sensitive data about your organization’s customers, so your business could face lawsuits, or be forced to pay for credit monitoring for thousands of customers. If protected information such as medical records or credit card numbers is potentially compromised, your business could also face fines from regulators.

The reputational costs of succumbing to a ransomware attack can be devastating. Companies that fall victim to ransomware attacks could lose the faith of customers and vendors over the safety of data. If customers don’t trust your company to keep their personal information or credit card data secure, they’re much less likely to do business with you. Over the long run, the reputational damage of a ransomware attack could be catastrophic for small businesses.

Myth #3: Phishing is behind all ransomware attacks

Phishing is behind the majority of ransomware attacks. If an employee clicks on a malicious link in an email, they could be downloading ransomware directly onto their device, or unwittingly providing an attacker easy entry into your organization’s network.

However, educating employees about how to avoid online phishing isn’t enough because phishing isn’t the only way ransomware attacks begin. Many cybercriminals are able to exploit an unpatched piece of software, or weak passwords, to get into networks. It’s extremely important that your company keeps up with security updates, and uses a business password manager to secure your network.

Myth #4: Antivirus software is enough to defend against ransomware

Having the best antivirus software plays a key role in ransomware defense. Antivirus software does a good job of stopping unsophisticated attacks, and detecting ransomware on your network before it can be activated.

However, antivirus software on its own isn’t nearly enough to stop more advanced attacks. Cybercriminals will often establish a beachhead in your network, and then spend weeks or months figuring out the best way to get around your antivirus software and firewalls. Even the best designed networks have weak points, and attackers will eventually find them if given enough time to probe the limits of your security system.

The only way to defend against these attacks is through active network monitoring. Organizations need to use access management software that can alert IT administrators to unusual activity, such as after-hours logins to critical data servers. Businesses should also consider requiring frequent password changes, and enabling multi-factor authentication for network access.
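As an added illustration of the kind of alerting described above (this is example code, not from the article or any product it mentions), the script below scans constructed login records for successful logins to critical servers outside business hours. The log format, host names, working window and the exemption for a scheduled backup account are all assumptions made for the example.

```python
"""Added example: flag after-hours logins to critical servers.

The log line format, server names, business hours and the
service-account exemption are constructed assumptions for this
example, not the conventions of any particular product.
"""
import re
from datetime import datetime, time

# Constructed sample records. Assumed format:
#   <ISO timestamp> user=<name> host=<server> event=<type> src=<ip>
# 2024-03-11 is a Monday; 2024-03-16 is a Saturday.
SAMPLE_LOG = """\
2024-03-11T09:12:04 user=alice host=fileserver01 event=login_success src=10.0.4.21
2024-03-11T23:41:30 user=alice host=fileserver01 event=login_success src=10.0.4.21
2024-03-12T02:15:09 user=svc_backup host=backup01 event=login_success src=10.0.9.7
2024-03-12T03:02:51 user=bob host=hr-db01 event=login_success src=10.0.4.88
2024-03-12T14:30:00 user=bob host=hr-db01 event=login_failed src=10.0.4.88
2024-03-16T10:00:00 user=alice host=fileserver01 event=login_success src=10.0.4.21
"""

# Assumed inventory of critical data servers and the normal working window.
CRITICAL_HOSTS = {"fileserver01", "hr-db01", "backup01"}
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Assumed: accounts whose overnight activity on specific hosts is expected,
# e.g. a scheduled backup job. Anything else after hours is reported.
EXPECTED_AFTER_HOURS = {"svc_backup": {"backup01"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"event=(?P<event>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_after_hours(ts):
    """True on weekends or outside the assumed working window on weekdays."""
    if ts.weekday() >= 5:  # Saturday or Sunday
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_after_hours_logins(log_text):
    """Return alert strings for successful after-hours logins to critical hosts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "login_success":
            continue  # malformed lines and failed attempts are out of scope here
        if rec["host"] not in CRITICAL_HOSTS:
            continue
        if not is_after_hours(rec["ts"]):
            continue
        if rec["host"] in EXPECTED_AFTER_HOURS.get(rec["user"], set()):
            continue  # known scheduled activity, e.g. the backup job
        alerts.append(
            f"{rec['ts'].isoformat()} after-hours login: "
            f"user={rec['user']} host={rec['host']} src={rec['src']}"
        )
    return alerts


if __name__ == "__main__":
    for alert in find_after_hours_logins(SAMPLE_LOG):
        print(alert)
```

Run against the sample, it reports the two overnight logins by regular users and the Saturday login, while the backup service account's overnight session on its own server is skipped. In practice the exemption list should be as narrow as possible, since a compromised service account is exactly what an attacker would prefer to use.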

Myth #5: Backups are always safe

Data backups are the solution of last resort in a ransomware attack. Even if an attack is successful, your organization can avoid paying the ransom or losing data if you have intact backups.

You shouldn’t assume, though, that because your company has backups, it’s immune from attack. Cybercriminals know that many companies keep data backups, so they work to compromise them as part of their attack strategy. If your backups aren’t fully secured, they could be lost along with the rest of your organization’s data.

The best way to approach backups is to take a multi-tiered approach. Your company can use cloud backup software as well as keep physical backups that are disconnected from the network. If you do use backup software, it’s incredibly important to monitor access to your backups, and ensure there’s a strong firewall between your main business network and your backup servers.


These five myths about ransomware are all too common, and falling for them can end up leaving your organization more vulnerable to attack. Businesses should be more proactive in their defense against ransomware, and extra-vigilant to stay safe.

Michael Graw

Michael Graw is a freelance journalist and photographer based in Bellingham, Washington. His interests span a wide range from business technology to finance to creative media, with a focus on new technology and emerging trends. Michael's work has been published in TechRadar, Tom's Guide, Business Insider, Fast Company, Salon, and Harvard Business Review.