Cybercrime as a business model: 3 myths that make companies vulnerable

During European Cybersecurity Awareness Month, the European Commission aims to encourage citizens and organizations to be more mindful of digital security. Yet many misconceptions about cybercrime persist. Some believe that only large companies are targeted, while others place blind trust in purchased tools. Peter Vandeput, Business Unit Lead Cybersecurity at Inetum Belgium, addresses three of the most persistent myths.

Use strong passwords, enable multifactor authentication, learn to recognize and report scams, and keep your software up to date. These four simple practices are hopefully well known to the general public by now. Nevertheless, many false assumptions continue to exist among both businesses and individuals. Meanwhile, the number of cyberattacks continues to rise. In the first half of 2025 alone, Inetum LivesSOC, the company’s Security Operations Center, registered no fewer than 77,093 cybersecurity alerts and 25,171 incidents. Ransomware alone accounted for 2,406 attacks. These are the three biggest misconceptions about cybercrime.

“Hackers only target large companies”

Many businesses still believe that cybercriminals will overlook them. “We are just a small family business; why would hackers target us?” That reasoning is flawed. Hackers do not care what you produce or sell,  they look at how quickly and easily they can extract money from your organization. Cybercrime is, after all, a (profitable) business model.

This makes both large and small companies potential targets. Research by Europol shows that SMEs are increasingly falling victim to ransomware attacks. They often lack the budgets or specialized teams that larger organizations can rely on, leaving their digital doors wide open. Those who consider themselves “too small” or “not interesting enough” underestimate the risks and, as a result, are even more likely to be attacked.

“A few security tools will keep me safe”

Many organizations believe that investing in several detection tools combined with a Security Operations Center (SOC) is sufficient to ensure their safety. But this assumption is not entirely accurate.

An SOC is a service that monitors an organization’s cyberthreats. It detects threats based on collected data and logs, responds to incidents, and works to improve digital resilience. You can compare it to a home alarm monitoring center: it receives signals from sensors and issues alerts for suspicious activities. However, if some windows and doors are still left open, burglars can still walk in. The same applies online: installing AI security software without having people to follow up on alerts and take action creates little more than a false sense of security.

Real protection requires more than just technology. Clear security policies and human awareness remain the most critical factors. In addition, companies should deploy specialized services that provide continuous monitoring and immediate intervention in the event of a threat.

“Working from home poses no cyber risks”

Many employees assume that working from home or in a coworking space is just as safe as working from the office. However, home and public networks are often less secure. Personal devices such as smartphones and tablets typically share the same network as work devices. Since these personal devices are usually less well protected, they offer hackers an easy entry point. Routers also pose a risk: many still operate with default settings or outdated software, making them vulnerable to misuse. Public Wi-Fi is also often unreliable. Combined, these factors significantly increase the risk of unauthorized access to sensitive data.

The issue extends beyond Wi-Fi. It also concerns how employees use their laptops. Are they free to browse with any browser or visit any website? Do they use a VPN? Many companies still provide insufficient protection for their remote workforce, leaving critical data too easily accessible. Businesses must also monitor how employees share data and documents via (genAI) cloud tools, as these can often expose sensitive information.

Without clear policies, continuous monitoring, and additional security layers, remote work remains a weak spot.

Cybersecurity never stops

Cybersecurity extends far beyond technology. It is a mindset that requires continuous awareness among all employees and partners. Companies must establish clear policies on how staff and freelancers work securely, whether in the office or remotely.

Cybersecurity is not a nine-to-five job. It demands constant vigilance.