Myth 3: Our organisation has not been breached before, so we’re still safe.
Often, organisations incorrectly assume their security risks remain relatively static, when they don’t have a way to effectively evaluate those risks. Projecting future risks based on historical events can be dangerous.
Defining the scope of what to secure requires identifying exactly how many applications, servers, network devices, storage devices and more are within an organisation. When faced with either insufficient or overwhelming amounts of data, the scope may be simplified, and assumptions drawn that can lead to vulnerabilities.
Organisations might assume a particular server doesn’t contain sensitive data and is less likely to be the target of an attack. But it might not be data that malicious actors are after, as mentioned; servers might be valuable as a foothold into another environment. Lastly, people often underestimate risk due to future aversion – the problem of assuming that because the future is unknown it cannot be tested.
Source: IT Portal