IT security is certainly a field where myths abound. Here are some of the more prevalent:

Myth 1: On it’s own, an off-the-shelf security product from a well-known brand will keep my PC totally safe
Many users believe that a recognised anti-virus solution is 100% safe and is all that is needed. Off-the-shelf security products use signature scanning technology which is increasingly being circumvented by the latest malware. Even the best anti-virus solution on the market is far from foolproof.

Myth 2: As long as I am careful on the internet, I will be safe
Even an IT security expert often does not notice anything suspicious on the screen when a system is infected. Malware is designed to operate surreptitiously in the background. Often, a drive-by download attack shows no obvious sign. A related myth is that it is possible to spot a phishing attack by looking for spelling and grammatical errors on the webpage.

Myth 3: Passwords are dead
Some have been advocating an end for passwords for years due to their lack of security, however passwords and PINs are still by far the most prevalent access control mechanism. A related concept is that complex passwords are secure and that changing passwords every few months is all that is needed. Neither of these measures improve security against key logger attacks which are a common method of harvesting passwords. The threat of key logging passwords could be more prevalent than brute force attacks and perhaps shoulder surfing. Complex passwords suffer the drawback of having to be written down, introducing additional security risks, and offer no additional security against key loggers. When used with effective anti-key logging measures, passwords and PINs have certainly not exceeded their use-by date, and will remain in widespread use.

Myth 4: There are no significant threats on mobile
Many believe that there is nothing significant that can be stolen from their mobile, and that malware on the mobile is not yet a real threat. The reality is that there are significant threats on mobile and particularly on Android (see here and here).

Myth 5: A secure perimeter will keep my organisation safe
The false premise behind this myth is that a firewall and other gateway security, on their own are sufficient. Unfortunately, mobile devices and BYOD put paid to this approach as they introduce ways around the perimeter.

Myth 6: Only complete fools are taken in by social engineering
The reality is that everyone is susceptible, even IT security experts, and anyone can be taken in by a well-planned and executed social engineering attack. No-one can afford to relax their guard.

Myth 7: Our organisation is not a target for attack
The personal equivalent of this myth is: There is nothing on my PC that anyone would want. The assumption is that only high profile organisations are targeted. Identity theft targets everybody. Second and third tier organisations are now specifically targeted, often because they are less secure.

Myth 8: Most of the security holes in software have been plugged
It is true that security has improved. Many security vulnerabilities have been addressed. However, the attack surfaces are now far larger due to mobile and BYOD. And smart TVs are on the way. Attacks have become more and more frequent. Virus kits and the polymorphic nature of malware means that off-the-shelf anti-virus solutions have become far less effective.

Myth 9: A particular system is 100% secure
The reality is that no system is 100% secure. Security should be a layered approach. The corollary to this myth is that more security is always better. This is not true – there is always a cost to security, and more is not necessarily better.

Myth 10: Cyber warfare is science fiction
Cyber warfare has occurred in the past, is happening now, and cyber warfare attacks will continue to occur in the future. Countries are spending huge sums on cyber defensive mechanisms, and together with politically-motivated groups, committing large resources into offensive cyber warfare measures. The threat of a cyber warfare attack taking out critical infrastructure and affecting civilians is very real (see article).