Myths Busted: The Truth About Cyber Risk Management

It goes without saying, there is no shortage of endless things you could be doing to improve your security posture. The bad actors are getting more efficient and effective. The regulatory landscape is a revolving door, and technology is innovating at the blink of an eye.  

And yet, IT security budgets are flat or shrinking. Tech debt is growing. Tool sprawl is unmanageable, and shadow IT is everywhere.  

In the last 12 months, I’ve spoken to nearly 100 IT security practitioners, and there is one common theme: The need to do more, learn more and support more is exponentially increasing, while the people, process and technology to support organizational needs are stagnant.  

But the reality is, you’re not alone. None of us have unlimited funding, year-over-year headcount growth and more than 24 hours in a day. So how do you prioritize? How do you decide the most important thing you should be doing to manage your organization’s cyber risk?  

Cyber risk assessments help organizations uncover vulnerabilities and weaknesses in their operations, assets, data, and personnel while evaluating the likelihood and impact of potential risks. 

Still not convinced? Here are three myth busters to remember when it comes to your cybersecurity risk: 

Myth

Only organizations that are subject to compliance standards need a cyber risk assessment.  

Reality 

Most organizations are subject to at least one compliance standard, so now is a good time to double check. But, even if you are not subject to GDPR, HIPAA, SOC2, PCI or EdLaw2D, you are responsible for assessing, managing, and mitigating cybersecurity risks effectively. Cyber risk is business risk, as cyberattacks have financial, legal, and reputational consequences. According to the 2025 Global Cybersecurity Outlook-World Economic Forum: 

• In 2025, ransomware remains the top organizational cyber risk with cyber-enabled fraud ranking second.  

• 78% of leaders feel that cyber and privacy regulations effectively reduce risk in their organization’s’ ecosystems. However, two-thirds of organizations admit that complexity and proliferation of regulatory requirements are a challenge to manage. 

With emerging technologies such as generative AI and quantum computing reshaping the landscape, cyber is no longer limited to the CIA triad: confidentiality, integrity and availability of data. Cybersecurity now encompasses human safety and needs to address the real risk to people’s lives when a system is attacked or compromised. 

Myth

Cybersecurity risk assessments are too expensive and time -consuming to be worth the effort.  

Reality 

Organizations that skip risk assessments often do so because they don’t see an immediate return on investment. But cybersecurity is about preventing disasters before they happen—and the financial, operational, and reputational consequences of a breach far outweigh the upfront cost of security. 

Here’s what happens when risk assessments are ignored: 

• Ransomware attacks can cripple an organization, with ransom demands averaging $2 million—a 500% increase from the previous year, according to Sophos’ State of Ransomware 2024.  

• The number of databases for sale on criminal forums increased by 20% last year, according to the 2024 Annual Report Recorded Future, with telecommunications, healthcare and education databases commanding the highest prices. 

• Nonprofits, research institutions, and universities often store valuable intellectual property and sensitive data—making them prime targets for cybercriminals. 

Myth 

We already know we have risks. We don’t need to pay someone to tell us what we already know.  

Reality 

There is no business without risk. Risk is not something you eliminate; it's something you routinely assess and manage. So, how do you know that the initiatives you’re asking your CFO to fund are the most important things you should be spending money on? I once had someone ask me, “If you could spend money on  

one thing and one thing only to improve your security posture, what would it be?” My response was, “It depends,” because it does. It depends on what your control gaps are and what the relative risk exposure is of those gaps to one another.  

A 2024 Ponemon Institute study of CIO’s found that: 

• Most organizations appreciate how exposed they are with just 43% rating their security posture as “very effective.”   

• Less than half of organizations have confidence in their ability to address cyber risk, vulnerabilities, and attacks. 

• 1/2 of the smaller to mid-sized organizations find it challenging to implement company-wide security policies, such as authentication and access controls.  

• 1/3 of the smaller organizations feel senior management doesn’t see cyber attacks as a significant risk, while the larger organizations struggle with a lack of budget (38%) and skilled professionals (35%) to effectively combat it 

Affordable, Actionable Cybersecurity 

At NYSERNet, we understand the challenges that nonprofits, campuses, and research institutions face. Our Cyber Risk Maturity Blueprint is: 

• Tailored to your risk management strategy for your organization’s unique needs. We don’t use a one-size-fits-all approach.  

• Designed for efficiency. We minimize disruptions to your operations. 

• Cost-effective. We focus on right-sized effort for high-impact outcomes without unnecessary expenses. 

If you think risk assessments are too expensive or time-consuming, I’m here to tell you that there’s a better way.  

Don’t wait for a cyber incident to prove the importance of effective risk assessments. Get ahead of threats today and let us help you build your cyber risk strategy.  

Emilyann Fogarty 

Chief Information Security Officer