Vulnerabilities
We also work in cybersecurity on self-hosted programs for large companies and on private programs offered by the major bug bounty platforms. Cybersecurity myths lead to poor strategic decisions that are costly for businesses. The most common ones:

1. "The risks are under control." Attackers are constantly finding new ways to exploit systems, both those judged safe in the past and newly deployed environments.

2. "My company is not affected." Every sector of activity is exposed as long as one or more threats apply to it. For example, the number of ransomware attacks is rising across all types of infrastructure, regardless of industry.

3. "Cybercriminals are always outsiders." Cybercriminals also work with the help of employees, and will not hesitate to have the target hire a member of their group so that they can act from the inside.

4. "The most sophisticated security software provides protection." Such products cover the main aspects (firewall, antivirus, etc.), but they match known patterns and cannot reason about an attacker's overall plan; a multi-step attack whose individual steps each look normal to the tool watching them passes through.

5. "It's an internal matter; suppliers are not concerned." Data is a flow that follows an increasingly complex path through different stakeholders and between applications, for example through APIs. The entire processing chain is therefore concerned, suppliers included.

6. "Our security is well prepared thanks to a bug bounty program." Bug bounty platforms give access to a community of researchers who search for vulnerabilities. Subject to an ever-growing list of conditions, accepted reports are rewarded according to a scale based on severity. The appeal for the client is a turnkey solution on a limited budget, with a large pool of researchers who are paid only when they find something. The effect is perverse, however: the majority of reports presented to the client concern negligible risks, so over time the company settles into the comfortable belief that its security is under control. The commoditization of this market is also driving rewards down. The reward offered for the discovery of a critical vulnerability is increasingly low, in the order of $1,000 to $2,000. We are well placed to say that engineers will not spend weeks of research and development at such a rate. This is why more than 95% of bug bounty programs are ignored by professionals, who concentrate on the small number that offer compensation reasonable in view of the work required.

7. "Employees are not cybersecurity specialists." Cybersecurity is not the exclusive property of a single department. It is a responsibility shared by everyone (users, developers, etc.), supported by adequate awareness and training activities, and it is an essential part of DevOps practice.