However, according to research from number crunchers at data security outfit Cohesity, that blinkered view flies in the face of reality, as small and medium-sized enterprises continue to offer easy money for cybercriminals.
Even worse, one in six UK workers wash their hands of any cyber security responsibility, insisting it’s down to the IT department alone to fend off the crooks.
Data security outfit Cohesity has revealed these delusions in new research launched during Cyber Security Awareness Month. The firm warns that such misplaced confidence leaves UK companies wide open to digital sabotage that could freeze operations or wipe them out entirely.
The study uncovered the top myths that keep employees dangerously complacent.
More than 60 per cent of employees think only the IT or cyber security teams are responsible for defending the company. In truth, every worker is part of the defence line, whether they like it or not.
A third of respondents still believe ransomware avoids smaller firms. In reality, attackers often prefer them, as they lack the expertise and expensive kit larger companies can afford.
Nearly half of workers wrongly believe Wi-Fi is some kind of digital moat against ransomware, while 33 per cent think paying off cybercriminals is the only way to get stolen data back, despite the National Cyber Security Centre advising firms to rely on backups or decryption tools instead.
The delusions are more obvious in workers' misplaced faith in Apple security. More than half of UK workers assume Macs are hacker-proof because the Tame Apple Press have told them that. Another 51 per cent think the same about mobile phones and 39 per cent about USB sticks. In truth, any connected gadget can be turned into a back door for an attacker.
Cohesity’s GVP Europe Olivier Savornin said: “Despite cyberattacks being in the headlines day in, day out, there’s much to be done when it comes to educating employees about what good cyber hygiene looks like.”
“It doesn’t matter how advanced your cybersecurity solutions are if employees are unable to identify and escalate suspicious activity. Social engineering attacks specifically prey on human error, which means every employee is a potential target and a line of defence,” Savornin said.
He added that proper resilience needs “a three-pronged approach: robust technology, continuous employee training, and a culture that actively promotes vigilance at every level of the organisation.” Without that, companies might as well hang out a welcome sign for hackers.
Cohesity’s research, conducted with OnePoll, surveyed 2,000 full-time UK office workers in June 2025 to gauge their understanding and habits around cyberattacks, including ransomware. The results suggest the message still hasn’t sunk in.