Top 9 Objections to Increasing Cybersecurity

Business leaders have plenty to worry about. From regulations to customer relationships to team management to vendor and supply chains, challenges are never-ending.
IT falls into that category too. IT is a complex, constantly changing field. On the surface, it can seem simple – provide a computer and some applications and get going.
But, scratch a little deeper to uncover the need for access control, reliable backups, failover systems, secure remote access – key components of secure business technology. These all work quietly to provide the foundation for important work to get done.
With all the complexity, it’s normal to feel overwhelmed by technology. It’s also normal to trust that a lack of tangible problems today means that all is well. But, technology failures can be sudden and unexpected. System failures, insufficient capacity, and cyber attacks all happen without warning, and bring everything to a screeching halt.
Those that have been lucky enough to avoid cyber attacks tend to think they’ve got secure systems in place. But this is not necessarily the case. So, what causes business leaders’ false security and confidence that they will be protected from cyber incidents?

1. I have a good firewall, so I’m good, right?

The firewall is the outer shield for your on-premise IT systems. Think of a firewall as a locked wall that surrounds your building. As long as the wall is strong and everyone locks the door behind them, no problems!
A strong outer wall that blocks intrusions is a key component of a strong cyber defense. But, no system is fail-proof, and the more valuable the protected items, the more security measures are used.
Take a bank, for example. A bank doesn’t just use a secure vault; it also employs surveillance systems, alarms, controlled procedures and sometimes armed guards to ensure physical security.
In a similar manner, the purpose of a firewall is to disallow access to any person outside the organization. But, cyber criminals are persistent. While your team is busy fulfilling their roles and responsibilities, hackers are focused exclusively on gaining access. Eventually, the persistence may pay off. And, when it does, businesses need additional security measures to block further actions.
Other versions of this objection might include different aspects of information security, such as backups, VPNs, strong antivirus. Regardless, these objections fall into the same trap. Any one digital security technology is just that – a single security measure.
Comprehensive cybersecurity involves layers of different types of measures – data backups, recovery plans, endpoint protection, encryption, access control, etc. Further, threat actors are continually evolving. Therefore, effective cybersecurity isn’t a single measure, but a set of many measures, guided by an expert who stays up-to-date on the latest defense measures and technologies.

2. Cyber criminals aren’t coming after my business - There are much bigger targets

When businesses reflect on how they rank in terms of assets, market share, revenue and profits, much bigger rivals quickly come to mind. Then, the thinking goes: why steal from our business, when threat actors could get a much bigger payout from bigger businesses?
This is a common misconception. All things being equal, it would make sense to go after a bigger payout. But, in reality, all things are not equal. Bigger organizations, with their bigger budgets, can also invest more in security measures.
Further, larger companies tend to have increased structure and procedures in all areas of the organization, gained as a result of growing and scaling the business. And, this structure which is already in place, can be used to deploy cybersecurity training and requirements to the entire workforce. All this means that smaller companies end up being easier to breach.
Another disadvantage of smaller budgets is a lack of resources, after a breach, to go after the cyber criminals. Smaller budgets mean less access to lawyers and law enforcement, and less time to devote to tracking down and fighting the cyber crime.
On the other hand, smaller budgets do not mean negligible payouts. Compared to individuals, even small companies have better cash flow and greater resources, not to mention connections to other organizations. For hackers, these are great reasons to target smaller businesses.

3. Our computers came with antivirus - We should be fine

Depending on which anti-virus is installed, anti-virus can either do almost nothing or be a powerful defense against hackers. That’s another discussion. For now, we’ll assume we’re talking about the type that ranks highly in industry evaluations, and not the type that came with the computer.
Some of the capabilities of effective and powerful anti-virus (also called EDR/XDR) are:
These are powerful defenses that we highly recommend, but similar to the first objection, using only EDR/XDR is a single line-of-defense. Because of the persistence of hackers and the evolving nature of technology and digital security, the best strategy is not to rely on a single defense measure.
Even more importantly, remember that multiple defense measures become outdated. So, we recommend not just varied defenses, but also working with an industry expert to guide you on what measures to deploy and when to update them.

4. We can’t afford cyber security

“Cybersecurity is too expensive”. This is one of the most common and understandable objections. Tech-related expenses add up, and there are thousands of more exciting ways to spend the budget.
Marketing promises big rewards. Investments in core business promise growth, greater output, better efficiency. Training promises better morale and more effective staff. But tech-related expenses are a bit like replacing used tires or fixing broken plumbing. It’s necessary, but no fun.
But, just as ignoring a clogged pipe could result in a disastrous backup and overflow that costs far more than fixing the clogged pipe, so too, ignoring the risk of a breach could result in a breach – the cost of which would greatly overshadow the cost of any preventative measures.
And, this is where most articles get into average costs of data breaches and the high likelihood of business failure. But, you’ve heard the numbers. You’re aware of the stats.
In reality, the cost depends on the organization. Once malicious users get into your books, they know how much you have for a ransom. They know from experience how much they can ask for and get away with. And, whatever it is, it will be far more than you want to spend, and far more than the cost of increased cybersecurity.
No leader who finds themselves in that situation would go back and not do more to prevent it from happening. It’s not just the dollar amount. It’s the fear of losing important clients or the business itself. It’s the stress of making decisions while the future of the company hangs in the balance. It’s the worry about losing insurance.
It’s the additional load of helping employees work through what it means for them. It’s the anxiety of every minute the team is not working, while waiting for the forensics team to complete their work, or for the IT team to build or restore systems.
Yes, information security costs money. You may not have planned for it in your budget, and you may not feel a tinge of excitement thinking about the increased security. But, it’s worth it.

5. Cybersecurity measures are inconvenient

Implementing cybersecurity measures means change. And, we all know that most people hate and resist change. From their point of view, the methods they were using were working just fine; there’s no need to change. Change is hard! Even more, it’s an obstacle to getting the real work done.
There will be complaining, pushback and occasionally outright refusal. Sometimes, this is the last thing leaders think of as they consider additional infosec measures. But, while the team’s response is an important consideration, it’s something that should be planned for, rather than a reason to abort increasing cybersecurity.
It’s true that some cybersecurity measures can be inconvenient, but some measures actually increase convenience and ease-of-use. One example of this is a password manager. Password managers can make using hard-to-guess passwords even easier than password reuse. This is because most password managers have browser extensions that automatically insert the selected credentials.
Some cybersecurity measures decrease convenience; some increase convenience, and some are neutral. In most cases, the simple fact that users must change their processes triggers anxiety and resistance. This is true even if the new way of doing something ends up easier.
The real question is: do the risks to business data and customer information outweigh the inconveniences? And, the answer is a resounding ‘yes’.

6. We have an IT guy that handles it

Your IT guy probably does know something about cybersecurity. He’s also likely burdened with a lot of other responsibilities. He has to help users, keep the network up, set up new users, and resolve any number of other IT problems. It’s common for IT personnel to get stretched thin. If you asked his opinion, he’d likely recommend more cybersecurity.
But while they’d recommend increasing digital security, they are also limited in terms of authority. In other words, the IT team is capable of implementing the technologies and initiatives handed down to them. But, they are not granted authority to implement whatever technologies they want or to purchase whatever they deem necessary. It’s beyond their pay grade to make decisions about what protections are critical for the organization.
That’s because increasing digital protection is not a technology decision; it is a decision regarding risk. C-suite leaders make decisions about strategy, including risk management. Every organization has its own risk profile: how much risk is acceptable, and how is that risk mitigated and managed.
This is where the problem comes in. The IT team knows what technology to buy to reduce network intrusions, but they can’t expand their budgets to buy it without approval. So, a meeting is scheduled with the decision makers.
Then, the IT team fails to translate the technology details into a business risk discussion. Business leaders walk away not understanding the true nature of the vulnerabilities and the magnitude of the risks, and withhold approval for the recommended protective measures.
An outside cybersecurity specialist can help with evaluating these decisions. They work directly with leaders and understand their concerns. They can communicate about risk using analogies and stories that break down complicated technologies into understandable concepts. With this understanding, leaders can prioritize actions and purchases that reflect the cost/risk balance they are comfortable with.

7. Our team is smart. They wouldn’t fall for any phishing attempt

Leaders rely on their team to work together, accomplish difficult tasks and ultimately produce the products and services that drive sales and success. If they didn’t have an accomplished team put together, the business wouldn’t succeed.

So, it’s difficult to reconcile that the intelligent people on the team might be vulnerable to phishing attacks. The underlying assumption is that smart people don’t fall for phishing emails.

But, phishing attempts succeed with intelligent people. These individuals are skilled at their jobs, and respected by their peers. Phishing succeeds with CEOs, company presidents, accountants, and at all levels of the business.
Being smart doesn’t protect you from being phished. As with all cyber crime, the criminals are persistent. Not falling for a phishing attempt is more about being 100% alert, 100% on guard, 100% of the time. Anyone can make a mistake, anyone can accidentally click on a link.
So, first, training brings awareness to your team about phishing – how to recognize it, what the end goal is, and what actions to avoid to circumvent phishers.
Not only does training teach your team what these types of emails and other threats might look like in the first place, but, if provided on a regular basis, it also goes a long way towards keeping them alert and ready to respond to potential threats.

So, yes, your team is intelligent. But, at times, they’re also busy, distracted, in a rush, or tired. They could use a little backup because everyone makes mistakes, once in a while.

8. That’s what cyber insurance is for - We don’t need to spend more money on prevention

Cyber insurance is a must in today’s world. With cyber criminals constantly learning and evolving, the risk of a cyber attack cannot be completely eliminated. Reduction of the impact of a cyber incident is achieved by prior planning. Cyber insurance exists because the cost in terms of dollars is high, and in the event of a breach, businesses need assistance to cover the cost.

But, insurance companies only assist with reimbursement in terms of money. The policy will likely cover liability and possible repair costs. But, depending on your policy, it may or may not cover downtime, and may or may not cover operational losses while all systems are down.
Even assuming your policy is top-notch and covers all possible losses, the insurance company will do nothing to alleviate the anxiety and fear of going through the aftermath of a breach. They will do nothing to eliminate the loss of clients due to loss of reputation. And, they don’t pitch in during the long hours of rebuilding under high stress. That’s all on you and your team.
Not only that, but after an incident, you may find that insurers are no longer willing to offer you a policy. Or if they are, the policy premium goes through the roof.

Worse, after an incident, cyber criminals may identify you as an easy target and strike again, causing additional stress, anxiety, fear and reputation loss. No matter how good your policy is, a breach is not something you should take lightly.

9. It’s not that big of a risk

There are risks and costs to action. But they are far less than the long range risks of comfortable inaction.

Whether leaders believe it won’t happen to their organization or the aftermath of a breach won’t be that difficult, denial can spell disaster. Cyber incidents are on the rise, so, the question isn’t if, but when.
Preparing now means not just employing strategies to reduce the likelihood of a breach, but also to minimize the impact of an incident. Early detection, recovery plans, redundancy of data and systems, staff training, policies, and technology protections all work together to reduce the possibility of cyber crime, as well as limit the damage and increase the speed of recovery.
The question really isn’t, when will a breach occur, but will you be ready? Will you have the right technology in place to limit the impact? Will you have the right systems in place to prevent data loss and assist in a speedy recovery? Will your team recognize attacks and react in a timely manner? Will you have the right policies in place to limit your organization’s liability? Will you have someone to help you through the crisis?
You definitely are at risk of coming under attack, and a successful attack is very, very expensive. What makes your organization so special that you won’t join the hundreds of thousands of businesses that fall victim to cyber criminals every year? To date, more than 40 percent of small businesses around the world have lost data to cyber attacks. Are you still convinced the risk is small?

About Southeastern Technical

We help leaders discover how they can have stable, reliable information technology (IT), so their organizations can experience fewer IT problems and security threats.
