By Stewart Walts
VP, Managed IT Services
Incidents like the Microsoft Exchange Zero Day, SolarWinds, and Colonial Pipeline all had common threads. Chief among them was a lax attitude toward cybersecurity. Cybersecurity is no longer a luxury or a fancy add-on. It is an absolute requirement. You would not leave the doors to your home unlocked and hope the bad guys do not notice. Yet, without effective and thoughtful security measures, you have done exactly that with your business. Still, we often hear objections. Here are some of the most common.
Common Objections to the New Reality of Cybersecurity
“I’m too small” – Hackers do not care how small your organization is. Sometimes your organization is a target and sometimes you are just unlucky. Hackers recognize that they can make money regardless. SMBs tend to have fewer technical safeguards in place and make easier targets.
“No one wants my data” – No matter what industry you are in, your data has value. The value may just be to you and your clients, but hackers will monetize that fact. Data exfiltration is also on the rise. Data exfiltration is a security breach that occurs when a company’s data is copied to an external location. If you do have sensitive information, hackers will threaten to post it online if you do not pay. It does not matter if you have solid backups or not in this case.
“I can’t afford to be more secure” – Ransomware demands continue to increase. According to Coveware, the average ransom payout in the first quarter this year was $220,298. That does not include reputational damage, downtime (average of 23 days!), and the costs to recover. We hear about the big news stories like Colonial Pipeline, SolarWinds, and the Exchange Zero Day attacks. Many more organizations suffer attacks; they just are not big enough (or don’t disclose the attack) to make the news. Because of the reputational damage, most companies work very hard to keep it under wraps.
“I have cyber insurance, so I’m good” – Insurance carriers are reacting to increased breaches and their heavy payouts. We are seeing requirements from carriers become more stringent and more prescriptive. Carriers are not in the business of paying out, so they are going to push back to protect their business. Cyber insurance is meant to mitigate losses, not to replace a good security strategy. Companies need to practice good security hygiene and lower their risk; otherwise, insurance may be out of reach for them in the future.
Cyber incidents come in all shapes and sizes, yet at their core the objective is always the same: stealing your intellectual property and money. Whether that’s through phishing and social engineering, or ransom, the threat actors find a way. Burying your head in the sand is not an acceptable plan. Only through meaningful strategy around cybersecurity can you hope to minimize risk and be ready for when the worst happens.