In a previous blog article, Marty Kaufman recounts the story of meeting with a business owner who was panicked and in crisis mode because of a cyber attack.
If we could backtrack to the days, weeks, and months before the attack, we’d find that the business owner didn’t pay much attention to cyber security because he thought the odds of a data breach happening to him were low.
As it turned out, the odds were higher than he thought, and it did happen.
We can’t go back in time and undo all the damage this cyber attack has done. But we can help other executives avoid stumbling over some common beliefs that unknowingly increase cyber risk.
Here are the top 5 cyber security myths we commonly hear from business leaders regarding why they don't invest in cyber security protections:
- We’re Not a Target
- We Don’t Have Anything Cyber Criminals Want
- We Don’t Need ...
- We’re Compliant, so We're Secure
- It's Not Worth the Inconvenience
Let’s dive in.
1. We’re Not a Target
(Yes, You Are. We All Are.)
Cyber crime has evolved with the same sophistication and speed that our business world has.
Hackers don’t need to be incredible coders or software developers. They can buy a malware subscription for $50 a month and be in business! It’s an industry of its own.
The result is that attackers are now trying to break into businesses worldwide – and there are countless places where criminals can sell the data they steal, making attacks extremely lucrative.
2. We Don’t Have Anything Cyber Criminals Want
(Yes, You Do.)
Some data has value all by itself – the manufacturing plans for a product, the proprietary process for delivering a service, access to your bank account or credit card information, personal medical records, etc.
Other data gets its value when it's combined with other data points. The more information attackers can gather on a person or business, the greater the potential for a significant payout.
And access to your network could be all they need.
Access to your network is extremely valuable to cyber criminals because it can open up doors you didn’t even know you had. Case in point: the big Target hack in 2013 where hackers got into the Target network through their HVAC vendor, Fazio Mechanical Services.
While you might not be doing business on the level of Target, you still have customers who make payments to you.
What would happen if an email was sent from your email account without your knowledge, asking your customer to send payment to a different account number – and then they paid thousands of dollars to a cyber criminal instead of to you?
These types of scams happen all the time.
3. We Don't Need ____________
(Yes, You Do.)
You can fill in the blank – a firewall, anti-malware software, cyber security awareness training, a security policy, multi-factor authentication, updated software and operating systems, mobile device management, etc.
Remember the business owner in Marty’s story? He, too, didn’t think he needed the foundational layers of security that could have prevented the cyber attack from happening in the first place.
What is unfortunate about that story is that the owner was getting out-of-date, incorrect, and dangerous misinformation from his own IT guy – who was not an expert in cyber security.
4. We’re Compliant, so We're Secure
(That May Not Be Enough.)
Compliance doesn’t always equal security. For example, many recorded data breaches have happened to companies verified as being compliant with their industry regulations.
Regulations give organizations guidance in many areas of IT security, but they are not usually comprehensive enough to keep up with the evolving strategies that cyber criminals use to break in and steal data.
Compliance shouldn’t be the only goal. Cyber security should be a goal too.
5. It's Not Worth the Inconvenience
(Are You Sure?)
Decisions about managing risk can appear to conflict with equally positive objectives such as efficiency, productivity, and growth.
Take multi-factor authentication (MFA), for example. Implementing and enforcing MFA is one small layer in the grand scheme of locking the doors to your company data, but staff may push back because it slows them down.
When comparing the hassle of MFA with the potentially disastrous impacts of a cyber attack, can you still say that it’s a risk you want to take?
Cyber security risks have many angles, which is why we consulted with experts in cyber security, legal, PR, and insurance to put together a Cyber Security Risk FAQs guide for business leaders. It has 30 of the top questions and answers business executives want to know about managing cyber risk.
Where Are Your Cyber Security Gaps?
The first step to improving how you manage cyber risk and overall business risk is to get a clear picture of where you are right now. Schedule a cyber security and risk assessment to uncover security gaps and get recommendations on closing them.