09 May Cybersecurity Misconceptions
A Cybersecurity program is vital to the success of your business. Let's explore some of the common reasons businesses choose not to implement a program to manage their cyber risks. This list is not exhaustive, but it covers several common reasons business owners don't do more to protect their business against cyber threats.
5 Common Misconceptions About Cybersecurity
- Cybersecurity is too Expensive
While it's unlikely that implementing a Cybersecurity program will require zero investment, you can have a strong cyber program without breaking the bank. An experienced and reputable consultant will advise you that a good program is about risk-informed decision-making. That means you don't need to purchase or subscribe to every single solution and recommendation out there… What you do need is to be aware of the threats and risks specific to your business, so you can choose to accept or mitigate them. This is like any other business decision, for example, hiring an additional employee. Bringing on additional help may let you scale operations and grow the business, but there is a cost in compensation, benefits, and training. You weigh the investment against the potential payoff, then make the decision you are comfortable with. Treat cybersecurity the same way: just be aware of the risks. Performing an assessment to benchmark yourself against a proven Cybersecurity framework is a great place to start; it will show you where your weak points are and help maximize the effectiveness of any investments you choose to make.
- Security Makes Everything Slower
Alright, old-school Cybersecurity did develop a stigma for making everything difficult, and it still conjures images of a grumpy network admin saying "no" to everything you want to do with technology. That's not the way it has to be… Building on the risk-based approach described above, the right Cybersecurity program for your business provides the optimal balance of controls without getting in the way of the business mission. Tools like endpoint protection and disk encryption have come a long way, and today's solutions are transparent to the end user. Good cyber professionals understand that the business mission comes first and that they can't put up roadblocks; instead, they give you an armored vehicle to move as quickly as possible without compromising safety. You don't need to sacrifice user experience.
- Our Business is too Small to be Targeted
Ok, maybe… Most large-scale ransomware attacks we hear about in the news are conducted against enterprises that have the budget to pay big ransoms to get their data back. That said, there has been a more recent trend of targeting smaller businesses in order to fly under the radar and avoid attracting as much attention from law enforcement. Another thing to consider: do you do business with, or would you like to do business with, a large company? Several very large companies have been breached after cybercriminals targeted and gained a foothold with a vendor. To that end, those companies audit vendors as part of the selection process, and not being able to demonstrate Security and Compliance due diligence may rule you out even if you have the best product. Lastly, the Cybersecurity landscape can shift at any time due to new threat actor tactics; it's best to be prepared, or at a minimum aware.
- We are Compliant, so we are Secure
Compliance is a great start. That's right, it's a starting point, or the bare minimum you need to protect your business and participate in the business ecosystem. If you are in a regulated industry like retail or healthcare, you likely adhere to and report on compliance with a regulatory framework. These frameworks are great, and there's absolutely nothing wrong with following them; it's just that they don't always factor in the big picture. For example, PCI-DSS, the framework that governs credit card transaction security, only applies to the segment or portion of your technology that accepts, processes, or stores cardholder information. What if you have another part of the network holding all the personnel files that could be targeted for identity theft? Or what if you store proprietary intellectual property? It's possible to be 100% compliant while leaving critical assets unprotected.
- We have Good Technology that Protects Us
Like the Compliance logic above, good technology is a critical pillar of strong Cybersecurity, but technology is only part of a comprehensive program. People, Process, and Technology work together for optimized Cybersecurity, just as the three legs of a stool provide a stable surface to sit on. A real-world scenario that illustrates this point is social engineering: tricking people with an official-looking email that's actually a fake designed to steal their password or make a purchase on behalf of the criminal. Cyber criminals are also actively trying to recruit insiders (employees) by paying them large sums of money for confidential information or credentials. Even the best technology has a difficult time stopping a human action. Going back to the benchmark assessment approach, leveraging a proven cyber framework can help you evaluate the whole picture and zero in on what needs attention.