“Some people would rather crawl blindly in the dark, rather than turn on the light
and see how close they are to the edge of the cliff.”
— Phineas Bartholomieu Thome, my great-great-great grandfather
Cybersecurity has been on the business world’s radar for at least the past twenty years, and yet some leaders are still caught under mistaken impressions of what’s needed to truly protect themselves from modern threats. In the worst of cases, some business leaders delude themselves with soothsaying myths which rationalize a lack of any serious cybersecurity posture at all. For these folks, it’s not a matter of “if” they’ll come to regret the lackadaisical attitude toward security – but “when”.
Following are 4 myths regarding cybersecurity which – in my experience – are commonly held by leaders of small to medium-sized businesses throughout all industries, why these myths are dangerous, and how to address the risks hidden behind them:
1. “I have an IT team. They’re handling our security and I don’t need to be involved.”
One of the worst assumptions that a business owner/executive can make is to presume that the IT department – whether internal or contract – is completely self-sufficient in terms of security and does not need any accountability.
“C’mon, Austin – I’m a business executive and have way too much to do already. You’re saying I can’t just delegate all that to IT and forget about it?”
I’m saying that you’ll regret it if you do. While the actual hands-on work is obviously going to fall to your IT staff, business leadership needs to hold them accountable on an ongoing basis and play a role in crafting and enforcing cybersecurity policies and procedures. There needs to be regular review of metrics in order to glean useful intelligence about what threats are facing the business and how the business is faring against them. Leadership needs to know the cybersecurity incident response plan and the role they’ll play if anything occurs.
These are just a few examples – the point is this: Leadership needs to know, and push to validate, that the business cybersecurity posture is in place and working proactively. Otherwise, I can almost guarantee that the security posture of the company will languish over time and start to fall out of alignment with business goals, i.e. it will stop focusing on protecting the most sensitive components of the organization.
2. “I’m too small or under the radar to be a target.”
Let me drill this into your head: If there is even the perception of any money to be had, then you WILL be a target. No organization is too small or under the radar. Verizon’s most recent 2020 Data Breach Investigations Report showed that 43% of cybercrime incidents were directed against small and medium businesses in 2019 – demonstrating the general willingness and interest to go after smaller targets.
Why, even though the potential gain is generally much lower? Because many small and medium businesses simply do not invest in their security posture – what they lack in money is made up for in ease-of-exploitation. “Less funding” is not an excuse for having insufficient security, by the way – even the most meager business can implement simple measures like password policies and asset control procedures. I’ve helped non-profits with literally zero room for cybersecurity funding implement real security measures which offer real protection without spending a dime. The lack of security posture is a function of either not knowing, or simply not caring.
If your business is even slightly visible – has a website, a LinkedIn page, etc. (as most modern businesses do) – then you are destined to be targeted eventually. You can either be ready for it, or get taken advantage of when the inevitable happens.
3. “I’ve known everyone on my team for years – none of my employees could EVER be an internal threat.”
Take it from a seasoned IT professional with experience across hundreds of businesses and tens of thousands of users – ALL USERS constitute a potential threat. I’ve seen decades-long employees – pillars of the company – go rogue and steal money, data, and/or equipment. I’ve seen family members in family-owned businesses decide to split off into their own rival start-ups and abscond with client data as they walk out the door. I hate to paint it like a “trust nobody” scenario, but leaders really do need to be prepared for a threat to emerge from even the most trusted users.
Hold on! Before you descend into abject paranoia, let me assure you: with the proper security policies and controls in place, you can minimize the risk and not need to live in fear of your own people. For starters – and usually cost-free – you can implement the principle of least privilege on user access. This prevents users from accessing data and/or systems not explicitly needed for their job, which minimizes exposure. You can also leverage Data Loss Prevention software to control and monitor data if necessary – powerful solutions like Safetica provide a tremendously clear view of who is accessing what files, and how they’re allowed to access them. Generally expensive, but it may be worth it depending on what is at stake.
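To make the least-privilege idea concrete, here is a small added example (my own illustration, not code from the post or from any product it mentions). It models roles that carry only the permissions a job needs, denies everything else by default, and then audits for two things a leader reviewing metrics would want to see: users holding direct grants beyond their role, and access attempts that were denied. The roles, users, resources and the access-log events are constructed for the example, loosely following the catering-company scenario.

```python
"""Least-privilege access model with an over-provisioning audit.

Added example, not the post author's code. All roles, users and
events below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Each role lists ONLY the (resource, action) pairs that job actually needs.
# Anything not listed is denied; there is no "admin" catch-all.
ROLE_PERMISSIONS = {
    "caterer": {("menus", "read"), ("orders", "read"), ("orders", "write")},
    "bookkeeper": {("orders", "read"), ("invoices", "read"),
                   ("invoices", "write"), ("payroll", "read")},
    "hr": {("payroll", "read"), ("payroll", "write"),
           ("employee_pii", "read"), ("employee_pii", "write")},
}


@dataclass
class User:
    name: str
    role: str
    # Direct grants sit outside the role model (e.g. a legacy "just give
    # them access" request). These are exactly what an audit should surface.
    direct_grants: set = field(default_factory=set)


def allowed(user: User, resource: str, action: str) -> bool:
    """Deny by default: permit only what the role or an explicit grant covers."""
    needed = (resource, action)
    return (needed in ROLE_PERMISSIONS.get(user.role, set())
            or needed in user.direct_grants)


def over_provisioned(users) -> dict:
    """Return {user name: grants beyond the role} for users with extra access."""
    findings = {}
    for u in users:
        extra = u.direct_grants - ROLE_PERMISSIONS.get(u.role, set())
        if extra:
            findings[u.name] = extra
    return findings


def denied_events(users, events) -> list:
    """Replay (user, resource, action) events and return those that were denied.

    Unknown users are denied too, so a stale account shows up in the review."""
    by_name = {u.name: u for u in users}
    denied = []
    for name, resource, action in events:
        user = by_name.get(name)
        if user is None or not allowed(user, resource, action):
            denied.append((name, resource, action))
    return denied


# Constructed sample data: a bookkeeper who was once handed PII access
# directly, and a handful of access-log events to replay.
SAMPLE_USERS = [
    User("ana", "caterer"),
    User("bo", "bookkeeper", {("employee_pii", "read")}),
    User("cy", "hr"),
]
SAMPLE_EVENTS = [
    ("ana", "orders", "write"),       # in role: allowed
    ("ana", "employee_pii", "read"),  # outside role: denied, worth reviewing
    ("bo", "employee_pii", "read"),   # allowed only via the direct grant
    ("cy", "payroll", "write"),       # in role: allowed
    ("dan", "invoices", "read"),      # no such user: denied
]

if __name__ == "__main__":
    print("Over-provisioned:", over_provisioned(SAMPLE_USERS))
    print("Denied events:", denied_events(SAMPLE_USERS, SAMPLE_EVENTS))
```

The two audit functions are the part leadership should actually ask for: the over-provisioning report shows where access has drifted away from job need, and the denied-event list shows who is probing beyond their role, whether by mistake or otherwise.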
4. “We have no data of value to a hacker.”
“C’mon, Austin – we’re not sitting on the secret recipe to Coca-Cola or the location of Scrooge McDuck’s secret vault. We’re just (for example) a catering company. What sensitive data could we possibly need to protect?”
Hmmm. Do you have employee information on file? Addresses, contact information, social security numbers? The answer is almost assuredly “yes”. Therefore, you have sensitive information on file by default. You could stand to face serious legal repercussions if any of this data is compromised by way of lax data control.
And even if you don’t think your business data is necessarily valuable, a smart crook can find ways to leverage almost ANY data for their own purposes. Just because your data may not seem valuable from your own narrow, business-focused perspective, that doesn’t mean a hacker can’t find some other nefarious use for it for material gain. Maybe a hacker isn’t after you, but after your customers – or your business partners. Don’t be the business which becomes a pivot point for hackers to exploit others.
These are only 4 such myths – expect to see more in the coming weeks. Don’t fall prey to cybersecurity myths which put you at a false sense of ease – know the truth about the threats you face and make genuine preparations now!