Almost every day, alongside the news about COVID-19 and the latest US election shenanigans, we hear about a cyber breach or incident, or about some poor soul being cheated out of their life's earnings and business. All of those scary cybersecurity stories bring out the myths and beliefs you, as a manager, hold about IT and security. In this article, we would like to address some common ones and try to dispel them for good.
1. IT security is easy, nothing to worry about
Unfortunately, this is not the case. Most companies lack the internal processes, expertise, and resources to handle even the most basic security incidents. To fix this, you will need anywhere between 5 and 30 systems working together, as well as a level of cooperation never seen before. With that being said…
2. IT security is too complex, let’s just pray nothing happens
There are a great many steps you can take to improve the security of your company with relative ease, even if you don't have an IT security specialist in place. Start by looking at your processes and data, and then book a few sessions with a security consultant.
3. Our people know plenty about IT security and we should be fine
As you know, assumption is the mother of… a lot of things. In today's cyber-society, risks and opportunities change rapidly, meaning that the team members who were "savvy" last year may no longer be. That is not a problem, though, as long as you keep your team trained on the most recent risks and practices.
4. I have an IT guy, who can deal with security
Good for you! We assume (?) that your IT manager is a great person with excellent skills. Except that the IT security field and its threats change daily. And your IT manager is most likely already overloaded with 50 other tasks and projects, with businesspeople demanding miracles from him. When he tries to catch up on security, he gets bombarded with acronyms and words that weren't there a couple of years ago: "John, you should definitely invest in CASB! Also, the XDR approach is far superior to your SIEM strategy, especially if complemented with a strong UEBA."
5. Because business comes first
True! But your business is also highly digital at this point, and a serious cybersecurity incident can do millions in damage before you even understand what happened. Imagine if your sales force lost access to all their email and files for a week. Or if manufacturing or other equipment stopped operating for several days or weeks.
6. At least we don’t have to worry about GDPR because we don’t have personal data
There is a type of company that isn't affected by GDPR. I used to run one when I was 12. It involved me gathering blueberries in the woods and then selling them at a local market for cash. No personal data whatsoever. But if I were to do the same thing today, I would immediately start gathering personal data about my customers (to sell them more berries of different kinds) and hire a few people to help with the gathering.
7. We are too small to be hit by cybercriminals
It is possible that the large hacking groups, which specialize in attacks against states and multinationals, are not interested in some random EU company. However, there are close to 100 known hacker groups in Eastern Europe alone, and many of the smaller ones prey on smaller targets. Why bother trying to harpoon a whale when you can safely attack smaller companies and extort 5-10k euros per attack?
8. We spent so much on security 5 years ago that it should last us 5 more
Unfortunately, cybersecurity investments tend to depreciate quickly, unless they were incredibly "smart". Also, if that investment helped protect your company, then it was probably well worth it. As a business leader, you should see cybersecurity as an important risk factor and ensure a long-term mitigation strategy.
9. Most of our computer users are working from home anyway, should be fine
Unfortunately, home networks (and computers) are, generally speaking, much less protected than office ones. Also, people tend to mix private and business affairs even more at home. Then there are the wonderful family members and kids who casually "borrow" computers from your employees. Working from home has created one of the biggest security threats we have seen.
10. Now is not the right time. Every penny we have goes to marketing
Here is a fun fact: cybersecurity is part insurance and part business enabler, and it makes much more sense to invest in both early rather than late. The insurance component is there to protect you, so investing only after an incident is usually done sporadically and without time to work out a strategy. The same applies to business enablement: we have seen plenty of large companies ask their suppliers some profoundly serious questions about cybersecurity (and data protection). If you fail to answer those, you might lose a sale. Do you want to let one incident or one large sale slip before starting to deal with the inevitable?
We hope that these myths and thoughts will give you and your colleagues a fresh perspective on cybersecurity. If you are still in doubt, contact us for a meeting and a preliminary assessment.