THE SECURITY CHALLENGE
What are the biggest misconceptions small and medium business CEOs have about cybersecurity?
One of them is the idea that hackers only go after large companies. In actuality, hackers know that large companies spend millions on defending themselves while smaller companies can’t afford as much protection. This means there is a tremendous amount of opportunistic hacking or “door knob rattling” going on – where hackers attempt to break in quickly using basic techniques. When that fails, this type of hacker moves along to the next company. This is one of the reasons that it pays to be just a little more secure than your closest competitor.
Are you confident your cyber defense strategy fits the level of risk your company faces from cyber threats?
Cyber risk is like many other business risks: too costly to eliminate entirely, but controllable.
By assessing your assets and the current threat environment it’s easy to develop a plan.
It’s important to discover and prioritize security gaps while working to close them.
How do most hackers get in?
Employees have always been the weakest link in the security chain. What they need most is to hear from executive management that security matters. This perspective should be promoted, since an un-breached company is a company that lives to see another day! Believe it or not, the attitude executive management demonstrates with regard to security policy is the single strongest influence on whether employees comply or not.
Hackers are interested in your company if:
You have more than $10,000 in a bank account
You supply a larger company they are trying to hack
You have data for which you are willing to pay ransom
Who’s responsible for a breach? 40% of respondents think it’s the CEO, 35% say the CISO or CIO (Tripwire, 2017). In fact, both the CEO and the CIO lose their jobs in most large public breaches.
Pushing data to the cloud does NOT mitigate your company’s responsibility legally if the data is breached.
“I’m compliant so I must be secure” – this is a common misconception, but it is not true. Compliance with PCI, HIPAA and many financial regulations is a legal requirement which governs a small subset of your business. The cybersecurity of your entire company is much bigger than that.
The current threat environment:
60% of small and medium businesses go out of business after a breach
The supply of new hackers is never-ending: off-the-shelf malware kits make it easy for anyone to get started
Freshly exposed malicious software (malware) can be easily “re-purposed” by hackers (malware is like an indestructible warhead), and new vulnerabilities which are exposed through the publishing of patches are quickly exploited by cybercriminals
There is a worldwide shortage of IT professionals with cybersecurity expertise, a shortfall of about a million people, a number which is estimated to increase to over 3 million by 2020
Where can you learn the basics?
A great way to get started is to reach out to us and join a “Cybersecurity for CEOs/Executives” awareness training. These are appropriate for boards as well and can run anywhere from 30 minutes to 3 hours.
For employees we recommend a class on Internet Security annually along with quarterly quizzes and updates to serve as reminders of the importance of security policy.