Top 5 Small Business Excuses for not Implementing a Cybersecurity Plan

A hacker up to no good

Cyber Security is currently the biggest elephant in the room.  It’s the one everyone knows about, even talks about, but generally believe won’t sit on them.  In my experience companies believe that they are immune to most of the serious breaches because, “We’re too small of a company to be a target.”, “We have a firewall to protect us.”, “We trust our employees.”, “Upgrading will cost too much.”, or my favorite “We are unhackable”. 

Let me spend a minute with each one of these excuses.

1. “We’re too small to be a target”

“We’re too small” is a very common refrain from companies from 3 to 100 employees.  The causes of a data breach are misunderstood by most people.  Very few companies are directly targeted, more often than not, companies are breached by the “shotgun” approach.  An attacker will send out hundreds of thousands of attacks (sometimes in the form of an email, but can be in another form) and see which one gets a bite.  Then there are the side doors in.  Many of the breaches into larger companies come through smaller companies.  So, while your business may be too small to matter, that breach might give a bad actor access to your larger client.  Vendors that maintain the HVAC, Credit card pads, POS systems, VOIP, or other tools connected to a network are often targets, not because of themselves, but because of who they work for.  In our interconnected world, there is no one too small to be attacked.  It’s always a question of when, not, if.

2. “We have a firewall”

“We have a firewall.”  Great for you.  Even if you keep that firewall up to date with patches, fully monitored, and regularly checked,  a firewall is only one part of the solution.  A firewall can’t stop a phishing email from getting opened, your employee from going to an infected site, or an infected USB drive from being plugged in.  Oh, and did you happen to remember to change the default password on your ISP modem?  How about that ftp port that was opened for the file transfer 2 years ago, did someone close that?  Did someone bring in their personal laptop with who knows what on it, and now they can access your whole network?  Security is about layering the right level of protections; one really good firewall isn’t going to stop many of the more dangerous risks out there.  

3. “We trust our employees”

“We trust our employees.”  I trust mine too. Generally,  I even trust yours.  There might be a few disgruntled employees that want to do damage as they leave, but most people don’t want to hurt others.  People make mistakes though, people get tired, don’t want to always follow the more tedious rules. Some people think they can help by making what they believe to be a minor change to how you store files, or the design department found this one program to help them collaborate that you don’t know about, and it isn’t secure.  People are, at the end of the day, people and that means they are messy and imperfect.  While a security plan can’t stop everything, it should mitigate most risks.

4. “Cost is too high”

“Cost is too high.”  If the cost of cybersecurity is too high, the cost of a breach is way out of your budget. Good security doesn’t mean you have to purchase the latest and greatest everything all at once, nor does it mean hiring a security team full time to monitor everything.  A security plan is strategic not tactical; it focuses on the long view and helps you target risks that are most likely and most damaging.   A good advisor will help you work within your budget.  Of course, it can’t be done on nothing, be prepared to spend money.  Depending on your needs that amount will change.  If you have regulations to follow, enacting a cybersecurity strategy could be the difference between keeping a contract or not, or even staying in business.  Often though, little things over time  can make a big difference.1

5. “We’re unhackable”

“We’re unhackable.”  To be honest I don’t even know what that means. To me that’s like walking around with loose $100 bills sticking out of your pockets and saying you can’t be robed.  It is hubris pure and simple.  No one is unhackable.  In the last 12 months, two of the most secure systems in operation were breached.  Solar Winds and Kaseya managed security for other companies.  Their systems failed, and they were not thinking “we’re unhackable”.  Nothing is perfect and everyone is vulnerable.  

When it comes to cyber security for your Utah business, ignoring it won’t work and even the best protections aren’t a guarantee.  Find an IT company in Utah you trust to go through your risks with you and develop a plan to be as safe as possible.  Review it every 3 or 6 months and don’t ever be complacent.