Top 5 Excuses for Not Having a Cyber Security Program

Ransomware Attack Disrupts Baltimore City Services, Is Your Business Next?

The May 7, 2019 Baltimore ransomware attack, which disrupted city operations, did not impact critical services like 911 and 311 this time. Those critical systems were impacted in an attack last year that shut down the city’s phone system for an entire weekend.

In another article, the Baltimore Council President claims to have been urging the city to increase funding for the city’s cybersecurity program. This latest hit should open their eyes to the risk facing any government or business entity.

I often hear the excuse, ‘We don’t need a cybersecurity plan. We don’t have anything valuable enough to steal.’ Well, if this incident doesn’t make you a believer, nothing will.

You see, your company, or even you personally, can be targeted. Ransomware can be aimed at you or your company just as easily as at the city of Baltimore. Fortunately, the city likely has more resources available to it than you do. Unfortunately, if you are the target of an attack, you probably have few options or resources readily available.

Knowing why cybersecurity is important is key to making good decisions about implementing a cybersecurity program. We have all heard that ignorance is no excuse, but what are the most common excuses given?

Here are the top 5 excuses, from a report by Pluralsight:

    1. We are too small a company to be a target.
    2. We have a firewall to protect us.
    3. We trust our employees.
    4. Upgrading will cost too much.
    5. We are unhackable.

So, what do you think? Do you believe these excuses hold water? Are you using one of these or one of your own?

I am going to tackle these excuses, so read along to see if they are valid reasons not to at least start a cybersecurity program.

1. We are too small a company to be a target (we don’t have anything a criminal would want).
Really? Think about this. There are millions of nefarious individuals out there who might think otherwise. While a ‘big time’ APT actor may not see you as a target, many others do. As the Baltimore article mentioned above shows, it is fairly simple to infect your systems with ransomware. These bad actors probably do not need millions of dollars; they would rather go for the low-hanging fruit. They may demand a ransom of just 10 or 20 thousand dollars to give your systems back to you. You may even have the money to pay them, but do you really think your systems will be clean after you pay? Think again. You have just become their goose that lays golden eggs.

2. We have a firewall to protect us.
While you may have a firewall and anti-virus/anti-malware software, they do not provide bulletproof protection. Numerous strategies, such as firewalking or hiding malware inside encrypted software packages, can readily defeat a firewall or anti-malware program. When that happens, well, read the last answer.

3. We trust our employees.
This one never fails to surprise me. I get that you trust your employees not to purposely cause damage. As an employer, you have to have some trust in your employees. But if this is you, you may want to reconsider after reading this. Ask yourself this question: if your employees found a problem that would get them fired, would they report it? A cybersecurity person or team owns that responsibility. It is their job to mitigate risk, and their reputation is on the line.

Then there is the dissatisfied employee who is a weekend hacker and thinks he should have more network rights. Or perhaps an employee leaves and their login is still active. Whoops! They just decided they wanted to take some information with them to their next job…

4. Upgrading will cost too much.
Well, it is true that taking your cybersecurity to the next level will come with a cost. However, not taking action can cost a lot more.

Think about these numbers from the Ponemon Institute:
“a survey examining the state of cybersecurity for small and medium-sized businesses found that these companies are woefully unprepared for threats from the web, with only 14 percent reporting an effective rate of preventing or dealing with cyberthreats. About 55 percent of the companies in the study experienced a cyberattack within the last 12 months and another 50 percent suffered a data breach involving customer or employee information being leaked. These companies spent an average of $879,582 to repair damage to their IT assets and an additional average of $955,429 due to a disruption of normal operations.”

So how much do you think a cybersecurity program would cost to implement? There are many options available that cost considerably less than the amounts above.

5. We are unhackable.
In what world does a statement like this EVER work out well? The belief in invincibility is always proven wrong all too soon. Can you say Titanic?

Well, the same applies to your cybersecurity program. You may have all the firewalls, IPS and other monitoring systems available to mankind, but they are useless unless monitored and updated continuously. That goes for vulnerability scanning as well.

Not sure if you have heard of the WannaCry ransomware attack or not, but it was HUGE. As a matter of fact, it was a worldwide attack affecting systems across the globe. Firewalls didn’t stand a chance. Today most attacks occur when a trusted employee inserts removable media (USB), installs infected software carrying a dangerous payload, or simply clicks a link.

These are the top 5 excuses given for why a business does not have a cybersecurity program. I am reasonably confident I have handled all of them well enough to give anyone who has used (or is using) them reason to rethink their cybersecurity posture.

Beyond what I mentioned above, when you start or expand your cybersecurity program for your business, you also have an opportunity to help keep your most important assets safe as well: your employees. If you want to get started but just don’t know where to begin, check out this article. It’s about phishing.