Stop Being Cyber Stupid
Too many businesses fail to properly test and improve their cybersecurity on a regular basis. “Cyber stupidity” comes with serious risks—find out more by watching our latest webinar on-demand.
Are you being cyber stupid?
A worrying number of owners and managers are making dangerous assumptions about their cybersecurity (or refusing to think about it whatsoever). Over 80% of small businesses have never undergone an independent cybersecurity audit.
“They’re not following any kind of data hygiene,” says Mike Shelah, Director of Marketing & Business Development, Advantage Industries.
In honor of Cybersecurity Awareness Month, Mike got together with cybersecurity insurance expert Joe Brunsman, and Nick Espinosa, the CEO & President of Security Fanatics, to discuss the business world’s continuing apathy towards cybersecurity.
Check out the full recording to learn more:
Data Security Is Not The Same Thing As Cybersecurity
You can’t expect a firewall and antivirus to keep you comprehensively secure. Cybersecurity is a holistic consideration that includes much more than data security. After all, the industry-standard NIST framework includes 110 control requirements, only one of which concerns data security.
“You know if your firewall is good or bad, but holistically, you don’t understand the risk to your organization,” says Nick.
Double-checking your protection is only part of an effective cybersecurity posture. You also need to holistically evaluate your IT environment to find potential vulnerabilities, and understand the risks you face.
You can’t limit your scope to the security of your data — your infrastructure, devices (mobile and otherwise), and your staff have to be secure as well. Only with a comprehensive system of technologies and best practices can you achieve a truly confident cybersecurity defense.
Cybersecurity Management Is Daunting
“It’s such a big topic,” says Joe. “Business owners don’t even want to start going down that path because it’s a big unknown.”
Joe estimates that he dealt with an average of two cybersecurity incidents a week with his clients over the past year. Despite the high rate of cybercrime activity, however, business owners continue to ignore their cybersecurity because of its complexity.
With the right approach, however, it can be managed. Experts like Mike and Nick specialize in assisting businesses with their cybersecurity management processes, helping to minimize the time business owners have to personally invest in the work. The point is that you have to start somewhere—the sooner you do, the better.
“It’s like that old adage, ‘how do you eat an elephant?’” says Joe. “One bite at a time.”
The right way to start is with a plan. Nick recommends that his clients limit cybersecurity projects to two years, at most, given the rate at which these types of technologies can change.
“You don’t go from zero to Fort Knox in a day,” says Nick. “It’s a continuous cycle and a continuous process.”
Cybersecurity Isn’t As Expensive as Downtime
Another reason many business owners ignore cybersecurity is because of the cost of management. Buying the right technologies and hiring the necessary expertise is certainly an expensive prospect—but it’s simply not as expensive as the alternative.
Cybercrime will usually result in some degree of downtime. On average, ransomware attacks cause up to 21 days of downtime. Think about how much business you do on an hourly or daily basis, how much you pay in wages and salaries and more. All those expenses continue while your business is stuck at a standstill.
That’s not to mention the cost of recovery or the loss of business after clients find out about the breach. The bottom line is that cybersecurity is a necessary and wise investment.
“When you start running the numbers, investing in cybersecurity makes way more sense,” says Joe.
Don’t Make The Mistake Of Over Relying On Cybersecurity Insurance
A common misconception is that a cybersecurity insurance policy is a catch-all safety net, but that’s simply not the reality. Without a comprehensive cybersecurity strategy in place, a business may not qualify for a policy in the first place. Furthermore, in the event of a hack, a subsequent claim will likely be denied if their cybersecurity standards have lapsed, or if they can be found to be responsible for the incident (whether due to negligence or otherwise).
“The market is shifting, and these guys are losing phenomenal amounts of money providing cyber insurance,” says Joe.
The core issue is that as cybercrime becomes more common and more damaging, insurers are becoming more aggressive in finding ways to deny coverage. It’s in the interest of their business to pay out as little as rarely as possible, which means the policies will tend to rely on a series of complicated clauses and requirements that covered parties have to comply with.
As discovered by Mactavish, the cybersecurity insurance market is plagued with issues concerning actual coverage for cybercrime events.
- Coverage is limited to attacks and fails to address human error
- Claims are limited to losses that result directly from network interruption, and not the entire period of business disruption
- Claims related to third-party contractors and outsourced service providers are almost always denied
All this goes to show why business owners need to look carefully at the fine print of their cybersecurity insurance policy and ensure their cybersecurity standards are up to par. No one should assume they’re covered in the event of a cybercrime attack — after all, for every $1 million paid in premiums, insurance companies only pay out $320,000 in claims.
As Joe notes, the cyber insurance market has been in flux because it can’t operate like any other. It’s extremely difficult for brokers to quantify risk, which is why policies continue to change, become more restrictive, and payout less often. Furthermore, Joe states that insurance premiums are likely to double or triple within the next few years, which is why owners need to start budgeting appropriately now.
“It’s only going to become more expensive and more strict,” says Joe.
You Don’t Have To Be A Cybersecurity Expert
Business owners can be intimidated by cybersecurity’s complexity because they assume it’s something they’ll have to understand personally. But that’s not really how it works—outsourcing skilled work to experts is a common business practice, and it applies to cybersecurity management as well.
“I recognize that I will never do an oil change in my car because I want my car to work and not blow up,” says Nick. “By virtue of that, I have a trusted person that will do the oil change.”
While all users need to understand basic cybersecurity best practices to defend against social engineering and similar tactics, CEOs, managers and other members of an organization’s leadership should not be expected to become experts. It’s simply a matter of finding the right partner to manage the bulk of their digital defenses.
Furthermore, it’s important to understand that not all IT companies can effectively consult on cybersecurity. As a vast and fluid topic, it requires expertise that not all third parties can offer.
“You have this segment of business owners that have hired MSPs, but are they really taking a hard look at this?” says Mike.
Generic IT companies will know enough to install a firewall and antivirus solution, but their cybersecurity support can often end there. Unfortunately, that’s simply not enough—modern cybersecurity requires more advanced capabilities.
The fact is that technology companies in particular need to be prepared to assess and update their cybersecurity standards on a regular basis. Any network will have its blind spots, which is why a second opinion can be so valuable.
“Welcome that external criticism, because it just makes you better,” says Joe.
Cybersecurity Is Constantly Evolving—You Need To Keep Up
Another key characteristic of “cyber stupidity” is reliance on an outdated cybersecurity posture. It can be easy to assume that a single assessment and remediation process will keep you secure. Unfortunately, it’s only a matter of time until current cybersecurity measures become outdated.
“The problem is that if you’re not looking at the latest technology out there in terms of defense, that complacency means you’re behind,” says Nick. “One of the problems that we have is the adoption of new standards and tactics.”
It’s Time To Become “Cyber Smart”
The ongoing conversation about cybersecurity can look like fear-mongering, but, in truth, it’s likely not as dire as it should be. A vast majority of cybersecurity incidents go unreported, which makes it difficult to quantify how serious the dilemma really is.
That’s why you need to smarten up and start developing your cybersecurity plan—and you don’t have to do it on your own. Our team has the expertise and experience you need to totally offload your cybersecurity concerns.
“Place this burden on us—that’s why we are here,” says Mike. “Let us help you be safe.”
Get in touch with the Advantage Industries team to discover more about developing an effective cybersecurity posture.
Advantage Industries is a Managed Security Service Provider (MSSP) providing practical networking and software solutions, as well as web site and application creation services. For nearly two decades, Advantage has worked collaboratively with hundreds of clients in understanding complex business processes, identifying needs, and providing recommendations tied with sound technology solutions custom-tailored to their business.