In his book The Road Less Stupid, Keith Cunningham makes this correct observation about succeeding in business: “I don’t need to do more smart things. I just need to do fewer dumb things.”

When it comes to cyber security, I observe a lot of stupid choices being made by intelligent people due to either blatant ignorance of the potential consequences or a desire to bury their heads in the sand in order to avoid having to invest the time and money necessary to protect their assets.

Thinking you won't be hacked because you're too small or "don't have anything the hackers would want" is one of the greatest misconceptions you can hold. To be clear, you are not too small to be hacked; you are just not big enough to make headlines. Every year, millions of small businesses experience hacks, but for fear of being held accountable, receiving negative press, or losing customers and business, many choose not to discuss it. They feel humiliated.

Furthermore, you are correct: hackers generally aren't interested in your data unless you happen to have credit card information, social security numbers, or other sensitive information. These are extremely valuable digital assets that can be bought and sold on the dark web, and cybercriminals are only interested in making money. But more importantly, they will kidnap your information and hold it for ransom, demanding money from you because YOU want your stuff. Kidnappers don't steal children because they want to have a family. They kidnap your kids because they know you want them and are willing to do whatever it takes to get them back, unharmed.

The same is true of ransomware. Very few organizations can start from scratch and continue to run without any losses when all of their work files and emails are lost. Maybe the home-based sole proprietor can, but definitely not a small business that has been in operation for years, with numerous clients and staff members creating work for customers.

I often hear the following justifications for not deploying cyber protections: “Since I’m going to get hacked anyway, why bother spending so much money on cyber security? I’ll just get an insurance policy, back up my data and take the hit.”

While that might sound logical, here’s why it’s a gloriously stupid plan…

Insurance firms are in business to make money, NOT to settle claims under policies. A few years ago, cyber insurance providers only paid out 30% of claims while keeping 70% of premiums as profit. Today, those numbers no longer hold, forcing carriers to fundamentally alter how cyber liability insurance is purchased and paid for. In fact, the CEO of Zurich Insurance Group recently predicted that cyber-attacks are set to become uninsurable.

Today, you must demonstrate that your business has security measures in place, such as multifactor authentication, password management, endpoint protection, and tried-and-true data backup systems, in order to obtain even basic cyber liability coverage. These carriers want proof that you've completed phishing and cyber security awareness training, and some will demand to see your company's WISP, documented information security program, or business continuity plan. The list may be longer depending on the provider, your unique scenario, and the type of coverage you want.

Additionally, hackers are aware of your backup strategy and design ransomware attacks to steal your data as well as corrupt your backups. They also threaten to publish your data online for public viewing if you don't pay, including customer contracts, payroll information, and ALL email correspondence. Do you actually want that available to rival businesses and the broader public? That won't be covered by insurance.

The bottom line is that while having cyber-protections in place cannot ensure you won't be hacked, it CAN significantly reduce the harm caused and will absolutely block the majority of attempts, keeping you from becoming a target for hackers.

Wearing a seat belt, driving safely, and abstaining from distractions while behind the wheel do not ensure that you will never be in a car accident, but they will significantly reduce your risk of one and improve your odds of surviving a collision.
