Businesses must plan for and educate about cybersecurity. And it’s not just the “big players” with large-scale security budgets who should worry. Security is everyone’s responsibility and a lack of knowledge is no excuse. Recently, ethical hacking expert and security guru Dale Meredith shared his insights on the real cost of a security breach in a live webinar. Dale’s webinar is available on-demand now, and we asked Dale to share his responses to the 5 most common (and frustrating) misconceptions he hears from businesses when justifying their insufficient cybersecurity budgets. Check out his responses below:
We’re too small of a company to be a target
This mindset will get you into trouble, as attackers are pretty opportunistic when it comes to discovering targets. If they see a weak spot, regardless of the size of the company, their Pavlovian reaction is to exploit it. End of story.
Look at the Target breach of 2013. Attackers first gained access by phishing an employee at a third-party vendor that maintained Target’s HVAC systems. That phished email then installed a password-stealing bot that exposed their logon credentials onto the Target network. Target’s primary mistake was not properly segmenting their networks to protect themselves, but the point here is that the attackers may or may not have known that Fazio Mechanical Services would lead to accessing Target itself. So even if you might be “too small,” what about your partners or customers?
We have a firewall to protect us
While firewalls are necessary, they don’t protect us from ourselves. Did a firewall stop WannaCry? Breaches today are primarily caused by actions like someone clicking on a malicious link in an email, someone plugging in an infected USB drive, or even software vulnerabilities in operating systems. What’s more, firewalls are only as good as their last update, and it’s amazing how many companies think, “it’s working now, why do I need to upgrade it or pay for a service contract?”
We trust our employees
I trust my employees, too. But I also know people make mistakes. Plus there are those rare instances of “weekend-hackers” who want to see how things work, or cases when employees somehow feel “too restricted” by their current level of access. Watch out for disgruntled employees who may want to serve a cold plate of revenge as they leave the company or even take company resources to a future job.
Upgrading will cost us too much
While cybersecurity can be expensive, you can’t put a dollar figure on your company’s reputation. Most companies don’t recover financially from a data breach. What’s funny is even when it’s free, companies often still don’t upgrade. WannaCry had been patched free of charge by Microsoft, yet thousands hadn’t applied the three-month-old patch when WannaCry hit the wild.
Other costs include the loss of business, the exposure of company assets and the possibility of lawsuits that could hit you down the road. So, how much was the security device again?
That NEVER ends well. When someone makes that statement, it often elevates them to the top of the “Let’s Pwn Them” list for attackers. Keep in mind all the tools that security professionals use are also available to attackers. The invincible mindset is typically disproven given time. And “time” is truly the one resource that attackers have more of than cyber security professionals.
Were some of the excuses above uncomfortably familiar? It’s important to ask yourself if the true cost of a security breach is greater than the cost of being extra-prepared and diligent. Get more expert tips and strategies from Dale Meredith in his full on-demand presentation, “Where to spend your security dollars.”