Small and midsize businesses (SMBs) are the backbone of our economy. They account for the majority of U.S. employment, provide most of the goods and services we use, and are absolutely essential for our way of life to exist. We all recognize many of the names of the largest companies, but it is important to realize that they are supported by a supply chain of SMBs.
Unfortunately, an incredible misunderstanding exists among SMBs when it comes to their cybersecurity. Even in 2018, many SMB executives still believe their companies are not exposed to the same cyber threats that large companies recognize.
As a country, we need to have a fundamental shift in our thinking around business risks related to technology. We must embrace technology, as it is an absolute requirement that we leverage it as much as possible. However, SMB leadership must accept the fact that cybersecurity is as much of a requirement as having insurance policies and basic accounting procedures.
These are the four most common cybersecurity myths among SMBs:
MYTH: We don't hold anything a cyber criminal would want.
REALITY: Let's face it, just about all of the personally identifiable information (PII) for U.S. adult citizens is already exposed on the dark web. It is a commodity at this point, as is credit card data. While we still have a duty to protect PII and credit cards, cybercriminals are after something simple - profit! They're not too concerned with where the money comes from; they just need to make sure it keeps coming. This is why we see many other malicious money-making activities conducted by cybercriminals.
Ransomware and cryptocurrency mining are two examples of income producing activities proven to be effective for criminals. Ransomware is simply the act of locking a person or organization out of their data or systems and demanding a fee to release it. Illegal cryptocurrency mining leverages malware placed on a user's computer without their knowledge, in order to gain additional computing power to balance cryptocurrency ledgers.
MYTH: We're too small to be a target for cyber criminals.
REALITY: Automated tools make finding vulnerabilities much easier for cybercriminals, and these tools continue to advance in their sophistication. A cybercriminal does not need to target an organization to identify a weak security posture. Their software does the work for them quickly and efficiently. When a vulnerability is identified, they can get to work on exploiting the weakness. They don't necessarily care whose system they're exploiting, so long as there is an opportunity to make a profit.
MYTH: Outsourced and cloud services make security someone else's problem.
REALITY: Outsourced and cloud services do not eliminate the risk of cyber attack. While cloud platforms are essential for most businesses and make absolute sense to leverage in many cases, they have their own security risks. Users must also consider the risk to their data in transit between their host machines and the cloud server. When conducting penetration tests, we often see cloud services hosting applications and data for multiple companies on the same server. This opens the risk that your data is compromised through vulnerabilities in another company's use of the platform. Again, cloud-based technologies are essential and can be highly beneficial for most organizations. However, they do not make an organization exempt from proper cybersecurity practices. At the end of the day, when a company's data is compromised, their partners and customers don't blame the cloud service provider. The blame is placed on the company they trusted with their business, resulting in lost brand credibility.
MYTH: The IT Team is responsible for cybersecurity.
REALITY: When you get in your car, you know it is your responsibility to put your seatbelt on. It is not considered the responsibility of the auto manufacturer or road construction company. The same is true with technology. We all use technology daily, and protecting ourselves ultimately starts with each one of us.
From an organizational governance perspective, the idea of cybersecurity being the sole responsibility of the IT Team is a dated concept. Proactive organizations recognize the need for cybersecurity and IT professionals to work together seamlessly while holding very different responsibilities. IT pros focus on maximizing the capabilities and availability of a company's systems, while cybersecurity professionals ensure implementations are not adding unnecessary risk exposure. Keeping the two separate allows for proper internal checks and balances, and allows new technology to be implemented quickly with reduced risk.
With these myths dispelled and the realities fully understood by executive leaders, SMBs will make better decisions to reduce their risk exposure to the continuous threat of cyber attack. We want great organizations to be able to continue focusing on the massive contributions they bring to our society and way of life.
We put together a cybersecurity buyer's guide to help. Check it out!