In his book, The Road Less Stupid, Keith Cunningham makes this correct observation about succeeding in business: “I don’t need to do more smart things. I just need to do fewer dumb things.”
When it comes to cyber security, I see a lot of dumb decisions made by smart people based on gross ignorance about what can happen, or the desire to stick their proverbial head in the sand to avoid having to spend the money and time to protect their assets.
One of the biggest mistakes is thinking you won’t get hacked because you’re too small, or because you “don’t have anything the hackers would want.”
Allow me to point out that you’re not too small to get hacked, but you ARE too small to make headline news.
Millions of small businesses get hacked every year – they simply don’t talk about it because of the potential liability, bad PR, and loss of customer and marketplace trust. They’re embarrassed. And we don’t hear about it because, like I said, they’re too small to make headline news.
In one way, though, you’re right – hackers, for the most part, don’t want your stuff, unless you happen to have medical records, credit cards, social security numbers, etc. They want those; those are very valuable digital assets that can be sold on the dark-web marketplace – and cyber criminals are in it for the money.
But more to the point, YOU want your stuff, so they’ll kidnap your information and hold it for a ransom to extort money from you. Kidnappers don’t steal a child because they want to start a family. They steal your children because YOU want your children, and they know you’ll pay anything to get them back, safe and sound.
So it goes with ransomware. When all of your work files and e-mails go away, very few businesses can pick up from ground zero and keep operating without any losses. Perhaps the solo operator working from home can, but certainly not a small business that has been operating for several years with multiple clients and employees producing work for those clients.
Another excuse I’ll hear for not implementing cyber protections is, “Since I’m going to get hacked anyway, why bother spending so much money on cyber security? I’ll just get an insurance policy, back up my data and take the hit.”
While that might sound logical, here’s why it’s a gloriously stupid plan…
Insurance companies are in business to make money, NOT pay out policy claims. A few years ago, cyber insurance carriers were keeping 70% of premiums as profit and only paying out 30% in claims. Fast-forward to today, and those figures are turned upside down, causing carriers to make drastic changes in how cyber liability insurance is acquired and coverages paid. In fact, the CEO of Zurich Insurance Group recently predicted that cyber-attacks are set to become uninsurable.
Today, getting a basic cyber liability policy requires you to attest, in your annual application form, that you have certain security measures in place, such as multifactor authentication, password management, endpoint protection, and tested and proven data backup solutions. These insurance carriers want to see phishing training and cyber security awareness training in place, and some will want to see a WISP (written information security program) and/or a business continuity plan from your organization. Depending on the carrier, your specific situation and the coverage you’re seeking, the list can be longer.
IMPORTANT SIDE NOTE: If you SAY you have these security measures in place on your application, and then you get attacked, you’ll have to PROVE that you actually had them in place. Unfortunately, I’ve heard from several people that their broker told them to “just answer yes” to all the questions on the application. Yes, that gets your policy written, but it doesn’t get you PAID if you’re attacked. If you answer “yes” to a question and it’s not true, you could invalidate your entire policy and certainly not get paid for your claim.
Also, hackers know all about backup plans, so they create ransomware attacks to not only take your data but also corrupt your backup, thus holding you well and truly hostage.
And not only will they keep you out of your network, unable to serve your clients, pay bills, track your orders, etc.; the additional threat is that if you don’t pay, they’ll release your files online for all to see, including payroll information, ALL e-mail communications, customer contracts, and more. Do you really want that in the hands of competitors and the general public? Insurance won’t cover that.
Bottom line: having cyber-protections in place cannot guarantee you will never get hacked, but it CAN dramatically reduce the damage done and absolutely will block the majority of attempts, preventing you from being low-hanging fruit.
Wearing a seat belt, having a safe car, and practicing good driving behaviors (like not texting and driving) won’t guarantee you’ll never be in a car wreck – but if you do those things, the risk of getting into a crash goes down dramatically AND your chances of coming out alive and unharmed will obviously increase.