Why Bother Spending Money on Cyber Security?

Keith Cunningham says this about business success in his book The Road Less Stupid: "I don't need to do more smart things. I just need to do less stupid stuff."

When it comes to cyber security, I see a lot of smart people make stupid choices because they don't know what could happen or because they want to bury their heads in the sand so they don't have to spend the time and money to protect their assets.

One of the biggest mistakes is to think you won't get hacked because you're too small or "don't have anything the hackers would want." You are not too small to get hacked, but you are too small to make the front page of the newspaper. Millions of small businesses get hacked every year, but they don't talk about it because they don't want to get sued, get bad press, or lose the trust of their clients and the market. They feel bad about it.

Also, you're right. Most hackers don't want your stuff, unless you have medical records, credit card numbers, medicare numbers, etc. These are very valuable digital assets that can be sold on the dark-web marketplace, and cybercriminals are in it for the money. But more importantly, YOU want your stuff, so they'll kidnap your information and hold it for ransom to get money from you. Kidnappers don't take a child because they want to have a child of their own. They steal your kids because they know you want them and will do anything to get them back safe and sound.

This is how ransomware works. When all of your work files and emails disappear, there aren't many businesses that can start from scratch and keep going without any losses. Maybe a person who works alone from home, but not a small business that has been open for a few years and has several clients and employees who do work for clients.

Another reason I hear for not putting in place cyber security is, "I'm going to get hacked anyway, so why spend so much money on cyber security?" I'll just buy insurance, back up my files, and take the loss."

Even though that might seem like a good idea, here's why it's a great idea...

The goal of insurance companies is to make money, not to pay out claims. A few years ago, cyber insurance companies kept 70% of the premiums as profit and paid out only 30% of the claims. Now, those numbers are backwards, which is forcing insurance companies to make big changes in how cyber liability insurance is bought and how coverages are paid. In fact, the CEO of Zurich Insurance Group recently said that cyberattacks will soon be impossible to cover.

Even if you just want a basic cyber liability policy, you have to show that you have certain security measures in place, such as multifactor authentication, password management, endpoint protection, and tested and proven data backup solutions. Some of these carriers will want to see that your organisation has a written information security programme (WISP) or a business continuity plan (BCP). They will also want to see that you have phishing training and cyber security awareness training. The list can be longer depending on the insurance company, your situation, and the type of coverage you want.

Also, hackers know that you have a backup plan and use ransomware attacks to steal your data and mess up your backup. The other threat is that if you don't pay, they'll put your files online for everyone to see, including information about your payroll, ALL of your e-mails, client contracts, and more. Do you really want your competitors and the general public to have access to that? That is not covered by insurance.

Bottom line: Having cyber protections in place can't guarantee that you won't get hacked, but it can stop hackers from doing a lot of damage and will block most attempts, making you less of an easy target.

Wearing a seat belt, having a safe car, and practising good driving habits (like not texting and driving) won't guarantee you'll never be in a car accident, but if you do these things, your chances of getting into a crash go way down, and your chances of walking away from the crash alive and unharmed go way up.

Want a FREE, confidential assessment of your current cyber security status? Click Here to schedule a quick 10-minute call to start a discussion and see if you could benefit from a more robust cyber security plan.