… And why most businesses remain vulnerable
Cyber criminals are more advanced today than they have ever been, forcing businesses to confront their cyber security vulnerability. They use AI and machine learning, are very well funded, and use the highest-quality hardware and software. They also attract some of the smartest people in the world to do their dirty work. They are organized … and unfortunately, they are successful.
But even with all of this, the most common and most dangerous vulnerability does not stem from this high level of technology or the cleverness of the cyber criminal. The most dangerous aspect of cyber security is still the attitude of business leaders across the USA. I’d like to say that again …
The 1st Non-Tech Cyber Security Vulnerability – BAD ATTITUDE
(More specifically, the wrong attitude of business leaders)
In our activities each week, we have the opportunity to talk to a lot of business leaders, and it continues to surprise us how consistently we hear business leaders saying things like:
“My business is too small to be the target of a cyber attack.”
“We are a small business. Why would anyone want to hack us?”
“My company works to help our community. We don’t have any enemies. I can’t imagine why we would be the target of any cyber criminals.”
I hate to say it, but …
YOUR BUSINESS IS A TARGET IF IT HAS THESE 2 CHARACTERISTICS
- You connect to the Internet
- You have a bank account with some money in it
I’m sorry, but this means that every business is a target … EVERY business!
The first and most important step in securing a business from cyber crime is for the leadership to fully acknowledge that they are a target. Most cyber security experts have taken this one step further and take the stance that you are a target, and you WILL BE HACKED.
Embracing the idea that your business is a target allows you to build a cyber security strategy that will stand up in this crazy world that we live in.
Understanding the Enemy – Cyber Criminals
- Today’s cyber criminal is not a misguided teen sitting in their parents’ basement with a laptop and a pizza box. Cyber crime organizations across the globe are highly organized, well-funded, highly strategic, and very successful. Think of your cyber criminal like this:
- They drive to work in their black BMWs and Volkswagens with hot lattes in their cup holders. The hackers scan their badges to enter the parking garage in the office building they occupy. And they put their leather backpacks on the floor of their modern office space amongst other very successful and very bright teammates.
- At 9:15 AM, they gather in the conference room to talk about their monthly quotas and extortion budgets. The manager then leads the group as they talk about the clever methods that have been most successful in extorting money from small businesses across the globe.
- They conclude the meeting with a celebration of yesterday’s breach into a large corporation that will allow them to monitor all activity and transactions within that corporation for the next few months. They form a strategy group to build a plan to extort as much money from them as possible … and then they all go back to their desks, log in and start their “work.”
- Even scarier is to imagine the same sort of organization described above as an entire military unit of a nation-state army. These exist today: units of a nation-state army (North Korea) fully dedicated to generating money by hacking and extorting businesses across the globe – with an emphasis on American businesses. The success of this cyber military unit funds their other dubious military activities.
- These “businesses” are growing and are becoming more and more successful each year. They will continue to grow and thrive if we (business owners and the employees in these businesses) continue to get hacked and pay the ransoms that they demand.
This needs to STOP!
The 2nd Non-Tech Cyber Security Vulnerability – The (Gradual) Development and Deployment of the Security System
There is a very common process that is used once a business commits to building a cyber security program, and it goes something like this:
- The company has an IT firm do analysis and cyber security audits to determine the vulnerabilities and exposures within the business environment.
- An audit is conducted with some physical evaluation of the network and some form of penetration testing.
- Findings are compiled by the IT firm, and a detailed Findings and Recommendations report is developed and shared with the business leaders.
- A roadmap is developed to address the vulnerabilities on the list. The roadmap includes a timeline for completing the items on the list, with budget considerations, and usually calls for full completion within 12-18 months.
Is this good?
NO! NO! and NO! This is crazy, very, very crazy …
Consider this: A young couple is having their first baby. They decide that they want to bolster the security in their home in preparation for their first child. They talk to a security company that specializes in home security.
The company does a complete analysis of their home and comes back to the young couple with a detailed plan that shows the vulnerabilities and the need to secure the home. The couple looks at the list of vulnerabilities and decides to put a lock on the front door and the garage door but decides that they will wait on securing the back door, windows, and the other 5-6 possible entry points discovered.
Is that a good plan for the young couple? Would the new grandparents agree that this was a wise plan? No, I’m sorry, this is a bad plan, and everyone associated with this young couple would do everything in their power to convince them of this. They would encourage the young couple to secure all of the possible points of entry into their home!
You Can’t Leave the Back Door Open and HOPE that the Bad Guys Will Only Try the Front Door!
This same level of concern should apply to building the cyber security defenses for your business. It does not make any sense to identify 10-15 vulnerabilities within your network and then only fix 3-4 of them with plans of improving the others in 12-18 months … I’m sorry, but this does not make any sense.
The business needs to work with the IT company to figure out a way to fix all the vulnerabilities on Day 1 … not 18 months later.
(Shameless sales plug)
Imagine IT has figured this out. Click Here to learn more about Imagine IT’s Security Shield.
The 3rd Non-Tech Cyber Security Vulnerability – END USERS
Errors made by end users result in the most successful cyber security breaches. A business can have the finest firewalls, antivirus, and cyber security systems in place, but a poorly trained team will render any cyber security system defenseless.
End Users create a HUGE vulnerability because:
- We want to trust others.
  - When someone calls from Comcast, we all want to believe that they are from Comcast.
- Everyone wants to avoid conflict.
  - When a caller says they are from Microsoft, we want to believe them. Most people don’t want to question their authority or pick a fight with them.
- All of us are “click-happy.”
  - End users face tons of information every day, and with the constant flow of info in emails, text messages, and on websites, users get “click-happy” and too often click where they shouldn’t.
- All of us are busy.
  - End users are busy and are constantly facing deadlines or need to get their work completed quickly. This rush to get things done fast can result in poor decisions that can result in cyber breaches.
- Everyone thinks they are “smart” (and we get a little cocky because of it).
  - We all know that we need to be careful. We all know that we shouldn’t click on links in emails. We all know all of these things, but we also think we’re pretty smart and probably will not be tricked by the bad guys …
- We all do a lot of work and connect with business resources and clients on our phones.
  - Unfortunately, it is often more difficult to identify scams, wrong links, or harmful attachments when we are on our cell phones, creating problems in today’s connected world.
Let’s beat Cyber Crime. It is up to us … all of us!
Together we can stifle the successes of cyber criminals and reduce your cyber security vulnerability at the same time. If we all build systems and develop processes and practices that keep our systems and data secure, we will stop having to pay cyber criminals. We will stop supporting criminal enterprises. Of course, we’ll need to be diligent, and we’ll need to do it together! Let’s do this!