National Cybersecurity Awareness Month is drawing to a close, and it's been a great month for conversations with local businesses in the metro Boston area. Threats against big businesses make the headlines, but too many smaller businesses think they're "under the radar". Not true!
Here are some of the common misconceptions:
- I thought we already had security
  - The threat level has increased significantly over the past few years, and the foundational security (antivirus protection, security patches, etc.) which we have always recommended just isn’t enough anymore.
- It’s too expensive
  - Businesses need to assess their risk level and balance it against cost. It is very important to fully understand the cost of downtime. What would happen if you didn’t have any of your data for weeks or if you could never restore it? Think through all the costs of NOT taking action. Every business will have a different acceptable risk level, and the time to think this through is BEFORE an event.
- I’ll just pay the ransom
  - This should be a last resort. There is no way to know for sure that you’ll get your data back, AND there’s no way to know for sure that your systems are free of threats after the fact. You are paying CRIMINALS.
- I’m not a target. I’m just a small business
  - Threat actors don’t care about your data. What matters is how important your data is to YOU. Targeted threats are actually very rare, and most people are hit with automated threats of opportunity.
- My data isn’t that valuable
  - Credit card numbers and social security numbers aren’t worth that much to thieves. But how important is access to your data FOR YOU? Can you run your business without your data and your computers? What would your employees do?
- I have insurance so I’m all set
  - Check your policy carefully. You may not be fully covered, there may be exclusions, and there may be delays in payment. Far better to avoid the downtime in the first place! Can your reputation be fully restored? Will your clients trust you again?
- A cyber incident wouldn’t really affect my business
  - If you don’t have access to your computers or data for weeks or forever, how will you operate? Work through these scenarios BEFORE you have a threat!
There's no such thing as 100% security. It's a moving target, and the best you can do is reduce your risk. Layers of security, or "security in depth", is the best approach. Even with more technology protecting you, human behavior is key. ONE person clicking on the wrong link can take down your network, and we strongly advise conducting ongoing Security Awareness Training - not just during Cybersecurity Month!