It’s not just the “big players” with large-scale security budgets who should be investing in new skills on their teams. Security should be a top business priority in every industry and a lack of funding is no excuse. In fact, cutting funds from security can lead to a much more expensive security breach later on. Here are the 5 most common (and frustrating) excuses Pluralsight author Dale Meredith hears from businesses when justifying their insufficient cyber security budgets.
1. We’re too small of a company to be a target
This mindset will get you into trouble, as attackers are pretty opportunistic when it comes to discovering targets. If they see a weak spot, regardless of the size of the company, their Pavlovian reaction is to exploit it. End of story.
In a recent breach of a major retailer, attackers first gained access by phishing an employee at a third-party vendor that maintained the company's HVAC systems. That phishing email then installed a password-stealing bot that exposed their logon credentials onto the company network. The organization's primary mistake was not properly segmenting their networks to protect themselves, but the point here is that the attackers may or may not have known that the vendor would lead to accessing the target itself. So, even if you might be “too small,” what about your partners or customers?
2. We have a firewall to protect us
While firewalls are necessary, they don’t protect us from ourselves. Did a firewall stop WannaCry? Breaches today are primarily caused by actions like someone clicking on a malicious link in an email, someone plugging in an infected USB drive or even software vulnerabilities in operating systems. What’s more, firewalls are only as good as their last update, and it’s amazing how many companies think, 'it’s working now, why do I need to upgrade it or pay for a service contract?'
3. We trust our employees
I trust my employees, too. But I also know people make mistakes. Plus there are those rare instances of “weekend-hackers” who want to see how things work, or cases when employees somehow feel “too restricted” by their current level of access. Watch out for disgruntled employees who may want to serve a cold plate of revenge as they leave the company or even take company resources to a future job.
4. Upgrading will cost us too much
While cyber security can be expensive, you can’t put a dollar figure on your company’s reputation. Most companies don't recover financially from a data breach. Even when it’s free, companies often still don’t upgrade. WannaCry had been patched free of charge by Microsoft, yet thousands hadn’t applied the three-month-old patch when WannaCry hit the wild.
Other costs include the loss of business, the exposure of company assets and the possibility of lawsuits that could hit you down the road. So, how much was the security device again?
5. We’re unhackable
That NEVER ends well. When someone makes that statement, it often elevates them to the top of the “Let’s Pwn Them” list for attackers. Keep in mind all the tools that security professionals use are also available to attackers. The invincible mindset is typically disproven given time. And time is truly the one resource that attackers have more of than cyber security professionals.
Were some of the excuses above uncomfortably familiar? It’s important to ask yourself if the true cost of a security breach is greater than the cost of being extra prepared and diligent. Get more expert tips and strategies from Dale Meredith in his on-demand webinar “Where to spend your security dollars.”