How many times have we heard statements like these from our clients and prospects?
- My organization is too small to be a target for hackers
- I rely on my vendors to secure “their” devices
- I’m sure we are secure, we’ve never had a cyber issue
- What’s the use, no one is really secure
We have a responsibility to educate them, help them to identify their areas of risk, and provide recommendations to remediate them. Here are some suggested ways to respond to the statements above.
“Not a target” Have they seen the Identity Theft Resource Center (ITRC) breach list? Every month this list is updated with breaches that don’t make the news. You don’t have to dig too deep to find other organizations of their size, in their sector and often in the same state. The breach list also details how the breach occurred and how many records were affected (when known). This makes it easy to do some simple calculations on the approximate cost of a breach, which can be very eye-opening for small businesses.
“Vendors are responsible for security” Have they read their vendor agreements? They will quickly see that these agreements are full of disclaimers about responsibility for data. Clients need to validate that the solution has been implemented properly and need to know where the vendor’s responsibility ends and theirs begins (aka “the matrix of responsibility”) so they can properly secure the data they need to protect.
“We’ve never had a cyber issue” Is this true, or do they just not know what has happened/is happening within their network? We perform Compromise Assessments using log collection and data analysis over a period of 3-4 weeks. We haven’t done one yet where we didn’t find evidence of malware, unauthorized applications, and/or unauthorized access. You don’t know what you don’t know, but don’t assume no news is good news. The news stories about breaches that went undetected for years prove that most go undetected.
“What’s the use, no one is secure” If you collect data, you have a responsibility to protect it. While it is true that 100% security is not achievable, most breaches are caused by known vulnerabilities, simple errors, and poor cyber housekeeping, and they ARE preventable. The costs of a breach far outweigh the cost of taking some simple proactive steps to minimize your risk. You will want to be able to show the steps you took to meet your responsibility if the worst does happen and you find yourself facing regulatory fines or litigation, or needing to make a claim with your commercial insurer.