“I’m not a target” and other lies we choose to believe about cybersecurity
“I’ve never had any problems, I really don’t think the bad guys are wasting their time coming after me,” I was recently told by the founder of a small, but growing business. But the reality is more complex, more nuanced and in stark contrast to this thinking. Much like “Hal the Deer” in the famous Far Side cartoon by Gary Larson, we all have a target on our chests. The sooner we recognize that fact and start doing something about it, the better off we, our customers, our partners and our employees can all be.
No one wakes up in the morning and says “I’m going to be more secure today!” That’s just not how we work. The improvements we make in our “cybersecurity posture” tend to be made incrementally, sometimes driven by insight and sometimes driven by experiencing an “Oh No!” moment.
But it always makes good sense to take a step back and examine ourselves, our assumptions, our company, our situation. Are there false assumptions we carry with us that can lead to security blind spots? Let’s look at some of the most common lies we tell ourselves.
I’m a small(ish) company – I’m not a target
Assumption: Banks and big retailers are where the bad guys focus. Those are the breaches you see in the papers. I’m so small, I’m not worth their time. I’m safe.
Reality: Depending upon whom you ask, between 43% (SCORE.org) and 58% (AlertLogic) of all cybercrime is aimed at small businesses. There are a number of reasons this is so. First, small businesses are often a softer target than larger organizations that can devote more resources (both people and budget) to protecting digital assets and network access. Why bang against a steel wall when you can step through an unlocked door? Much better to select the weaker, or less defended, target.
Second, the weaponization of cybercrime systems allows criminals to launch attacks cheaply and easily against a myriad of targets in an instant. This “spray and pray” method does not care what size you are. Third, the poor security habits of small businesses can often provide the route into the systems of financial institutions. Because you do business with those large organizations, either as a customer or a partner, hijacking your access may be just the ticket they need.
My stuff is “in the cloud” – I’m not a target
Assumption: I’m paying for my files and applications to be hosted by someone else. That makes security their responsibility.
Reality: Being “in the cloud” can mean a variety of things. At its core, the cloud is nothing more than someone else’s computer. You may, or may not, still be on the hook for how security runs on that computer outside of your own facility.
If you are using a hosting provider such as Amazon AWS, Microsoft Azure or Google Cloud, these providers offer a variety of security tools, but you are responsible for deploying and configuring them. If you utilize a desktop-as-a-service provider, like iNSYNQ, you do have more security systems (automatic system patches, anti-malware, daily backups, etc.) working for you. But not all providers offer the same level of service. Make sure you ask what security features come with your subscription.
On top of that, you need to remember that even in the most secure cloud, individual user behaviors (opening phishing emails, clicking on malicious .exe files, etc.) can still create a cybersecurity event.
I don’t store credit card information – I’m not a target
Assumption: I make sure that my website never takes customers’ credit card numbers. I’m not subject to PCI regulations. I don’t have anything worth breaking in for.
Reality: Identity theft can be executed without knowing a credit card number, and you may be shocked to learn what actually qualifies as personally identifiable information, or PII. Your files can be mined for a great deal of data about your customers that you may think is only important to the operation of your business, but that criminals can also use to perpetrate fraud. Additionally, the information you are required to maintain for your employees is likely even more sensitive. If you have not already, this would be a great time to map out 1) what information you have for customers and employees, 2) where it exists, and 3) how it is protected (e.g. is it encrypted?).
If you were to experience a data breach, and it turned out you had the information of one or more persons who reside in the EU, you may also be subject to GDPR regulations. It is very easy for your liability to expand significantly and without your knowledge.
My personal accounts have nothing to do with my business accounts
Assumption: The activity of my personal accounts, like my social media and others, is completely unrelated to the accounts I use to run my business. They don’t have anything to do with each other.
Reality: Often, the very first thing that criminals do with stolen credentials after a breach is attempt to log in to a wide variety of unrelated systems with the exact same username and password. Sadly, this is often highly successful, as far too many people reuse the same combination across multiple accounts. They opt for misguided convenience at the cost of security.
As a simple test, and perhaps with the promise that no one will get in trouble for telling the truth, ask for a show of hands across the office of those that have used the same username and password across two or more different accounts. If you see hands, or even some uncomfortable laughter, it’s time to consider a password and application access management platform, such as our CloudRunner.
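As an added defender-side example (not part of the original post), the following Python script flags the pattern described above in a constructed authentication log: one source address cycling through many different usernames with few successes, which is what replayed stolen credentials look like to the system being logged into. The log lines, the field layout and the thresholds are all assumptions.

```python
"""Flag credential-stuffing activity in authentication logs."""
from collections import defaultdict

# Constructed sample log (not from a real system): timestamp, source IP,
# username, result. One source cycling through many different accounts
# with mostly failures is the signature of replayed stolen credentials;
# one source hammering a single account is ordinary brute force instead.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:02 203.0.113.7 bob FAIL
2024-03-01T09:00:02 203.0.113.7 carol FAIL
2024-03-01T09:00:03 203.0.113.7 dave SUCCESS
2024-03-01T09:00:04 203.0.113.7 erin FAIL
2024-03-01T09:00:05 203.0.113.7 frank FAIL
2024-03-01T09:05:00 198.51.100.2 alice FAIL
2024-03-01T09:05:10 198.51.100.2 alice FAIL
2024-03-01T09:05:20 198.51.100.2 alice SUCCESS
"""

def parse_log(text):
    """Parse 'timestamp ip user RESULT' lines; skip anything malformed."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"})
    return events

def find_stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources that tried at least min_users distinct
    accounts with a low success ratio (thresholds are assumptions; tune them)."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        s["successes"] += int(e["ok"])
    flagged = {}
    for ip, s in by_ip.items():
        ratio = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            # Accounts that succeeded from a flagged source need a forced reset.
            hit = sorted({e["user"] for e in events if e["ip"] == ip and e["ok"]})
            flagged[ip] = {"distinct_users": len(s["users"]), "attempts": s["attempts"],
                           "success_ratio": round(ratio, 2), "likely_compromised": hit}
    return flagged
```

The second source in the sample targets a single account and is deliberately not flagged here; that is a different pattern with different mitigations (lockout, rate limiting).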
Being honest in self-assessment of your cybersecurity exposure is a strong first step toward better protecting the information that is most valuable to your company. Feel free to talk with one of our Cloud Productivity Specialists if you have any questions.