Criminals make millions of dollars off naïve, unwittingly victims every year because of common myths regarding cybersecurity. The scariest part of cybercrime is that it is mostly preventable and affordable, but SMB owners and executives need to stop pretending like it can’t happen to them.
10 Cybercrime Myths
1. Hackers Only Attack Large Enterprises – Decades ago, hackers used to target large companies for fame and glory, now they attack SMB (Small- and Medium-sized Businesses) because they’re easier targets. For hackers seeking money, it is a numbers game and it is much easier to rob a thousand mom-and-pop businesses than one Fortune 500 corporation. Depending on which report you read, research cites 43-71% of cyber-attacks target small businesses. SMB owners make it easy because they do not fortify their company in cyberspace like they do their physical space. If you lock your office, have an alarm, and use security cameras for your physical property, why do you leave your virtual “doors and windows” open to criminals?
2. Hackers are Unsophisticated and Work Solo – Hackers are not the teenagers typing away in their parent’s American suburban basement that Hollywood stereotyped. Today’s hackers are from every race, religion, gender, and generally work in groups, including nation-states, terrorist groups, and modern-day mafias hailing from every populated continent. They are also well financed with vast expertise and can reap a hefty return for their work. McAfee’s 2016 Threat Report cited an attack cost $27 million, but the criminal still netted $94 million!
3. Repercussions of a Hack Aren’t Expensive – That thought can be partially true if you only look at the ransom itself, which could be just few hundred or thousand dollars. However, what does it cost your company not having access to your data for three days? Ransomware locks up your data and is equivalent to unplugging your server from the network. Even worse, recent ransomware viruses attack your backups making it harder to ignore their threat. (Additionally, according to Datto’s 2017 Cybersecurity Report, 15% of victims didn’t get their data back after paying the ransom.)
4. No ROI in Cybersecurity Protections – You must weigh the cost of downtime from an attack and the cost of remediation against the protection. 60% of small companies go out of business within 6 months of a cyber-attack! Why? The cost of a data breach averages $879,582!
5. Our Firewall will Block Every Attack – A firewall is important in protecting your business from a cyber-attack, but it won’t stop everything. The main reason is an external attack ranks #5 on the cause of a data breach behind negligent employee, third-party mistake, system error, and don’t know the root cause.
6. We Use the Best Anti-Virus Systems and Spam Filters – Those are two necessary components in your cybersecurity protection, but they’re not the end all because today’s hackers can easily get around each of those systems. An employee can click on a link and unwittingly download a virus, which bypasses your spam filter and won’t be detected by your anti-virus for days (if ever). Another common tactic is to spoof an employee of your company, especially your CEO and CFO, and exchange multiple emails with you before sending you an attachment marked something common like “Invoice #___” or requesting you send the company’s W-2 forms. The latter isn’t even a virus, it is tricking the person into thinking the hacker’s email is correct. Eventually your address book overwrites the actual person’s email address with the hacker’s spoofed email, which can be just 1 letter off your company like mimicking IBM.com with 1BM.com.
7. My “IT Guy” has Us Protected – Most single “IT guys” are overwhelmed with your everyday technology errors and live in a break/fix world where they only worry about what is broken. Furthermore, the loudest, biggest client (if outsourced) or highest-ranking person (if in-house) gets fixed first because he can only do one thing at a time and he lives in a constant state of fighting fires, so he can never get ahead and cannot keep up with modern cybersecurity practices. Your company needs a team with cybersecurity experience. A good IT firm will help augment your in-house IT department by crafting policies, building best practices, giving recommendations, and helping to shore up
8. My Insurance Company has Me Covered – Most likely, no. Cyber-attacks are not covered by most property and casualty insurance policies. Luckily, most cyber-risk insurance policies only cost $1,500 for a million-dollar policy. Even with that policy in place, you need to adhere to specific requirements for them to cover the cost of an attack. A good IT firm with cybersecurity expertise can help you to adhere to those standards set by your insurance policy.
9. My Employees are Young & Cautious – Although you may think your “digital native” employees are cybersecurity-savvy, generally, they are the opposite of cautious because they view technology differently. Younger employees tend to connect to unsecure wireless networks, share things more willingly, and do not fear technology like older employees. Hackers don’t care about age, they exploit you missing subtleties because you’re in a rush or trust the sender (that’s why they spoof executives and co-workers). Your employees are your biggest vulnerability and need to be trained to spot and report suspicious things like emails just as they would mention someone odd in the company’s parking lot.
10. Strong Passwords & Password Rotation Protect Me – Strong passwords are important, but most people use the same 3-5 passwords for everything from their work email, personal email, social media accounts, and other logins. If one of those systems is hacked, that password is shared and sold on the Dark Web. The best way to protect your company and yourself is to use multi-factor authentication where you utilize a different medium to verify you have access like getting a special code texted to your phone. Multi-factor authentication is a stronger protection than complex passwords and changing your passwords periodically.
Overcoming the “head trash” about cyber-attacks is one of the best ways to protect yourself because thinking any of these ten myths about cybercrime can desensitize you to the severity of a cyber-attack or to the urgency of needing to protect yourself. Regardless of your company’s size, I suggest talking with a good IT firm to review how you protect your company, even if it is just to get a second opinion. That second opinion can save you from going out of business, which is why banking and medical compliances require periodic assessments and audits.