Cybersecurity is just a technology issue - 15 Dangerous Cybersecurity Myths - Day 4

Hi there. Did you know that small businesses are extremely vulnerable to attack from cybercriminals right now and that most don't survive for more than six months after a cyber incident?

John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber. My goal is to help small business owners and managers like you get to grips with this complex subject of cyber risk.  

15 Dangerous Cybersecurity Myths  

You may be struggling now, to clearly see the big picture but once you separate the myth from the truth, you can begin to significantly reduce your risk over the next 15 days through this series, I'm going to walk you through "15 Dangerous Cybersecurity Myths You Probably Believe". I'll explain the thinking behind each myth, why it's dangerous to believe it, and the truth you need to hear so that your small business can stay safe. 

Now, before we dive in, I want to give you access to my free cyber resilience workshop. It's a 60-minute video workshop that will show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link to register now. 

Myth Number 4 -   Cybersecurity is just a technology issue

Now, today, as we continue the video series, we're going to explore myth number four: "Cybersecurity is just the technology issue". I hope you're ready to dive in. I'm John Byrne, and this is "15 Dangerous Cybersecurity Myths You Probably Believe".   

Welcome to myth number four: Cybersecurity is just a technology issue. This is a deeply rooted myth in the thinking of a lot of small business owners. And it's understandable because, in the past, many business owners have always felt that "Cyber is an IT issue. There's really nothing more to it than that". I hope to show you that that thinking is mistaken. But let's explore what it's based on.  

  • The thinking goes as follows: "Cybersecurity is a technology issue, and as it is a technology issue, we've taken steps to deal with it". Most small businesses would have some form of anti-virus software in place. Hopefully, they're patching their systems when new versions are released, and they are doing regular backups. So, the thinking is: "If we have anti-virus software in place, and we're patching our software, and we're doing regular backups, surely we're doing enough for a small business?" 
  • The second line of logic here acknowledges: "OK, maybe there's more to it than just IT. Maybe people risk is important. However, our employees are experienced people, and they know what they're doing in our business, so they don't need any special training when it comes to cyber risk". Now this line of thinking ignores or denies the fact that people are involved in most cyber risk incidents and what people do is often the cause of the cyber event in the first place. As you'll see shortly, most cybersecurity experts believe that people risk and people behaviour play a very important role in cyber risk. People need proper and specific training about cyber risk because it isn't intuitive to them. They need to learn how to behave appropriately when dealing with cybersecurity and cyber risk and that needs special training, which often is not provided.  
  • The third line of logic I hear is as follows: “Our business complies with the law. We know that GDPR is in effect, and we've taken steps to comply with it to the best of our ability. That's enough for us. We don't see the need for any form of governance controls in our small business". So again, this line of thinking is focusing on a compliance approach and says, "Okay, we have to comply with GDPR, so we've taken some steps to try and comply with it and as far as we're concerned, that's the end of the matter". It doesn't acknowledge that there's a governance role here involving establishing policies and procedures and cyber risk structures and management that every business should really have, regardless of size.
A Dangerous Myth

Believing the myth that cybersecurity is just a technology issue is dangerous because it's a siloed philosophy that relegates the challenge of managing cyber risks to the IT department. It's just focusing on one aspect of cyber risk. It fails to see its true nature and the need for a holistic approach that considers not just technology risk, but people risk and governance risk. These are the three pillars of overall cyber risk.

Truth Number 4 - Cybersecurity is not just an IT issue, it's a critical business risk.

The truth behind this myth is that cybersecurity is not just an IT issue, it's a critical business risk and it involves people and governance risk, in addition to technology risk. 

  • Relying entirely on IT solutions doesn't address the remaining two pillars. So, you're missing two-thirds of the risk pillars by ignoring people risk and governance risk. An approach that does take all three risks into account is a holistic approach and it's not a siloed approach, which is, sadly, what most companies have in place now. Obviously, Technology risk is an important component of cyber risk but it's not the only component.
  •  Experts estimate that up to 90% of breaches involve human behaviour and this really makes common sense when you think about it. All the recent major threats to small businesses such as ransomware, or phishing attacks, or clicking on the wrong links, and allowing malware into the business, these are all people related. They all result from the activities are people. People don't intuitively know how to deal with cyber risk and in most cases, they've never been trained to deal with it. It is not something that just comes naturally so training that is specific to cyber risk is needed.  
  • Finally, a compliance led approach to cybersecurity only takes you so far, you may indeed feel that you're complying with GDPR, or whatever other standards apply to you. GDPR does place security requirements on all companies to which the law applies but proving your compliance especially after you've suffered a cyber-attack and a breach can be very difficult.

However, if you're able to show evidence that you've had this holistic approach to cybersecurity in place and you've considered technology and people and governance and taken steps; then even if your defences have failed to prevent the event, you will have a defence to present to anybody who's questioning your governance or your stewardship of the risk.

So, this is Truth Number four: Cybersecurity is not just an IT issue, not just a technology issue. It's a critical business risk, and it involves both people risk and governance risk in addition to technology.

Free Cyber Resilience Workshop

 Thanks so much for reading today's post. I hope you found it helpful in exploding this myth and revealing the truth. Don't forget to register for the video workshop using the link I hope to see you tomorrow as we dive deeper into "15 Dangerous Cybersecurity Myths You Probably Believe" so we can uncover the truth of how to keep your small business safe.