Hello there. Did you know that small businesses are extremely vulnerable to attack from cybercriminals right now and that most don't survive for more than six months after a cyber incident?
John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber. My goal is to help small business owners and managers like you get to grips with this complex subject of cyber risk.
15 Dangerous Cybersecurity Myths
You may be struggling now to see the big picture clearly, but once you separate the myths from the truth you can begin to reduce your risk significantly. Over the next 15 days, through this series, I'm going to walk you through "15 Dangerous Cybersecurity Myths You Probably Believe". I'll explain the thinking behind each myth, why it's dangerous to believe it, and the truth you need to hear so that your small business can stay safe.
Now, before we dive in, I want to give you access to my free cyber resilience workshop. It's a 60-minute video workshop that will show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link survivingcyber.com/workshop to register now.
Myth Number 5 - Cybersecurity is too complicated for small businesses.
Now, today, as we continue the series, we're going to explore myth number five: "Cybersecurity is too complicated for small businesses". I hope you're ready to dive in. I'm John Byrne, and this is "15 Dangerous Cybersecurity Myths You Probably Believe".
Welcome to myth number five: Cybersecurity is too complicated for small businesses. Now, this myth is very dangerous because it seeks to avoid responsibility on the grounds of complexity. And there is no doubt that cybersecurity can be a complicated subject. However, I hope to show you that there are responses to this complexity that are within the grasp of every management team. Let's explore the myth first.
- So, the thinking goes as follows: ”I can't understand this complex topic. It's beyond me. I'm not a cybersecurity expert and I don't wish to become one”. That’s very reasonable thinking. Cyber risk is a complex topic. However, it is not beyond the ability of most management teams to come up with a way of dealing with the risk without becoming a cybersecurity expert, as I will show you.
- The thinking goes on to say: “I feel completely out of my depth, and I can't manage what I don't understand”. This is an extension of what we've already said. It is true that it's difficult to manage a risk that you don't understand. However, you do not need to be a cybersecurity expert to manage cyber risk; you simply need to have the right procedures in place to be able to do so, and a basic understanding of the principles involved.
- The third point often made is: "I don't know where to start with this difficult topic. I don't have the framework; I don't have the structure for managing this risk". And, again, it's very sensible to feel that a framework and a structure are needed. However, the frameworks and the structures don't need to be complicated to give you a reasonable way to manage the risk.
A Dangerous Myth
Believing the myth that Cybersecurity is too complicated for small businesses is dangerous because it's seeking to avoid responsibility for managing the risk because of complexity. Cybersecurity can be complicated, and the urge to avoid the problem is very understandable. However, as we've said in previous points, all risks of the business must be managed, and cyber risk is no different. So, complexity is not a valid reason to avoid the issue.
Truth Number 5 - Putting in place the basic technology controls, people training, and governance structures is not complicated.
So, let's look at the truth behind this myth. Truth Number five, putting in place the basic technology controls, people training, and governance structures is not complicated and doesn't need to be.
- As I've said, cybersecurity is a complicated topic, and the environment is constantly changing. However, the basic technology controls that every small business needs to put in place are well known, and they're not in dispute. This is an interesting point. Cyber Essentials, the UK government-backed scheme, proposes five basic technology controls that are well accepted internationally as being very effective: firewalls, secure configuration, user access control, malware protection, and security update (patch) management.
So, it's not that we don't understand what needs to be done for small companies to get control over their technology risk. On the contrary, what needs to be done is very well understood. Putting these controls in place doesn't need to be complicated.
Adopting Cyber Essentials as the building block of your small company cybersecurity is an excellent start. The scheme estimates that these controls reduce exposure to the most common internet-based threats by around 80% - a massive reduction in risk. Furthermore, putting these basic controls in place may convince the opportunist cybercriminal that they would be better off moving on to another business where these controls are missing.
- The second point to recognize is that people training is a vital component of any cybersecurity approach. The modern approach to people training is provided on cloud-based platforms that offer interactive and engaging video-based education modules. Accessing these platforms is easy and can fit within the IT budget, even for a small company. So, there are few excuses for leaving people risk unaddressed.
- And finally, governance structures don't need to be over-complicated in a small company, but they do need to cover the basics and the essential areas. The principle is that the Board of Directors must lead from the front and lead the cybersecurity efforts by establishing the right mindset, the strategy and then the tactical plan for cyber risk.
Key issues will include ensuring that there is some form of reporting to the Board, so that there is evidence that the Board is managing the risk. Having a cyber incident response plan is critical. It doesn't need to be hugely complicated, but there must be a plan to respond to an incident.
Also important is considering adopting an information security scheme or standard for the business, such as Cyber Essentials, or even ISO 27001. Not all companies will get to implement an information security standard at the beginning of their cyber risk management efforts. However, all companies should have reporting, and all companies should have an incident response capability.
Free Cyber Resilience Workshop
Thanks so much for reading today's post. I hope you found it helpful in exploding this myth and revealing the truth. Don't forget to register for the video workshop using the link survivingcyber.com/workshop. I hope to see you tomorrow as we dive deeper into "15 Dangerous Cybersecurity Myths You Probably Believe" so we can uncover the truth of how to keep your small business safe.