Cybersecurity is too expensive for small businesses - 15 Dangerous Cybersecurity Myths - Day 7

Hello there. Did you know that small businesses are extremely vulnerable to attack from cybercriminals right now and that most don't survive for more than six months after a cyber incident?

John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber. My goal is to help small business owners and managers like you get to grips with this complex subject of cyber risk.

15 Dangerous Cybersecurity Myths

You may be struggling now to clearly see the big picture, but once you separate the myth from the truth, you can begin to significantly reduce your risk. Over the next 15 days, through this series, I'm going to walk you through "15 Dangerous Cybersecurity Myths You Probably Believe". I'll explain the thinking behind each myth, why it's dangerous to believe it, and the truth you need to hear so that your small business can stay safe.

Now, before we dive in, I want to give you access to my free cyber resilience workshop. It's a 60-minute video workshop that will show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link to register now.

Myth Number 7 - Cybersecurity is too expensive for small businesses

Now, today, as we continue the series, we're going to explore myth number seven: "Cybersecurity is too expensive for small businesses". I hope you're ready to dive in. I'm John Byrne, and this is "15 Dangerous Cybersecurity Myths You Probably Believe".

Myth number seven says that cybersecurity is too expensive for small businesses. When I interview small business owners, I often hear this view expressed. It’s very understandable that people would be reluctant to spend a lot of money on cybersecurity if they feel that it isn't necessary, or that it is simply too expensive for their budgets. So, let's explore this myth.

  • Small business owners sometimes say: “We can't afford good cybersecurity, as we've got no extra budget for spending on this item. We would prefer to run the risk without having any cybersecurity in place”. This treats cybersecurity as optional, which is a “roll-of-the-dice” mentality applied to a catastrophic risk that could be the end of the business. Clearly, it’s not very wise, but it is very often heard among small business owners.
  • A variation on the thinking goes as follows: “We're already spending enough on IT, so how can we be expected to spend more? This is yet another IT expense. How could you expect me to spend more on IT than my existing commitment?” Clearly, this line of thinking sees the problem of cyber risk management as purely an IT problem.
  • And finally, there is the view: “We can't justify spending more money on cybersecurity, because we can't measure the return on investment involved.” This thinking goes beyond saying that we can't afford it, or that we've got no budget for this. Now the thinking is: “We can't see any return on investment, therefore, we're unwilling to spend the money”. As I've explained in previous videos, the return on investment here is the survival of your business, so the potential downside that you're avoiding is enormous and there is practically an infinite return on investment. However, that can be hard to see if you're a small business struggling with budgetary issues.

A Dangerous Myth

Believing the myth that cybersecurity is too expensive for small businesses is very dangerous because it avoids responsibility for addressing the problem on the basis of the anticipated cost, and it fails to recognize that cybersecurity could be the most important investment that the business should be making, far more important than other investments that fall under “business as usual”. The thinking also fails to recognize that basic cybersecurity can be put in place without major expenditure.

If a small business owner comes to the view that cybersecurity is a priority issue and something they need to address, then management will find the budget for cybersecurity measures to ensure that the business survives a cyber-attack. The survival of the business should be and always is the top priority. Therefore, refusing to engage with cybersecurity on the grounds of expense is a critical mistake that needs to be avoided.

Truth Number 7 - Putting in place the basic technology controls, people training, and governance structures is not expensive

Let's look at the truth behind myth number seven, which is that putting in place the basic technology controls, some people training, and some governance structures is not expensive.  

  • The percentage of IT spending that's devoted to cybersecurity by small companies is usually very small. So, a certain amount of rethinking is required here. Quite often, cyber risk is the single biggest risk of the company, and addressing it should be considered as an investment in business resilience, and not an unwelcome and unbudgeted expense. In knowledge-based businesses, knowledge or intellectual property is the main business asset and cyber risk could be the single biggest risk of the business. This group includes firms of accountants, lawyers, architects, engineers, insurance brokers and financial advisors, to name just a few. These knowledge-based businesses are critically exposed to cyber risk and the very survival of the business could be at stake in a cyber incident. For these types of businesses, spending on cybersecurity is an investment in business resilience, not an unwelcome expense.
  • We should acknowledge that cybersecurity can be a very expensive area for big companies, requiring constant and extensive investment. The threats are constantly changing, and most big companies will require a large budget for cybersecurity, particularly if they are in a highly exposed sector. However, small companies can put in place the basic technology controls that every business needs. I've previously explained that the Cyber Essentials framework forms a very good basic starting point for this, and this can be done without an expensive process. In fact, there are also many free technology tools available.
  • For People risk, licenses for cloud-based cyber training and awareness platforms are offered on a “per-person-per-month” basis. This isn't expensive for small companies because of the limited number of people involved. Additionally, there is free training available for people risk. Finally, for Governance risk, establishing the essential governance structures might require some management time and some effort, at least in the beginning. A limited budget for some external consultancy would be helpful to put in place the framework, processes, policies and procedures.

So, Truth Number seven is that putting in place basic technology controls, people training, and governance structures doesn't need to be expensive and is well within the reach of most small companies.

Free Cyber Resilience Workshop

Thanks so much for reading today's post. I hope you found it helpful in exploding this myth and revealing the truth. Don't forget to register for the video workshop using the link. I hope to see you tomorrow as we dive deeper into "15 Dangerous Cybersecurity Myths You Probably Believe" so we can uncover the truth of how to keep your small business safe.