Small businesses don’t need to plan for a cyber incident - 15 Dangerous Cybersecurity Myths - Day 8

Hello there. Did you know that small businesses are extremely vulnerable to attack from cybercriminals right now and that most don't survive for more than six months after a cyber incident?

John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber. My goal is to help small business owners and managers like you get to grips with this complex subject of cyber risk.

15 Dangerous Cybersecurity Myths

You may be struggling to see the big picture clearly, but once you separate the myth from the truth, you can begin to significantly reduce your risk. Over the next 15 days, through this series, I'm going to walk you through "15 Dangerous Cybersecurity Myths You Probably Believe". I'll explain the thinking behind each myth, why it's dangerous to believe it, and the truth you need to hear so that your small business can stay safe.

Now, before we dive in, I want to give you access to my free cyber resilience workshop. It's a 60-minute video workshop that will show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link to register now.

Myth Number 8 - Small businesses don’t need to plan for a cyber incident

Now, today, as we continue the series, we're going to explore myth number eight: "Small businesses don't need to plan for a cyber incident". I hope you're ready to dive in. I'm John Byrne, and this is "15 Dangerous Cybersecurity Myths You Probably Believe".

Let's explore the thinking behind Myth number eight.

  • The first point often made by small business owners and managers is as follows: "My business has a disaster recovery plan. Surely, that's enough for a small business". Now, disaster recovery plans are a very good idea, and small businesses often have one. However, a disaster recovery plan is about restoring systems and operations after they have been lost, whatever the cause. It tends not to deal with the issues a cyber incident response plan covers: recognising that an attack is under way, deciding what to shut down or isolate, preserving evidence, and working out who must be notified and when. So there certainly should be a disaster recovery plan, but on its own that's not enough for a small business.

  • This line of thinking continues: "I don't need to plan for a cyber incident. I'll just call the IT guy or the IT service provider to deal with it whenever it happens". Now, as we've seen at other points in the series, simply relying on an IT guy or an IT service provider to deal with a cyber incident is a mistake, for all of the reasons we've already explained. Cyber is not just an IT issue, and it cannot just be delegated to an internal or third-party technology person. In many cases, "I don't need to plan for it" really means "I hope it won't happen to me".

  • A third view I often hear expressed is: "We buy cyber insurance and will rely on the insurer to react for us in the event of a cyber incident". Now, cyber insurance is a strong component of any incident response plan, and an insurer will help if you are unfortunate enough to suffer a cyber incident. But thinking that you've dealt with the problem by buying insurance is a mistake. We'll explain this in more detail when we come to the truth behind the myth.

A Dangerous Myth

Believing the myth that small businesses don't need to plan for a cyber incident is dangerous because it denies the seriousness of the threat the business faces and leaves the business unprepared when an incident happens. Once you accept that a serious cyber incident could kill the business, having a plan to deal with it is the logical and vital response. Failing to prepare by not having a plan is planning to fail, and it could be the entire business that fails.

Truth Number 8 - Every business needs to plan for a cyber incident

So, let's look at the truth behind this myth.

  • The truth is that every business needs to plan for a cyber incident. This is very different from the opinions we've just heard from business owners. Every business needs to plan, and the plan should be appropriate to the business's size and complexity. The plan doesn't need to be complicated if the business is not complicated. The disaster recovery plan and the cyber incident response plan are usually separate documents, but they should be adjusted so that they work together: the response plan deals with the attack, and the recovery plan gets the business running again afterwards. The reason every business needs to plan for a cyber incident is that every business is exposed to one, and small companies in particular need to plan because a cyber event could close the business permanently.

  • Clearly, if you don't have a plan, you won't know how to respond. Failing to plan for a cyber incident is planning to fail in a cyber incident. Experts accept that "it's not a matter of if your small business will be attacked, it's when your small business will be attacked". Sadly, it will be too late to react if you wait for the event to happen. Relying on an IT person or any other IT resource alone may not be a good idea, because they may not be able to respond immediately, and they may not have the skills to do so.

  • An immediate response is vital because, unlike other events in the life of a business, a cyber event happens very quickly. The damage is done within the first hours and days. In fact, it may be too late to do anything about the cyber event if the response is slow. If the attack were to take place on a Friday evening, much of the damage could be done before the weekend is over.

  • So, you need to have a cyber incident response plan that can be implemented regardless of the time of day or day of the week. The plan needs to be implemented by an incident response team that can have both employees and external experts as members. It also needs to be tested in advance of being needed, for example by walking the team through a realistic scenario such as a ransomware attack and checking that everyone knows who to contact and what to do. Sadly, most incident response plans are never tested. Once they are drawn up, they're simply put on the shelf as a job done, in the hope they'll never be needed.

  • Finally, cyber insurance can be a material part of your cyber incident response plan, as the insurer should have a panel of experts available who can respond to the cyber incident on your behalf. However, you cannot just hand the problem to the insurer. Your business will still need to make decisions during the incident, and your incident response team will need to know what actions to take in which order, which levels of authority apply to decision making, and what they can and cannot do under the terms of the insurance policy. Many policies, for example, require the insurer to be notified before outside responders are engaged or a ransom is discussed, so those steps belong in the plan. The company remains responsible for making its own decisions and may need to answer for its actions later.

Free Cyber Resilience Workshop

Thanks so much for reading today's post. I hope you found it helpful in exploding this myth and revealing the truth. Don't forget to register for the video workshop using the link. I hope to see you tomorrow as we dive deeper into "15 Dangerous Cybersecurity Myths You Probably Believe", so we can uncover the truth of how to keep your small business safe.