The cybersecurity of others is not our concern - 15 Dangerous Cybersecurity Myths - Day 9

Hello there. Did you know that small businesses are extremely vulnerable to attack from cybercriminals right now and that most don't survive for more than six months after a cyber incident?

John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber. My goal is to help small business owners and managers like you get to grips with this complex subject of cyber risk.

15 Dangerous Cybersecurity Myths

You may be struggling now, to clearly see the big picture but once you separate the myth from the truth, you can begin to significantly reduce your risk over the next 15 days through this series, I'm going to walk you through "15 Dangerous Cybersecurity Myths You Probably Believe". I'll explain the thinking behind each myth, why it's dangerous to believe it, and the truth you need to hear so that your small business can stay safe.

Now, before we dive in, I want to give you access to my free cyber resilience workshop. It's a 60-minute video workshop that will show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link survivingcyber.com/workshop to register now.

Myth Number 9 - The cybersecurity of others is not our concern

Now, today, as we continue the series, we're going to explore myth number nine: "The cybersecurity of others is not our concern”. I hope you're ready to dive in. I'm John Byrne, and this is "15 Dangerous Cybersecurity Myths You Probably Believe".

Let's explore the thinking behind this myth that says the cybersecurity of others is not our concern. It’s a very understandable myth and it's clear why small companies might wish to believe it. 

• There is a lot of work to be done to get small companies to raise their cybersecurity levels, so having to be concerned about the cybersecurity of other companies may seem like a step too far. The opinion expressed is: “Getting our own house in order is more than enough work for us”. It's very common that small company owners and managers would think this way.

• This line of thinking continues: “No one we deal with cares about the cybersecurity of our small business”. However, it's largely a mistaken view. Small companies trade with larger companies and larger companies certainly care about the cybersecurity of the small companies that are members of their supply chain. So, believing that nobody cares about the cybersecurity of small businesses is a mistake. There are in fact many people who care about your cybersecurity. 

• A third view I often hear expressed is: “We have a very small supply chain of our own, so we're not exposed by the actions of others”. It is true small companies will have a small supply chain of their own, i.e., companies that supply them with goods and services. However, no matter how small the supply chain, there's always a need to review the risk.

In any event, these are the views that I often hear from small companies, when considering whether they should be concerned about the cybersecurity of others.

A Dangerous Myth

Believing the myth that the cybersecurity of others is not our concern is dangerous because it fails to recognize that no business operates in isolation and that all businesses are connected to other businesses. This involves exposing your business to the failings in cybersecurity of companies that supply you with goods and services. It also implies that the companies for whom you act as a supplier will be concerned about the risk you bring to their business through their supply chain. Large companies view small companies as risky components of their supply chain and even small companies have small supply chains of their own that they need to manage.

Truth Number 9 - The cybersecurity of others is not our concern

So, let's look at the truth behind this myth which is that the cybersecurity of third parties is your concern.

• It's true that the cybersecurity of your own business must be your top priority, but an important element of your risk is the risk you acquire through the third parties with whom you trade because those third parties may have access to your data to your systems. You will have ongoing financial transactions with these businesses that can be targeted for fraudulent payments, such as invoice redirection or CEO fraud. These payment frauds are a major problem in both the UK and Ireland right now for small companies. They make the cybersecurity of third parties your concern and make your cybersecurity the concern of the third parties that trade with you. 

Invoice redirection happens when cybercriminals know that there is a supplier payment to be made from your company and arrange for a fraudulent payment request to be sent to you that appears to be from a legitimate supplier. Payment of the invoice is redirected to the bank account of the cybercriminals. 

CEO fraud is a variation on this theme where the company CEO is impersonated, and a payment request is made to the company. An email that appears to come from the CEO saying something like “I want this payment made but I am not contactable right now. Please go ahead and I'll authorize this later”. 

• Surveys have consistently shown that small companies form part of the supply chain of large companies and those large companies are concerned about the risk that your business brings to their cybersecurity. Eventually, your small company will be dropped as a supplier to a large company that is cyber aware if at some stage you cannot evidence that you have an acceptable cybersecurity posture. That's a risk to your business growth and continuity. 

• Finally, the suppliers to your business could represent a small supply chain, but you've still got to manage that risk because it only takes one entry point, one company, to expose your business to risk through their lack of cybersecurity. It's also worth remembering that some of the worst cyber-attacks that we've seen so far have been "supply chain attacks". So, the truth is that the cybersecurity of third parties really is your concern.

Free Cyber Resilience Workshop

Thanks so much for reading today's post. I hope you found it helpful in exploding this myth and revealing the truth. Don't forget to register for the video workshop using the link survivingcyber.com/workshop. I hope to see you tomorrow as we dive deeper into "15 Dangerous Cybersecurity Myths You Probably Believe" so we can uncover the truth of how to keep your small business safe.