We won’t need to provide evidence of our cybersecurity - 15 Dangerous Cybersecurity Myths - Day 15

Hello there. Did you know that small businesses are extremely vulnerable to attack from cybercriminals right now and that most don't survive for more than six months after a cyber incident?

John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber. My goal is to help small business owners and managers like you get to grips with this complex subject of cyber risk.

15 Dangerous Cybersecurity Myths

You may be struggling now to clearly see the big picture, but once you separate the myth from the truth, you can begin to significantly reduce your risk. Over 15 days through this series, I walk you through "15 Dangerous Cybersecurity Myths You Probably Believe". I explain the thinking behind each myth, why it's dangerous to believe it, and the truth you need to hear so that your small business can stay safe.

Now, before we dive in, I want to give you access to my free cyber resilience workshop. It's a 60-minute video workshop that will show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link survivingcyber.com/workshop to register now.

Myth Number 15 - We won’t need to provide evidence of our cybersecurity

Now, today, as we conclude the series, we're going to explore the final myth - number fifteen: “We won’t need to provide evidence of our cybersecurity.” I hope you're ready to dive in. I'm John Byrne, and this is "15 Dangerous Cybersecurity Myths You Probably Believe".

  • The thinking behind the final myth in the series, that we won’t need to provide evidence of our cybersecurity, is interesting because it looks at the past, the present and the future. It begins by saying: “We've never been asked for evidence of our cyber posture in the past, so we don't need to worry about providing evidence of our cybersecurity now. The current status quo is not a problem and it’s what we expect to continue unaltered.”

  • The second view I often hear is expressed as a question: “Who could ever care enough about our small business to require us to provide evidence of our cyber posture, or to prove our cyber resilience?” It fails to see that there are many people who could require such evidence. The list includes government regulators, large customers with higher cybersecurity standards and any other third party who regards your business as an entry point into their business and requires you to evidence that you are cyber secure. So, the thinking is that our small business is insignificant to the third parties with whom we engage.

  • And a third view I often hear expressed is: “We don't expect any pressure in the future from our customers, our suppliers, our workforce, our regulators or anybody else, to be able to provide evidence of our posture or prove our cyber resilience. We're fine now and in the future.” So, this is the limited view that the past is a very good indicator of the future. It expects that there will be no general increase in cyber standards. I hope that you've seen in this video series that this is a suspect belief system given the extent of digitization in the economy, and the pace of change in the operating model of all small businesses.

A Dangerous Myth

The myth that we won’t need to provide evidence of our cybersecurity is dangerous because it assumes the past is a good guide for the future. It fails to acknowledge the global trend of increasing cyber risks and the increasing concern among all stakeholders about the security of the systems and data of small companies. It assumes that the cybersecurity of your small company will not grow in importance to your stakeholders (customers, suppliers, regulators, employees), and that evidence of your cyber posture will never be required.

Truth Number 15 - small businesses will increasingly be asked to provide evidence of their cybersecurity in the future.

So, let's look at the truth behind this myth, which is that small businesses will increasingly be asked to provide evidence of their cybersecurity in the future.

  • We've seen many times in this series that the past is not a good guide for the future when the business environment is rapidly digitizing. The future will be different. Every year brings new and unexpected cyber threats to small businesses. 2021 has been a great example of this, with a massive increase seen in ransomware and phishing attacks against small businesses. This trend of constant change is undeniable and likely to be with us for many years to come. 
  • Large customers are concerned about the cyber risk that your small company poses to them as a member of their supply chain. They are increasingly asking their small company suppliers to provide evidence of their cybersecurity - evidence that they are safe to deal with. Small businesses need to show that they are cyber resilient, i.e., that they could survive a cyber-attack. Currently, this evidence is usually provided by completing questionnaires, but scrutiny like this from large companies is likely to increase in the future.

I believe that it will become common for large companies to use third-party services to do passive external scanning of internet-facing infrastructure. This means that a third party would be able to scan your IT infrastructure and report back to your customer about any deficiencies in your cybersecurity. If those reports were negative, your business could be dropped from the supply chain of that large customer. This is just one example of how the future will be different.

  • Finally, in the future, small businesses should expect pressure to prove their cyber resilience. The pressure will come not just from their customers but from their suppliers, their employees (looking for evidence of job security), from regulators, especially in any regulated industry, and from anybody else that they deal with.

So, Truth Number 15, and the final truth in our series, is that small businesses will increasingly be asked to provide evidence of their cybersecurity in the future.

Free Cyber Resilience Workshop

Thanks so much for reading today's post. I hope you found it helpful in exploding this myth and revealing the truth. Don't forget to register for the video workshop using the link survivingcyber.com/workshop.  

I hope you've enjoyed this blog series "15 Dangerous Cybersecurity Myths You Probably Believe". I hope it has helped you to uncover the truth of how to reduce cyber risk in your small business. I'm John Byrne. I hope to see you again in another article soon.