Choosing to put blinders on is a decision that many business owners make when confronted with a situation that doesn’t fit into the comfort zone. Cybersecurity is a top contender for not fitting that zone. As the blinders increase in size, so do the security gaps and holes, enabling cybercrime opportunities to squeeze right in, undetected.
It makes sense that when a business is operating without any obvious network or computer issues, the leadership team is under the assumption that everything is fine.
Choosing not to deal with a problem that they don't see, and only hear about a few times a year on the local news or on Google, is an easy decision to make. “Cybersecurity Awareness? Opt out!”
This thought pattern is more common than one would think. Most smaller companies fall into the category of assigning network security tasks to the guy or gal who knows the most about computers, has a different core job function, and knows very little about cybersecurity.
Case in point, a few years back I met up with an owner of a mid-sized $150M company who had a substantial client base, complete with sensitive customer data and compliance issues. Cybersecurity fell into the lap of the office admin because she was a “computer wizard”. Unfortunately, the underlying mentality was that cybersecurity was someone else’s responsibility. The owner didn’t want to deal with it, and the admin thought the web hosting company, “the cloud”, and the consumer-grade router in the closet were protecting their business. Low-hanging fruit doesn’t get any lower.
With the increased sophistication of third-party vendor risk GRC (Governance, Risk Management and Compliance Management) tools, enterprises are driving cyber risk awareness. They are gaining quick visibility into their vendors' and suppliers' cyber risk and are becoming aware that many data breaches are linked to third parties.
Vendors or suppliers that pose a threat to the enterprise network will have to step up quickly and remediate their cyber issues.
The insurance industry is another driver of increasing cyber risk awareness. The recent rush to get cheap cyber insurance in lieu of a real cyber risk strategy has insurance companies quickly recognizing that writing policies for companies that have little to no security measures in place may not be the smartest business model. Sending self-assessment cyber risk PDF forms to clients is quickly becoming old hat, replaced by next-generation cyber risk report tools readily available to underwriters.