Sep 27 2017

Is Cyber Risk Management Like Seat Belts of the 70’s?

In light of the recent string of large-scale cyber attacks we’ve been hearing about in the news, there is an important conversation to be had.

Do we care enough?

Why have Equifax, Deloitte, and others been able to continue about their business with relatively little consequence amidst devastating security breaches? Has the increasing frequency and scale of cyber attacks desensitized us to the gravity of such breaches?

For every cyber attack we see in the news, there are thousands more that go unnoticed. Yet for many companies, cybersecurity remains an ambiguous threat that doesn’t quite pack the same punch as more tangible threats like economic conditions and rising competition. It’s easy to fall into the habit of saying “I know it’s happening, but it’s not happening to me.” Even worse, the rise of cyber attacks can lead us down a path to assuming that there is no way to prevent our data from being compromised, so we might as well not worry about it.

This mentality reminds us of the way car owners viewed seat belts for the first 80 or so years of automobile use. They knew that seat belts could dramatically increase driver and passenger safety, but unless a car accident caused devastation in their own lives, they saw seat belts as unnecessary.

Cybersecurity is commonly listed among the very top threats that every business, large and small, is facing and will continue to face. The good news is that there are very real steps that every organization can take to reduce the risk of these attacks occurring and minimize the impact they will have on the company. However, these steps are most effective when they are enacted before a breach (seat belt already on!). It is not enough to wait until your company’s data is compromised and then seek mitigation services. You’ll pay 5x more that way <– Business Driver!

Equifax and Deloitte should serve as reminders that the harm a cyber breach can cause is very real and very expensive. However, to a corporation that large, the risk of closing down business is small. Equifax and Deloitte are not going to go bankrupt over their respective hacks, but that shouldn’t be taken as an indicator that cyber attacks are no big deal. For a small business, the impact can be much more devastating.

When a small business suffers a cyber attack, there is a 60% likelihood that it will be shut down within 6 months. The question is not “can you afford to start worrying about cyber security?” It’s “can you afford not to?”

PS – In real time, as this blog was written, the CEO of Equifax was fired, after his CIO and CISO were in the previous days. Hmmmm….