Despite evidence of multi-billion-dollar cybersecurity vulnerabilities in some of the world’s most trusted organizations, businesses still aren’t taking cybersecurity seriously. Big corporations are finding reasons to skimp on their cybersecurity budgets, cutting costs rather than investing in their infrastructure, and small business owners simply neglect the threat that cybersecurity issues present.
So why is cybersecurity still so underutilized and underappreciated, and what are the most common mistakes business owners are making?
One of the biggest issues here is that business owners continue to not take cybersecurity seriously—or at least not take it seriously enough. For big businesses, this is due to a combination of factors. For example, they may already be spending millions of dollars on IT teams and cybersecurity tools, and they may not have a barometer for whether or not this investment is “enough.” They may also struggle to see the results of their investments; after all, if your cybersecurity strategy is working, you won’t be the target of any major attacks or hacks.
On top of this, big organizations often struggle with departmental silos. Cybersecurity experts find themselves isolated from the rest of the organization, unable to provide direction or advice, or limited in their ability to influence the organization. Accordingly, people in other departments don’t give cybersecurity much thought.
For small businesses, the prevailing attitude is “we’re too small to be a target,” even though small businesses are some of the most common targets for cybercriminals. When faced with a steep bill for even the most basic cybersecurity measures, small businesses are disinclined to spend the money.
In any case, if a business doesn’t treat cybersecurity as important, it isn’t going to do enough to protect itself.
For cybersecurity to be effective, it needs to be done proactively. You need to put in the work long before you suffer from a data breach or opportunistic attack; if you wait until you know for sure you’re a possible victim, it will already be too late.
This is the difference between proactive and reactive cybersecurity. After suffering a data breach, companies are much keener to invest in the infrastructure necessary to prevent another, similar attack in the future; but if they had done this in the first place, they could have saved millions, if not billions, of dollars.
It’s much better to make cybersecurity a routine—something you invest in and improve continuously, even when things seem quiet.
It’s tempting to think of cybersecurity as its own department, or as a subsection of your IT department. This approach allows you to hire experts in the field, and funnel funding specifically toward this cause. While this isn’t necessarily a bad strategy, it can be misleading—and possibly leave you open to attacks in other areas.
Instead, cybersecurity is something that’s best executed with teamwork and collaboration. For example, teams employing DevOps practices often work hard to ensure that security is incorporated into every stage of the development process—and isn’t simply shoehorned in at the end.
The big problem you’re trying to solve is that security vulnerabilities exist everywhere, in every department of your organization and with every individual. Only by working together will you be able to reduce these vulnerabilities to a minimum.
Speaking of individual vulnerabilities, too many modern organizations still suffer from bad password practices. The majority of cyberattacks and digital breaches aren’t because of an insanely skilled hacker, but instead are due to an individual (possibly an unskilled one) finding, guessing, or stealing a password. With the right login credentials, anyone can be considered a “hacker.”
Password strategies can go wrong in many ways. Your people may choose weak or easy-to-guess passwords, like those that feature common words or predictable series of numbers. They may fail to update those passwords on a regular basis. Or they may have bad habits related to password storage; for example, they may keep a list of passwords written down on a sticky note by their desk.
Some organizations also use organization-wide passwords, copying and pasting the same sequences for all people across all platforms. This leads to a massive vulnerability.
There’s also something to be said for choosing the “right” software for your organization. Most companies need a variety of different tools to operate effectively, including CRM platforms, project management platforms, and communication platforms. Each of these is going to represent a potential point of vulnerability; these apps store information related to your business, and if breached, could represent a real problem for you.
Accordingly, you’ll need to think carefully about the tools you use. Pay attention to the reputation of the developers, and find out what kind of security measures are available; for example, some apps will employ features like AI designed for cybersecurity, or robust encryption standards.
No matter how skilled a developer is, no software is perfectly coded. No matter what, there are going to be security vulnerabilities and issues with long-term integrity. If and when someone figures this out, they can take advantage of the flaw.
Fortunately, most development teams and open source communities are constantly on the lookout for new potential threats—and when they find one, they implement a patch to fix it.
Here’s the thing—the patch only works if you download it. Yet, many organizations fail to update their software or devices consistently. The easiest approach here is to mandate automatic updates, but many businesses simply allow their employees to update as they see fit—which isn’t as often as it should be.
There are several products and services that can minimize your security vulnerabilities, including firewalls, antivirus software, and virtual private networks (VPNs). However, too many business owners pin all their hopes on a single solution. They believe that since they’re using a firewall, they’re practically bulletproof.
However, complete data protection requires you to pay close attention to a number of potential threats, studying the landscape and employing unique solutions to guard against them. If you’re only using one or two techniques, you’re probably leaving yourself open to attack in some other way.
Most businesses these days have some variant of a bring your own device (BYOD) policy. This works well for both businesses, which can save money on purchasing employee devices, and employees, who can exercise more control over what type of devices they use and how they use them. However, personal devices brought onto your network can pose a major security risk if your employees aren’t managing their devices correctly.
Additionally, employees may use their devices (with company accounts) or company devices on public Wi-Fi networks that are unsecured—a major risk for attacks.
One of the most common reasons for small business cyberattacks is simple employee mistakes. Most cybercriminals aren’t sophisticated hackers, but instead are opportunists—looking for ways to exploit basic ignorance or errors. For example, they may try to trick your employees into giving up their login credentials, or they may simply wait for an opportunity to conveniently learn more about your organization through social engineering. The better informed your staff members are, and the better trained they are in cybersecurity practices, the fewer vulnerabilities you’ll face. Unfortunately, most business owners neglect this.
There’s no easy way to get business owners to take cybersecurity seriously, especially when there are already many examples of businesses losing billions of dollars because of lax security habits. However, the more you know about the common failings of cybersecurity in businesses, the more proactively you’ll be able to work to prevent such disasters from happening to you.
Frank is a freelance journalist who has worked in various editorial capacities for over 10 years. He covers trends in technology as they relate to business.