Q: I have a client with a complex network, but they spend almost nothing on cybersecurity. How do I persuade them that allocating some of their operating budget for cybersecurity expenses is worthwhile?
That’s a good question and the answer is multilayered. Here’s a typical scenario: A client has made only rudimentary investments in cybersecurity. So far, they have not experienced any notable cybersecurity breaches.
Their manufacturing facility is running smoothly, there have been no successful phishing attempts, no server-hungry cryptojackers lurking, and no data breaches. Because of the smooth sailing, your client has become complacent and complacency is dangerous when it comes to cybersecurity. “Nothing’s happened so far, we’re not Target or Equifax, no one is interested in hacking into us,” is a typical comment from recalcitrant clients.
They’re wrong.
The 2019 Ponemon Report on the state of cybersecurity shows that 76 percent of SMBs in the United States have suffered some sort of cyberattack during the past 12 months.
And even more alarming, is that the consequences of cyberattacks continue to grow. According to insurance carrier Hiscox, digital incidents are now costing businesses of all sizes $200,000 on average and sixty percent of victims go out of business within six months of an attack.
Those sobering statistics should be enough to persuade a client. Also, the potential for lawsuits and reputational damage. However, even all that isn’t enough sometimes.
Vance Saunders, director of the cybersecurity program and computer science instructor at Wright State University, says that in persuading businesses to invest more in cybersecurity, one must take a holistic approach. The reasons for investing more go beyond the purely technical.
“Businesses have a moral and ethical obligation to protect data,” states Saunders. Before moving to academia, Saunders spent over 30 years working in aerospace defense, industry, and IT.
The roots of reluctance
There are other reasons beyond the “nothing’s ever going to happen to me” attitude that causes some businesses to be lax about allocating some of their operating budget for security.
“We are in a globally connected world which no one saw coming or is prepared for. That is the environment we find ourselves in,’” explains Saunders.
But technology, in the span of a generation, has become so much more. Saunders points out that technology has permeated organizations in all kinds of ways. Even with that, businesses are reluctant to invest in anything that takes away from their core missions. A mom and pop restaurant would be more likely to invest in another soft-serve machine than upgrade their cyber defenses. Companies, however, can no longer afford to ignore cybersecurity.
“There are repercussions,” admits Saunders.
Why invest?
Legal requirements: Saunders points out that if the moral and ethical reasons aren’t enough to persuade a business to get on board with cybersecurity, then the law should be a reason. More compliance laws are being implemented that require specific cybersecurity standards.
It’s all about the data: “What no one saw coming was the value of information,” recalls Saunders. Propriety information like military secrets or banking records have long been safeguarded, “but nobody thought that your credit card or social security number would have so much value,” admits Saunders.
The valuable data goes beyond numbers and into realms like a consumer’s shopping habits or lifestyle. Businesses, whether that is with the help of in-house personnel or an MSP, must view the data they have now and safeguard it accordingly.
Planning for cybersecurity
Saunders says that businesses that are reluctant to invest more in cybersecurity need to be shown the consequences of their decisions. MSPs need to help their clients, or potential clients, plan.
“Identify assets, prioritize, and identify vulnerabilities,” instructs Saunders, adding that most businesses don’t even know what their top assets and critical vulnerabilities are. He recommends MSPs and companies work together to identify their top 5 vulnerabilities and then develop plans to mitigate them. Those plans should be a blend of process, policy, and technology.
Then comes budgeting in the cybersecurity.
“Many companies will say `as long as I am compliant, I am ok,’ but that minimalist approach creates trouble,” warns Saunders.
“You’ll spend all this time being compliant, and then the rules will change,” says Saunders. Instead, he advises businesses to invest in areas that will give you the most significant returns while minimizing risks. Even the most reluctant businesses need to be persuaded to implement MFA, encryption, and automatic updates.
“There is an absolute value in having an MSP involved in cybersecurity,” notes Saunders, if businesses do their due diligence.
The key is to persuade businesses that cybersecurity isn’t a luxury, it’s a necessity.
“Cybersecurity needs to be approached as part of your overall responsibility as a business,” advises Saunders.
Photo: welcomia / Shutterstock.
I have found time and time again the best way to move companies forward with additional layers of security is to show they have an overwhelming risk. There are several ways to discover and present the risk findings. The most powerful way is to show the risk impact in total dollars. The conversation needs to move from a technical conversation to a protecting the business conversation. You can’t discuss reducing risk until a client knows what’s at risk!