Stupid, Dumb Luck
Being an IT services provider specializing in small and medium businesses is a pretty neat gig. On a slow week - I’ll have the opportunity to speak to a dozen business owners or leaders about so much more than just technology. We’ll often have chats about business growth and strategies, marketing, and so much more.
I also get the opportunity to chat with three or four prospective clients every week and I often find myself questioning the level of common sense of some business leaders. More specifically, I had the opportunity to meet a prospect last week that was looking for help since they had just been a victim of a cyber attack that cost them over $250,000 - not including lost time and billable labour over a two-week period - or the ransom paid by their insurance provider.
This is a smaller office with an in-house technician. At first impression - I assumed the technician was at fault since there were no functional backups, aging infrastructure, outdated software, mediocre virus protection, zero staff training, etc. But a few minutes into the conversation made it clear that technology and security were a complete afterthought.
Cybersecurity was an expense - and nothing else. Perhaps it wasn’t the technician’s fault since the business owner clearly was not allowing him to invest in securing the network since a price point of less than $100/staff for our cyber security services was unreasonable. That’s usually less than 2% of the cost of a salary to increase security, prevent potential disasters and protect their data.
But worst of all - you would think that someone that personally experienced a massive, expensive data breach would understand why this was important. His response was simply that his cyber insurance had just renewed prior to the breach so luckily for him - he had cybersecurity insurance that ended up paying the ransom and getting some of his contaminated data back - without a rate increase for the next year.
If anything, this conversation alone made me understand why getting cyber insurance is increasingly harder to do. I used to think insurance companies were making it harder to get cyber insurance since you need to ensure that you have not only the basic security protocols in place - but more often than not - also need to have what used to be enterprise-grade solutions that used to be mostly common for larger banks or government institutions. But it also made me angry that business leaders can have such blind faith in dumb luck and little concern about your personal data for when they do get breached.
We met another larger-sized company that had complete faith in all of their staff. Enough to allow everyone 100% full access to install and access anything on their computers and network. When you consider that 95% of cybersecurity breaches are caused by human error and 88% of organizations worldwide experienced a spear-phishing attempt in 2019 - I wonder how these types of practices are still considered satisfactory. (Check out 134 Cybersecurity statistics here: [https://www.varonis.com/blog/cybersecurity-statistics/].)
Oftentimes the argument is simply that they have never experienced an attack (that they know of) or that their market simply is not a target. If you ask me - it’s just plain stupid, dumb luck. Luck that will run out sooner or later.