Like every other complex topic that most people don’t have an in-depth understanding of, the I.T. and cybersecurity world is filled with countless myths and misunderstandings that oftentimes lead to businesses making unwise decisions. Additionally, many I.T. consultants, managed services providers (“MSPs”), and managed security service providers (“MSSPs”) don’t do a great job of educating their communities about technology and cybersecurity due to how often it changes. However, with just a basic understanding of the logic, big picture, and motivations of bad actors, business decision-makers can see beyond the myths and steer their organization towards best practices.
Myth: Ransomware is the greatest threat to my business.
For years, businesses have been terrified of becoming a victim of a ransomware attack, and for good reason. Up until 2021, ransomware was the #1 threat. As this method of cyber-attack gained the attention of news organizations and governments around the world, though, bad actors started to realize the giant target on their back was no longer worth it. Trying to fly under the radar once again, bad actors switched their focus to Business Email Compromise (“BEC”). In fact, in 2021, BEC surpassed ransomware as the #1 attack strategy by bad actors.
Myth: All my files are saved in the cloud, so they’re already backed up.
When most people think about backup, they imagine a disaster-type event where their computer dies or their building burns down. Moving your files to the cloud certainly delivers a continuity solution if one of those disaster events were to occur. But what happens when your business becomes a victim of a cyber-attack? Or what happens if an employee deletes your business data, and you don’t realize it until months down the road? In those situations, even if you had all your data in the cloud, there is no way of getting your data back. In a recent blog post, we explained the difference between disaster recovery and backup, and what cloud file sharing providers expect of you with regard to backup.
Myth: I can stop most cyber-attacks by just protecting my email.
There is no question that businesses are being attacked from all angles. To truly protect your business, you need multiple layers of cyber-defenses. Not every layer provides the same amount of protection, though. While many businesses, I.T. consultants, and MSPs will focus on endpoint security or endpoint detection and response (“EDR”), this defense layer is the relevant one for less than 5% of cyber-attacks. If a business’s budget is limited, a mature MSSP will recommend that cybersecurity investments be steered towards email threat protection and multi-factor authentication (“MFA”) first and foremost. This is because email phishing and business email compromise account for over 90% of successful cyber-attacks against small businesses.
Myth: My business is too small to be the target of a cyber-attack.
This is one of the most common objections small businesses make to investing in cybersecurity. This is not surprising. In the news media and even in movies, hackers are portrayed as hooded figures hammering away at their keyboard and breaking through firewalls. While this does happen, this method of cyber-attack accounts for less than 1% of total cyber-attacks. It’s simply too much effort for the typical financial payout. Instead, bad actors leverage large networks of computers (“botnets”) to automatically scour the internet for vulnerable systems. They will also use credentials exposed in data breaches, as well as brute-force software programs, to automatically break into accounts. Bad actors simply launch the program and let it do all the heavy lifting for them. Once it successfully breaks into an account, then the bad actor swoops in to do the real damage. This cast-net approach is particularly effective against small businesses since many still believe that they need to be a big company or have a large amount of money to be targeted.
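As an added defender-side example (not code from the original post), a minimal detector for the automated account-attack patterns just described, run over constructed log lines in an assumed `user=... src=... result=...` format: a source failing against many distinct accounts (credential stuffing or password spraying), a source hammering a single account (brute force), and a later success from a source that was already flagged.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the original page). Format per line:
#   <timestamp> user=<account> src=<ip> result=<ok|fail>
SPRAY_SRC, BRUTE_SRC, USER_SRC = "203.0.113.10", "198.51.100.7", "192.0.2.5"
SAMPLE_LOG = "\n".join(
    # a botnet node trying a leaked password against many accounts, then landing one
    [f"2024-05-01T02:00:{i:02d} user={u} src={SPRAY_SRC} result=fail"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [f"2024-05-01T02:00:05 user=frank src={SPRAY_SRC} result=ok"]
    # a brute-force tool hammering a single account
    + [f"2024-05-01T03:00:{i:02d} user=admin src={BRUTE_SRC} result=fail" for i in range(12)]
    # a real employee mistyping once, then logging in normally
    + [f"2024-05-01T08:15:00 user=alice src={USER_SRC} result=fail",
       f"2024-05-01T08:15:09 user=alice src={USER_SRC} result=ok"]
)

LINE_RE = re.compile(r"user=(\S+)\s+src=(\S+)\s+result=(ok|fail)")

def parse_events(log_text):
    """Yield (user, src, result) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def detect_automated_logins(log_text, spray_accounts=5, brute_fails=10):
    """Flag sources failing against many accounts (spraying/stuffing), sources
    failing many times against one account (brute force), and any success
    from a source that already triggered one of those findings."""
    failed_accounts = defaultdict(set)   # src -> accounts with failed logins
    failures = defaultdict(int)          # (src, user) -> failed attempts
    findings = {"spraying": set(), "bruteforce": set(), "suspicious_success": set()}
    for user, src, result in parse_events(log_text):
        if result == "fail":
            failed_accounts[src].add(user)
            failures[(src, user)] += 1
            if len(failed_accounts[src]) >= spray_accounts:
                findings["spraying"].add(src)
            if failures[(src, user)] >= brute_fails:
                findings["bruteforce"].add((src, user))
        elif src in findings["spraying"] or any(s == src for s, _ in findings["bruteforce"]):
            findings["suspicious_success"].add((src, user))
    return findings
```

The thresholds are assumptions to tune per environment; the point is that the single mistyped password from a real employee is not flagged while the two automated patterns are.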
Myth: The ideal ratio of full-time I.T. staff to employees is between 1:10 and 1:20.
Outside of a business’s core product or service offering, I.T. is the most resource-intensive department in any organization. Today’s businesses depend heavily on technology, and today’s technology is far more complex than it was just five years ago. On top of the complexity of today’s technology, cyber-attacks are increasingly impacting small businesses with substantial financial consequences. Managing all this technology and defending against this onslaught of attacks requires far more I.T. staff than it did just a few years ago. Several years ago, it wasn’t uncommon for a 50-employee small business to staff a single full-time I.T. person. Today, that same 50-employee small business typically employs 3 to 5 full-time I.T. people. In a recent blog post, we explain how many cyber liability insurance providers are now asking businesses to justify how they are able to adequately protect their business if they do not staff at least one full-time I.T. person for every 10 employees. For this reason, most small businesses are turning to MSSPs to protect their organization, since it is more cost-effective than continuing to run those operations in-house.