Having trouble convincing clients to spend on cybersecurity? Dispel the cyber myths

Are you frustrated that your clients aren’t taking the issue of cybersecurity seriously?

Chances are high that those resistant to purchasing your security products still believe the common myths that have led to many organisations falling victim to cybercrime.

In this article, we will address the most common myths and do our best to dispel them. If you can prove to your clients that these misconceptions are just as dangerous as any cybercriminal, then perhaps they will be more receptive to purchasing your cybersecurity products.

The ‘We’re too small or unimportant to become a target’ myth

This is probably the most common cyber myth that you’ll come across and, frustratingly, it seems as though the message that everyone is a target just isn’t getting through to people.

If a client doesn’t think they’re important enough to be a target for cybercrime, they’re very much mistaken. Just having a presence online means that they are a potential target.

You need to explain to a client that it doesn’t matter how small their business is: if they have something to sell or they store customer data, then they have something to steal.

Intellectual property and even business connections all have value for cybercriminals. Share this stat with them if they don’t believe you – ‘43% of all cybercrime occurs against small businesses and around half of all global cyber-attacks are reportedly against organizations with fewer than 250 employees.’

With the increase in the use of automated hacking tools, no organisation is safe. A machine doesn’t discriminate but instead will seek out any vulnerable network regardless of size. Hacking by hand is increasingly less common due to the rise of Exploit Kits and cybercrime as a service.

Most of the users of these services aren’t geniuses or making millions from hacking big corporations. In reality, they use Exploit Kits and rented attack services at random in the hopes of getting lucky by making some cash from as many victims as possible. They can scan huge numbers of connected devices and servers as they seek a vulnerability that they can exploit.

With smaller organisations often being part of a supply chain, they are a prime target for hackers seeking an easier way to attack a much bigger target. Smaller businesses tend to have less ability to implement effective cybersecurity due to a lack of knowledge, skills or resources, and/or a small budget.

The ‘We’re powerless to do anything’ myth

Once you’ve explained the need for cybersecurity by demystifying one myth, there’s a chance you’ll then run into another: ‘There’s nothing we can do’.

This attitude of feeling powerless is understandable due to the cybersecurity sector at times being its own worst enemy. A combination of poor communication and scaremongering by the industry and the mainstream media has done significant harm to people’s perception of cybersecurity.

Often, clients will feel helpless in the face of the cyber threat, believing that it is beyond the comprehension of anyone who is not a technical expert. This attitude is perfectly understandable, especially as hackers and the cybercrime industry are often perceived as evil masterminds that can only be stopped by security geniuses.

To dispel this myth, you need to get across that, in reality, cybercriminals are just like any other criminals in that they seek out the easiest targets and tend to avoid the hard-to-crack places. By implementing cybersecurity basics such as applying software updates and using good password hygiene, clients will be in far better shape and less likely to appear on a cyber attacker’s radar.

Check out some great password advice at - https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

Once the myth that they are powerless has been busted, you can then convince them to at least take a look at your products.

The next hurdle you may then encounter is the common myth: ‘As long as we protect ourselves we will be fine’. Ensuring that their organisation is protected against cyber threats is all well and good, but what about the other businesses in their supply chain or the third-party assets they use?

Even if the client has all the cybersecurity tools in place and claims to have the best cybersecurity in the world, you should point out that if they’re part of a supply chain or use third-party assets, they are still vulnerable.

You need to make the customer aware of the other organisations in their community and how those are acting when it comes to cybersecurity. Some of the biggest headline-grabbing breaches of recent years have involved third parties or organisations subordinate to an entity that suffered a breach.

Use real-world examples

Probably the most infamous instance of an organisation being attacked via a third party is the Target breach. Hackers breached the company by stealing credentials from a third-party heating company that had access to Target’s networks to monitor their systems. The heating company fell victim to a phishing attack a few months before the main attack on Target. The hacker used malware which should have been detected but wasn’t (because the company didn’t have properly configured anti-virus). The attacker then used a different type of bespoke malware on Target’s point-of-sale systems that stole customer credit card details and sent them to a compromised Target server. The data was then sent overseas. Overall, 1-3 million credit card details were stolen, costing the business hundreds of millions of dollars in damages and reparations, as well as the negative impact on its reputation.

Emphasise that everything in your customer’s ecosystem, such as subcontractors, subsidiaries, vendors, accounting firms and even the third-party apps used by their web dev team for their company website, can be a threat vector. Security is only as strong as the weakest link, and often that weak link is outside of their immediate control.

The main message you need to get across is that just like other criminals, cybercriminals are opportunists on the lookout for weaknesses and easy prey. All businesses are a target no matter their size or budget. In this increasingly connected world, the need for cybersecurity has never been greater.

*First published at - https://www.channelfutures.com/security/hard-convince-clients-they-need-cybersecurity-dispel-cybermyths