Business Owners in Denial
In my line of work I encounter a lot of Business Owners in Denial. It surprises me every time, although I guess it shouldn’t.
You see, Cybersecurity is a MAJOR issue for every business that uses technology, which is almost all of them. For some reason they have the ‘It won’t happen to me’ attitude, but when – and I do mean WHEN and not IF – it does happen, they get angry and upset at everyone.
- Like their employees, for clicking a link in a phishing email.
- Their IT service provider, for not knowing it happened and not stopping it sooner.
- Their insurance company, for denying their cyber-insurance claim because they did not know about that clause.
- The state or government, for enforcing regulations and laying a hefty fine on their doorstep.
- Even the client or customer who files a negligence lawsuit against them.
There are many more, including the Cybersecurity Consultant who called on them to let them know about compromised credentials.
That last one is the one that really chafes me. Case in point, if you will indulge me.
I recently called on a business to notify them about exposed credentials – email addresses, login names and associated passwords, and personal information. It actually went well at first. M (that is how I will refer to the CEO) agreed to a more comprehensive scan and trial monitoring. M was also interested in a phishing simulation for employees. I was to give an online presentation, no longer than 20 minutes, at their team meeting the following week. I got this email shortly after:
Thank you for taking the time to review your findings and offerings.
I appreciated the questions that you prompted me to ask. It is always helpful – because you don’t know what you don’t know.
The next day I got the following email:
After further consideration I do not wish to move forward with your offer.
My decision is based on two points.
One, I believe that the MCompany’s systems meet the necessary security levels needed based on the current provisions of our IT vendor, regular maintenance, and compliance protocols.
Secondly, given the demands of our staff at this time I prefer to focus our energies on other issues.
I do appreciate your advice to establish password protocols and will address that.
Thank you for your time and consideration.
I do appreciate the quick notification to cancel, and the response was apparently well thought out in M’s mind. You may wonder what I am going on about, and I will tell you. First, for some reason M believed that compliance protocols were in question; I had never mentioned compliance at all. M also preferred to focus on other issues, implying that the credentials compromised within the previous couple of weeks were of little concern and that the employees were operating in a security-minded fashion. That was apparently not the case, as employees were using company email addresses to sign up for services that have nothing to do with company business.
But M did also bring up compliance, so let’s wander down that path a bit. Compliance would have to do with regulations such as HIPAA and PCI. I get that they use a third party to process payments, and that is great. But M also stated appreciation of the advice to establish password protocols. As far as regulations go, most require password policies to be implemented and enforced. This would mean minimum length and complexity as well as a mandatory maximum password age and reuse restrictions. M told me they had none.
While I cannot say it for a fact, this sort of reaction usually comes about when the owner is concerned and contacts their IT services provider. It is understandable that, when contacted about this kind of information, the provider is defensive and will likely claim they ‘have it all covered’. The owner wants to believe them, and sometimes they are telling the truth: they do have it all covered, and that is great.
The problem is when the IT guy makes this claim and it is not true. The owner does not know they are being misled. How would they? They have had the same IT guy for a long time and have no reason to believe otherwise. So rather than think about why I am making the call in the first place, they put the blinders on because it is easier and faster. If they were to think about it for just a few minutes, they would ask why there is no password policy, why the other security measures raised with them are missing, and the questions they were prompted to ask.
I do understand the position of the IT guy. He is kind of between a rock and a hard place. He feels he is being attacked over how he operates his business and the services he provides. He likely feels that his account is being threatened and that he may lose it. It is quite understandable that he should feel this way. To avoid a conflict of interest with what I do, I do not market or otherwise sell IT hardware or software. My only focus is on Cybersecurity, working with clients and their current IT provider or in-house team to ensure their exposure is as small as possible.
Anyway, if you are of the school of thought that your IT provider or in-house IT team has your cybersecurity covered, I implore you to ask yourself the following questions.
- Do we get weekly and monthly reports about what needs to be done in regards to cybersecurity policy and compliance, as well as new threats and what the path forward is?
- Do we get at a minimum Quarterly Cybersecurity Reviews from the IT Guy/Team?
- Do we review policies at least annually?
- Do we get at least a monthly clean bill of health or action items and their potential severity?
- Do we have a patch and update plan that is implemented – is everything up to date at least within the last 30 days?
- Do we get a verified, working backup report at least weekly?
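To show what ‘proof’ of the password-policy point above and of the patch and backup items in this checklist could look like in data rather than assurances, here is a small self-assessment script. It is an added example, not code from the original post or from any IT provider’s tooling. All inputs are constructed sample data; the field names (`host`, `last_patched`, `job`, `verified`) and the 12-character length baseline are assumptions for illustration, not a particular regulation’s text or a real tool’s export format.

```python
"""
Added example: turns the post's checklist into checks that run over data an
IT provider could hand over. Sample data below is constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Reference date for the sample run (constructed so results are reproducible).
TODAY = date(2024, 6, 1)


@dataclass
class PasswordPolicy:
    """Elements the post lists for a regulation-driven password policy."""
    min_length: int = 0
    require_complexity: bool = False
    max_age_days: Optional[int] = None   # None means passwords never expire
    history_count: int = 0               # previous passwords that cannot be reused


def password_policy_gaps(policy: PasswordPolicy) -> list:
    """Return the policy elements that are missing. The 12-character bar is an assumed baseline."""
    gaps = []
    if policy.min_length < 12:
        gaps.append(f"minimum length is {policy.min_length} (assumed baseline: 12)")
    if not policy.require_complexity:
        gaps.append("no complexity requirement")
    if policy.max_age_days is None:
        gaps.append("no maximum password age")
    if policy.history_count < 1:
        gaps.append("no reuse (password history) restriction")
    return gaps


def stale_hosts(inventory: list, today: date = TODAY, max_days: int = 30) -> list:
    """Hosts whose last patch/update is older than max_days (the post's 30-day bar)."""
    cutoff = today - timedelta(days=max_days)
    return sorted(h["host"] for h in inventory if h["last_patched"] < cutoff)


def backup_gaps(backup_log: list, today: date = TODAY, max_days: int = 7) -> list:
    """Backup jobs with no verified successful run within max_days (the post's weekly minimum).
    A run that succeeded but was never restore-tested does not count as verified."""
    cutoff = today - timedelta(days=max_days)
    ok_runs = {}
    for entry in backup_log:
        ok_runs.setdefault(entry["job"], [])
        if entry["status"] == "success" and entry["verified"] and entry["run_date"] >= cutoff:
            ok_runs[entry["job"]].append(entry)
    return sorted(job for job, runs in ok_runs.items() if not runs)


# --- constructed sample data (not real systems) ---------------------------
SAMPLE_POLICY = PasswordPolicy(min_length=8, require_complexity=True,
                               max_age_days=None, history_count=0)

SAMPLE_INVENTORY = [
    {"host": "fileserver01", "last_patched": date(2024, 5, 28)},
    {"host": "ceo-laptop",   "last_patched": date(2024, 3, 14)},
    {"host": "office-fw",    "last_patched": date(2024, 5, 20)},
]

SAMPLE_BACKUPS = [
    {"job": "fileserver-nightly", "run_date": date(2024, 5, 31), "status": "success", "verified": True},
    {"job": "mail-archive",       "run_date": date(2024, 5, 30), "status": "success", "verified": False},
    {"job": "accounting-db",      "run_date": date(2024, 4, 2),  "status": "success", "verified": True},
]


def self_assessment(policy=SAMPLE_POLICY, inventory=SAMPLE_INVENTORY,
                    backups=SAMPLE_BACKUPS, today=TODAY) -> dict:
    """Run all three checks and return the findings an owner should be handed as a report."""
    return {
        "password_policy_gaps": password_policy_gaps(policy),
        "hosts_not_patched_30d": stale_hosts(inventory, today),
        "backups_without_verified_weekly_run": backup_gaps(backups, today),
    }


if __name__ == "__main__":
    for check, findings in self_assessment().items():
        print(f"{check}: {'OK' if not findings else findings}")
```

The point of the `verified` flag is the one the checklist makes: a backup job that reports success but has never been restore-tested is not a ‘verified good working’ backup, so the sample `mail-archive` job is flagged even though every run succeeded.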
If you do not get the above items, or you are told it is all taken care of, I would suggest your IT Guy/Team provide proof of their claims. Obviously, if it is true, the reports mentioned above should be no problem to provide. Request that the reports be in your hands within the next 5 days.
You should be clear with them that your intention is not to trap them but rather to ensure your business cybersecurity is taken care of.
If they tell you that your SLA does not cover cybersecurity, it should be refreshing that they are not afraid to tell you the truth. They should still be able to give you an update/patch report for all computers, mobile devices, servers and other network appliances, as well as the backup report.
Hopefully M has implemented a password policy and does in fact have the appropriate security measures in place.
If you have questions or concerns please feel free to reach out. I will do everything I can to help you address your concerns.