People make a lot of excuses for avoiding cybersecurity assessments and getting third party help to build effective security teams. “My IT guy does that for me” and “It’s too expensive” are automatic, followed by “We’re just a small business, our data doesn’t matter.”
As cybersecurity has become more complex, traditional methods do not account for the wide range of issues related to securing corporate data and handling privacy concerns, according to new research report from CompTIA.
In the association’s report titled 2018 Trends in Cybersecurity: Building Effective Cybersecurity Teams, barely a quarter of those surveyed are satisfied with their current security posture and only 26 percent have a dedicated security team. On one hand, companies complain that good cybersecurity is too time consuming and not in the budget. At the same time, decision makers are scared to death of developing and executing a good cybersecurity plan and make lots of excuses to avoid it.
When you run into excuses like “There’s no HIPPA police,” or “I have cybersecurity insurance,” here are some measured ways you can respond.
‘Cybersecurity’s not in the budget.’
The CompTIA cybersecurity search report says nearly 60 percent of companies don’t have top notch IT security because it costs too much. When you hear “It’s not in our budget,” help them develop a better budget, said Neal Bradbury, vice president of channel development for Barracuda MSP and vice chair of CompTIA’s IT Security Community.
Bradbury advises asking clients: “Is downtime or data loss in the budget? What about the cost of a break in?” For clients that deal with patients, like hospitals, a data breach can cost $400 per head. Clients who bill by the hour will lose money every minute the system is down. Get your client to quantify their risk, he recommended, and then offer to do a free data assessment. Show clients the real cost of a security breach and make your price tag look like a bargain.
‘We’re just a small business.’
People think their data isn’t valuable to hackers because they have small client lists and data that doesn’t appear valuable from the outside. Convince your clients that all data is valuable — even data from small businesses — and point out that small businesses can be an easier target for hackers. As more and more companies get hacked, you’re going to be challenged by your customers to see that you’re complying, Bradbury said.
‘We just did a cybersecurity assessment. Why do we need another?’
Information and networks change daily, and a security assessment is a snapshot in time. Because security changes frequently, assessments truly should be a lifecycle done periodically, said Andrew Bagrin, CEO of OmniNet Inc., also a member of CompTIA’s IT Security Community.
“By the time you present a pen-test to a customer, things have already changed,” Bagrin said. “You can say, ‘Here’s your risk today, that changes tomorrow.’ And the longer you wait to do an assessment, the more risk and change there is.”
Every time you do a risk assessment it’s a snapshot in time that helps IT security experts remain proactive, which is why Bagrin sells clients on security assessments as a lifecycle.
“They need to be done periodically,” he said. “It’s not a one-and-done activity.”
‘My people know cybersecurity. We don’t need outside help.’
CompTIA’s new cybersecurity research reports 43 percent of companies use third-party firms for security projects. From the half that tries to make do with security in-house, you’ll hear a lot of “My IT guy already does our security” or “Security is everyone’s responsibility.”
“Ask yourself: If your people found a problem that would get them fired, would they tell you?” Bradbury said. Specialized security teams have a responsibility to mitigate risk and their own reputation to uphold. It’s their job to protect your employees.
‘I have cybersecurity insurance.’
Some companies think they can insure themselves against hackers, but buying a policy isn’t enough, Bradbury said. “The chances are it doesn’t really cover everything you’re looking to prevent from happening,” he said.
When clients bring up cyber-insurance over IT security, ask if they know what the policy covers and if they had a security assessment prior to purchasing the policy. As a third-party security team, you can work with insurance providers to help clients understand and implement a cybersecurity plan that complies with the coverage.
For more on how companies are building third-party IT security teams and how you can offer services companies want to hire, click here to download 2018 Trends in Cybersecurity: Building Effective Cybersecurity Teams and here to get involved with CompTIA’s IT Security Community.
Michelle Lange is a writer and designer living in Chicago.