In his book The Road Less Stupid, Keith Cunningham makes this correct observation about succeeding in business: “I don’t need to do more smart things. I just need to do fewer dumb things.”

When it comes to cyber security, we see a lot of dumb decisions made by smart people based on gross ignorance about what can happen or the desire to stick their proverbial head in the sand to avoid having to spend the money and time to protect their assets.

One of the biggest mistakes is thinking you won’t get hacked because you’re too small, or because you “don’t have anything the hackers would want.” Allow us to point out you’re not too small to get hacked, but you are too small to make headline news. Millions of small businesses get hacked every year – they simply don’t talk about it because of the potential liability, bad PR, and loss of client and marketplace trust. They’re embarrassed.

Further, you’re right – hackers, for the most part, don’t want your stuff, unless you happen to have medical records, credit cards, social security numbers, etc. Those are very valuable digital assets that can be sold on the dark-web marketplace – and cyber criminals are in it for the money. But more to the point, YOU want your stuff, so they’ll kidnap your information and hold it for a ransom to extort money from you. Kidnappers don’t steal a child because they want to start a family. They steal your children because YOU want your children and they know you’ll pay anything to get them back, safe and sound.

So it goes with ransomware. When all of your work files and e-mails go away, very few businesses can pick up from ground zero and keep operating without any losses. Perhaps the solo operator working from home, but certainly not a small business that has been operating for several years with multiple clients and employees producing work for clients.

Another excuse we’ll hear for not implementing cyber protections is, “Since I’m going to get hacked anyway, why bother spending so much money on cyber security? I’ll just get an insurance policy, back up my data and take the hit.”

While that might sound logical, here’s why it’s a gloriously stupid plan…

Insurance companies are in business to make money, NOT pay out policy claims. A few years ago, cyber insurance carriers were keeping 70% of premiums as profit and only paying out 30% in claims. Fast-forward to today, and those figures are turned upside down, causing carriers to make drastic changes in how cyber liability insurance is acquired and coverages paid. In fact, the CEO of Zurich Insurance Group recently predicted that cyber-attacks are set to become uninsurable.

Today, getting even a basic cyber liability policy requires you to prove you have certain security measures in place, such as multifactor authentication, password management, endpoint protection, and tested and proven data backup solutions. These carriers want to see phishing training and cyber security awareness training in place, and some will want to see a WISP, or written information security program, or a business continuity plan from your organization. Depending on the carrier, your specific situation and the coverage you’re seeking, the list can be longer.

Also, hackers are onto your backup plan and create ransomware attacks to not only take your data but also corrupt your backup. The additional threat is that if you don’t pay, they’ll release your files online for all to see, including payroll information, ALL e-mail communications, client contracts, and more. Do you really want that in the hands of competitors and the general public? Insurance won’t cover that.

Bottom line: having cyber-protections in place cannot guarantee you will never get hacked, but it CAN dramatically prevent the damage done and absolutely will block the majority of attempts, preventing you from being low-hanging fruit.

Wearing a seat belt, having a safe car, and practicing good driving behaviors (like don’t text and drive) won’t guarantee you’ll never be in a car wreck – but if you do those things, the risk of getting into crash go down dramatically AND your chances of coming out alive and unharmed will obviously increase.


Want a FREE, confidential assessment of your current cyber security status? Click here to schedule a quick 10-minute call to start a discussion and see if you could benefit from a more robust cyber security plan.

TOSS C3 is the trusted Cyber Technology Services provider in Massachusetts specialized in serving law firms, libraries, local governments, and healthcare providers throughout the USA.