Addressing Excuses for not Investing in Cybersecurity

We all know cyber-attacks are on the rise in today’s digitalized world. More importantly, it’s the small and medium-sized businesses that are being affected more than their counterparts. While talking to them, we found that they strongly agree that IT security is an important issue for their organization, yet they fail to see cybersecurity as a priority or think they don’t need to pay more attention to it. Based on their responses, here are a few common excuses and how we address them with some practical examples.

Excuse 1. It’s not in Our Budget:

The cost to a business that is affected by a cyber-attack can be measured by loss of valuable customers, interruption to business operations or reputation damage. Protecting the business from potential cyber-attacks needs to be seen as a business imperative, not just discretionary spending. In simple words, the response to “we can’t afford to” can be “you can’t afford not to.”

Excuse 2. We are Not That Big:

By their very nature, small and medium-sized organizations have less robust cybersecurity defenses than big corporations, making it much easier and less expensive for cybercriminals to break through. Make no mistake: every business, no matter how small or big, has potentially valuable information, including sensitive client or financial data, intellectual property, or simply the recipe to grow into a larger business.

Excuse 3. Our Employees are Smart Enough:

For most of the cyber-attacks in history, human error and ignorance have been identified as the #1 vulnerability to cybersecurity, no matter how robust cyber defenses are. It’s sobering to know that users are not able to identify disguised attacks and end up opening phishing e-mails and clicking on spam links, making it very easy for cyber criminals to enter a company network and launch a cyber-attack.

Excuse 4. It’s an IT Problem, Not a Business Matter:

Cyber risks need to be incorporated within an organization-wide risk management strategy. It might sound obvious, but when a business is forced to shut down or its crucial business functions are crippled after a cyber-attack, you can hardly call cybersecurity an IT problem.

Excuse 5. Our IT Security Practices are Foolproof:

Executives counter that they have Intrusion Detection Systems (IDS) installed and that no major incidents have been detected for years, so they consider themselves safe and see little need to invest further. It’s risky to assume IT network security is perfect. All security measures have varying degrees of effectiveness, and these can change over time due to new threats and vulnerabilities. Don’t be the same. Be better.

Excuse 6. We’re not a Potential Cyber-Attack Target:

Just because a company does not accept online payments or store personal information does not mean it is immune to a cyberattack. Think of the financial information, key strategies or important documents, the loss of which can cripple your business.


Excuse 7. We know it all but will do it later. Currently, we are focused on something else:

In a recent article, an FBI cybercrime official was quoted saying: “There are two categories of people: those who have been hacked and those who are going to be hacked.” Essentially, it’s not a matter of if, but when. A company determines its risks and mitigation strategies with the expertise of its IT team or a third-party IT security services provider.

Excuse 8. Implementing Cybersecurity is Cumbersome:

The cost and pain of clean-up and recovering data, lost productivity and downtime, not to mention a tarnished reputation and potential legal actions, can be devastating for a business. Sow the right seeds, toil hard in cultivating the land and harvest the fruits of securing your organization. Engage a capable partner who shares the load and simplifies IT security for you.

Excuse 9. We have Anti-virus/malware Software and a Firewall, isn’t that Enough:

Undoubtedly, these traditional tools are effective, but you should see them more as reactive/damage control tools than as your whole proactive cyber defense system. Again, their effectiveness depends on their being kept up to date. With employees bringing their own laptops and mobile devices to work, using web applications and heavily browsing the internet, attacks can come from a wider number of places, like email phishing, malicious advertising on a website, or unpatched business systems.

Excuse 10. I Don’t Know Where to Start:

  • Learn where your blind spots are and understand your cyber ecosystem
  • Identify your most valuable data and its access aspects
  • Implement suitable controls over the most sensitive data and ensure proper backup
  • Train your employees as your first line of defense. Most breaches are driven by insiders; many companies never conduct formal cybersecurity employee training
  • Invest in a legal and genuine operating system and anti-virus

You might agree with me that many of these excuses seem related. But they’re all poor substitutes for actual cyber defenses. To thrive in today’s rapidly changing risk landscape, companies need a well-thought-out and meticulously architected cybersecurity strategy, along with the right tools, skills and resources to implement it. As a business owner, it’s up to you to decide how much risk exposure you are willing to accept, and what practices you will implement in your organization to be a harder target to reach. You probably don’t want to bet on those excuses; instead, prioritize the implementation of a cybersecurity strategy that protects critical assets and data.

Remember that no organization can be 100% protected, but the right combination of tools, skills, processes and training can make it much harder for your business to be attacked, and make criminals more likely to go hunting for the next easier target.

If you have any further questions on how to develop an end-to-end cybersecurity strategy for your organization, please get in touch with our cybersecurity experts.

The first step to cybersecurity is gaining visibility into the vulnerability of your IT network. If a cyber-attack hits your organization, will you be ready? You can check on your cyber defenses by taking our complimentary Cybersecurity Risk Assessment, which gives you a quick expert opinion on whether your security is as good as you think.