Why Cybersecurity Starts With HR, Not IT


Look, whether you're a big company or a small company, you certainly have had the idea of cybersecurity come on your radar screen. You may have been a victim of some type of a cyber event or loss. You may have been made aware of it by your I.T. person. Maybe a client has required it. What do you need to do? Well, let's take a look at the biggest mistakes that companies make with cybersecurity. We'll take the lead from The Wall Street Journal on this. Even though we've talked about this in other videos, cybersecurity isn't just about an I.T. person locking down your network. It's not about passwords per se. It's not even about cyber insurance—which is an important part of it. The biggest parts are human.

Let's take a look at what those are. One mistake is to focus on tech instead of employees. So yeah, you can have all the platforms, all the password monitors, all the firewalls you want. But if your people in your company are accidentally—obviously they wouldn't do it on purpose—leaving vulnerabilities, leaving opportunities to get in, it defeats the purpose of all those firewalls. For example, if your employee opens up an email that has an attached file, that can get right through your firewall. So if your I.T. person has done a great job in putting together firewalls and systems and procedures and monitoring, but you have an employee who's working from home that opens up a malicious file—all that gets thrown out the window. So make sure that the human part of it is taken care of.

Now let's take a deeper dive into the human part. Training is one part of it, but the bigger part is changing attitudes. And the attitude is being aware that these things can happen. Look, if you just train somebody to fill out a form or do things a certain way or do a checklist, that's boring. And just like, you know, you've seen the movie Office Space, filling out TPS reports—nobody likes TPS reports. If you're just doing training for cybersecurity, that cybersecurity training is going to become a TPS report. And if that's like watching a video, or even if it's once a month talking to a manager in a meeting, it's not going to work all the time.

But you want to build a culture and have employees see security as part of their job. Part of it might mean seeing the benefit to them. Maybe cybersecurity will get you more sales somehow. Maybe it'll get you more customers. Maybe it'll be a selling pitch that you can add to your pitch deck that says, “Hey, here's what we do for cybersecurity. Your client information is safe. You're not gonna have to worry about us going down from a ransomware attack. We protect your information as well. We protect your downstream, your supply chain.” Maybe the cybersecurity can be part of your selling features. Maybe if you're a client to a supplier, you can tell your supplier, “Look, we want to get a little bit better deal because you don't have to worry about us voiding our contract because of cybersecurity.”

Number three according to the article is: make sure your leadership—whether it's you or your managers—does, and not just says. Have them demonstrate it by using two-factor authentication, doing the other things, and also talking the talk, right? Make sure that in all the meetings that you have, you're mentioning it and how important it is and, you know, have the belief in it as well. It's kind of boring, and it's a little bit cliché, but make sure that that's part of your corporate culture.

And this is a little bit counterintuitive—you might think, well, worry about prevention and not recovery. Well, that's true. But if all you're doing is worrying about, let's say, fire prevention, and you have safety in your company and no open flames—but have no fire extinguishers—you're going to burn down. Because at some point something will happen. You want to have both. You want to have prevention but also recovery. So plan, maybe do drills—what would happen if you had a cyber attack? What would happen if you had ransomware? Check your backups, make sure they exist. Check your resiliency. Check your redundancy. Make sure everything works properly. Make sure you can restore your accounts payable if you need to.
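The restore drill described above can be reduced to something a small company can actually run on a schedule: confirm the backup file exists and is readable, restore it into a scratch directory, and compare every restored file against the live copy. The script below is an added example, not something from the podcast or the article it cites; the "accounts payable" CSV files it backs up are constructed sample data, and the function names (make_sample_data, make_backup, restore_drill) are hypothetical.

```shell
#!/bin/sh
# Added example: a minimal backup restore drill.
# Creates constructed sample data, backs it up with tar, restores it into a
# scratch directory and verifies the restored files match the originals.
set -eu

# Build constructed sample "accounts payable" data in a temporary directory.
# Prints the directory path.
make_sample_data() {
  dir=$(mktemp -d)
  mkdir -p "$dir/ap"
  printf 'invoice,amount\n1001,250.00\n' > "$dir/ap/invoices.csv"
  printf 'vendor,contact\nAcme,ap@example.com\n' > "$dir/ap/vendors.csv"
  echo "$dir"
}

# Create a compressed tar backup of a directory. Prints the archive path.
make_backup() {
  src="$1"
  archive="$(mktemp -d)/backup.tar.gz"
  tar -C "$src" -czf "$archive" .
  echo "$archive"
}

# Restore drill. Returns 0 only if the archive exists, is readable, and every
# file in the source directory is present and byte-identical after restore.
# Returns 1 otherwise (missing/corrupt backup, missing file, content mismatch).
restore_drill() {
  src="$1"
  archive="$2"
  # "Check your backups, make sure they exist."
  if [ ! -s "$archive" ]; then
    echo "backup missing or empty: $archive" >&2
    return 1
  fi
  # A backup that cannot be listed cannot be restored.
  if ! tar -tzf "$archive" >/dev/null 2>&1; then
    echo "backup unreadable: $archive" >&2
    return 1
  fi
  # "Make sure you can restore": extract into a scratch directory, never over live data.
  scratch=$(mktemp -d)
  tar -C "$scratch" -xzf "$archive"
  status=0
  # Compare each live file with its restored copy (paths here contain no spaces).
  for f in $(cd "$src" && find . -type f | sort); do
    if [ ! -f "$scratch/$f" ]; then
      echo "missing after restore: $f" >&2
      status=1
      continue
    fi
    if ! cmp -s "$src/$f" "$scratch/$f"; then
      echo "content mismatch: $f" >&2
      status=1
    fi
  done
  rm -rf "$scratch"
  return $status
}
```

Run as a drill rather than a one-off: a mismatch means the backup and the live data have drifted since the last backup, and a missing or unreadable archive means the backup job itself has been failing silently, which is exactly the condition you want to discover before the day you need the restore.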

And this last one is really, I think, a duplication of number three: missing the competitive advantage. If you just view cybersecurity as a cost, then it's going to be a cost, and no one's going to like it. But look at it as a competitive advantage. You can gain an edge with customers looking for safety. You can also save money on your P&L. Sometimes cybersecurity things actually reduce your expenses. It may seem like something that's not interesting, sexy, you know, important to the business development—but in the long run, little bits and pieces of cybersecurity as part of your corporate culture, even if it's one percent, two percent, four percent of your attention span, will eventually help you with business development. And on the day that you would have had a hack—that you don't, that you don't even know about—it will be the difference between your business existing or being destroyed by a hacker.
