I believe there are two reasons why you may choose not to worry about cybersecurity.
#1: You believe you can bear the impact of an attack.
What do you think the likely cost of an attack would be for your organisation?
- €1 million?
When you estimate the likely cost, make sure you consider all of the factors that feed into this cost.
- The cost of the staff time consumed by the response and recovery effort, time that those staff were supposed to be spending on their real jobs.
- The cost of the business disruption caused while your systems are offline, or data has to be recreated.
- The cost of getting outside expertise to investigate the cause of the attack, and to help you respond and recover.
- The cost of getting legal advice to ensure you stay on the right side of the law.
- The cost of getting communications advice to ensure you communicate clearly with interested stakeholders – e.g. staff, clients, and regulators.
And depending on your specific circumstances, the costs may also include:
- The cost of the ransomware payment, if you have no other option but to pay the ransom.
- The cost of payment fraud, because payments from your clients to you, or payments from you to your suppliers, ended up in the cyber-attacker’s account.
- The cost of facilitating any investigation by regulators.
- The cost of getting outside help to handle interactions with the regulator(s) and to defend your historical decisions and (in)actions.
- The cost of any regulatory sanctions.
And don’t forget the hidden, longer-term costs.
- Things like the psychological impact on everyone involved in the response and recovery.
- And your tarnished reputation.
Whatever you think the cost will be…
If the cost sounds bearable, you may not need to worry about your cybersecurity defences.
And even if the cost causes you discomfort, you may still not need to worry.
And this brings us to reason #2.
#2: You believe the likelihood of an attack is low.
Many people, including me, will tell you that the likelihood is higher than you think.
Especially if there are some obvious red flags.
But this is ultimately your decision*.
You could decide not to worry about cybersecurity because you feel you will be able to bear the impact of an attack.
You could decide not to worry about cybersecurity because you feel the likelihood is low.
Or, you could decide to do something now to reduce the likelihood and/or impact of an attack in the future.
Whatever you decide*…
You will reap the benefits, or suffer the consequences, of your decision.
So, what’s your decision?
* Doing nothing is still a decision.