Betting against the house, only worse!

I enjoy a little gambling from time to time. My game of choice is blackjack and there’s nothing quite like having a few dollars riding on the flip of a card. I’ve never had a huge win, but I’ve never lost much either. That’s because I wager within reason. Nothing outside of what I would regret losing.

Most business leaders are more conservative than me. The best ones run tight ships and limit unreasonable risk in their operations. They make careful, incremental investments, and there’s always a “Plan B” should any of their initiatives come up short.

That’s why it surprises me that so many of these same people gamble with their companies. This particular gamble has terrible odds — much lower than betting against the house in Vegas. Less than 40 percent of companies survive this gamble, yet 100 percent of organizations will face this exposure. Still, very few companies take proactive stances, putting their entire entity at risk.

Of course, I’m talking about cybercrime and its impact. Almost every company is under attack every day. In fact, the director of the FBI said, “There are two kinds of big companies: Those that know they’ve been hacked by the Chinese and those that don’t.” Everyone is affected by expanding cybercrime and the criminal industry behind it.

I hear many of you say, “I’m too small for them to be after me. I don’t have anything they want.” That was a good defense several years ago, but the threat changed. In bygone days, these were targeted attacks, aimed at specific companies and opportunities. Now, these attacks are mass-produced with much broader reach, can be made for free, and are designed to harvest funds from many sources. These criminals want your money, not necessarily your data.

It’s frustrating watching so many smart people get burned. There are many examples — both inside and outside Wisconsin — where intelligent folks were victimized. Some are amusing, like the cybersecurity expert locked in a client’s computer room for 16 hours. He went on site to test physical security and employees led him into the inner sanctum, but a double lock prevented him from leaving. In another, an auditor clicked on her own company’s test attack. As a result, she’s in remedial training to avoid future phishing attacks.

Other examples are more serious. In one, a manufacturer sent $250,000 to establish a new supplier in the Far East. The incident ended when the firm’s banker asked an astonished CEO why he was wiring so much money to an unknown address. Other scams divert company receivables by directing customers to pay a new lockbox without the company’s knowledge. We know companies that lost hundreds of thousands of dollars in that scheme. As you can see, stolen data is just a fraction of the attacks. We’ve seen multiple situations. It frustrates me because we can’t help unless we’re asked.

Why do so many companies ignore such a real threat? We continue to see it all over Wisconsin. Cybersecurity rarely makes it to the top of the priority list. Then, one of two things happens: companies in the Department of Defense (DoD) supply chain have a supply contract come up for renewal and discover they are not in compliance with the NIST Cybersecurity Framework — a requirement for over a year — and their contract is not renewed; or companies not supplying the DoD get religion when one of their friends’ companies is breached. Suddenly, cybersecurity becomes important.

Of course, all action becomes reactive under these scenarios — more expensive and less effective than taking a proactive stance. Often the damage is done and hopefully it’s “just” the loss of a contract or a little cash, as opposed to the entire company.

This is incredibly disappointing to me because it’s so easy to be proactive. Everyone should engage a professional guide. The right firm will help you act faster, cheaper, and more effectively than any internal resource. First steps cost much less than $10,000. If someone wants to charge you more than that for an initial screen, find another resource! They either don’t know what they’re doing or they’re working on the wrong things. Next, if you’re a DoD supplier, use your guide to become compliant with the NIST Cybersecurity Framework.

If you’re not required to comply with the Framework, please act anyway. Every company should take four critical actions:

  1. Install an effective firewall. Think of it as a security fence around your systems.
  2. Use multifactor authentication. Usernames and passwords are better than no protection at all, but not much!
  3. Run current software and install the updates. Pack away Windows XP and its ilk.
  4. Train your employees. They want to do a good job for you. Help them understand the threat and how to identify various attacks. Lessen the likelihood someone will inadvertently make a mistake.

Experts tell us that taking these four steps neutralizes 75 to 85 percent of cyberthreats and provides the opportunity to address more complicated threats.

It rarely makes sense to bet the farm on anything in life. It should never be done when there is nothing meaningful to be gained. We know that’s true in the casino. It’s certainly true with cybersecurity.

Bet on it!
