Five Cybersecurity Myths Small Companies Might Still Believe

In this Businessweek piece, Adam Epstein of Third Creek Advisors does some myth-busting. The myths? Cybersecurity myths that many small companies still believe.

  1. Cyber breaches are preventable: He says they’re not. “Breaches are a matter of when, not if… If Fortune 50 companies with nine-digit annual cybersecurity budgets can’t prevent breaches, neither can you. Effective cybersecurity is more about identifying corporate ‘crown jewels,’ making it as difficult as possible for them to leave the building, and having a thoughtful plan for post-breach resilience.”
  2. The IT team is on it: Here’s what Epstein has to say about cybersecurity being just an IT issue. “Boardroom cybersecurity oversight generally consists of inviting the head of IT to make a periodic presentation on the company’s firewalls and antivirus software. Lacking security experts, most boards collectively exhale on hearing the IT update. Unfortunately, cybersecurity is only partially an IT issue. It’s also a matter of corporate culture, employee training, and physical security. You need to worry about disgruntled employees and your supply chain, not to mention that little company you just acquired. That’s way beyond IT.”
  3. Cyber theft is about credit cards: Yes, it is, but that’s not the only thing cyber thieves are after. Epstein says that while credit card information is a target, so are personal information, intellectual property, strategy memos, customer lists and other non-public information.
  4. Always disclose cyber incursions immediately: Epstein says, “While it’s admirable to want to get out in front of breach incidents and voluntarily disclose them, this can sometimes put a board at a disadvantage. Consider the Target breach, where the size and nature of the crisis expanded substantively with each press release. Malware can morph after being detected and wreak further havoc. It’s often unlikely that the first information received by the board about a breach will be accurate and comprehensive, so exercise caution not to complicate a crisis by voluntarily misrepresenting it.”
  5. Insurance will cover it: Epstein says insurance “cyber coverage” often comes up short, not taking into account all that goes into a company’s comprehensive cybersecurity plan. He advises, “Make sure the policy is underwritten after extensive, informed security assessments of your company – not just a standardized form sent via e-mail.”
For more information, see the original article here: