Jonathan Crowe
Dec 2015

The 2nd Day of Breach-mas: Two Negative Attitudes to Overcome to Improve Security Buy-in


Note: This is the second post in our "12 Days of Breach-mas" series. For a full summary, see the first post here.

When it comes to security, the only universally wrong answer is doing nothing.

For all the security challenges your business may face, the biggest threat isn’t a sophisticated piece of malware; it’s unawareness, ambivalence, and complacency. Nothing strips the efficacy from existing security initiatives faster, and nothing makes it more difficult to adopt anything new. Nothing makes companies more vulnerable, and nothing is more important or challenging to overcome.

It can be easy to think of security as a technical problem, but the truth is any meaningful solution requires not only the adoption of new software and techniques, but new mindsets and habits, too. In order to overcome the crippling inertia that’s holding back many of your peers, you’ll have to take on two negative attitudes in particular.


Two Negative Attitudes to Overcome

1) We’re not a top target, so security isn’t as important for us

The first (and arguably biggest) challenge you’ll face as a security advocate at your company is that many businesses simply don’t think cyber attacks will happen to them. Sure, everyone’s read all about the big public breaches at Sony and Anthem, but unfortunately those stories don’t do much to dispel the misconception that it’s only large companies that get hacked.

While many small businesses may assume they don’t warrant much attention from attackers, the fact is that small- and medium-sized businesses bore the brunt of targeted attacks (60%) in 2014.

Many of today’s cyber attacks can be broadly directed and indiscriminately applied. The victims are not targeted because of where they work per se; they are just vulnerable places to land and expand from (case in point: hackers gained access to Target by breaking into an HVAC company first).

As long as a “Why us?” attitude exists in your organization, you’ve got an uphill battle on your hands. Until you’re able to break through to executives and employees and establish a sense of urgency, sadly, security is going to be one of those things they don’t fully appreciate until it’s gone. The key is to start building a shared sense of ownership and buy-in before you get to that point. And to do that, you need to find ways to do the following:

  • Drive the point home with truly relevant examples: That means pointing to competitors or other companies in your space who have either had success stories or suffered through security incidents themselves.
  • Make it personal: Help employees and executives connect the dots between strong security and their other day-to-day priorities and goals.

In other words, you need to make it real. For more tips on how to engage and empower employees, see our eBook, The Realist's Guide to Cybersecurity Awareness.

2) Complete security isn’t possible, so let's just focus on compliance

"Security is not equal to compliance" is a well-trodden topic, but for good reason. In many ways it's easier for a company to focus on the latter — compliance is something they can actually achieve by following specific requirements. Figuring out what it takes to be legitimately more secure, on the other hand, is complicated. There is no one tried-and-true path. Needs and priorities vary from organization to organization. 

The problem with taking a "let's check all the boxes" approach is that doing the bare minimum won't safeguard you and your customers from today's rapidly evolving threats. And as recent high-profile breaches have demonstrated, customers find little solace in knowing a breached organization was compliant when they discover their personal information has been exposed.


The Cost of Doing Nothing 

When it comes to security, companies can’t afford business as usual. Cost per cyber attack has more than doubled in just two years, rising from $8,699 in 2012 to $20,752 in 2014. With limited resources and security expertise at their disposal, small businesses in particular have become big targets.

The good news is you don’t have to take things lying down, and over the course of these "12 Days of Breach-mas" we'll provide you with tips for fighting back. Stay up-to-date with all the posts in the series by subscribing to our blog below.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.

