It’s human nature to underestimate the power of looming, obvious problems. Nobody can claim ignorance to the threats posed by cybercriminals and state actors, or or the ransom payments that abound. There’s also greater overall understanding and knowledge about how to mitigate the risks. Yet, many small and medium-sized enterprises (SMEs) aren’t investing in better security.
This article explores the reasons why, addressing both qualitative research and those grounded in organizational psychology. It also prescribes solutions for leading organizational change that IT teams, managed service providers (MSPs), and other professionals can deploy to “get to yes” before the inevitable happens. Idle SMEs are facing headwinds from an intensifying regulatory environment, a significantly higher level of scrutiny from insurers, more sophisticated attacks, and the economic impact of breaches. Deferring action on cybersecurity is a losing proposition that’s compounding costs as more time passes.
If your organization has the mindset of “insurance will take care of it,” then be sure to listen up. Those days are ending, and your next breach could make future coverage unattainable.
Why Security Is Often Postponed
Running an SME isn’t trivial, and every dollar and every minute counts. You shouldn’t judge organizations that don’t have the resources or opportunities to focus their efforts on improving their security. However, there are firms that have a solid grasp on the threats posed by cyber criminals, yet still opt to do nothing “right now.” Unfortunately, it never seems to be a good time to get started … for one reason or another, such as:
- Fiscal costs
- Lack of time
- Undervaluing anything that’s not directly associated with “the business”
- The notion of “we don’t click on emails” serving as sufficient security
- Executives (or owners) who don’t understand technology very well
- Lack of a financial incentive for MSPs to score one-time revenue on a project versus managing users over the long haul for recurring revenue
These “excuses” were encountered by this writer, working as a consultant, and they were by no means just a few isolated encounters; instead, they reflect the balancing act of security versus productivity at many SMEs. A recent conversation highlighted how security is seen as a “nice to have” versus a “must have” in many organizations.
A busy lawyer, speaking on the topic (and on time client), acknowledged as much:
It’s [security] not a function of the principal business, so it appears ancillary when it should be part of the primary industry. IT needs to learn to market to the people establishing the budget that it’s not an ancillary function. I understand [security] but still have a difficult time stressing that it’s a main part of the legal business.
Security researchers are generally agnostic as to whether organizations should pay ransoms or not, but there’s consensus that ransoms and related “fees” are now topping $790,000. That’s just the onset: penalties from new regulations and legal consequences are becoming the aftermath. Transferring the cost of bad security is becoming more and more likely as time goes on. Conversely, a security program bears more fruit, and mitigates more risks, over time.
Evolving Threats in the Cloud, Identity
CrowdStrike, a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, observed that the attack surface is increasing as infrastructure expands into the cloud. Criminal groups are more specialized, work faster and more efficiently, and are conceiving potent new methods of attack that evade detection by traditional measures. 71% of attacks are malware free once an adversary is in your environment, cloud, or on premises.
There’s a growing need to merge IT and security operations and to implement Zero Trust security controls, with identity serving as the new security perimeter. That’s bad news for organizations that are postponing their efforts to improve security, not only because a breach becomes more likely without due diligence, but also because regulators are reacting by enacting tougher laws.
Regulators Are Responding
California has instituted privacy laws, California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CCPR), where violators are subject to civil penalties. It’s often observed that U.S. national standards are sometimes derived from what the states implement. California laws mirrors the European Union’s General Data Protection Regulation (GDPR), which is enforced when breaches occur. Court case law may determine when and how future penalties are imposed and what level of due diligence will be expected from SMEs in the near future.
No Security Controls, No Insurance
The private sector is also expecting greater diligence from SMEs. Ransomware and email compromise is ebbing, but more sophisticated attacks that require a baseline of security controls is emerging. Identity is becoming the new perimeter to prevent cloud breaches, and it’s being heavily emphasized by insurers, along with many others. Underwriting is beginning to consider how potential customers handle evolving adversarial tactics and techniques and if they’ve been breached. Failure to manage cyber risk can and will impact future insurability. Think of breaches as the new “pre-existing condition” that will establish high-risk pools.
These trends are converging to dramatically upend the economics of cyber incidents for SMEs. Fortunately, there are steps that you can take to start the process to achieve better security with buy-in, trust, and clear alignment with corporate goals. Your job is to “get to yes.”
Getting to Yes
“Those who defer doing something about cybersecurity have elevated other interests or concerns above it. Using a ‘getting to yes’ approach means understanding their interests,” said Dr. Art Hochner, professor emeritus of management at the Fox School of Business at Temple University. Dr. Hochner specializes in teaching negotiation skills to thousands of students.
He continued, “Maybe they are sold on the idea, but don’t have time to implement, don’t have a good grasp on what exact steps to take, or would benefit from some hand-holding along the way. The key is to find out what they see as their key interests — e.g., meeting deadlines, managing their time, knowing how to avoid pitfalls and large expenses, etc.”
That can’t be done by trying to sell them on cybersecurity alone. For a more effective negotiating strategy, Dr. Hochner recommends following these steps instead:
- The Jedi mind trick: Make it their idea. Your end goal should be for the decision makers themselves to believe that security is vital to their interest, versus a “good to have.” For instance, Hochner noted that the best car salespeople were the ones that allowed him to take vehicles out for a test drive to sell himself. “[I] didn’t need them to tell me anything much. But, of course, I wanted to buy a car, so I took the time to seek them out,” he said.
- Listen: Your initial task is to actively listen and learn why they’re deferring action. Hochner recommends asking them why directly and then, “just shut up and listen … you can learn a lot by staying silent.” The FUD approach isn’t going to be successful.
- Guidance: Transform excuses into guidance by helping them define their interests. For example, respond to excuses such as, “I don’t have the time,” with a collegial mindset that respects their interests but moves the ball down the field:
- What would help you find the time?
- Is there something I could do to help you clear your schedule?
- Can we agree on a specific time for us to reconnect?
- Social proof: Show them what your peers or competitors are doing and ask questions such as, “Do you want to know more about how they were able to do it?”
- Empathy: Utilize emotional intelligence by emphasizing that your organization isn’t alone in its constraints and experiences, but that there’s a “well-worn path” to achieving better security. Consider sharing endorsements from people that they may know.
- Reciprocity: Think of something meaningful that you have to offer such as a free consultation that could trigger a “reciprocation response” that evokes an obligation to give something of value back to you.
- Liking: According to Hochner, “Show them how much you are like them. People don’t care how much you know until they know how much you care.”
- Authority: Establish yourself as a trustworthy messenger. For example, consider the tactic of admitting any known flaws and weaknesses before the other party seizes on those. Security teams should emphasize solutions, not problems and establish risk-based programs that are defensible and can demonstrate success.
- Consistency: Leverage their past statements to move them to actions consistent with their prior commitments. “Small steps enable you to get a series of yeses, leading to a real commitment,” Hochner shared.
Hochner bases his recommendations on the research of American psychologist Dr. Robert Cialdini, a Regents’ Professor Emeritus of Psychology and Marketing at Arizona State University. Cialdini has identified several principles of persuasion that can guide human behavior.
University of Pennsylvania professor Dr. Karren Knowlton recommends:
- “Switch,” by the Heath Brothers
- “Drive,” by Dan Pink
- “Leading Change,” by John Kotter
Take the First Step, Today
Become an authority on identity and try JumpCloud today. Your account includes 10 users and systems free of charge to get you started, and isn’t functionality limited in any way. You also get 10 days of premium 24×7 in-app chat support.
Sometimes self-service doesn’t get you everything you need. If that’s how you’re feeling, schedule a 30-minute consultation to discuss options for implementation assistance, migration services, custom scripting, and more.