Addressing Excuses for not Investing in Cybersecurity

Addressing Excuses for not Investing in Cybersecurity

We all know cyber-attacks are on the rise in today’s digitalized world. More importantly, it’s the small and medium sized businesses that are being affected more than their counterparts. While talking to them we found that they strongly agreed that IT security is an important issue for their organization, however fail to see cybersecurity as a priority or think they don’t need to pay more attention. Based on their responses, here are a few common excuses and how we are addressing them with some practical examples.

It’s not in our budgetExcuse #1: “It’s not in our budget.”

The cost to a business that is affected by cyber-attack can be measured by loss of valuable customers, interruption to business operations or reputation damage. Protecting the business from potential cyber-attacks needs to be seen as a business imperative, not just discretionary spending. In simple words, the response to “we can’t afford to” can be “you can’t afford not to.”

We are not that big

Excuse #2: “We are not that big.”

By its very rule of nature, small and medium sized organizations have less robust cybersecurity defenses than big corporations, making it much easier and less expensive for cyber criminals to break through. Make no mistake; every business (no matter small or big) has potentially valuable information, including sensitive client or financial data, intellectual property, or simply hold the recipe to grow into a larger business.

Our employees are smart enough

Excuse #3: “Our employees are smart enough.”

For most of the cyber-attacks in history, human error and ignorance have been identified as #1 vulnerability to cybersecurity; no matter how robust cyber defenses are. It’s sobering to know that users are not able to identify such disguised attacks and end up opening phishing e-mails and click on spam links, making it very easy for cyber criminals to enter a company network and launch a cyber-attack.

It’s an IT problem, not a business matter

Excuse #4: “It’s an IT problem, not a business matter.”

Cyber-risks need to be incorporated within an organization wide risk management strategy. It might sound obvious, but when a business is forced to shut or it’s crucial business functions are crippled after a cyber-attack, you can hardly call cybersecurity an IT problem.


Our IT security practices are foolproofExcuse #5: “Our IT security practices are foolproof.”

Executives counter that they have Intrusion Detection Systems (IDS) installed and no such major incidents have been detected since years. Hence they are safe and there is a little need.  It’s risky to assume IT network security as perfect. All security measures have varying degrees of effectiveness, and these can change over time, due to new threats and vulnerabilities. Don’t be the same. Be better.

We’re not a potential cyber-attack target

Excuse #6: “We’re not a potential cyber-attack target.”

Just because a company does not accept online payments or stores personal information, does not mean they will be immune to a cyberattack. Think of the financial information, key strategies or important documents, loss of which can cripple your business.


EWe know it all, but will do it later. Currently we are focused on something elsexcuse #7: “We know it all, but will do it later. Currently we are focused on something else.”

In a recent article an FBI cybercrime official was quoted saying: “there are two categories of people: those who have been hacked and those who are going to be hacked.” Essentially it’s not a matter of if, but when. A company with the expertise of its IT team or third-party IT security services provider, determine risks and mitigation strategies.

Implementing cybersecurity is cumbersome

Excuse #8: “Implementing cybersecurity is cumbersome.”

The cost and pain of clean-up and recovering data, lost productivity and downtime, not to mention a tarnished reputation and potential legal actions can be devastating for a business. Sow the right seeds, toil hard in cultivating the land and harvest the fruits of securing your organization. Engage a capable partner who shares the load and simplify IT security for you.

We have anti-virus/malware software and firewall, isn’t that enough?

Excuse #9: We have anti-virus / malware software and firewall, isn’t that enough?

Undoubtedly, these traditional tools are effective, but you should see them more as reactive/damage control tools rather than as your whole proactive cyber defense system. Again their effectiveness depends on their staying up-to-date. With employees bringing their own laptops and mobile devices to work, and using web applications and heavily browsing the internet, attacks can come from a wider number of places, like email phishing, malicious advertising on a website, or unpatched business systems.

I don’t know where to start

Excuse #10: “I don’t know where to start.”

  • Learn where your blind spots are and understand your cyber ecosystem
  • Identify your most valuable data and its access aspects
  • Implement suitable controls over the most sensitive data and ensure proper backup
  • Train your employees as your first line of defense. Most breaches are driven by insiders; many companies never conduct formal cybersecurity employee training
  • Invest in to a legal and genuine operating system and anti-virus

You might agree with me that many of these excuses seem related. But they’re all poor substitutes for actual cyber defenses. To thrive in today’s rapidly changing risk landscape, companies need a well thought-over and meticulously architected cybersecurity strategy, along with the right tools, skills and resources to implement it. As a business owner, it’s up to you to decide how much risk exposure you are willing to accept, and what practices you will implement in your organization to be a harder target to reach. You probably don’t want to bet on those excuses and prioritize implementation of a cybersecurity strategy that protects critical assets and data.

Remember that no organization can be 100% protected, but the right combination of tools, skills, processes and training can make it much harder for your business to be cyber attacked, and criminals more likely to go to hunt the next easier target.

If you have any further questions on how to develop an end-to-end cybersecurity strategy for your organization, please get in touch with our cybersecurity experts.

The first step to cybersecurity is gaining visibility into vulnerability of your IT network. If cyber-attack hits your organization, will you be ready? You can check on your cyber defenses by taking our complimentary Cybersecurity Risk Assessment, which gives you a quick expert opinion on whether your security is as good as you think.

The following two tabs change content below.

Zenul Jinwala

Marketing Strategist at Dev Information Technology Ltd.
I am passionate, a dynamic thinker and team player responsible for planning, developing, managing and executing marketing strategies to enhance the brand value for DEV IT.

2 thoughts on “Addressing Excuses for not Investing in Cybersecurity

  1. You are right cyber attacks increased these days and every small and big business is on the radar. Companies are taking this serious and finding the solution and trying to secure system. Your blog explains with points and that is great. I learned lots of things and which are really important for all. Thanks for your great work.

    • Thank you for taking time for reading the blog. Thank you for your feedback. It surely goes a long way as an inspiration for me to write more on the subject.

Leave a Reply

Your email address will not be published.