Even if a company thinks its systems are secure, or that it's so small no one will try to hack in, there's exposure in the supply chain, so it pays to follow good security practices.

September 20, 2018


By Matthew Olney

Are you frustrated that your clients aren’t taking the issue of cybersecurity seriously? Chances are high that those resistant to implementing security products still believe the common myths that have led to many organizations falling victim to cybercrime.

Let’s address and try to dispel the most common myths. If you can prove to your clients that these misconceptions are just as dangerous as any cybercriminal, then perhaps they will be more receptive to beefing up protection.

The ‘We’re Too Small or Unimportant to Become a Target’ Myth

This is probably the most common cybermyth that you’ll come across. Frustratingly, it seems the message that everyone is a target just isn’t getting through to people.

If a client doesn’t think they’re important enough to be a target for cybercrime, they’re very much mistaken. Just having a presence online means that they are a potential target.

You need to explain to a client that it doesn’t matter how small their business is; if they have something to sell or store customer data, then they have something to steal.

Intellectual property and even business connections all have value for cybercriminals. Here’s a statistic to share with customers: 43% of all cybercrime occurs against small businesses, and around half of all global cyberattacks are reportedly against organizations with fewer than 250 employees, according to Symantec.

With the increased use of automated hacking tools, no organization is safe. A machine doesn’t discriminate but instead will seek out any vulnerable network, regardless of size. Hacking by hand is increasingly uncommon due to the rise of cybercrime-as-a-service and of exploit kits, the toolkits cybercriminals use to attack system vulnerabilities so they can distribute malware.

Most of the users of these cybercrime services aren’t geniuses, nor are they making millions from hacking big corporations. In reality, they use exploit kits and rented attack services randomly in hopes of getting lucky by making some cash from as many victims as possible. They can scan huge numbers of connected devices and servers as they seek a vulnerability they can exploit.

Smaller organizations that are part of a supply chain often are a prime target for hackers seeking an easier way to land a much bigger target. Smaller businesses tend to have less ability to implement effective cybersecurity, due to a lack of knowledge, skills or resources, or to a small budget.

The ‘We’re Powerless to Do Anything’ Myth

Once you’ve explained the need for cybersecurity by demystifying one myth, there’s a chance you’ll then run into another, which is “there’s nothing we can do.”

This attitude of feeling powerless is understandable due to the cybersecurity sector at times being its own worst enemy. A combination of poor communication and scaremongering by the industry and the mainstream media has done significant harm to people’s perception of cybersecurity.

Often businesses feel helpless in the face of cyberthreats, believing the attacks are beyond the understanding of anyone who isn’t a technical expert. This attitude is understandable, especially as hackers and the cybercrime industry are often perceived as evil masterminds that can only be stopped by security geniuses.

To dispel this myth, you need to get across that cybercriminals, in reality, are like any other criminal in that they seek out the easiest targets and tend to avoid the hard-to-crack places. By implementing cybersecurity basics such as patching and properly configuring their networks, clients will be in better shape and less likely to show up on a cyberattacker’s radar. Once you’ve busted the myth that they’re powerless, you can then convince them to at least look at your products.

The next hurdle you may encounter is the common myth of “As long as we protect ourselves, we will be fine.” Ensuring that their organization is protected against cyberthreats is well and good, but what about the other businesses in their supply chain or the third-party assets they use?

Even if the client has all the cybersecurity tools in place and claims to have the best cybersecurity in the world, it’s worth noting that they’re still vulnerable if they’re part of a supply chain or use third-party assets.

Make the customer aware of how other organizations in their community are acting when it comes to cybersecurity. Some of the biggest headline-grabbing breaches of recent years have involved third parties or organizations subordinate to an entity that suffered a breach.

Use Real-World Examples

Probably the most infamous instance of an organization being attacked via a third party is the 2013 Target data breach. Hackers breached the company by stealing credentials from a third-party heating company that had access to Target’s networks to monitor their systems. That company fell victim to a spear-phishing attack a few months before the main attack on Target.

The hackers then installed malware on Target’s point-of-sale systems that stole customer credit card details from between 1 million and 3 million cards and sent them to a compromised Target server. The data was then sent overseas. The breach cost the business hundreds of millions of dollars in damages and reparations, in addition to the negative impact on its reputation.

Emphasize that everything in your customer’s ecosystem, from subcontractors, subsidiaries, vendors and accounting firms to the third-party apps used by their web dev team for the company website, can be a threat vector. Security is only as strong as the weakest link, and often that weak link is outside of their immediate control.

The main message? Just like other criminals, cybercriminals are opportunists on the lookout for weaknesses and easy prey. All businesses are a target, no matter their size or budget. In this increasingly connected world, the need for cybersecurity has never been greater.

Matthew Olney has worked as a content creator in the cybersecurity sector for three years. He is content manager for XQ Cyber, creators of the CyberScore security testing and rating service.
