How many times have you said that or heard it in an office environment? Probably more often than you care to admit. When that statement is made, it usually applies to the costs associated with initiatives that sit on the budget bubble. These items or initiatives teeter on the brink of being shelved, usually as a result of a lack of enthusiasm or support.

Regrettably, IT security has increasingly become an initiative that businesses discuss year-round but fail to act upon, instead waiting till next year to address the topic. The sense of urgency to act, to be proactive, isn’t triggered, and most often it takes a devastating event such as a cyberattack to force businesses to act.

Why the complacency?

Cybersecurity is often seen as one of those big problems that only large corporations (i.e., banks, tech companies, governments) must worry about. It is assumed that only these larger entities have the resources, time and budget to address such initiatives come budget time. In fact, more people should be concerned with cybersecurity at their workplaces, and not just at the big corporations. It’s the smaller businesses (SMBs), companies with fewer than 1,000 employees, that are at the greatest risk. And they represent the largest number of businesses in the US, which only increases the likelihood of becoming a target for a cyberattack.

So, even though companies realize the inherent risk of being a target ripe for exploitation, a great number shun enhancing their IT security in favor of other projects and initiatives. There is also an increasing pool of SMB targets for cybercriminals, more than at any time in history. As a result, cyberthreats flourish, becoming more sophisticated and developing new attack vectors for invading a business’s infrastructure and IT systems/applications.

“Wait till next year” wins again – and then there’s a cyber-attack

A phishing email is sent, malicious code is deployed and your business’s IT systems are brought to a full stop. Your IT perimeter has been breached, your data and applications hijacked. Everything is being held for ransom. What happened?

An employee tells the “IT person” they’re unable to unlock their laptop. They remember reading an email and clicking on a link that supposedly led to an invoice marked “PAY TODAY.” Then, all went blank on the screen.

The IT staff are responding but unable to react fast enough. Your IT systems are completely shut down, inaccessible, held for ransom. Productivity has slowed to a snail’s pace and the increased effort leads to increased costs. The public now finds out about the successful attack or breach, and your company’s reputation takes a hit.

Then, your customers and vendors are affected by the breach. Cyberattackers have found their way into your financial information and your customers’/vendors’ financial/transactional data. And that’s how it starts.

Cybercriminals knock on as many doors as possible. They assume you’re one of those small- to medium-sized businesses that is “waiting till next year” to address its email, web and data security.

Cybercriminals thrive because of the lack of ongoing IT security initiatives this year, not next year.  Cybercriminals look for any open door, any weak spot. They simply don’t stop.  They’re developing new, sophisticated threats that learn from their mistakes with AI and machine learning.

These new, cultured threats only exacerbate the problem and exploit our laziness.

Here are just a few published statistics that demonstrate the stark reality of today’s malware cyber threats:


  • 155 events in April 2019—a 10% increase compared with March, when the total was 141.
  • Top Three Attack Motivations – In April, Cyber Crime ranked #1 with a slight increase (81.9%) compared with 79.4% recorded in March 2019. Cyber Espionage was 14.2% and Cyberwarfare dropped to 2.6% (from 4% in March 2019)
  • Top Three Attack Methods in April 2019 – Ransomware, Account Hijacking and Targeted Attacks

There is also the Top 10 Malware Activity list to consider. It accurately portrays the collection of dangerous malware variants that led to more than half of all malware notifications sent in January of 2019:


The MS-ISAC Top 10 Malware

    1. Emotet
    2. WannaCry
    3. Kovter
    4. ZeuS
    5. Dridex
    6. IcedID
    7. Gh0st
    8. Mirai
    9. NanoCore
    10. Pushdo

So, there’s no question that there is a constant threat. Malware and ransomware are working harder than ever to get inside your IT security perimeter. And the threat is getting smarter, banking on our vast gullibility to ensure we will make a mistake. That mistake may come in the form of a dismissive delay, a “wait till next year” mentality. But be forewarned, stifle the urge to be (pro)active about your IT security for yet another year, and the results could be disastrous.


Why assume that risk for yet another year?


One misstep, like the urgency over an invoice attached to an innocuous email, could open the door for a cybercriminal. Now repeat that a million, gazillion times. Because that’s how often business gets done over email.  As of 2018, there are about 124.5 billion business emails sent each day. The average office worker receives 121 emails per day. Add in the growing number of SMBs in the US market alone. That’s one appetizing bowl of fresh meat for any cybercriminal.

So, what can SMBs do to reduce the risk of cybercrime?

Start a conversation about your needs, and then act. First and foremost, uncover where you are vulnerable in relation to your IT security.  Listen to experts in your field who are well trained and certified/accredited to provide the right IT security solutions.

These things involve time, but I can assure you that talking about your IT security and beginning to act is far better than delaying it till next year. Those few initial steps are crucial; they mean you are acting and not simply reacting to a potential cyber-related event at your SMB. It shows you’re being proactive about your business’s defenses, data and e-communications.