Why are you Playing with Murphy’s Law?

Chris Caprio
May 19, 2021

The original Murphy’s Law reads: “If there are two or more ways to do something, and one of those ways can result in a catastrophe, then someone will do it.”

Adobe, 2013: up to 150M customer records, including credit card information, hacked.

Equifax, 2017: 150M records, including SSN/DOB, hacked.

Puzzlingly, Marriott, 2014–2018: yes, correct, it went undetected for 4 years, even after their Starwood Hotel acquisition, and led to 500M records being compromised over that period.

SolarWinds, 2020: data breach undetected for up to 9 months, including the US government, UK & European agencies.

Microsoft, 2021: 30K customers still using on-prem Exchange had their emails compromised.

And of course, Colonial Pipeline, 2021: $5M paid in ransom. I think you all know the details.

I am not saying Murphy’s Law would not have held true in some of these cases, but working in the IT space, I know there are hundreds of thousands of individuals and companies that you have never heard about who fell victim to cyber attacks as well. I have seen studies where 1 in 8 companies go bankrupt after a cyber attack. That stat is hard to validate, but I certainly wouldn’t be surprised. Many professionals have stated “it is not if but when” you will get hacked.

“It won’t happen to us.” I am hopeful you have already thrown this philosophy out the window; if not, you should after reading this blog and doing some research. For years, I have sat in conference rooms with our internal management team, and I wholeheartedly agree, we can’t scare customers into buying our services to protect them. Some have compliance needs around cyber and some have taken this seriously for years, and we have protected them. Others took the above quote and a wait-and-see attitude to save on their budget, only to call us back 3 months later to help them with incident response.

My hope is that you no longer think like this; if you are one of the culprits of this attitude, I am optimistic you will reassess. Look, car salespeople have a sleazy reputation: they force customers to buy, tell you about the greatest deal ever, etc. Well, guess what, you’re buying the car. Maybe not from that dealership, but if you need a car and have the financing to do so, you will buy a car. Well, treat cyber in a similar fashion. Another thing to keep in mind: like your car, your cyber can break down. An employee clicks on something they shouldn’t, a zero-day virus comes out, a key vendor is used to get to you, an AP person accidentally pays a bill from a spoofed email, and the list goes on. However, you need to get ahead of it and buy from the company you trust, buy from the company who has a history of protecting its clients, go grab a coffee or lunch to learn more, watch one of the 7,000,000 webinars we get invited to about cyber protection, but please, please, please, figure out how to buy.

What should you buy? If you don’t know what MFA, end-point protection, vulnerability management, cyber risk assessment, security awareness training and dark web research are, please give your current IT provider a call. You may see them as slimy salespeople, but trust me, you need the car. Just do your research and figure out what your company needs to remain as protected as it can be. There are tons of information and products out there; let’s find out what is right for you.

You have an IT budget for a reason. There is plenty of Software-as-a-Service out there that can help, along with other software connected through applications sitting in the cloud, and cost-effective strategies. Is it cheap? No, it’s not, but neither is your business, your best employees, the company you want to acquire, the beautiful view from your office (Oh wait, you don’t need that anymore).

You can buy the $100K Range Rover if you want, but the $40K Honda Pilot may work just great as well or maybe even the $20K used Ford Explorer. Only you and your trusted partner can figure that out. But please, buy the car. The time is now.


Chris Caprio

I enjoy being a CFO. I enjoy working in the Tech space a lot. I really enjoy being a Father. Numbers and Stats matter.