It is common for small business owners and executives to adopt a “wait and see” stance toward investing in cybersecurity. After all, the threat of a cyber attack is just that, a threat, until it actually happens to you. And being fully prepared can be a big investment. Many executives just plan to hold those dollars in reserve to clean things up, rather than spending a bunch of money to protect against something that might, or might not, happen. Sounds like a good plan, doesn’t it? Not necessarily. Here’s why.

To use a simple example, let’s compare waiting until a cyber attack happens to address cybersecurity to waiting for your refrigerator to completely stop working before considering a replacement. Inevitably, your refrigerator will die at an inopportune time. You lose everything in it just when you’ve stocked up on frozen foods, and taking care of the mess and calling the repairman or shopping for a new refrigerator takes time away from work. But the real problem is that you have become an appliance dealer’s dream client. You are in a situation where you have to buy a new refrigerator, right away.  Your choice is limited to the small, expensive pool of appliances that are available for immediate delivery. Any possible savings are lost.

Now imagine that same scenario, but this time it’s a cyber attack on your company. Out of the blue, your servers have been hacked. Your customers’ data is in danger. Just like the broken refrigerator, you’re dealing with an emergency situation, but this one has much more frightening consequences. Not only does an attack take up valuable time and resources from your business, it can lead to serious problems, such as:     

  • Employees stop working for days while you negotiate with a cyber-criminal.  
  • A damaged reputation lets your competitors swoop in and take away your key clients. (Read more about Cyber Security and your Brand here.)
  • You end up dealing with a class-action lawsuit over private records that got leaked as a result of the attack.

Think about it: can your business really afford long-term damage to its revenue stream?

The second problem with the wait-and-see approach is that now you are a sitting target. These fears of damaged reputation and potential loss of revenue lead to knee-jerk spending. You’ve become a dream client for vendors that want to sell you clean-up and protection services. Not only is there a greater likelihood of overspending, but there is also the fact that every other potential threat gets little to no coverage because all your security dollars have been spent on this one terrifying incident.  


The third reason, and perhaps most compelling, not to adopt the wait-and-see approach is that many of the tools you need to limit the damage of a cyber incident have to be purchased before the event occurs. In fact, according to Ponemon’s 2015 Cost of Data Breach Study, just getting the board-level executives involved will lower the overall cost of a breach by 3.57%. From the perspective of your IT staff or vendor, if you didn’t invest enough in off-site data backups, there is not much they can do after the fact. Likewise, insurance policies and legal disclaimers cannot be purchased, or applied, retroactively.

Effective protection against cyber attacks means being proactive, not reactive. Threat Sketch risk assessment tools are designed to help small business owners and executives make better proactive decisions. These tools help executives understand and quantify the potential business losses from a cyber attack, which helps budget cybersecurity expenses and prioritize the effort before an attack happens. A Threat Sketch Risk Assessment is like a Rosetta Stone that lets strategic business owners and executives see for themselves the full impact of a cyber attack and the gravity of not spending enough money up front to prevent attacks and mitigate damage.  

A Threat Sketch Risk Assessment is also the best tool available to ensure alignment between those charting the business strategy and the tactical team tasked with protecting it. We believe a cybersecurity risk assessment is a critical part of every cyber security effort, and Threat Sketch offers both free and premium Cyber Security Risk Assessments that are tailored to small and medium businesses. Please check out our product page to learn more.

About the Author: Rob Arnold, founder and CEO of Threat Sketch, has worked in internet security for over 20 years, including launching his own consulting firm to provide executive IT and security consulting to small, medium and Fortune 100 companies.