There’s an old saying that goes like this: “Wherever you are, that’s where you are.” We could never decide whether that’s really profound or really obvious. But it doesn’t matter. What does matter is a question we get all the time.

Whenever we talk to companies about cybersecurity, someone always asks, “Where do we start?” The answer is, “Wherever you are.” That means — whether you’ve done a little or a lot to protect your company from cyber attack — the best place to start is with the next logical step.

If you haven’t done anything, we’ll start with a gap analysis: How prepared are you for an attack? What’s your ability to recover? We’ll assess the level of vulnerability of your remote access points and the ease with which your networks and systems could be compromised. Then we’ll categorize your risks and prioritize our remediation efforts.

Next, we’ll act like hackers and do our darnedest to breach your environment. That will enable us to evaluate your network, your software, your security controls, and your defenses. Beyond that, we’ll keep an eye on your IT infrastructure to make certain it remains secure and compliant. We’ll even monitor dark web data for evidence of data theft, immediately reporting breaches or abnormalities. And we’ll help you prevent or minimize risks to your operation and your reputation from hacked or exposed credentials.

If You Already Have Some Protection

If it ain’t broke, there’s no need to try to fix it. Start from the most recent thing you’ve done and build on it. Fortify your defenses. Shore up your firewall. Replace your end-of-life network equipment. Check all of your perimeter and internal defenses and system configurations to ensure they’re as tight and secure as they were when you put them in place. And make sure you keep them up to date.

An attempted cyberattack is no longer a matter of if. It most definitely is a matter of when. You owe it to yourself, your company, your people, and your customers to make sure you’re prepared to ward off those attacks and to recover from them should they occur.

Wherever you are on your journey to cybersecurity, that’s where you start your efforts to become more secure.

We don’t know if that’s profound. But it’s necessary, now more than ever.

We remember a wise man once saying to us, “Never trouble trouble, till trouble troubles you.”

We thought of that during a conversation with a prospect the other day. He asked if we thought adding cybersecurity protection — and buying the cyber liability insurance for which his protection would qualify him — was inviting trouble.

“How so?” we asked.

“Well,” he said, “if hackers know I’ve gone to the trouble of securing my network and my data — and if they know I’ve purchased cyber liability insurance — they’ll think I have something valuable to protect.”

“You do have something valuable to protect,” we said, “your business, your assets, and your working relationships with your customers and partners.”

“Yeah,” he said. “But if I advertise that fact with all these cybersecurity measures and an insurance policy, won’t they think I’ve thrown down the gauntlet?”

“No,” we said. “They’ll think you’ve gotten smart and safe.”

Better Safe …

We also remember the line from Batman, in which Bruce Wayne says to Vicki Vale, “It’s not a perfect world.”

The fact is the world becomes less perfect as it becomes more complex. It also becomes more dangerous for the vulnerable and more advantageous for those who choose to prey on the vulnerable.

According to Statista:

Between November 2020 and October 2021, there were almost 24 thousand cyber security incidents worldwide. From this total, 2,065 incidents were detected in small companies. The professional and public administration sectors were the most targeted with 3,566 and 2,792 reported incidents respectively.

Also according to Statista:

Between November 2020 and October 2021, 5212 organizations worldwide experienced data breaches. Among selected industries, financial firms saw the highest number of data violations. Regarding organization size, smaller ones were victimized by data breaches more than large companies.

The common thread there is smaller companies.

Don’t Settle

If you’re a smaller company, you don’t have to settle for inadequate cybersecurity protection. You don’t have to settle for the exorbitant cyber liability insurance premiums you’ll be charged if you’re not adequately protected. You don’t have to settle for being vulnerable in a world of increasing risk and proliferating cybercrime. And you don’t have to be like the guy in the comic strip at the top of this post.

Be smart. Be safe. Be protected.

Okay. We admit the title of this post is a gotcha. But it’s also relevant to cybersecurity. How? We thought you’d never ask.

Consider: If the earth were flat — and unless it was two-sided like a sheet of plywood — it would always be daylight because it would never turn away from the sun. We suppose, on the other hand, that if the earth were more like a flying carpet and the sun rotated around it, the top would be light at times and the bottom would be light at other times. This is exactly why we’re not astronomers.

But because we’re cybersecurity professionals — and even if we weren’t reasonably sure the earth is round (we are) — the fact is while it’s light here, it’s dark there (wherever here and there are) and vice versa. And that brings us to relevance.

Let There Be Light

There’s a common misconception that the majority of cyberattacks are undertaken at night. That’s not true. But even if it were, it would mean somewhere in the world, in broad daylight, bad dudes are working hard to hack your digital environment while you’re sleeping. Since that’s true, the reverse is also true: Somewhere in the world, under cover of darkness, bad dudes are working hard to hack your digital environment while you’re wide awake.

To us, it really doesn’t matter if it’s dark or light. We don’t want bad dudes breaching our customers’ digital environments at any time of day or night. That’s why we do what we do.

Here are a few more thoughts: Viruses and ransomware don’t carry watches. They don’t care what time it is or that the earth is round. Neither does risk. That’s why it’s constant. You shouldn’t care, either. Regardless of what time it is, breaches and data theft are devastating and costly.

The actual time of day notwithstanding, if your environment is hacked, it’s going to be 0-Dark-30 for you, your business, your reputation, and at least some of the companies with which you do business.

We grant our bias, but that’s not a risk worth taking, day or night.

We don’t mean to be alarmist, but if you haven’t tightened up your cybersecurity, there may be millions of individual reasons to do so. Here’s one, from Ars Technica: “Hackers hammer SpringShell vulnerability in attempt to install cryptominers.” The article says this, in part:

“Malicious hackers have been hammering servers with attacks that exploit the recently discovered SpringShell vulnerability in an attempt to install cryptomining malware … SpringShell came to light late last month when a researcher demonstrated how it could be used to remotely execute malicious code on servers that run the Spring model-view-controller or WebFlux applications on top of Java Development Kit versions 9 or higher.”

If you’d like to read more about SpringShell vulnerability, you can start here.

It Doesn’t Stop There

Here’s another one from Ars Technica: “Hackers are exploiting 0-days more than ever.” That one is even more chilling:

Previously unknown “zero-day” software vulnerabilities are mysterious and intriguing as a concept. But they’re even more noteworthy when hackers are spotted actively exploiting the novel software flaws in the wild before anyone else knows about them.

Ouch. If you’d like to read more about zero-day vulnerabilities, you can start here.

And from Forbes, there’s this: “When Botnets Attack.” Brace yourself:

“Cybersecurity attacks can come in many forms and with various technical approaches. Breaches are constant among industry and government being targeted. One method of exploit used by criminal hackers can be deployed with devastating and widespread consequences, botnets … Such orchestrated Botnet cyber-attacks are not new and have been going on for almost two decades, but they are proliferating and pose major threats. They are not only carried out by state sponsored intelligence actors, but also by organized criminal hacking groups.”

Should you be scared by all of that? Yes. But not as scared as you should be if you don’t take the appropriate cybersecurity measures.

Bad News/Good News

The bad news is there are bad dudes out there making very handsome livings by hacking systems for any number of reasons and many forms of data. The good news is you don’t have to risk being vulnerable.

If you don’t do it soon, it may be too late.

The money — and the business — you save may be your own.