Yesterday we published an article outlining the top 25 cybersecurity bad practices demonstrated by businesses today. To accompany that post, we want to add one more risky bad habit to the list.

It is something we see far too many businesses practise: allowing old company budgeting habits to dictate what a cybersecurity offering should look like.

In light of the recent REvil ransomware attack on Kaseya, we feel decision makers should reconsider how they allocate budgets and what they will and will not pay for when it comes to preventing, mitigating and recovering from a security attack.

The IT Support and Managed Services industry needs to modernize and standardize the basic support offered to clients in order to improve its overall effectiveness in preventing and recovering from an attack.

But often, the businesses we speak to object in advance that they cannot make the changes they want to their cybersecurity programs, because their managers or owners will not agree to pay more for the newly recommended services.

Should we accept here that the customer is “ALWAYS” right?

In this particular circumstance, when it comes to cybersecurity and what is needed to protect against and mitigate attacks, the customer is NOT always right. That is why we, as your Managed IT Services Provider, have stepped up our efforts to educate as many people as possible on why these changes are critical for everyone involved.

Hoping that a breach will never occur, or assuming you will simply pay the ransom if one does, is not a strategy: a payment buys no guarantee that your data comes back and does nothing to stop the next attack. So, when your line managers or business owners object to the new security offerings, instead of conceding and allowing them to maintain the status quo, here are some responses you can use to manage those objections internally and turn them into wins. They will thank you for making the right decisions when you did, while peers who made the wrong decision suffer the consequences.

1. “I thought I was already protected with our security suite of services.  Now you are saying I’m not?”

A good response to this common objection: you were, but the threat landscape keeps evolving, and so must the controls needed to stay ahead of the attackers. Ransomware is a business to them, and a very profitable one. In the recent REvil attack on Kaseya, the group demanded the largest ransom on record, $70 million for a universal decryptor. To ensure this does not happen to your business, our security packages have had to change, and we now need to enforce stronger measures. This is not aimed at you in particular: we are recommending the same to all of our customers and suppliers, and to businesses in general, not only in our industry.

2. “Aren’t I already spending enough on IT? I don’t have the budget for that. The new program sounds too expensive.”

Coveware's Q3 2020 ransomware report put the average ransom payment at $233,817 and the average length of downtime at 19 days. These are startling figures that many business owners are not aware of, and the ransom is only part of the bill: downtime, recovery effort and incident response all add to it. As the person responsible for IT and network security, you need to educate the decision makers in the business on the true cost of an attack and have the ROI discussion around the complications and other costs that arise from NOT enrolling in the recommended cybersecurity program. The monthly cost of the new security program is peanuts compared with the business being breached, finding its data unrecoverable, and potentially being put out of business by the collateral damage and loss of reputation in its marketplace.

3. “I can get this program cheaper elsewhere.”

This is unlikely to be the case, because you are probably not comparing like with like. My concern would be that the competitor's program is missing key features and services, leaving significant gaps in the overall protection coverage for the SMB. There are five key layers to consider when protecting an organization's critical data:

1) The Perimeter/Internet level;

2) The Network level;

3) The End-User level;

4) The Applications level; and

5) The Device level.  

And when developing a comprehensive cybersecurity program, all five layers need to be addressed, where each layer requires its own set of specific security toolsets and services.

So, if an IT Services Provider says they can deliver a cybersecurity program for far less than what we are offering, ask what is actually being done at each of the five levels.

4. “I’m too small to be attacked. Something like that wouldn’t happen to my business.”

The reality is that EVERYONE can be attacked; no business is immune. The SMB may not be the intended target, but bad actors may want access to the suppliers and vendors you do business with, using you as a gateway into them.

So, in this instance, you need to harden your network security to avoid becoming the weak link in the chain for your suppliers and business partners.

It is important to note that if one of them is attacked, and the investigation finds that the perpetrators reached its network and data through you as a partner, you could be dropped by that vendor. That means not only lost revenue but also the ramifications of lost reputation, trust and respect within your marketplace.

So, if you find yourself practising any of these 26 risky cybersecurity bad habits, my hope is that you can carve out time and commit to resolving them, not only for your own sake but for the safety, security and longevity of your entire supply chain, from manufacturer and service provider to the end client.

Failing to stand your ground when it comes to implementing your desired and recommended cybersecurity programs and best practices could lead to a potential extinction event.

If you would like to have a more in-depth conversation about any of the cybersecurity bad practices listed, please reach out via the contact information below.

You can follow us on Twitter: @hiteishee and on LinkedIn: KumarBhimjiyaniHiteishee

For more information about our IT support packages that include Security, please contact us. You can call us free on 0800 999 8080, or email us at  and we’ll be in touch as soon as possible.

© 2021 Hiteishee Ltd, All rights reserved.

The Hiteishee trademarks, service marks, and logos are the exclusive property of Hiteishee Ltd.  All other trademarks are the property of their respective owners.

This document is provided for informational purposes only. Information and views expressed in this document may change and/or may not be applicable to you.  Hiteishee makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.
