I enjoy reading about people whose convictions impacted the world. Some of you may remember the story of Eric Liddell from the movie Chariots of Fire. He famously refused to run in the Olympic heats for his event, the 100M dash, since they were scheduled on Sunday, which he observed as a day of rest. This disqualified him from running the 100M race, so he focused on the 400M, which nobody expected him to do well in. He set the world on fire when he not only won this race at the 1924 Paris Olympics but also set a world record of 47.6 seconds.

I was thinking about this story, and it occurred to me that the record is probably no longer notable. In fact, over the years, that record has been repeatedly broken and now stands at 43.03 seconds. If Eric Liddell had not stood up for his beliefs, he would not even be remembered now. Instead, he made a mark in the world about the value of standing up for what you believe.

This lesson is by far the most important in Liddell’s story, but there is an underlying message we can highlight as well. Very clearly, what was victorious and record-setting in 1924 is no longer enough. In fact, Liddell’s record has now been broken many times each year by world-class athletes who run the 400M. What was amazing is no longer enough to make a mark on the world stage.

There are so many parallels here in both business and tech. Today, I’d like to focus on how this applies to cybersecurity.

It is very easy to grow complacent with cybersecurity. Sometimes we grow weary of talking about the negative side of technology and begin to think that what we have in place now is good enough. The reality is that we can never sit still, because the mark is always changing. What was solid security is no longer enough.

Here are a Few Things We Hear From People About Cybersecurity:

• They can have it all. I don’t have anything secret or that I couldn’t reproduce!
• I’m not a target. I don’t keep private information on my systems.
• We are not doing rocket science here; they don’t want to break into our system.
• We have the stuff our IT person recommended… a few years ago. That should be enough.

The Reality About Cybersecurity Is:

• If they get in, you will not be okay with them having it all, publishing it, and locking you out.
• You are a target just because you are on the Internet. They scan for openings without regard to who you are and what you have, and if they find a weakness, they exploit it to the full degree.
• Small businesses are targets, even the low-tech ones. They want to exploit your data, your bank accounts, and your reputation for their gain.
• What got you here WILL not get you there. Every year, the question should be, “What else should I be doing to protect us from cyber threats?”

I recently had the opportunity to work with two very different companies that both experienced cyber events. They each had very different results.

One company had many of the more recent and advanced tools in place to detect and block a cyber intrusion. Unfortunately, the threat actor did gain access to their system, but their EDR and the attached 24×7 SOC detected the intrusion and blocked several attempts to gain control of their network resources. The SOC then tracked down the source of the intrusion and helped their IT block further intrusion and remove any entry points. Without this advanced service, the threat actor would most certainly have gained full access and likely perpetrated a ransomware attack.

The second organization believed their IT person had addressed general cyber hygiene, and that they had the necessary prevention mechanisms in place. Unfortunately, their trust in their IT manager was misplaced. They lacked adequate firewall and endpoint protection, as well as a 24/7 SOC. They also lacked any monitoring of the MS365 cloud for identity compromise.  The result was that they arrived at the office one morning to find pop-up messages on their screens indicating they had been the target of a ransomware attack. This attack forced them to bring their network down, brought in forensic investigators, necessitated a complete rebuild/restore of their network, and caused immense downtime. In addition, they fear that information was stolen and will be published on the dark web, ultimately causing them serious reputational issues.

These organizations both have very different stories. The first one made significant updates to its cyber prevention strategies, while the second one assumed what it had been doing was good enough. The reality is that what was record-breaking protection a year or two ago won’t get you across the finish line now.

Please re-evaluate your cybersecurity strategy at least once a year! Yes, there is lots of tech jargon, maybe even some annoying acronyms, and maybe even some expense, but it is so much better than the alternative.  And, if you need some help evaluating the right protection for you, with people who speak plain English, don’t hesitate to reach out for a conversation!