Microsoft, Google, and Amazon spend billions of dollars on cybersecurity, and I’m with them, so I’m secure. 

The major cloud providers do spend billions of dollars on cybersecurity tools to help secure your data, but that doesn't mean using them makes you secure out of the box. It is your responsibility to configure their cloud systems securely, a concern the SEC has raised. Even when you do that, an optimally managed cloud system addresses only a portion of your cybersecurity risk, leaving you exposed to other challenges.

All my data is in the cloud, so my endpoint security doesn’t matter. 

Most major cloud productivity services (including Microsoft 365) synchronize data between your computers and the cloud. As a result, most users have copies of their critical data, including email, contact information, and files, stored locally on their computers. In the past, this data might have existed only on highly secured servers, but now it travels with us everywhere, making endpoint security even more important for cloud users, not less!

We are small and operate under the radar, so criminals don’t care about us. 

Many cyber attacks don’t discriminate.  Opportunistic attackers are constantly looking for weaknesses, and many less sophisticated hackers don’t care if you are small or large, if you are a hedge fund, a car dealership, or a charitable organization.  Being small doesn’t mean that you are safe from targeted attacks, either.  Thanks to AI and automation tools, cybercriminals can now profitably target smaller organizations with sophisticated attacks.  Many of these focus on new employees and new launches.  For example, emerging managers are often targeted with sophisticated impersonation emails and texts even prior to launch.  If you have employees on LinkedIn, are talking to investors, or are active enough that service providers are marketing to you, you are also likely to be on cybercriminals’ target lists. Given the smaller cybersecurity budgets that small firms have relative to their larger peers, cybercriminals typically have a greater chance of success in compromising smaller firms, even if the value per attack is lower.

It’s fine to use our personal devices for work.

Properly managed personal mobile devices are usually acceptable for business, but Windows and Mac computers are another story.  Securing a computer for business requires a lot more than just adding antivirus software and changing a couple of settings. Many of these robust security requirements are fundamentally incompatible with personal use.  Personal devices can be made reasonably secure, but only at the cost of requiring a level of corporate oversight and management that compromises employees’ privacy and ability to control their own devices, which can easily expose the firm to unwanted liability.  It may be tempting to start with personal devices and plan to change to corporate devices later, but changing later is always disruptive and expensive. In addition, staff may be more likely to share their personal computers with family members including children, creating increased risks for malware, account compromise, and commingling of personal and business data.

Most breaches come from someone clicking on an email they shouldn't, so there's no point investing in other controls. Or, conversely: I have a firewall and antivirus, so why should I worry about what I click on?

Most breaches come from a combination of factors. For example, a user may click on a malicious link that is not blocked by web filtering software, which then downloads malware that evades antivirus and takes advantage of an unpatched vulnerability. Foiling these attacks isn't a choice between user education and other security measures; it's about layering on as many protections as possible, a strategy cybersecurity professionals term "defense in depth." When securing valuables at home you don't choose between locking your safe and locking your front door; you do both. Because no security measure is infallible, and few attacks can be blocked in only one way, each additional layer of security control provides another opportunity to stop an attack. The more layers of security you have in place, the less likely it is that a cyberattack will succeed in compromising your firm.

I can handle my IT without a professional.

Many think Microsoft and other companies handle security for you, but that's not the case. Your cloud provider and other tools need configuration and management, including endpoint security, internet filtering, mobile device management, threat monitoring, and more. Not many companies have the expertise to manage all this internally. Even those that do usually lack effective IT management software and end up relying on employees whose time is worth more than the cost of professional IT support.

My IT provider has me covered. 

Investment managers are fortunate to be served by many of the most sophisticated outsourced IT providers in the market, and most of them do a great job. But they don't do everything, and it's important to understand their limitations. They might do a great job of producing reports about who in your organization has access to what data, but only you know who should have access to what data. IT providers operate under strong business pressures to prioritize reactive tasks and emphasize strategies that minimize support overhead. As a result, you may not always get the best results for your business without asking the right questions and providing the right oversight to make sure you stay aligned.