A Fast Track Guide to Losing Money and Data in Business

How Businesses Get Hacked: A mordant 3-step guide on how to lose money and information.

Given the recent headlines of massive data breaches and business compromises, many business owners, partners, and managers are rightfully concerned about losing cash for payroll and sensitive information and being unable to serve customers. Many address this problem with hopes and dreams. There are many who do not address this concern at all.

The following is a short guide outlining what should be done to avoid addressing this concern. You could also consider this a method to help you move from theoretical concern to reality.

If you take away nothing else, there are three things to remember:

  1. Luck will keep you safe. Bury your head in the sand; don’t think about what’s important or whether something could go wrong.
  2. Be brittle. Follow no best practices or guidance - no controls or training.
  3. Trust. Don’t verify. Allow your vendors to grade their own homework without accountability.

Let’s take a deeper dive into each of those items.

[Image: gold maneki-neko. Photo by Malvestida on Unsplash]

1. Luck will keep you safe

The FBI crime statistics say Business Email Compromise (BEC) is a problem. Over half a million businesses report cybercrime to the FBI every year. Businesses lose at least 3 billion dollars a year to cybercrime.

But. It might not happen to you.

The Verizon data breach report says people fall for phishing emails in under 60 seconds, that ransomware extortion costs average $50,000 each, and that vendor and supply-chain failures are behind a growing share of breaches.

Don’t worry about it. Luck will keep you safe.

The seldom-spoken feelings of anxiety, stress, shaky suspicions, and sleepless nights with a sinking pit of stupor don’t happen to most people most of the time. In reality, there are many more businesses than hackers or scammers. Enjoy the thrill of the odds.

Relying purely on luck is step one to losing money and data.

[Image: macro photography of dried leaf. Photo by Hiroyuki Igarashi on Unsplash]

2. Become Brittle

Some businesses and people like to be robust and resilient—able to bounce back and recover from impact. However, this is not recommended if you’re following this guide.

There are many cybersecurity best practices and resources on configuring technology, providing guidance to employees and accounts payable/receivable departments, and training employees about scams. However, to become brittle, these guides should be avoided.

If you work in a regulated sector holding financial or sensitive customer information, like health, finance, or defense, you’ll want to avoid your regulatory obligations under the HIPAA Security Rule and the FTC Safeguards Rule, as well as the Cybersecurity Maturity Model Certification (CMMC) rules for defense contractors and exporters, the IRS rules for accountants, and the formal opinions for law offices.

If you have a budget for technology and cybersecurity or are considering spending there, rethink and reallocate that as soon as possible. Remember, we’re relying on luck.

Many people talk about becoming reasonably secure. Now, the definition of “reasonable security” is emerging, but let’s write one for “Unreasonable Security,” considering our requirement for becoming brittle.

  1. Never consider how things can go wrong with your business processes, people, technology, and information.
  2. Do not take security measures on things you’ve accidentally identified as important. Remove them if they’ve been implemented.
  3. After you’ve removed those controls, make sure they’re gone. Password to access something? Remove it. Role-based access? No - use a shared admin account.
  4. Occasionally, double-check that no controls have been put in place. If no one else has access to your systems, websites haven’t been defaced, or money isn’t leaving your accounts unexplained - you’re doing it wrong.

This is also a great way to stay on the wrong side of the courts when breached since they’re typically looking for reasonable security.

You might ask, “How do I ensure I’m not accidentally considering how things can go wrong, or inadvertently creating a robust organization?”

[Image: black click pen on white paper. Photo by Leon Dewiwje on Unsplash]

First. Ask no questions. Sometimes people mistakenly think about important things like email account security, business application access, online practice management software security, other software-as-a-service platforms, and servers and laptops with data and accounts.

This is a mistake as you’ll gain a deeper understanding of what is important to business operations and where your critical interactions, dependencies, and vendors are.

[Image: portrait of an ostrich. Photo by Simon Infanger on Unsplash]

Second, and this should be easier: don’t consider how things can go wrong.

For example, sometimes people realize their admin Microsoft email accounts are extremely important to the business and should be protected with two-step verification. They’ll create an admin-use-only account and make their everyday account a standard user. This is a mistake since it makes it harder for an attacker to do significant damage.

Sometimes, people realize that they can't serve customers if the internet stops working at their office. And then they’re off to the races, considering a backup internet provider and automatic fail-over so they can keep business operations going—this is not brittle.

Even worse, we’ve seen people go to great lengths to have policy guidance on how to configure their technology safely, train their employees to use technology safely, and have processes to protect themselves from making payments to scammers. This is dangerously close to a resilient system and should be avoided at all costs.

[Image: photography of sand inside the house. Photo by jean wimmerlin on Unsplash]

Third, and this is quite easy: make sure things are ill-maintained and become insecure over time.

Every so often, double-check that no controls have been put in place. Occasionally, resilient businesses will test that their controls are doing what they’re supposed to, or they’ll realize that their environment or technology has changed and reassess their exposure. But this is a recipe for resilience, and that won’t do for a brittle business.

You may be asking, what specifically can I do? Here are a few specific tasks:

  1. Remove all passwords. If those pesky requirements force their use - you can typically settle for “CompanyName2024!” or sometimes “Password123”. Reuse these on all accounts.
  2. Google and Microsoft keep pushing two-step verification. Decline it. Disable it. We’re looking for unauthorized access, and those typically make that harder. Completely avoid passkeys and USB YubiKeys.
  3. Ensure your computer's data is not scrambled (or encrypted). This helps thieves recover your data and passwords when they steal your computers.
  4. Any time you see browser security warnings, ignore them and continue on. Don’t update software at all, in fact.
  5. Speaking of browsers, don’t use ad-blockers like uBlock Origin Lite since those make it harder for people to see scam sites and for phishing sites to load.
  6. Make sure no processes exist for accounts payable to verify who they’re talking to before payments go to new ACH and wire destinations.
  7. Disable antivirus solutions, ignore all security warnings, open all email attachments, provide any caller with your passwords and verification codes, and give them remote access to your systems.
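The first two items in the list above (predictable passwords reused across accounts, and two-step verification switched off) are exactly the conditions a defender can check mechanically. The audit below is an added example written for this article; it is not code from the original post or from Adversis. The account inventory, the company-name tokens and the common-password list are constructed placeholders, and in practice you would feed it a password-manager export or run the policy check at password-set time rather than keep plaintext around.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample data (not from the original post): roughly what a
# password-manager audit export looks like for a small business. Passwords
# are plaintext here only so the example runs stand-alone.
ACCOUNTS: List[Dict] = [
    {"owner": "owner@example.com", "service": "Microsoft 365 (global admin)",
     "password": "CompanyName2024!", "mfa": False},
    {"owner": "owner@example.com", "service": "bank portal",
     "password": "CompanyName2024!", "mfa": False},
    {"owner": "ap@example.com", "service": "accounting SaaS",
     "password": "Password123", "mfa": False},
    {"owner": "ops@example.com", "service": "practice management software",
     "password": "v9!Tq#4mLw2r$ZbH", "mfa": True},
]

# Hypothetical company-name tokens; a real audit derives these from the
# business name, its domains and product names.
COMPANY_TOKENS = {"companyname", "company"}

# Small constructed deny-list; a real one would be a breached-password corpus.
COMMON_PASSWORDS = {"password", "password123", "123456", "welcome1", "letmein"}

YEAR_RE = re.compile(r"(19|20)\d{2}")


def password_weaknesses(password: str, company_tokens=COMPANY_TOKENS) -> List[str]:
    """Return the policy rules a single password violates (empty list = passes)."""
    low = password.lower()
    reasons: List[str] = []
    if low in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    if any(tok in low for tok in company_tokens):
        reasons.append("contains company name")
    if YEAR_RE.search(password):
        reasons.append("contains a year")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


def _fingerprint(password: str) -> str:
    # Compare passwords by hash so the reuse map never has to carry plaintext.
    return hashlib.sha256(password.encode()).hexdigest()


def audit_accounts(accounts: List[Dict]) -> List[Dict]:
    """Flag weak, reused and MFA-less credentials across an account inventory."""
    seen: Dict[str, List[str]] = {}
    for acct in accounts:
        seen.setdefault(_fingerprint(acct["password"]), []).append(acct["service"])

    findings: List[Dict] = []
    for acct in accounts:
        issues = password_weaknesses(acct["password"])
        others = [s for s in seen[_fingerprint(acct["password"])] if s != acct["service"]]
        if others:
            issues.append("password reused on: " + ", ".join(others))
        if not acct["mfa"]:
            issues.append("two-step verification off")
        if issues:
            findings.append({"owner": acct["owner"], "service": acct["service"], "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS):
        print(f"{finding['owner']} / {finding['service']}")
        for issue in finding["issues"]:
            print("   -", issue)
```

Running the block prints three flagged accounts with their reasons; the one account with a long random password and two-step verification on produces no finding, which is the state every row in a real export should reach.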

And don’t get cyber insurance or data breach insurance. You might not need to take action here since business liability insurance often excludes hacking and email compromise events. Plus, you might not have sensitive user data, and on the low end, you might only have to lose $8,000. On average, it’s closer to $80,000, but it might not happen today.

[Image: assorted-color lockers. Photo by moren hsu on Unsplash]

3. Trust, Don’t Verify, Your Vendors. Let them grade their own homework.

Having a complex business without any IT resources is an excellent way to stay brittle and a great step for a risky business.

And if you do have a managed technology provider, let them grade their own homework. Just like if you ask a car salesman which car is best for you, there’s no incentive for them to sell you more than you need. Or, like when a health provider prescribes procedures or treatments that they benefit from, it can’t go wrong in any way.

Sometimes, people are encouraged to buy an expensive firewall and leave security at that. This is another great move for a risky business since it adds attack surface and can be misconfigured to decrease security. Installing a firewall still allows computers to be insecure, processes to be non-existent, and people without training. And since they cost a lot of money, it feels like security is happening!

In unfortunately resilient cases, some businesses find qualified and knowledgeable consultants with deep cybersecurity expertise who understand their industry, business needs, risks, and technology - similar to a fractional CFO or retained attorney. This is not suitable for a brittle and risky business.

Since there’s a tension between making things work and making them work securely, you’ll want to ensure things are set up once and never looked at again.

You can also assume your vendors are handling things for you, such as making your business procedures resilient, going above and beyond with complex configurations, auditing the security of your publicly accessible technology, and ensuring your business applications have controls.

Finally, they should be relied on for compliance obligations that the business is ultimately responsible for. This is a great way to ensure that no one is holding the ball when it comes to protecting information.

[Image: blue broken plate on gray concrete floor. Photo by CHUTTERSNAP on Unsplash]

And there you have it—three key steps to creating a brittle, risky business.

  1. Rely on Luck
  2. Be Brittle
  3. Trust. Don’t Verify.

This is a nearly foolproof way to ensure that an organization will eventually lose cash and customer information, be unable to serve customers, and even end up on the wrong side of a regulatory fine.

On a serious note: if you'd like some free resources to get started, check these out:

  • https://securemyapps.io/
  • https://cyberpolicies.io/
  • https://www.ftc.gov/business-guidance/small-businesses/cybersecurity

We’re building a day when data breaches and business compromises are no longer the norm. If you’d like help following the exact opposite of this guide, Adversis helps businesses become resilient, facilitate conversations with technology vendors, and solve cybersecurity challenges.
