It is a shame yet often, it seems like a constant. Companies invest in cybersecurity AFTER they have had an attack. Even then, quite often, they don’t take the threat seriously. They spend the least amount possible on IT services and then hope for the best.

The challenge with this approach is every company will be attacked – repeatedly.

When a single click by an employee can take down an entire company, business leaders need to start taking the threat more seriously.

In our experience – even when companies take the threat more seriously, this is only to appease regulators or compliance auditors. They do the minimum possible to show the outside person they are in compliance – yet they don’t take any of it seriously.

We say this because regulators are often there to ensure companies are secure.

Companies have an obligation to focus on security first and compliance second.

We heard many years back that the difference between a good and excellent worker when you ask them to mail an important letter is as follows: The good worker puts it in the outgoing mail pile, the excellent worker, gets in their car and drives the envelope to the post office and gets it marked return receipt requested.

Applying this to cybersecurity – the good company follows the bare minimum to get by. The excellent company looks for areas of vulnerability, consults with experts, develops a culture of cybersecurity, engages in phishing simulation for the office, etc.

Then, they ensure they do whatever else the regulators ask for.

Getting to New Orleans – we have covered their attack and nd their state of emergency thanks to ransomware. We called them a week ago and they still haven’t responded as to the state of their IT systems.

Now, the New York Post reports they have $1 million in damage. 4,000 computers were infected. In our estimation, the attack will cost a lot more over time.

Mayor LaToya Cantrell said the city was considering the security breach as an active attack. Though as of Monday the city said it had not received any demands for a ransom.

“This security breach is one of public safety and we are taking it just as that—very serious,” said Cantrell. “This is not only the new normal, but it is a priority for the administration to invest in our infrastructure. That includes cybersecurity.”

A city can get away with investing in cybersecurity after an attack because they are spending someone else’s money and can raise taxes at will.

Companies aren’t as lucky.

Quite often, after an attack, there is a loss of customers, massive increase in cybersecurity insurance rates, class action lawsuits, Attorneys General lawsuits, class action lawsuits, credit card company lawsuits, etc.

Still, too many companies look at IT this way… Get a few bids, pick the lowest and hope for the best.

Hope has never been and never will be a solid strategy.

Luck however, favors the prepared.

How do you stay secure or at least drastically reduce the risk? Follow these three steps to start:

1) Read cybersecurity essentials – a simple list which will help most organizations become far more secure.

2) Go to a phishing simulation vendor now and sign up for one of their offerings. Phishing Box, KnowBe4 and Phish360; are all great. This is needed to train workers by testing them without their knowledge by sending real-looking emails to their inboxes. If they click, they are immediately trained on what not to do.

3) We also recommend you get a free evaluation of your cybersecurity risk from an MSP/MSSP immediately – they can also help you build in the needed compliance to reduce the risk of being fined