A data breach is the last thing any business leader wants associated with their company. The media frequently highlights the devastating impact of cyber incidents—yet many leaders still believe, “It won’t happen to us.”
As a business owner who has spoken with thousands of executives over the years, I’ve consistently heard the same five objections when asking why a company hasn’t invested in cybersecurity technologies and processes:
- “We’ve Never Had a Problem”
This is by far the most common response—and a clear sign of an avoidance mindset. The reality is, if a company isn’t actively looking for cybersecurity issues, it probably won’t find them… until it’s too late. It’s also important to remember that the average data breach takes over 9 months to discover. A business may already be compromised and not even know it.
- “It’s Too Expensive”
Too expensive—compared to what? With the average cost of a data breach exceeding $5 million, the real question is: how much is it worth to avoid being impacted? Cybersecurity doesn’t require massive capital investments. In fact, some of the most effective steps, such as security awareness training, can be implemented with minimal cost.
- “We Don’t Have Time for It”
What this really means is that cybersecurity hasn’t been prioritized. Like any strategic decision, investing in security is about weighing potential outcomes. From my experience working with companies post-breach, I can say with certainty: the cost of prevention is a fraction of the cost of recovery.
- “Our IT Firm (or Team) Has It Handled”
This is a personal favorite. If you ask your IT team how cybersecurity is going, are they likely to say, “It’s a mess”? Probably not. While your IT team plays a critical role in keeping systems running, there’s often a conflict of interest when the same group is also tasked with securing those systems. Just as businesses separate financial duties between a CFO and an external CPA, the same logic applies to cybersecurity oversight.
- “Nobody Cares About Our Data”
Maybe. But threat actors may not care what your data is—they care that you care about it. The goal of many ransomware attacks isn’t to steal your data, but to encrypt it and hold it hostage. Could your company operate without access to its systems and records? In 2024, more than two-thirds of organizations were affected by ransomware. It’s not about who you are—it’s about how vulnerable you are.
At the root of these objections is a dangerous belief: that it’s easier to avoid investing in cybersecurity than to face potential threats head-on. But the truth is, it’s far easier—and far more cost-effective—to build a basic cybersecurity program incrementally than it is to recover from a breach or ransomware attack.
Whether public or private, every company is ultimately responsible for protecting customer data. The only question is whether you’ll make that investment before or after an incident occurs.