A hospital administrator told me recently that he’d been informed by his IT team not to put in too many security defenses because this would attract hackers.
Rationale: The more you give hackers something to crack, the more they’ll want to have a go at you.
Unfortunately, hackers looking for a challenge are no longer the real threat. Cybercrime is a mega-business worth billions. These folks aren’t doing it for bragging rights. They want data they can sell, like social security numbers, customer databases, company credit cards, the health records of employees — information every business has on hand.
Better than nothing
To his credit, the hospital administrator actually had a security policy: Don’t do too much in the way of security.
Foolhardy, yes — but at least he’d thought about what his security policy should include. Which is more than can be said for too many CEOs and CFOs, especially at small/medium-sized companies.
I think the single most preventable misstep CEOs and CFOs make regarding security is not talking about what they want to protect.
I’m not referring to a conversation about how to protect the data — that’s for technical folks. I mean a higher-level conversation about what should be protected and who should have access.
If you’re not comfortable starting a security policy conversation, get help from a trusted partner. Do it now. In this new world of stealth malware, every company is a target.