A recent Global SMB Ransomware survey finds that nearly half of small and medium-sized businesses (SMBs) have experienced a ransomware attack, yet the majority aren't sure they are a target, and most are not confident they can fend off such an attack. Since 60% of SMBs are known to go out of business within six months of being hacked, it is a very troubling state of affairs. In this episode, Grayson Milbourne, Security Intelligence Director at OpenText Security Solutions, joins me in discussing the security challenges faced by SMBs and sharing success factors and best practices.
Time Stamps
02:21 -- Before we get into the details of SMB information security challenges and best practices, let's talk about you a bit. Share with listeners some highlights of your professional journey.
04:19 -- From a cybersecurity risk resiliency and defense standpoint, small and medium-sized businesses (SMBs) are often the most vulnerable and least mature. As one CIO of a midsize bank put it, "many cybercriminals are specifically targeting midsize companies that are in the cybercrime sweet spot. They are big enough to have significant bank accounts, but they often don't use the latest cybersecurity defenses. Also, middle market firms are often the gateway to bigger targets for cyber thieves." Your thoughts and reactions?
10:53 -- In a study that my colleague, Mike Benz and I published, we noted that 95% of the surveyed SME IT leaders believe they have an above-average security posture. And so the concern is when you think you are prepared, but actually, you are not, that is a bigger problem. Don't you agree?
17:38 -- Grayson, I'd like to go back to the ransomware report, the survey report that your organization published. It's concerning that nearly half of SMBs have experienced a ransomware attack. And yet the majority still don't think or aren't sure they are a target. Why don't you expand on this?
23:57 -- Grayson, what are the top three things that you would recommend SMBs do to protect themselves from, say, ransomware attacks, what would be those top three things?
30:43 -- My research finds that time, and again, a lot of planning happens, and a lot of documentation is maintained. But when it comes to execution, that's where organizations fail time and again. Your thoughts?
36:05 -- I'd like to give you the floor to wrap things up for us.
Memorable Grayson Milbourne Quotes/Statements
"What we see in the SMB spaces is that if they encounter ransomware, they don't report it. And they want to sweep it under the rug, move on and pretend it didn't happen. And unfortunately, that has other consequences that come along with it."
"One of the biggest things that causes a headache during a ransomware incident is that it's a timed attack. They don't give you a lot of time to pay the ransom before they increase the demand because they know you're going to start scrambling, you're going to start thinking, Okay, what backups do I have in place? If you rehearsed the plan, at least you have a battle card to go to, you have some steps, and you're not scrambling because this is the worst time to be scrambling."
"I think one thing that insurance probably doesn't look at is your readiness plan."
"It comes down to reacting properly in that critical amount of time when you face one of these types of attacks."
"Average downtime can be several weeks. It is right to look at cyber risk as any other risk to your business's continuity."
"As your business grows, I think there's tremendous benefit in having an internal security-focused resource."
"Ransomware reporting is vastly underreported. People don't want to have that black eye, they don't want to; it's bad for the customers. If it's not reported, it creates an even fuzzier picture for law enforcement that has resources to go after these organized groups."
"The vast majority of attacks succeed because of a human error of somebody falling for something, clicking on a link, giving away too much information. And so I think education and awareness are really important."
"It's a living and continuous cycle of identifying your assets, protecting them, detecting and looking for active infections, having a response plan in play, learning from your mistakes, and educating."
"Having a plan is very different from having a fire drill with your plan."
"If something bad happens, that's okay; come forth with the information and share it so that we can, as a community, defend ourselves better."
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712
Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/
Welcome to the Cybersecurity Readiness Podcast
Introducer:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Introducer:the book Cybersecurity Readiness: A Holistic and
Introducer:High-Performance Approach, a SAGE publication. He has been
Introducer:studying cybersecurity for over a decade, authored and edited
Introducer:scholarly papers, delivered talks, conducted webinars and
Introducer:workshops, consulted with companies and served on a
Introducer:cybersecurity SWAT team with Chief Information Security
Introducer:officers. Dr. Chatterjee is Associate Professor of
Introducer:Management Information Systems at the Terry College of
Introducer:Business, the University of Georgia. As a Duke University
Introducer:Visiting Scholar, Dr. Chatterjee has taught in the Master of
Introducer:Engineering in Cybersecurity program at the Pratt School of
Introducer:Engineering.
Dr. Dave Chatterjee:Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast Series. Our discussion today will focus on the
Dr. Dave Chatterjee:challenges and best practices associated with securing
Dr. Dave Chatterjee:small-to-midsize businesses. We will be using the acronyms SMBs
Dr. Dave Chatterjee:or SMEs during the course of the discussion. SMB stands for
Dr. Dave Chatterjee:small-to-midsize businesses, SME stands for small-to-midsize
Dr. Dave Chatterjee:enterprises, I think it's okay to use these terms.
Dr. Dave Chatterjee:synonymously; a quick definition small businesses are usually
Dr. Dave Chatterjee:defined as organizations with fewer than 100 employees.
Dr. Dave Chatterjee:Midsize enterprises are organizations with 100 to 999.
Dr. Dave Chatterjee:Employees. This should be a very interesting and useful
Dr. Dave Chatterjee:discussion because the attacks on SMBs are growing and survey
Dr. Dave Chatterjee:finds that 60% of small and medium sized businesses go out
Dr. Dave Chatterjee:of business within six months of being hacked. Grayson Melbourne,
Dr. Dave Chatterjee:Security Intelligence Director at OpenText Security Solutions
Dr. Dave Chatterjee:is our guest for this episode. I'm delighted to have him join
Dr. Dave Chatterjee:me in having this very important conversation. Greyson, welcome.
Greyson Milbourne:Hey, thank you, David. Glad to be here.
Dr. Dave Chatterjee:So before we get into the details of SMB
Dr. Dave Chatterjee:information security challenges and best practices, let's talk
Dr. Dave Chatterjee:about you a bit. Share with listeners some highlights of
Dr. Dave Chatterjee:your professional journey.
Greyson Milbourne:Yeah, thanks, Dave. So I have about a little
Greyson Milbourne:over 18 years of experience within the cybersecurity space,
Greyson Milbourne:I began my career as a threat analyst and studied malware a
Greyson Milbourne:really fun part of my career where I come in, put some
Greyson Milbourne:headphones on and really just observe and see how malware
Greyson Milbourne:authors were trying to be creative and trying to be
Greyson Milbourne:evasive, which was really important back in the mid early
Greyson Milbourne:2000s. And ever more so important today. But as my
Greyson Milbourne:career grew, I eventually became the manager and the director of
Greyson Milbourne:the threat research operations for our endpoint team. And that
Greyson Milbourne:led me just to discover more and more. And I guess we have one of
Greyson Milbourne:my real proud accomplishments is being chosen to speak at RSA on
Greyson Milbourne:several occasions and kind of gave me my foot into public
Greyson Milbourne:speaking and just more thought leadership to talk about the
Greyson Milbourne:problems that we face in cybersecurity, just drive
Greyson Milbourne:awareness of these problems so that we can act and measure risk
Greyson Milbourne:accordingly. And I did that for a while and kind of burnt out a
Greyson Milbourne:little bit on the on the conference. There's so many
Greyson Milbourne:conferences. And so now I work more on the cybersecurity front
Greyson Milbourne:and I work with the product teams to ensure the efficacy of
Greyson Milbourne:our products. I stay very close to the threat research teams and
Greyson Milbourne:evolutions and how malware functions and invasive
Greyson Milbourne:techniques and just how that threat landscape continues to
Greyson Milbourne:evolve. And so that's what I do today primarily is is, right,
Greyson Milbourne:track that make sure our products, stay capable. And then
Greyson Milbourne:join you for podcasts like this and spread the good word of why
Greyson Milbourne:it's important to be aware of the risks that we face and not
Greyson Milbourne:just be aware, but you know what know what steps you can take to
Greyson Milbourne:actively improve your defense, you know, now because you know
Greyson Milbourne:what our data will show, and what we'll talk about throughout
Greyson Milbourne:this this podcast here is that the problem is, is unfortunately
Greyson Milbourne:getting worse, and it's somewhat moving down market and we're
Greyson Milbourne:seeing smaller and smaller businesses become more and more
Greyson Milbourne:of the focus, especially of ransomware attacks.
Dr. Dave Chatterjee:Great to hear about your journey. You're
Dr. Dave Chatterjee:doing great. And I appreciate you taking time out of your busy
Dr. Dave Chatterjee:schedule to talk to my listeners. I couldn't agree with
Dr. Dave Chatterjee:you more than we are discussing a very important topic. And it's
Dr. Dave Chatterjee:not enough just to talk about the challenges or the realities
Dr. Dave Chatterjee:of what the SMBs face when it comes to securing their
Dr. Dave Chatterjee:organization securing their data, but what can they do? How
Dr. Dave Chatterjee:can they do better? That really needs to be the focus and I'm
Dr. Dave Chatterjee:sure we will talk a lot about that. But let's begin by sharing
Dr. Dave Chatterjee:with the listeners some facts and stats. A couple of years ago
Dr. Dave Chatterjee:I authored a paper along with Mike Benz, who's the partner and
Dr. Dave Chatterjee:fractional CIO at Fortium Partners. The paper is titled
Dr. Dave Chatterjee:Calculated Risk? A Cybersecurity Evaluation Tool for SMEs. It's
Dr. Dave Chatterjee:published in Business Horizons in 2020. It's been cited
Dr. Dave Chatterjee:heavily, been very well received. So there when we were
Dr. Dave Chatterjee:authoring the paper, we shared some facts. And I'd like to hear
Dr. Dave Chatterjee:your reactions to some of them; will not go through all of them.
Dr. Dave Chatterjee:The first one is SMBs are among the least mature and most
Dr. Dave Chatterjee:vulnerable, in terms of their cybersecurity risk and
Dr. Dave Chatterjee:resilience. As one CIO of a midsize bank put it, "many cyber
Dr. Dave Chatterjee:criminals are specifically targeting midsize companies that
Dr. Dave Chatterjee:are in the cybercrime sweet spot. They are big enough to
Dr. Dave Chatterjee:have significant bank accounts, but they often don't use the
Dr. Dave Chatterjee:latest cybersecurity defenses. Also, middle market firms are
Dr. Dave Chatterjee:often the gateway to bigger targets for cyber thieves." Your
Dr. Dave Chatterjee:thoughts, your reactions?
Greyson Milbourne:Yeah, I mean, I think this is an unfortunate
Greyson Milbourne:reality. But our data shows the same and that as I mentioned, we
Greyson Milbourne:see a continued downward trend in the median size of a business
Greyson Milbourne:that suffers a ransomware attack. And when we look back
Greyson Milbourne:over time, this number is now just over 100 is the average so
Greyson Milbourne:far in 2022. But at this time last year, it was over 200. And
Greyson Milbourne:so we've seen a very significant shift downmarket. And along with
Greyson Milbourne:that we've actually seen the median ransomware payment has
Greyson Milbourne:also dropped. And so I think you know what misconception a lot of
Greyson Milbourne:times is that ransomware demands, what we see maybe in
Greyson Milbourne:the media are these seven figure, maybe even eight figure
Greyson Milbourne:ransoms. But what we really see for the vast majority people who
Greyson Milbourne:are getting infected and then deciding to pay, or some do,
Greyson Milbourne:some don't. But the ransoms are less than $50,000, I think we're
Greyson Milbourne:now somewhere around 38 or so $1,000, which again, if you
Greyson Milbourne:compare that to last year, was considerably higher, closer to
Greyson Milbourne:$100,000, then but again, you're those businesses are larger. So
Greyson Milbourne:I think in some ways, the ransom average demands reflect the size
Greyson Milbourne:of the business. Because I mean, let's face it, this is a
Greyson Milbourne:business to them. And the only way that they make money is if
Greyson Milbourne:you pay, and so they know what you can pay, a lot of times
Greyson Milbourne:they've been inside your environment and have have a good
Greyson Milbourne:enough idea to set a ransom that has a chance of being paid. But
Greyson Milbourne:I think that makes it a problem because these are people who've
Greyson Milbourne:who've come forward and told their story. But I think a lot
Greyson Milbourne:of times also, what we see in the SMB spaces, especially in
Greyson Milbourne:the smaller sizes of businesses is that if they encounter
Greyson Milbourne:ransomware, they don't report it. And they just want to sweep
Greyson Milbourne:it under the rug, move on and pretend it didn't happen. And
Greyson Milbourne:unfortunately, that has its other consequences that come
Greyson Milbourne:along with it.
Dr. Dave Chatterjee:Indeed, very unfortunate. Sweeping under
Dr. Dave Chatterjee:the rug is not the way to deal with this problem, Organizations
Dr. Dave Chatterjee:will have to proactively prepare for ransomware attack scenarios.
Dr. Dave Chatterjee:As you know, the threat actors have upped their game, and are
Dr. Dave Chatterjee:now engaging in double, triple and quadruple extortions. Along
Dr. Dave Chatterjee:with encrypting systems and data, they are now doing
Dr. Dave Chatterjee:something called double extortion. They're stealing the
Dr. Dave Chatterjee:data before they encrypt it. So even if the organization can
Dr. Dave Chatterjee:recover the systems and recover data from their backups, and
Dr. Dave Chatterjee:disaster recovery methods, they're still forced to
Dr. Dave Chatterjee:negotiate to get an agreement from the hackers, that they are
Dr. Dave Chatterjee:not going to post the stolen data. They engage in triple
Dr. Dave Chatterjee:extortion when they launch a denial-of-service attack, so the
Dr. Dave Chatterjee:business is no longer able to function. And now we are also
Dr. Dave Chatterjee:seeing something called quadruple extortion, where
Dr. Dave Chatterjee:they're not only engaging in the first three types of attacks I
Dr. Dave Chatterjee:talked about, they're also communicating with customers
Dr. Dave Chatterjee:whose data they have stolen, and telling them to put pressure on
Dr. Dave Chatterjee:the breached organization to pay up. So all organizations should
Dr. Dave Chatterjee:be prepared for such eventualities and they should
Dr. Dave Chatterjee:have a plan in place. And they should regularly rehearse the
Dr. Dave Chatterjee:plan to build organizational memory.
Greyson Milbourne:Yeah, I mean, I think it's the unfortunate
Greyson Milbourne:nature that these threat actors there, they're being
Greyson Milbourne:advantageous with what they're there after. Right. And
Greyson Milbourne:unfortunately, they don't care about your small business
Greyson Milbourne:potentially going under. And they know that these are softer
Greyson Milbourne:targets. And plus there's definitely a benefit to flying
Greyson Milbourne:under the radar. We've seen some examples of like Colonial
Greyson Milbourne:Pipeline, for example, brought a lot of attention to dark side.
Greyson Milbourne:And these guys didn't really like their business model wasn't
Greyson Milbourne:really going after critical infrastructure. They had this
Greyson Milbourne:ransomware-as-a-service model, and they have affiliates who
Greyson Milbourne:happened to deploy their variant of ransomware into an
Greyson Milbourne:environment that drew a lot of attention. And eventually, their
Greyson Milbourne:operation was disrupted. So there's a lot of added benefit
Greyson Milbourne:to going after smaller businesses. And the reality is,
Greyson Milbourne:right, is that most small businesses don't have dedicated
Greyson Milbourne:security individuals, IT has been outsourced to an MSP and
Greyson Milbourne:these cases, it can be much more time consuming to get back
Greyson Milbourne:online. So I think it's it's, it's an unfortunate reality, but
Greyson Milbourne:it is, especially for smaller companies need to have a plan in
Greyson Milbourne:place. As you mentioned, I agree. One of the biggest things
Greyson Milbourne:that causes a headache during a ransomware incident is that it's
Greyson Milbourne:a timed attack. They don't give you a lot of time to pay the
Greyson Milbourne:ransom before they increase the demand because they know you're
Greyson Milbourne:gonna start scrambling, you're gonna start thinking, Okay, what
Greyson Milbourne:backups do I have in place? And this is where if you have that
Greyson Milbourne:plan in place, if you rehearsed the plan, at least you have a
Greyson Milbourne:battle card to go to you have some steps and you're not
Greyson Milbourne:scrambling because this is the worst time to be scrambling.
Dr. Dave Chatterjee:Well said! To avoid scrambling, to avoid a
Dr. Dave Chatterjee:chaotic response, which is often the case, the organization needs
Dr. Dave Chatterjee:to be prepared. But preparation begins at the top management
Dr. Dave Chatterjee:level, the top management sets the tone for the entire
Dr. Dave Chatterjee:organization, sets the ball rolling for the entire
Dr. Dave Chatterjee:organization. So if top management is under an illusion,
Dr. Dave Chatterjee:is under the mistaken impression that the organization is in good
Dr. Dave Chatterjee:shape from a cybersecurity defense standpoint, the
Dr. Dave Chatterjee:organization suffers. And that is often the case with midsize
Dr. Dave Chatterjee:enterprises. Research finds that midsize organization leaders are
Dr. Dave Chatterjee:overly confident about the level of preparedness and defense
Dr. Dave Chatterjee:capabilities. In a study that my colleague, Mike Benz and I
Dr. Dave Chatterjee:published, we noted that 95% of the surveyed SME IT leaders
Dr. Dave Chatterjee:believe they have an above average security posture. And so
Dr. Dave Chatterjee:the concern is when you think you are prepared, but actually
Dr. Dave Chatterjee:you are not, that is a bigger problem. Don't you agree?
Greyson Milbourne:Oh, absolutely. I mean, that's the
Greyson Milbourne:exact posture that a cyber attacker is looking for somebody
Greyson Milbourne:who believes they're there, they're much more defended than
Greyson Milbourne:they are and their guard is down. I think it absolutely
Greyson Milbourne:you're absolutely right. And that it does need to start from
Greyson Milbourne:the leadership level. And it needs to sort of be the ethos of
Greyson Milbourne:your company needs to be around security and around around that.
Greyson Milbourne:And I think so much so that it can even be a selling factor,
Greyson Milbourne:right? I mean, you can be proud of your your ability to have a
Greyson Milbourne:secure posture. I mean, we see this actually, in cyber
Greyson Milbourne:insurance, for example, you know, they price-based on this,
Greyson Milbourne:right, but depending on how I mean, you can't just get it
Greyson Milbourne:right. It's not just oh, I'm gonna buy cyber insurance. It's,
Greyson Milbourne:well, let's look at the policy. And let's look at your current
Greyson Milbourne:posture, and more mature, more established postures get better
Greyson Milbourne:rates with what's not too different from a credit score.
Greyson Milbourne:But the consequences are much more damaging. They all say,
Greyson Milbourne:having your identity stolen is really inconvenient, you're
Greyson Milbourne:having your business hit with ransomware even more
Greyson Milbourne:inconvenient. So there's a reason that these ratings exist.
Greyson Milbourne:And there's a reason that layered security matters. And,
Greyson Milbourne:and having a plan really matters. And I think one thing
Greyson Milbourne:that insurance probably doesn't look at is is your readiness
Greyson Milbourne:plan, they'll probably look to say these are the layers you
Greyson Milbourne:have in place. But really, it comes down to reacting properly
Greyson Milbourne:in that critical amount of time when you face one of these types
Greyson Milbourne:of attacks,
Dr. Dave Chatterjee:I couldn't agree with you more. In fact, as
Dr. Dave Chatterjee:you were talking about preparedness, and what what
Dr. Dave Chatterjee:surprises me again, is the fact that how can top management look
Dr. Dave Chatterjee:the other way when cybersecurity is increasingly being recognized
Dr. Dave Chatterjee:as a strategic competency. And there's another startling data
Dr. Dave Chatterjee:that 60% of small and medium sized businesses are known to go
Dr. Dave Chatterjee:out of business within six months of being hacked. And the
Dr. Dave Chatterjee:reason I bring it up is because, let's put myself in the CEO
Dr. Dave Chatterjee:shoes, I obviously have to run the organization, make money, I
Dr. Dave Chatterjee:have to follow through with the vision of the organization. And
Dr. Dave Chatterjee:cybersecurity doesn't quite fall within that vision. But the
Dr. Dave Chatterjee:unfortunate reality is, unless I am secure, organizationally,
Dr. Dave Chatterjee:infrastructure-wise, in many other ways. I may not be in
Dr. Dave Chatterjee:business for very long. So having that recognition, having
Dr. Dave Chatterjee:that foresight that is so important for the leadership to
Dr. Dave Chatterjee:sit up and say, You know what, we got to do something about it.
Dr. Dave Chatterjee:It's not enough just to outsource it. Let's get some
Dr. Dave Chatterjee:intelligence and in let's do an assessment of where we are, what
Dr. Dave Chatterjee:we need to do. And yes, we will do the best we can with the
Dr. Dave Chatterjee:resources we have because there's no expectation that you
Dr. Dave Chatterjee:have to have a security setup that befits a large
Dr. Dave Chatterjee:organization. I've had the pleasure of talking with several
Dr. Dave Chatterjee:legal experts and they have said consistently, that when a cyber
Dr. Dave Chatterjee:attack allegation is being reviewed in a court of law, the
Dr. Dave Chatterjee:judge looks very favorably at an organization, as long as they
Dr. Dave Chatterjee:can prove that they did the due diligence, and they did
Dr. Dave Chatterjee:everything they could, and maybe even with beyond to try and
Dr. Dave Chatterjee:secure their strategic assets. So the intent needs to be there.
Dr. Dave Chatterjee:But the intent needs to be followed by, by actions.
Greyson Milbourne:Yeah, no, definitely makes sense. And I
Greyson Milbourne:mean, that's quite an alarming statistic. I mean, 60% is, is a
Greyson Milbourne:huge number, and a lot of these small businesses get are
Greyson Milbourne:attacked. And we know like, the average downtime is can be
Greyson Milbourne:several weeks. And so it right having looking at like cyber
Greyson Milbourne:risk as any other type of risk to your business's continuity, I
Greyson Milbourne:think is the smart play, and just anticipating if what
Greyson Milbourne:happens if this goes offline? How do I survive? can I survive?
Greyson Milbourne:And then again, to the other point, I think having like, it's
Greyson Milbourne:a complex thing. And for really small businesses, outsourcing to
Greyson Milbourne:an MSP a service provider is sometimes your only option. But
Greyson Milbourne:I do think not all businesses are equal. And as your your
Greyson Milbourne:business perhaps grows, I think there's there's tremendous
Greyson Milbourne:benefit in having an internal security focused resource. And
Greyson Milbourne:that resource will probably still be overwhelmed and will
Greyson Milbourne:liaison with MSPs. But that's probably better than your your
Greyson Milbourne:CEO or your your COO being that person, right. And this gives
Greyson Milbourne:somebody who can stay on top of the trends. You know, a lot of
Greyson Milbourne:times people ask me what, what's a good resource. And I like to
Greyson Milbourne:point back towards the CISA, the government cybersecurity
Greyson Milbourne:information sharing platform that that does a good job of
Greyson Milbourne:sending out bulletins and like keeps you at least aware of, of
Greyson Milbourne:things that might change. And let me give you just one really
Greyson Milbourne:good example, earlier this year we are Microsoft had a
Greyson Milbourne:vulnerability in Exchange, and everybody uses Microsoft
Greyson Milbourne:Exchange, or a lot of people have moved to cloud, but a lot
Greyson Milbourne:of people still host their own Exchange servers for email. And
Greyson Milbourne:it was a bad vulnerability about as bad as it gets right allows a
Greyson Milbourne:hacker to remotely execute code on your system through a
Greyson Milbourne:vulnerability in Exchange. They posted about this and what you
Greyson Milbourne:should do and the steps you should take. But a lot of
Greyson Milbourne:businesses still didn't follow this to the point that the FBI
Greyson Milbourne:actually practically hacked in and patched many environments
Greyson Milbourne:that they found vulnerable. And because at least if they if
Greyson Milbourne:they're able to get in, they know that they can do the right
Greyson Milbourne:thing and fix it, as opposed to who knows who gets in, and then
Greyson Milbourne:does what. So it's a complex thing. And I know sometimes
Greyson Milbourne:small businesses definitely get overwhelmed when they think
Greyson Milbourne:about just all the complexity and the different services and
Greyson Milbourne:things that go into it, which again, is why once you're over,
Greyson Milbourne:I think a certain size in the low 20s to above, it does make
Greyson Milbourne:sense to have a dedicated individual, and then accordingly
Greyson Milbourne:scale that to larger company seat sizes.
Dr. Dave Chatterjee:That's great. In fact, I'd like to add
Dr. Dave Chatterjee:to what you said about having a dedicated individual or maybe a
Dr. Dave Chatterjee:couple of a couple of people, it might be unfair to have
Dr. Dave Chatterjee:expectations of a large team in a small or medium sized
Dr. Dave Chatterjee:organization. But again, it's not the matter of size, it comes
Dr. Dave Chatterjee:down to how thorough and rigorous the planning is, and
Dr. Dave Chatterjee:how precise and consistent is the execution and what my work
Dr. Dave Chatterjee:finds, and in my book on Cybersecurity Readiness, I talk
Dr. Dave Chatterjee:about creating and sustaining a high-performance information
Dr. Dave Chatterjee:security culture. I use the word culture because unless there is
Dr. Dave Chatterjee:a change in the mindset of the leadership, unless there's a
Dr. Dave Chatterjee:change in the mindset of the organizational members, you're
Dr. Dave Chatterjee:unlikely to get that kind of buy-in, you're unlikely to get
Dr. Dave Chatterjee:everyone doing their part over a long period of time. What
Dr. Dave Chatterjee:generally happens is all of a sudden, a company gets really
Dr. Dave Chatterjee:big on something and then they start acting extensively. And
Dr. Dave Chatterjee:then after a while, again, things quieten down, and then
Dr. Dave Chatterjee:they're back to their usual ways. And then they may not be
Dr. Dave Chatterjee:as rigorous. And once again, something happens. And again,
Dr. Dave Chatterjee:they sit up and take note. So unfortunately, we are in a very
Dr. Dave Chatterjee:reactive culture, we are not proactive by nature. If the
Dr. Dave Chatterjee:pandemic has taught us anything, it's definitely taught me that,
Dr. Dave Chatterjee:that we have been very, very reactive. So even from the
Dr. Dave Chatterjee:standpoint of securing organizations, whether it's for
Dr. Dave Chatterjee:ransomware, or for any other type of attack, being proactive,
Dr. Dave Chatterjee:being ahead of the curve, leveraging resources, internal
Dr. Dave Chatterjee:and external, is so, so important. And and it all starts
Dr. Dave Chatterjee:with the intent of the leadership that yes, I want to
Dr. Dave Chatterjee:know, I want to know where we are, I want to be periodically
Dr. Dave Chatterjee:updated. And that timetable is entirely up to the organization
Dr. Dave Chatterjee:every week or every month and of course there will be exception
Dr. Dave Chatterjee:reporting, but cybersecurity metrics should feature
Dr. Dave Chatterjee:prominently alongside the other business management metrics.
Dr. Dave Chatterjee:That's how important security has become. It's not because you
Dr. Dave Chatterjee:and I are in this field. And we are trying to tell the world
Dr. Dave Chatterjee:hey, take note. But that's the reality of it, is that
Dr. Dave Chatterjee:businesses in today's day and age where we are highly
Dr. Dave Chatterjee:digitized, we have to give the security infrastructure, focus
Dr. Dave Chatterjee:attention, the right kind of nurturing, or you kind of get
Dr. Dave Chatterjee:into trouble. So Grayson, I'd like to go back to the
Dr. Dave Chatterjee:ransomware report, the survey report that your organization
Dr. Dave Chatterjee:published, and and I want to share with the listeners a few,
Dr. Dave Chatterjee:but I don't want to steal the thunder, I'll let you share most
Dr. Dave Chatterjee:of it. But it's really concerning that nearly half of
Dr. Dave Chatterjee:SMBs have experienced a ransomware attack. And yet the
Dr. Dave Chatterjee:majority still don't think or aren't sure they are a target.
Dr. Dave Chatterjee:Why don't you expand on this?
Greyson Milbourne:Yeah, so I mean, so this survey was
Greyson Milbourne:conducted over 1300 businesses all under 1000 endpoints, or
Greyson Milbourne:1000 seats, and so it's not evenly distributed. There's many
Greyson Milbourne:more that are that SMB, so probably 100 or less, but a
Greyson Milbourne:really good array of different companies. And I think it is
Greyson Milbourne:concerning. I mean, we know that ransomware has been around for a
Greyson Milbourne:while. And so, you know, I think it was 46% of businesses already
Greyson Milbourne:admit to having encountered ransomware, at least to some
Greyson Milbourne:degree, I think that number if we pull next year is only going
Greyson Milbourne:to be higher, because year over year, it's not really an if it's
Greyson Milbourne:a when type of scenario. And I think unfortunately, our data
Greyson Milbourne:still supports that. And it's because of the posture, or the
Greyson Milbourne:denial of the risk that we still see largely the SMB space. And I
Greyson Milbourne:think it's a challenge because one of the other things that
Greyson Milbourne:we're queried on is small and medium sized businesses and
Greyson Milbourne:their anticipation of the economic future and potential
Greyson Milbourne:recession or cuts in spending. It kind of just makes this
Greyson Milbourne:problem worse. And so we see a) we see the threat actors are
Greyson Milbourne:100% moving downstream. And so we know that there's many more
Greyson Milbourne:businesses in the 100 seats and less than there are the one to
Greyson Milbourne:1000. So there's much more opportunity. These at the same
Greyson Milbourne:time people are being squeezed, right, they have shrinking
Greyson Milbourne:budgets, and are making tough decisions as to where the
Greyson Milbourne:dollars go. And cybersecurity, unfortunately, it applies to
Greyson Milbourne:every business that has a digital footprint, which is
Greyson Milbourne:pretty much every business today has at least a website and
Greyson Milbourne:stores customer information. And these are the targets that are
Greyson Milbourne:deciding against an improvement to their their sales and
Greyson Milbourne:marketing efforts. Or maybe cybersecurity. Oh, and guess
Greyson Milbourne:what cybersecurity does nothing, which is the point, right? Like
Greyson Milbourne:you're paying for something that kind of does nothing? And you're
Greyson Milbourne:like, oh, great, like, what has it done for me recently? And now
Greyson Milbourne:you're happy about that? Right? So, so it's kind of a perfect
Greyson Milbourne:storm. And I think what our data shows is that the risk awareness
Greyson Milbourne:is still really lacking, based on just the stats of how many
Greyson Milbourne:people have encountered this. And I'll leave you with one more
Greyson Milbourne:thing is that this is 46% of people admit to it. But we know
Greyson Milbourne:that ransomware reporting is vastly underreported. People
Greyson Milbourne:don't want to have that, that black eye, they don't want to
Greyson Milbourne:it's bad for the customers. And as you mentioned, I mean,
Greyson Milbourne:different levels of extortion that we've seen in the past
Greyson Milbourne:year, right? It used to be, oh, just give me a ransom payment,
Greyson Milbourne:then it was, well, there's GDPR and other data leakage fine. So
Greyson Milbourne:we're gonna leak your data, okay, if you don't pay us, and
Greyson Milbourne:then that it's like, yeah, we're gonna go after your customers,
Greyson Milbourne:and we're gonna sully your reputation, we're gonna go to
Greyson Milbourne:the media with this. So like, these are all reasons that
Greyson Milbourne:people pay. But it's unfortunate, but I don't blame
Greyson Milbourne:companies for not wanting to disclose it. But what that does
Greyson Milbourne:is it says the difficulty of attribution. And even though
Greyson Milbourne:this is something that's still very much lacking with respect
Greyson Milbourne:to cyber crime and punishment, if it's not reported, it creates
Greyson Milbourne:even even fuzzier picture for law enforcement that has
Greyson Milbourne:resources to go after these organized groups, the more
Greyson Milbourne:information that they are provided about your encounter
Greyson Milbourne:only helps strengthen our ability to strike back and, and
Greyson Milbourne:try to take some of these organizations that have been,
Greyson Milbourne:you know, up till today's largely resilient to any sort of
Greyson Milbourne:multinational organized shutdown. We've seen some
Greyson Milbourne:examples, but largely, it's a highly competitive space that
Greyson Milbourne:thrives today.
Dr. Dave Chatterjee:Yep. Unfortunately, those are all
Dr. Dave Chatterjee:realities. As you and I have been talking, I am thinking of
Dr. Dave Chatterjee:what are a list of challenges that SMBs in encounter. Starting
Dr. Dave Chatterjee:with the lack of awareness, a bit of this 'ignorance is bliss'
Dr. Dave Chatterjee:kind of a scenario, inadequate resources, lack of top
Dr. Dave Chatterjee:management involvement, and then during our discussion planning
Dr. Dave Chatterjee:meeting, you talked about the training is not very
Dr. Dave Chatterjee:satisfactory. So there is a probably a list of of things
Dr. Dave Chatterjee:that SMBs could do better. But I think what might be helpful to
Dr. Dave Chatterjee:the listeners, many of whom are probably working for SMBs is to
Dr. Dave Chatterjee:let's say, if I were to ask you, Grayson, what are the top three
Dr. Dave Chatterjee:things that you would recommend SMBs do to protect themselves
Dr. Dave Chatterjee:from say, ransomware attacks, what would those top three
Dr. Dave Chatterjee:things?
Greyson Milbourne:Okay, and I'll put these in no particular
Greyson Milbourne:order because I think they're all very important, but I'll
Greyson Milbourne:start with education. Because I think education is one of the
Greyson Milbourne:there's almost always a human element. This isn't always the
Greyson Milbourne:case, right? Sometimes like software is vulnerable. And a
Greyson Milbourne:hacker is able to exploit something that is very difficult
Greyson Milbourne:to defend against that. But the vast majority of attacks succeed
Greyson Milbourne:because of a human error of somebody falling for something,
Greyson Milbourne:clicking on a link, giving away too much information that begins
Greyson Milbourne:the attack, right. And so I think education and awareness is
Greyson Milbourne:is really important. And that it's not something like PCI DSS
Greyson Milbourne:where it's an annual, everybody knows how to store credit card
Greyson Milbourne:information. Okay, this is not that right? This is much more
Greyson Milbourne:complex. And it has a lot of variety and trends and trends
Greyson Milbourne:shift pretty quickly. And so we advocate for like quarterly
Greyson Milbourne:updates, because things shift from the end of the year and the
Greyson Milbourne:tactics and what we think the scams that are very prevalent in
Greyson Milbourne:this time of year are typically prevalent at this time of year.
Greyson Milbourne:So so that goes a long way, and just eliminating whatever might
Greyson Milbourne:happen after a human mistake. Right. So education, I think is
Greyson Milbourne:really important. I think the other one is, is identifying
Greyson Milbourne:your assets. And I like cyber resilience as a as an approach
Greyson Milbourne:to layered security that fits nicely with a zero trust
Greyson Milbourne:approach to cybersecurity. And really, it's just a cycle. It's
Greyson Milbourne:a living cycle of, of identifying your assets,
Greyson Milbourne:protecting them detecting and looking for active infections,
Greyson Milbourne:having a response plan in play, learning from your mistakes, and
Greyson Milbourne:educating it's a continuous cycle. But the first part of
Greyson Milbourne:that is identification. And I think every business really
Greyson Milbourne:needs to understand their internal assets. And this
Greyson Milbourne:includes people, right, this isn't just your PCs that are
Greyson Milbourne:critical. But hey, if you know, this single source of failure as
Greyson Milbourne:an individual leaves, my business might equally be as
Greyson Milbourne:disrupted as if I get hit with ransomware. So identify your
Greyson Milbourne:risks and what those are, and then apply proper risk
Greyson Milbourne:mitigation strategies to those things. And so if it's, if it's
Greyson Milbourne:data, have backups, and make sure that your backups are air
Greyson Milbourne:gapped are not capable of being compromised by ransomware.
Greyson Milbourne:There's lots of great technology that does this automatically.
Greyson Milbourne:But if it's people, right, I think, again, staffing is a
Greyson Milbourne:tough thing sometimes, but identify and understand your
Greyson Milbourne:your assets and then defend them. So educate, identify, and
Greyson Milbourne:defend, those would be the three things that I would look at.
Dr. Dave Chatterjee:Totally agree, totally agree. So there
Dr. Dave Chatterjee:are a couple of things I'd like to add to that. And one of that
Dr. Dave Chatterjee:is how do you incentivize proper security behavior, we all need
Dr. Dave Chatterjee:motivation to do things which are, where, especially when we
Dr. Dave Chatterjee:are not seeing the ROI directly. If you're if you're talking to a
Dr. Dave Chatterjee:non-security professional in an organization, who has a
Dr. Dave Chatterjee:particular type of work, and you have certain security do's and
Dr. Dave Chatterjee:don'ts, kind of expectations of that person, you have to be able
Dr. Dave Chatterjee:to convince that person that this is if they followed through
Dr. Dave Chatterjee:with that cyber discipline with that cyber hygiene, the end
Dr. Dave Chatterjee:result, overall end result is good, and that's going to help
Dr. Dave Chatterjee:them. So you have to keep showing them the big picture.
Dr. Dave Chatterjee:Yep. Along similar lines, even to get the top management
Dr. Dave Chatterjee:attention, present the scenarios, the consequences of
Dr. Dave Chatterjee:the different types of attacks and breaches, and what happens
Dr. Dave Chatterjee:after that what the organization has to deal with. So make it as
Dr. Dave Chatterjee:realistic as possible to get the attention because that's gonna
Dr. Dave Chatterjee:lead to some actions, maybe some change in behaviors, and
Dr. Dave Chatterjee:absolutely means I cant agree with you more that while humans
Dr. Dave Chatterjee:are the greatest assets, they're also a great vulnerability. So
Dr. Dave Chatterjee:the best way of addressing that is through regular training
Dr. Dave Chatterjee:sessions. And these training sessions should not be the check
Dr. Dave Chatterjee:the box approach, okay, I met the requirements, but it should
Dr. Dave Chatterjee:be continuous. And it should be incremental. I often use the
Dr. Dave Chatterjee:analogy of people do this nerdles and wordles on a daily
Dr. Dave Chatterjee:basis. And I have shared with organization that how about
Dr. Dave Chatterjee:every day, an email goes out with a security little puzzle or
Dr. Dave Chatterjee:a security game that people have to solve, kind of make it fun.
Dr. Dave Chatterjee:At the same time you are impacting the mind. On a day to
Dr. Dave Chatterjee:day basis, you're sowing that security seed. And over a period
Dr. Dave Chatterjee:of time, everyone has a certain level of awareness, as opposed
Dr. Dave Chatterjee:to the current approach where we go through this security
Dr. Dave Chatterjee:training for say, 30-35, 40 minutes, we take a quiz. And
Dr. Dave Chatterjee:then after six months, we again do it. And it's also not
Dr. Dave Chatterjee:customized. So we have to make security training role-based we
Dr. Dave Chatterjee:have to make it more immersive. So a lot of thought has to go
Greyson Milbourne:Yeah, I totally agree. I think along
Greyson Milbourne:into it.
Greyson Milbourne:with training, one of the things I support is doing simulated
Greyson Milbourne:attacks. So you can send out a phishing and so we do this
Greyson Milbourne:internally and we we quite literally take from the wild and
Greyson Milbourne:examples and create templates so that you can test using the most
Greyson Milbourne:recent techniques and imagery, and I think that that helps. I
Greyson Milbourne:think the other thing that you definitely touched on is like
Greyson Milbourne:engagement with IT. And I know for a lot of companies that have
Greyson Milbourne:an IT department, sometimes there's the there's a
Greyson Milbourne:hesitation, we've always tried to foster that IT is a fun and
Greyson Milbourne:loving place, and they are going to be much, much more fun and
Greyson Milbourne:loving when you ask them in advance of something as opposed
Greyson Milbourne:to saying, so I opened that email, and I clicked this thing,
Greyson Milbourne:and now I have ransomware in my computer, then your IT guy is
Greyson Milbourne:gonna be grumpy. But if you're like, Hey, I got this email. And
Greyson Milbourne:it just seems weird. Before I open it, I thought I'd ask you,
Greyson Milbourne:I hope I'm not wasting your time, they're gonna be like not
Greyson Milbourne:wasting my time at all, thank you for I think creating that
Greyson Milbourne:kind of culture to have a do suspicion but also having a
Greyson Milbourne:right place to go that it's not going to make you feel like
Greyson Milbourne:you're you're going to be shunned for for asking that
Greyson Milbourne:question.
Dr. Dave Chatterjee:I'm so glad you mentioned that, because I
Dr. Dave Chatterjee:was having this discussion with another subject matter expert.
Dr. Dave Chatterjee:And he talked about creating a culture of empathy, where people
Dr. Dave Chatterjee:are not scared to report that look, yes, I made a mistake. I
Dr. Dave Chatterjee:clicked on this. And yes, now we are dealing with the
Dr. Dave Chatterjee:consequences, as opposed to trying to hide and waiting to be
Dr. Dave Chatterjee:caught. And hopefully, so changing that approach and and
Dr. Dave Chatterjee:recognizing that, yes, we will do our best we will learn. But
Dr. Dave Chatterjee:if you make mistakes, just fess up and just let us know what
Dr. Dave Chatterjee:happened. So we can start doing damage control sooner than
Dr. Dave Chatterjee:later. So creating that environment, that culture, is so
Dr. Dave Chatterjee:important, where they're not looking at IT or security as a
Dr. Dave Chatterjee:stumbling block, as a hurdle. But more as a partner. You know,
Dr. Dave Chatterjee:that's why there's that phrase out there that cybersecurity is
Dr. Dave Chatterjee:everybody's business, it is not just the business of the
Dr. Dave Chatterjee:information security function. But to be able to develop that
Dr. Dave Chatterjee:mindset, you have to create and nurture that culture where you
Dr. Dave Chatterjee:have to incentivize certain behaviors, there has to be
Dr. Dave Chatterjee:shared responsibility and accountability. So everyone,
Dr. Dave Chatterjee:everyone has a stake in the game, you can just put your
Dr. Dave Chatterjee:hands up and say, well, something has happened. It's the
Dr. Dave Chatterjee:CISOs problem, the CISO should get fired, that doesn't really
Dr. Dave Chatterjee:solve the problem, you may have a symbolic reaction, you might
Dr. Dave Chatterjee:impress some external folks. But have you really taken a deeper
Dr. Dave Chatterjee:look at your processes, at your systems, to identify what the
Dr. Dave Chatterjee:real issues are. So again, I emphasize an in-depth systematic
Dr. Dave Chatterjee:approach, you don't have to be an expert. I don't expect the
Dr. Dave Chatterjee:leadership team to be cybersecurity experts. But they
Dr. Dave Chatterjee:if they have the real intent of securing the organization as
Dr. Dave Chatterjee:best they can, and they want to have the best-in-class security
Dr. Dave Chatterjee:practices, they can absolutely get it. There are resources out
Dr. Dave Chatterjee:there, they can bring in, leverage, like you talked about
Dr. Dave Chatterjee:earlier, there are the cyber insurance companies, who will
Dr. Dave Chatterjee:absolutely help them get to a certain point in terms of
Dr. Dave Chatterjee:maturity to be eligible for certain amounts of insurance. So
Dr. Dave Chatterjee:seek the help. There are lots of guidance out there, you talked
Dr. Dave Chatterjee:about CISA you talked about NIST. There's lots of guidance
Dr. Dave Chatterjee:out there, it's a matter of really getting it, pulling it
Dr. Dave Chatterjee:all together, and having a plan in place. I know it sounds kind
Dr. Dave Chatterjee:of mundane. And it sounds like stating the obvious. But my
Dr. Dave Chatterjee:research finds time and again, a lot of planning happens, a lot
Dr. Dave Chatterjee:of documentations are maintained. But when it comes to
Dr. Dave Chatterjee:execution, that's where organizations falte time and
Dr. Dave Chatterjee:again, but I don't want to monopolize the conversation, I'd
Dr. Dave Chatterjee:like to send it back to you your thoughts and reactions.
Greyson Milbourne:You make a very good point, right? Like
Greyson Milbourne:having a plan is very different from having a fire drill with
Greyson Milbourne:your plan. And again, I think it's so critical, especially for
Greyson Milbourne:ransomware. I mean, this is important to have, meaning you
Greyson Milbourne:like there's lots of different types of response plans. But
Greyson Milbourne:when you have limited amounts of time to respond, this is where
Greyson Milbourne:it's most important that you practice these things. So maybe
Greyson Milbourne:think when you're speaking before, I'm like, one of my
Greyson Milbourne:passions is aviation. And so I'm a private pilot and pilot, like
Greyson Milbourne:aviation is like very, very safety driven. And one of the
Greyson Milbourne:great things about just the story of aviation is from the
Greyson Milbourne:beginning till now is just how well aviation did at sharing
Greyson Milbourne:mistakes and learning from mistakes and embracing that
Greyson Milbourne:mistakes happen and life and death mistakes happen. And so
Greyson Milbourne:let's do our best to learn from everything from a community
Greyson Milbourne:based all engaged approach. And I look at like, I'm like, Wow,
Greyson Milbourne:this works so well. And I look at cybersecurity and my career
Greyson Milbourne:that I've spent here trying to get like a similar sort of
Greyson Milbourne:benefit of of so many adjacent mistakes, right? So like company
Greyson Milbourne:A company B, C, all suffer the same mistake, right? Like they
Greyson Milbourne:all got breached the same way. Like why are companies making
Greyson Milbourne:the same mistakes that other companies have already made on?
Greyson Milbourne:How do we do a better job of? Well, so like, right, as you
Greyson Milbourne:mentioned, there's this stigma, right like If you make a
Greyson Milbourne:mistake, it can be bad for the brand, it can be bad for your
Greyson Milbourne:trust, but it can have a rippling effect. But if we
Greyson Milbourne:change the culture and acknowledge that we live in a
Greyson Milbourne:world where mistakes happen, and as long as you're doing your due
Greyson Milbourne:diligence, you're trying to prevent them, like good job. And
Greyson Milbourne:if some bad thing happens, that's okay, come forth with the
Greyson Milbourne:information and share it so that we can, as a community can
Greyson Milbourne:defend ourselves better. And of course, it's more complex, and
Greyson Milbourne:we have our own individual corporate networks. But again,
Greyson Milbourne:if you kind of look to where the world is moving, the boundary of
Greyson Milbourne:the network is becoming fuzzier and fuzzier. So I guess I was
Greyson Milbourne:just reflecting that
Dr. Dave Chatterjee:No, this is great. In fact, when you when
Dr. Dave Chatterjee:you mentioned about flying the plane, that's such a powerful
Dr. Dave Chatterjee:metaphor, that immediately immediately makes me think that
Dr. Dave Chatterjee:when you are in a cockpit, you have to be absolutely prepared,
Dr. Dave Chatterjee:you must have to be on top of things
Greyson Milbourne:We prepare, like when the engine goes out at
Greyson Milbourne:like all the time, right? And it's because you want it to be
Greyson Milbourne:automatic, because you have like, seconds really matter that
Greyson Milbourne:okay. Like, you don't want to be thinking like, Oh, let me pull
Greyson Milbourne:up the checklist. And like, what do I do? No, no, you like, know
Greyson Milbourne:that the six things to do immediately, in which order? You
Greyson Milbourne:could do it all in three seconds, right? And then you can
Greyson Milbourne:start looking around and figuring out, where am I gonna
Greyson Milbourne:go? So, you know,
Dr. Dave Chatterjee:And that's it. It's the fear of, of loss of
Dr. Dave Chatterjee:life, fear of loss of the lives of the passengers. And if we
Dr. Dave Chatterjee:were to scale it to small to medium sized enterprise, what
Dr. Dave Chatterjee:are we talking about, we're talking about the demise of the
Dr. Dave Chatterjee:organization, if proper security practices are not in place, and
Dr. Dave Chatterjee:that's precisely why the leadership has to recognize
Dr. Dave Chatterjee:that, that cyber cybersecurity governance is not something
Dr. Dave Chatterjee:unfortunately, we have to do. It's a pain. It is distracting
Dr. Dave Chatterjee:us, but it is significant, it is centric to our survival. And if
Dr. Dave Chatterjee:I may add one more thing here, the last episode we published,
Dr. Dave Chatterjee:we had a senior and a senior leader as my guest. And he made
Dr. Dave Chatterjee:a very important point he said, Dave, we should look at
Dr. Dave Chatterjee:cybersecurity as a strategic opportunity, not as a stumbling
Dr. Dave Chatterjee:block. When organizations, when the leadership takes that
Dr. Dave Chatterjee:approach, has that mindset, then miracles happen because then
Dr. Dave Chatterjee:they're saying, You know what, we're going to be so secure. And
Dr. Dave Chatterjee:given the nature of our business, we can put it out
Dr. Dave Chatterjee:there that if store your data with us, you are safe, because
Dr. Dave Chatterjee:we are really the best in the business when it comes to
Dr. Dave Chatterjee:securing your data. So there are different ways that
Dr. Dave Chatterjee:organizations can play up their security strengths, and get an
Dr. Dave Chatterjee:edge in the business. And I wish more the leadership thought
Dr. Dave Chatterjee:along those lines, as opposed to treating it as a separate
Dr. Dave Chatterjee:function, but making it more making it part of the the
Dr. Dave Chatterjee:overall goals of the organization. So that's kind of
Dr. Dave Chatterjee:the way I see see things here. But since but we are coming to
Dr. Dave Chatterjee:the end of our time, unfortunately, this was
Dr. Dave Chatterjee:fascinating. But I'd like to give you the the floor to wrap
Dr. Dave Chatterjee:things up for us.
Greyson Milbourne:Yeah. Thanks, Dave. And thank you everybody
Greyson Milbourne:who's listening today. From a thought leadership perspective,
Greyson Milbourne:I like to drive awareness of what the risk is. And I hope to
Greyson Milbourne:from this presentation or this this talk today, we've made it
Greyson Milbourne:pretty clear that I mean, this is in our opinion, what the data
Greyson Milbourne:really shows us as it this risk is here to stay, things are
Greyson Milbourne:likely to get worse before they get better. And SMBs, small
Greyson Milbourne:businesses are really going to be in the crosshair. And so the
Greyson Milbourne:risk is real. But we've provided hopefully some steps to help you
Greyson Milbourne:understand what you can do some good resources of how to better
Greyson Milbourne:understand where you might need improvement. And if you're here
Greyson Milbourne:today, you're already taking the right step because again, I'm a
Greyson Milbourne:firm believer that you need to know about the things you need
Greyson Milbourne:to defend the events. And so you've hopefully learned today a
Greyson Milbourne:bit more about what's going on in the threat landscape and how
Greyson Milbourne:to stay secure. So with that, David, I'll turn it back to you.
Greyson Milbourne:Thanks for being here. I'm honestly this has been a ton of
Greyson Milbourne:fun.
Dr. Dave Chatterjee:We'll said, you couldn't have wrapped it up
Dr. Dave Chatterjee:better. Thank you again, Grayson, for your time. It's
Dr. Dave Chatterjee:been a pleasure.
Greyson Milbourne:Thanks Dave.
Dr. Dave Chatterjee:A special thanks to Grayson Melbourne for
Dr. Dave Chatterjee:his time and insights. If you like what you heard, please
Dr. Dave Chatterjee:leave the podcast a rating and share it with your network. Also
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.