A recent Global SMB Ransomware survey finds that nearly half of small and medium-sized businesses (SMBs) have experienced a ransomware attack, yet the majority aren't sure they are a target, and most are not confident they can fend off such an attack. Since 60% of SMBs are known to go out of business within six months of being hacked, it is a very troubling state of affairs. In this episode, Grayson Milbourne, Security Intelligence Director at OpenText Security Solutions, joins me in discussing the security challenges faced by SMBs and sharing success factors and best practices.

Time Stamps

02:21 -- Before we get into the details of SMB information security challenges and best practices, let's talk about you a bit. Share with listeners some highlights of your professional journey.

04:19 -- From a cybersecurity risk resiliency and defense standpoint, small and medium-sized businesses (SMBs) are often the most vulnerable and least mature. As one CIO of a midsize bank put it, "many cybercriminals are specifically targeting midsize companies that are in the cybercrime sweet spot. They are big enough to have significant bank accounts, but they often don't use the latest cybersecurity defenses. Also, middle market firms are often the gateway to bigger targets for cyber thieves." Your thoughts and reactions?

10:53 -- In a study that my colleague, Mike Benz and I published, we noted that 95% of the surveyed SME IT leaders believe they have an above-average security posture. And so the concern is when you think you are prepared, but actually, you are not, that is a bigger problem. Don't you agree?

17:38 -- Grayson, I'd like to go back to the ransomware report, the survey report that your organization published. It's concerning that nearly half of SMBs have experienced a ransomware attack. And yet the majority still don't think or aren't sure they are a target. Why don't you expand on this?

23:57 -- Grayson, what are the top three things that you would recommend SMBs do to protect themselves from, say, ransomware attacks, what would be those top three things?

30:43 -- My research finds that time, and again, a lot of planning happens, and a lot of documentation is maintained. But when it comes to execution, that's where organizations fail time and again. Your thoughts?

36:05 -- I'd like to give you the floor to wrap things up for us.

Memorable Grayson Milbourne Quotes/Statements

"What we see in the SMB spaces is that if they encounter ransomware, they don't report it. And they want to sweep it under the rug, move on and pretend it didn't happen. And unfortunately, that has other consequences that come along with it."

"One of the biggest things that causes a headache during a ransomware incident is that it's a timed attack. They don't give you a lot of time to pay the ransom before they increase the demand because they know you're going to start scrambling, you're going to start thinking, Okay, what backups do I have in place? If you rehearsed the plan, at least you have a battle card to go to, you have some steps, and you're not scrambling because this is the worst time to be scrambling."

"I think one thing that insurance probably doesn't look at is your readiness plan."

"It comes down to reacting properly in that critical amount of time when you face one of these types of attacks."

"Average downtime can be several weeks. It is right to look at cyber risk as any other risk to your business's continuity."

"As your business grows, I think there's tremendous benefit in having an internal security-focused resource."

"Ransomware reporting is vastly underreported. People don't want to have that black eye, they don't want to; it's bad for the customers. If it's not reported, it creates an even fuzzier picture for law enforcement that has resources to go after these organized groups."

"The vast majority of attacks succeed because of a human error of somebody falling for something, clicking on a link, giving away too much information. And so I think education and awareness are really important."

"It's a living and continuous cycle of identifying your assets, protecting them, detecting and looking for active infections, having a response plan in play, learning from your mistakes, and educating."

"Having a plan is very different from having a fire drill with your plan."

"If something bad happens, that's okay; come forth with the information and share it so that we can, as a community, defend ourselves better."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

Welcome to the Cybersecurity Readiness Podcast

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

the book Cybersecurity Readiness: A Holistic and

High-Performance Approach, a SAGE publication. He has been

studying cybersecurity for over a decade, authored and edited

scholarly papers, delivered talks, conducted webinars and

workshops, consulted with companies and served on a

cybersecurity SWAT team with Chief Information Security

officers. Dr. Chatterjee is Associate Professor of

Management Information Systems at the Terry College of

Business, the University of Georgia. As a Duke University

Visiting Scholar, Dr. Chatterjee has taught in the Master of

Engineering in Cybersecurity program at the Pratt School of

Engineering.

Hello, everyone, I'm delighted to

welcome you to this episode of the Cybersecurity Readiness

Podcast Series. Our discussion today will focus on the

challenges and best practices associated with securing

small-to-midsize businesses. We will be using the acronyms SMBs

or SMEs during the course of the discussion. SMB stands for

small-to-midsize businesses, SME stands for small-to-midsize

enterprises, I think it's okay to use these terms.

synonymously; a quick definition small businesses are usually

defined as organizations with fewer than 100 employees.

Midsize enterprises are organizations with 100 to 999.

Employees. This should be a very interesting and useful

discussion because the attacks on SMBs are growing and survey

finds that 60% of small and medium sized businesses go out

of business within six months of being hacked. Grayson Melbourne,

Security Intelligence Director at OpenText Security Solutions

is our guest for this episode. I'm delighted to have him join

me in having this very important conversation. Greyson, welcome.

Hey, thank you, David. Glad to be here.

So before we get into the details of SMB

information security challenges and best practices, let's talk

about you a bit. Share with listeners some highlights of

your professional journey.

Yeah, thanks, Dave. So I have about a little

over 18 years of experience within the cybersecurity space,

I began my career as a threat analyst and studied malware a

really fun part of my career where I come in, put some

headphones on and really just observe and see how malware

authors were trying to be creative and trying to be

evasive, which was really important back in the mid early

2000s. And ever more so important today. But as my

career grew, I eventually became the manager and the director of

the threat research operations for our endpoint team. And that

led me just to discover more and more. And I guess we have one of

my real proud accomplishments is being chosen to speak at RSA on

several occasions and kind of gave me my foot into public

speaking and just more thought leadership to talk about the

problems that we face in cybersecurity, just drive

awareness of these problems so that we can act and measure risk

accordingly. And I did that for a while and kind of burnt out a

little bit on the on the conference. There's so many

conferences. And so now I work more on the cybersecurity front

and I work with the product teams to ensure the efficacy of

our products. I stay very close to the threat research teams and

evolutions and how malware functions and invasive

techniques and just how that threat landscape continues to

evolve. And so that's what I do today primarily is is, right,

track that make sure our products, stay capable. And then

join you for podcasts like this and spread the good word of why

it's important to be aware of the risks that we face and not

just be aware, but you know what know what steps you can take to

actively improve your defense, you know, now because you know

what our data will show, and what we'll talk about throughout

this this podcast here is that the problem is, is unfortunately

getting worse, and it's somewhat moving down market and we're

seeing smaller and smaller businesses become more and more

of the focus, especially of ransomware attacks.

Great to hear about your journey. You're

doing great. And I appreciate you taking time out of your busy

schedule to talk to my listeners. I couldn't agree with

you more than we are discussing a very important topic. And it's

not enough just to talk about the challenges or the realities

of what the SMBs face when it comes to securing their

organization securing their data, but what can they do? How

can they do better? That really needs to be the focus and I'm

sure we will talk a lot about that. But let's begin by sharing

with the listeners some facts and stats. A couple of years ago

I authored a paper along with Mike Benz, who's the partner and

fractional CIO at Fortium Partners. The paper is titled

Calculated Risk? A Cybersecurity Evaluation Tool for SMEs. It's

published in Business Horizons in 2020. It's been cited

heavily, been very well received. So there when we were

authoring the paper, we shared some facts. And I'd like to hear

your reactions to some of them; will not go through all of them.

The first one is SMBs are among the least mature and most

vulnerable, in terms of their cybersecurity risk and

resilience. As one CIO of a midsize bank put it, "many cyber

criminals are specifically targeting midsize companies that

are in the cybercrime sweet spot. They are big enough to

have significant bank accounts, but they often don't use the

latest cybersecurity defenses. Also, middle market firms are

often the gateway to bigger targets for cyber thieves." Your

thoughts, your reactions?

Yeah, I mean, I think this is an unfortunate

reality. But our data shows the same and that as I mentioned, we

see a continued downward trend in the median size of a business

that suffers a ransomware attack. And when we look back

over time, this number is now just over 100 is the average so

far in 2022. But at this time last year, it was over 200. And

so we've seen a very significant shift downmarket. And along with

that we've actually seen the median ransomware payment has

also dropped. And so I think you know what misconception a lot of

times is that ransomware demands, what we see maybe in

the media are these seven figure, maybe even eight figure

ransoms. But what we really see for the vast majority people who

are getting infected and then deciding to pay, or some do,

some don't. But the ransoms are less than $50,000, I think we're

now somewhere around 38 or so $1,000, which again, if you

compare that to last year, was considerably higher, closer to

$100,000, then but again, you're those businesses are larger. So

I think in some ways, the ransom average demands reflect the size

of the business. Because I mean, let's face it, this is a

business to them. And the only way that they make money is if

you pay, and so they know what you can pay, a lot of times

they've been inside your environment and have have a good

enough idea to set a ransom that has a chance of being paid. But

I think that makes it a problem because these are people who've

who've come forward and told their story. But I think a lot

of times also, what we see in the SMB spaces, especially in

the smaller sizes of businesses is that if they encounter

ransomware, they don't report it. And they just want to sweep

it under the rug, move on and pretend it didn't happen. And

unfortunately, that has its other consequences that come

along with it.

Indeed, very unfortunate. Sweeping under

the rug is not the way to deal with this problem, Organizations

will have to proactively prepare for ransomware attack scenarios.

As you know, the threat actors have upped their game, and are

now engaging in double, triple and quadruple extortions. Along

with encrypting systems and data, they are now doing

something called double extortion. They're stealing the

data before they encrypt it. So even if the organization can

recover the systems and recover data from their backups, and

disaster recovery methods, they're still forced to

negotiate to get an agreement from the hackers, that they are

not going to post the stolen data. They engage in triple

extortion when they launch a denial-of-service attack, so the

business is no longer able to function. And now we are also

seeing something called quadruple extortion, where

they're not only engaging in the first three types of attacks I

talked about, they're also communicating with customers

whose data they have stolen, and telling them to put pressure on

the breached organization to pay up. So all organizations should

be prepared for such eventualities and they should

have a plan in place. And they should regularly rehearse the

plan to build organizational memory.

Yeah, I mean, I think it's the unfortunate

nature that these threat actors there, they're being

advantageous with what they're there after. Right. And

unfortunately, they don't care about your small business

potentially going under. And they know that these are softer

targets. And plus there's definitely a benefit to flying

under the radar. We've seen some examples of like Colonial

Pipeline, for example, brought a lot of attention to dark side.

And these guys didn't really like their business model wasn't

really going after critical infrastructure. They had this

ransomware-as-a-service model, and they have affiliates who

happened to deploy their variant of ransomware into an

environment that drew a lot of attention. And eventually, their

operation was disrupted. So there's a lot of added benefit

to going after smaller businesses. And the reality is,

right, is that most small businesses don't have dedicated

security individuals, IT has been outsourced to an MSP and

these cases, it can be much more time consuming to get back

online. So I think it's it's, it's an unfortunate reality, but

it is, especially for smaller companies need to have a plan in

place. As you mentioned, I agree. One of the biggest things

that causes a headache during a ransomware incident is that it's

a timed attack. They don't give you a lot of time to pay the

ransom before they increase the demand because they know you're

gonna start scrambling, you're gonna start thinking, Okay, what

backups do I have in place? And this is where if you have that

plan in place, if you rehearsed the plan, at least you have a

battle card to go to you have some steps and you're not

scrambling because this is the worst time to be scrambling.

Well said! To avoid scrambling, to avoid a

chaotic response, which is often the case, the organization needs

to be prepared. But preparation begins at the top management

level, the top management sets the tone for the entire

organization, sets the ball rolling for the entire

organization. So if top management is under an illusion,

is under the mistaken impression that the organization is in good

shape from a cybersecurity defense standpoint, the

organization suffers. And that is often the case with midsize

enterprises. Research finds that midsize organization leaders are

overly confident about the level of preparedness and defense

capabilities. In a study that my colleague, Mike Benz and I

published, we noted that 95% of the surveyed SME IT leaders

believe they have an above average security posture. And so

the concern is when you think you are prepared, but actually

you are not, that is a bigger problem. Don't you agree?

Oh, absolutely. I mean, that's the

exact posture that a cyber attacker is looking for somebody

who believes they're there, they're much more defended than

they are and their guard is down. I think it absolutely

you're absolutely right. And that it does need to start from

the leadership level. And it needs to sort of be the ethos of

your company needs to be around security and around around that.

And I think so much so that it can even be a selling factor,

right? I mean, you can be proud of your your ability to have a

secure posture. I mean, we see this actually, in cyber

insurance, for example, you know, they price-based on this,

right, but depending on how I mean, you can't just get it

right. It's not just oh, I'm gonna buy cyber insurance. It's,

well, let's look at the policy. And let's look at your current

posture, and more mature, more established postures get better

rates with what's not too different from a credit score.

But the consequences are much more damaging. They all say,

having your identity stolen is really inconvenient, you're

having your business hit with ransomware even more

inconvenient. So there's a reason that these ratings exist.

And there's a reason that layered security matters. And,

and having a plan really matters. And I think one thing

that insurance probably doesn't look at is is your readiness

plan, they'll probably look to say these are the layers you

have in place. But really, it comes down to reacting properly

in that critical amount of time when you face one of these types

of attacks,

I couldn't agree with you more. In fact, as

you were talking about preparedness, and what what

surprises me again, is the fact that how can top management look

the other way when cybersecurity is increasingly being recognized

as a strategic competency. And there's another startling data

that 60% of small and medium sized businesses are known to go

out of business within six months of being hacked. And the

reason I bring it up is because, let's put myself in the CEO

shoes, I obviously have to run the organization, make money, I

have to follow through with the vision of the organization. And

cybersecurity doesn't quite fall within that vision. But the

unfortunate reality is, unless I am secure, organizationally,

infrastructure-wise, in many other ways. I may not be in

business for very long. So having that recognition, having

that foresight that is so important for the leadership to

sit up and say, You know what, we got to do something about it.

It's not enough just to outsource it. Let's get some

intelligence and in let's do an assessment of where we are, what

we need to do. And yes, we will do the best we can with the

resources we have because there's no expectation that you

have to have a security setup that befits a large

organization. I've had the pleasure of talking with several

legal experts and they have said consistently, that when a cyber

attack allegation is being reviewed in a court of law, the

judge looks very favorably at an organization, as long as they

can prove that they did the due diligence, and they did

everything they could, and maybe even with beyond to try and

secure their strategic assets. So the intent needs to be there.

But the intent needs to be followed by, by actions.

Yeah, no, definitely makes sense. And I

mean, that's quite an alarming statistic. I mean, 60% is, is a

huge number, and a lot of these small businesses get are

attacked. And we know like, the average downtime is can be

several weeks. And so it right having looking at like cyber

risk as any other type of risk to your business's continuity, I

think is the smart play, and just anticipating if what

happens if this goes offline? How do I survive? can I survive?

And then again, to the other point, I think having like, it's

a complex thing. And for really small businesses, outsourcing to

an MSP a service provider is sometimes your only option. But

I do think not all businesses are equal. And as your your

business perhaps grows, I think there's there's tremendous

benefit in having an internal security focused resource. And

that resource will probably still be overwhelmed and will

liaison with MSPs. But that's probably better than your your

CEO or your your COO being that person, right. And this gives

somebody who can stay on top of the trends. You know, a lot of

times people ask me what, what's a good resource. And I like to

point back towards the CISA, the government cybersecurity

information sharing platform that that does a good job of

sending out bulletins and like keeps you at least aware of, of

things that might change. And let me give you just one really

good example, earlier this year we are Microsoft had a

vulnerability in Exchange, and everybody uses Microsoft

Exchange, or a lot of people have moved to cloud, but a lot

of people still host their own Exchange servers for email. And

it was a bad vulnerability about as bad as it gets right allows a

hacker to remotely execute code on your system through a

vulnerability in Exchange. They posted about this and what you

should do and the steps you should take. But a lot of

businesses still didn't follow this to the point that the FBI

actually practically hacked in and patched many environments

that they found vulnerable. And because at least if they if

they're able to get in, they know that they can do the right

thing and fix it, as opposed to who knows who gets in, and then

does what. So it's a complex thing. And I know sometimes

small businesses definitely get overwhelmed when they think

about just all the complexity and the different services and

things that go into it, which again, is why once you're over,

I think a certain size in the low 20s to above, it does make

sense to have a dedicated individual, and then accordingly

scale that to larger company seat sizes.

That's great. In fact, I'd like to add

to what you said about having a dedicated individual or maybe a

couple of a couple of people, it might be unfair to have

expectations of a large team in a small or medium sized

organization. But again, it's not the matter of size, it comes

down to how thorough and rigorous the planning is, and

how precise and consistent is the execution and what my work

finds, and in my book on Cybersecurity Readiness, I talk

about creating and sustaining a high-performance information

security culture. I use the word culture because unless there is

a change in the mindset of the leadership, unless there's a

change in the mindset of the organizational members, you're

unlikely to get that kind of buy-in, you're unlikely to get

everyone doing their part over a long period of time. What

generally happens is all of a sudden, a company gets really

big on something and then they start acting extensively. And

then after a while, again, things quieten down, and then

they're back to their usual ways. And then they may not be

as rigorous. And once again, something happens. And again,

they sit up and take note. So unfortunately, we are in a very

reactive culture, we are not proactive by nature. If the

pandemic has taught us anything, it's definitely taught me that,

that we have been very, very reactive. So even from the

standpoint of securing organizations, whether it's for

ransomware, or for any other type of attack, being proactive,

being ahead of the curve, leveraging resources, internal

and external, is so, so important. And and it all starts

with the intent of the leadership that yes, I want to

know, I want to know where we are, I want to be periodically

updated. And that timetable is entirely up to the organization

every week or every month and of course there will be exception

reporting, but cybersecurity metrics should feature

prominently alongside the other business management metrics.

That's how important security has become. It's not because you

and I are in this field. And we are trying to tell the world

hey, take note. But that's the reality of it, is that

businesses in today's day and age where we are highly

digitized, we have to give the security infrastructure, focus

attention, the right kind of nurturing, or you kind of get

into trouble. So Grayson, I'd like to go back to the

ransomware report, the survey report that your organization

published, and and I want to share with the listeners a few,

but I don't want to steal the thunder, I'll let you share most

of it. But it's really concerning that nearly half of

SMBs have experienced a ransomware attack. And yet the

majority still don't think or aren't sure they are a target.

Why don't you expand on this?

Yeah, so I mean, so this survey was

conducted over 1300 businesses all under 1000 endpoints, or

1000 seats, and so it's not evenly distributed. There's many

more that are that SMB, so probably 100 or less, but a

really good array of different companies. And I think it is

concerning. I mean, we know that ransomware has been around for a

while. And so, you know, I think it was 46% of businesses already

admit to having encountered ransomware, at least to some

degree, I think that number if we pull next year is only going

to be higher, because year over year, it's not really an if it's

a when type of scenario. And I think unfortunately, our data

still supports that. And it's because of the posture, or the

denial of the risk that we still see largely the SMB space. And I

think it's a challenge because one of the other things that

we're queried on is small and medium sized businesses and

their anticipation of the economic future and potential

recession or cuts in spending. It kind of just makes this

problem worse. And so we see a) we see the threat actors are

100% moving downstream. And so we know that there's many more

businesses in the 100 seats and less than there are the one to

1000. So there's much more opportunity. These at the same

time people are being squeezed, right, they have shrinking

budgets, and are making tough decisions as to where the

dollars go. And cybersecurity, unfortunately, it applies to

every business that has a digital footprint, which is

pretty much every business today has at least a website and

stores customer information. And these are the targets that are

deciding against an improvement to their their sales and

marketing efforts. Or maybe cybersecurity. Oh, and guess

what cybersecurity does nothing, which is the point, right? Like

you're paying for something that kind of does nothing? And you're

like, oh, great, like, what has it done for me recently? And now

you're happy about that? Right? So, so it's kind of a perfect

storm. And I think what our data shows is that the risk awareness

is still really lacking, based on just the stats of how many

people have encountered this. And I'll leave you with one more

thing is that this is 46% of people admit to it. But we know

that ransomware reporting is vastly underreported. People

don't want to have that, that black eye, they don't want to

it's bad for the customers. And as you mentioned, I mean,

different levels of extortion that we've seen in the past

year, right? It used to be, oh, just give me a ransom payment,

then it was, well, there's GDPR and other data leakage fine. So

we're gonna leak your data, okay, if you don't pay us, and

then that it's like, yeah, we're gonna go after your customers,

and we're gonna sully your reputation, we're gonna go to

the media with this. So like, these are all reasons that

people pay. But it's unfortunate, but I don't blame

companies for not wanting to disclose it. But what that does

is it says the difficulty of attribution. And even though

this is something that's still very much lacking with respect

to cyber crime and punishment, if it's not reported, it creates

even even fuzzier picture for law enforcement that has

resources to go after these organized groups, the more

information that they are provided about your encounter

only helps strengthen our ability to strike back and, and

try to take some of these organizations that have been,

you know, up till today's largely resilient to any sort of

multinational organized shutdown. We've seen some

examples, but largely, it's a highly competitive space that

thrives today.

Yep. Unfortunately, those are all

realities. As you and I have been talking, I am thinking of

what are a list of challenges that SMBs in encounter. Starting

with the lack of awareness, a bit of this 'ignorance is bliss'

kind of a scenario, inadequate resources, lack of top

management involvement, and then during our discussion planning

meeting, you talked about the training is not very

satisfactory. So there is a probably a list of of things

that SMBs could do better. But I think what might be helpful to

the listeners, many of whom are probably working for SMBs is to

let's say, if I were to ask you, Grayson, what are the top three

things that you would recommend SMBs do to protect themselves

from say, ransomware attacks, what would those top three

things?

Okay, and I'll put these in no particular

order because I think they're all very important, but I'll

start with education. Because I think education is one of the

there's almost always a human element. This isn't always the

case, right? Sometimes like software is vulnerable. And a

hacker is able to exploit something that is very difficult

to defend against that. But the vast majority of attacks succeed

because of a human error of somebody falling for something,

clicking on a link, giving away too much information that begins

the attack, right. And so I think education and awareness is

is really important. And that it's not something like PCI DSS

where it's an annual, everybody knows how to store credit card

information. Okay, this is not that right? This is much more

complex. And it has a lot of variety and trends and trends

shift pretty quickly. And so we advocate for like quarterly

updates, because things shift from the end of the year and the

tactics and what we think the scams that are very prevalent in

this time of year are typically prevalent at this time of year.

So so that goes a long way, and just eliminating whatever might

happen after a human mistake. Right. So education, I think is

really important. I think the other one is, is identifying

your assets. And I like cyber resilience as a as an approach

to layered security that fits nicely with a zero trust

approach to cybersecurity. And really, it's just a cycle. It's

a living cycle of, of identifying your assets,

protecting them detecting and looking for active infections,

having a response plan in play, learning from your mistakes, and

educating it's a continuous cycle. But the first part of

that is identification. And I think every business really

needs to understand their internal assets. And this

includes people, right, this isn't just your PCs that are

critical. But hey, if you know, this single source of failure as

an individual leaves, my business might equally be as

disrupted as if I get hit with ransomware. So identify your

risks and what those are, and then apply proper risk

mitigation strategies to those things. And so if it's, if it's

data, have backups, and make sure that your backups are air

gapped are not capable of being compromised by ransomware.

There's lots of great technology that does this automatically.

But if it's people, right, I think, again, staffing is a

tough thing sometimes, but identify and understand your

your assets and then defend them. So educate, identify, and

defend, those would be the three things that I would look at.

Totally agree, totally agree. So there

are a couple of things I'd like to add to that. And one of that

is how do you incentivize proper security behavior, we all need

motivation to do things which are, where, especially when we

are not seeing the ROI directly. If you're if you're talking to a

non-security professional in an organization, who has a

particular type of work, and you have certain security do's and

don'ts, kind of expectations of that person, you have to be able

to convince that person that this is if they followed through

with that cyber discipline with that cyber hygiene, the end

result, overall end result is good, and that's going to help

them. So you have to keep showing them the big picture.

Yep. Along similar lines, even to get the top management

attention, present the scenarios, the consequences of

the different types of attacks and breaches, and what happens

after that what the organization has to deal with. So make it as

realistic as possible to get the attention because that's gonna

lead to some actions, maybe some change in behaviors, and

absolutely means I cant agree with you more that while humans

are the greatest assets, they're also a great vulnerability. So

the best way of addressing that is through regular training

sessions. And these training sessions should not be the check

the box approach, okay, I met the requirements, but it should

be continuous. And it should be incremental. I often use the

analogy of people do this nerdles and wordles on a daily

basis. And I have shared with organization that how about

every day, an email goes out with a security little puzzle or

a security game that people have to solve, kind of make it fun.

At the same time you are impacting the mind. On a day to

day basis, you're sowing that security seed. And over a period

of time, everyone has a certain level of awareness, as opposed

to the current approach where we go through this security

training for say, 30-35, 40 minutes, we take a quiz. And

then after six months, we again do it. And it's also not

customized. So we have to make security training role-based we

have to make it more immersive. So a lot of thought has to go

Yeah, I totally agree. I think along

into it.

with training, one of the things I support is doing simulated

attacks. So you can send out a phishing and so we do this

internally and we we quite literally take from the wild and

examples and create templates so that you can test using the most

recent techniques and imagery, and I think that that helps. I

think the other thing that you definitely touched on is like

engagement with IT. And I know for a lot of companies that have

an IT department, sometimes there's the there's a

hesitation, we've always tried to foster that IT is a fun and

loving place, and they are going to be much, much more fun and

loving when you ask them in advance of something as opposed

to saying, so I opened that email, and I clicked this thing,

and now I have ransomware in my computer, then your IT guy is

gonna be grumpy. But if you're like, Hey, I got this email. And

it just seems weird. Before I open it, I thought I'd ask you,

I hope I'm not wasting your time, they're gonna be like not

wasting my time at all, thank you for I think creating that

kind of culture to have a do suspicion but also having a

right place to go that it's not going to make you feel like

you're you're going to be shunned for for asking that

question.

I'm so glad you mentioned that, because I

was having this discussion with another subject matter expert.

And he talked about creating a culture of empathy, where people

are not scared to report that look, yes, I made a mistake. I

clicked on this. And yes, now we are dealing with the

consequences, as opposed to trying to hide and waiting to be

caught. And hopefully, so changing that approach and and

recognizing that, yes, we will do our best we will learn. But

if you make mistakes, just fess up and just let us know what

happened. So we can start doing damage control sooner than

later. So creating that environment, that culture, is so

important, where they're not looking at IT or security as a

stumbling block, as a hurdle. But more as a partner. You know,

that's why there's that phrase out there that cybersecurity is

everybody's business, it is not just the business of the

information security function. But to be able to develop that

mindset, you have to create and nurture that culture where you

have to incentivize certain behaviors, there has to be

shared responsibility and accountability. So everyone,

everyone has a stake in the game, you can just put your

hands up and say, well, something has happened. It's the

CISOs problem, the CISO should get fired, that doesn't really

solve the problem, you may have a symbolic reaction, you might

impress some external folks. But have you really taken a deeper

look at your processes, at your systems, to identify what the

real issues are. So again, I emphasize an in-depth systematic

approach, you don't have to be an expert. I don't expect the

leadership team to be cybersecurity experts. But they

if they have the real intent of securing the organization as

best they can, and they want to have the best-in-class security

practices, they can absolutely get it. There are resources out

there, they can bring in, leverage, like you talked about

earlier, there are the cyber insurance companies, who will

absolutely help them get to a certain point in terms of

maturity to be eligible for certain amounts of insurance. So

seek the help. There are lots of guidance out there, you talked

about CISA you talked about NIST. There's lots of guidance

out there, it's a matter of really getting it, pulling it

all together, and having a plan in place. I know it sounds kind

of mundane. And it sounds like stating the obvious. But my

research finds time and again, a lot of planning happens, a lot

of documentations are maintained. But when it comes to

execution, that's where organizations falte time and

again, but I don't want to monopolize the conversation, I'd

like to send it back to you your thoughts and reactions.

You make a very good point, right? Like

having a plan is very different from having a fire drill with

your plan. And again, I think it's so critical, especially for

ransomware. I mean, this is important to have, meaning you

like there's lots of different types of response plans. But

when you have limited amounts of time to respond, this is where

it's most important that you practice these things. So maybe

think when you're speaking before, I'm like, one of my

passions is aviation. And so I'm a private pilot and pilot, like

aviation is like very, very safety driven. And one of the

great things about just the story of aviation is from the

beginning till now is just how well aviation did at sharing

mistakes and learning from mistakes and embracing that

mistakes happen and life and death mistakes happen. And so

let's do our best to learn from everything from a community

based all engaged approach. And I look at like, I'm like, Wow,

this works so well. And I look at cybersecurity and my career

that I've spent here trying to get like a similar sort of

benefit of of so many adjacent mistakes, right? So like company

A company B, C, all suffer the same mistake, right? Like they

all got breached the same way. Like why are companies making

the same mistakes that other companies have already made on?

How do we do a better job of? Well, so like, right, as you

mentioned, there's this stigma, right like If you make a

mistake, it can be bad for the brand, it can be bad for your

trust, but it can have a rippling effect. But if we

change the culture and acknowledge that we live in a

world where mistakes happen, and as long as you're doing your due

diligence, you're trying to prevent them, like good job. And

if some bad thing happens, that's okay, come forth with the

information and share it so that we can, as a community can

defend ourselves better. And of course, it's more complex, and

we have our own individual corporate networks. But again,

if you kind of look to where the world is moving, the boundary of

the network is becoming fuzzier and fuzzier. So I guess I was

just reflecting that

No, this is great. In fact, when you when

you mentioned about flying the plane, that's such a powerful

metaphor, that immediately immediately makes me think that

when you are in a cockpit, you have to be absolutely prepared,

you must have to be on top of things

We prepare, like when the engine goes out at

like all the time, right? And it's because you want it to be

automatic, because you have like, seconds really matter that

okay. Like, you don't want to be thinking like, Oh, let me pull

up the checklist. And like, what do I do? No, no, you like, know

that the six things to do immediately, in which order? You

could do it all in three seconds, right? And then you can

start looking around and figuring out, where am I gonna

go? So, you know,

And that's it. It's the fear of, of loss of

life, fear of loss of the lives of the passengers. And if we

were to scale it to small to medium sized enterprise, what

are we talking about, we're talking about the demise of the

organization, if proper security practices are not in place, and

that's precisely why the leadership has to recognize

that, that cyber cybersecurity governance is not something

unfortunately, we have to do. It's a pain. It is distracting

us, but it is significant, it is centric to our survival. And if

I may add one more thing here, the last episode we published,

we had a senior and a senior leader as my guest. And he made

a very important point he said, Dave, we should look at

cybersecurity as a strategic opportunity, not as a stumbling

block. When organizations, when the leadership takes that

approach, has that mindset, then miracles happen because then

they're saying, You know what, we're going to be so secure. And

given the nature of our business, we can put it out

there that if store your data with us, you are safe, because

we are really the best in the business when it comes to

securing your data. So there are different ways that

organizations can play up their security strengths, and get an

edge in the business. And I wish more the leadership thought

along those lines, as opposed to treating it as a separate

function, but making it more making it part of the the

overall goals of the organization. So that's kind of

the way I see see things here. But since but we are coming to

the end of our time, unfortunately, this was

fascinating. But I'd like to give you the the floor to wrap

things up for us.

Yeah. Thanks, Dave. And thank you everybody

who's listening today. From a thought leadership perspective,

I like to drive awareness of what the risk is. And I hope to

from this presentation or this this talk today, we've made it

pretty clear that I mean, this is in our opinion, what the data

really shows us as it this risk is here to stay, things are

likely to get worse before they get better. And SMBs, small

businesses are really going to be in the crosshair. And so the

risk is real. But we've provided hopefully some steps to help you

understand what you can do some good resources of how to better

understand where you might need improvement. And if you're here

today, you're already taking the right step because again, I'm a

firm believer that you need to know about the things you need

to defend the events. And so you've hopefully learned today a

bit more about what's going on in the threat landscape and how

to stay secure. So with that, David, I'll turn it back to you.

Thanks for being here. I'm honestly this has been a ton of

fun.

We'll said, you couldn't have wrapped it up

better. Thank you again, Grayson, for your time. It's

been a pleasure.

Thanks Dave.

A special thanks to Grayson Melbourne for

his time and insights. If you like what you heard, please

leave the podcast a rating and share it with your network. Also

subscribe to the show, so you don't miss any new episodes.

Thank you for listening, and I'll see you in the next

episode.

The information contained in this podcast is for

general guidance only. The discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as-is basis with no guarantee of

completeness, accuracy, usefulness or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization.