The Importance of Cybersecurity Strategies in Small Businesses with Trava Security CEO, Jim Goldman

This is a podcast episode titled, The Importance of Cybersecurity Strategies in Small Businesses with Trava Security CEO, Jim Goldman. The summary for this episode is:

If the check engine light came on in your car, would you go to an auto parts store and grab random items to fix the problem? Unlikely.

So why do business owners take that haphazard approach to protecting themselves against cyberattacks?

In this episode of The Tea on Cybersecurity, Jim Goldman (https://www.linkedin.com/in/jigoldman/), CEO and Co-founder of Trava Security, shares why having a risk management plan and creating a cybersecurity strategy is crucial for small to medium businesses.

What You’ll Learn:
  • Why small-to-medium companies are easy targets for criminals
  • The importance of having a risk management plan
  • When you should invest in a cybersecurity strategy

Things to listen for:
  • [00:21 - 00:54] Introduction
  • [01:17 - 03:42] Why companies wrongly feel they aren't targets
  • [04:14 - 05:41] The watering hole attack
  • [06:07 - 10:21] Putting together a risk management plan
  • [06:07 - 10:21] When leadership should invest in a cybersecurity plan
  • [14:17 - 16:45] What cyber insurance is and why you might need it
  • [16:59 - 18:01] Jim’s final thoughts
  • [18:05 - 20:19] Jara’s receipts

Connect with the Guest:
LinkedIn - https://www.linkedin.com/in/jigoldman/

Connect with Trava:
Website - https://www.travasecurity.com/
LinkedIn - https://www.linkedin.com/company/travasecurity/
Instagram - https://www.instagram.com/travasecurity/
Twitter - https://twitter.com/travasecurity
Facebook - https://www.facebook.com/travaHQ
YouTube - https://www.youtube.com/@travasecurity
Blog - https://www.travasecurity.com/blog

Jara Rowe: Gather around as we spill the Tea on Cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is the Tea on Cybersecurity, a podcast from Trava. You've made it to episode three of the Tea on Cybersecurity. If you've listened to the previous episodes, I hope you aren't feeling as lost in this cybersecurity world. So far, we have answered the question, what is cybersecurity? We have even gone over some key cybersecurity terminology. During this episode, we will learn about why cybersecurity is important for businesses and why it should be top priority for small and medium sized businesses in particular. I have Trava CEO and co-founder, Jim Goldman, with me again. Hi, Jim, how are you today?

Jim Goldman: Hi, Jara. I'm very happy to be here.

Jara Rowe: On our previous episodes, we've gone over cybersecurity basics. We've learned about phishing, as well as the difference between threats, risks, and vulnerabilities. Now we're getting into why cybersecurity matters to businesses. Why do you think that companies feel like they aren't targets?

Jim Goldman: First of all, I think it's naivete. But also, I think part of it is the old adage of burying their heads in the sand. They convince themselves that they don't have anything of value that a cyber criminal would be interested in. Then they convince themselves that therefore they don't really need to do anything about it. I think part of that line of reasoning comes from if they felt like they had to do something about it, they wouldn't even know where to start. They wouldn't even know what to do. They almost back it up and justify their inaction by saying, "It's okay because I don't really have anything of any value that a cyber criminal would want to get."

Jara Rowe: I'm sure you have seen various attacks throughout your time in the field. Why are small and medium sized businesses such easy targets for attackers?

Jim Goldman: I definitely have, to your first point. I think they're easy targets because they're just not as well protected as larger enterprise customers in general. In my time at the FBI, the one thing that I realized was that in one sense, cyber criminals are no different than any other criminal in that they're basically lazy. They're trying to find the easy way out. If you go back to a burglary model before the days of cyber, which storefront is going to most likely be burglarized? The answer is the one that inadvertently somehow left their front door unlocked. The physical environment criminal is lazy, just like the cyber criminal. Automobile theft: people leave their handbag in plain view in their driveway in an unlocked car. Then they're shocked that theirs was the car that got broken into. What is the easiest... We use the word "attack vector." What is the easiest attack vector for the criminal? It's the same thing in cyber. The reason why small and medium sized businesses are so frequently attacked is, it's a generalization, in general, they're the least protected. They're the ones leaving their handbags, if you will, in plain view, in an unlocked car.

Jara Rowe: I think, too, that they are such easy targets for attackers because, like the first question I asked you, they just feel like they don't have anything of value. I think some attackers probably know that if they're a SaaS company that's only been around for a year, of course, they have people's data. But that attacker may know, "Of course, they have people's data." But cybersecurity isn't a priority for them, so it's easy for them to just get in there.

Jim Goldman: That's a very good example. But another one that I've seen before is something called a watering hole attack. Let's just assume that this company really didn't have any data that was of particular interest or value, but they've got a website. A lot of people come to that website, and that website isn't secure. What the cyber criminal does is launches what's called a watering hole attack. He puts malicious software on this company's website. Then maybe it's a TV news station, not that I've seen that before in previous cases. I'm just saying. It's an example. Somebody wants to check the weather or the news. They go to this TV news station. It's not connected to any data. But unfortunately, there's an invisible malicious piece of software. When they go to check the weather, that malicious software gets automatically downloaded onto their computer. They happen to work for a bank. All of a sudden, the TV station didn't have any data worth protecting. But this person who logged in from a bank computer now has this malicious software that came from the cyber criminal.

Jara Rowe: Oh my gosh. Watering hole?

Jim Goldman: It's called a watering hole. Picture all the different animals innocently coming to a watering hole. They think they're just getting a drink of water.

Jara Rowe: Everyone, don't let this be you. Make sure you're secure. Wow. SaaS companies have access to lots of data, like we just talked about, from their customers, then all the way to their customers' customers, depending on what their product or software is. Getting a risk management plan seems like a no brainer to me. But it is still not as top of mind or priority for some of those companies. Can you talk about that a little bit?

Jim Goldman: It's an approach that really hasn't caught on yet. I think part of it is a lack of education, a lack of communication, or maybe there's a perception that it's difficult. But it really comes down to this: every small business is different. Every business, regardless of size, is different. Yet there's this notion that, "If I just buy this tool, I'll be secure." That's crazy in that one size is not going to fit all. It's like saying every human being in the world wears the same size clothing. No, we don't. If we live in different climates, we need different types of clothing, et cetera. It's the same thing for businesses. Every business, depending on the environment that they operate in, depending on the nature of the data that they gather, store, et cetera, every business is different. Therefore, every business faces different cyber risks. That's the purpose of the risk assessment. What I often joke is if the check engine light in your car went on, you probably wouldn't pull into the nearest auto parts store, grab a shopping cart, and just throw random parts into a shopping cart without knowing what the check engine light was really telling you. The same thing with a business. Why do business owners think it's okay to just randomly grab cybersecurity tools that they saw on the internet, install them, and think they're secure if they never looked into the diagnostics of what their particular problem, what their particular risks are? That's why our approach is always don't spend any money on any tools or any solutions until you get a risk assessment done and you know where your highest priority risks are. What are the biggest holes, if you will, that need to be plugged, and plug them in order.

Jara Rowe: You did mention risk assessments. Can you just go over what that is a little more just for people that may not be that familiar with the term?

Jim Goldman: Again, there's nothing particularly mysterious about it. In other words, risk assessments have been done in a variety of contexts for a variety of years. These just happen to be cyber risk assessments. Much like other risk assessments, whether it be trying to protect a jewelry store or trying to make sure that a public office building is safe from fire, you go against the known set of best practices. The first thing we do when we do a risk assessment is we're trying to compare it to a particular framework. Depending on the nature of the business, we may use one framework or another. If it's something related to healthcare, it may be what we call a HIPAA framework that we use. If it's an online business, it might be what we call a Center for Internet Security framework. In any case, there's a list of best practices. We call them control families. "You really ought to do this, you really ought to do that." Then we say, "Do you do that at all? Do you do that a little? You really do that well." That's the qualitative assessment against the known framework. That's the "How mature is your security program overall?" The other thing we look at is a more technical assessment. You could think of this, if you go to the doctor, you had a physical, and you had blood work done. Now we're going to look at the blood work. What we're doing there is we're going to do what are called scans. Think of it like a CAT scan, a PET scan, or something like that, an x-ray. Instead of doing scans on your body, we're going to scan your cyber environment in different ways. We're going to look at the edge of the network, we're going to look on your servers. If you're in the cloud, we're going to look at your cloud environment. But we're going to look for flaws in those environments. We're going to look for holes. We're going to look for insecure configurations. We're going to look for vulnerable [inaudible] devices that haven't been patched. These are the more technical things that quite frankly can often be more quickly and easily fixed than the lack of a whole process or control family in the more qualitative part of the assessment.

Jara Rowe: You mentioned previously about some companies buying multiple tools, doing a band-aid approach to their cybersecurity. When should a small to medium size business leadership really invest time, resources, money, everything into developing a cybersecurity plan or strategy?

Jim Goldman: I think day one. I think there's this bias or this thought that says cybersecurity is this whole different thing over there that isn't like any other part of business. That's not the truth. It's very much like any other part of business. Business management is all about risk management really. [inaudible] cyber part again, right? Business financial management is risk management. Company leaders are doing risk assessment on a daily basis. They just may not call it that, but that's what they're doing. Again, to your point about, do they have a plan, do they have a strategy? Believe me, they're doing planning and strategy on the business part of their business, on the production environment. If it's a manufacturing facility, they're worried about supply chains, et cetera. There's a lot of planning and strategy there. All we're saying is use those same basic techniques to secure your cyber environment.

Jara Rowe: I saw a stat that stated 60% of small businesses will go out of business following a cyber attack.

Jim Goldman: That's right.

Jara Rowe: Why do you think that is?

Jim Goldman: It's an interesting statistic. The flip side is a relatively small percentage of larger, what we call enterprise companies, go out of business after a cyber attack. What happens there, especially if they're publicly traded, they may take a hit on their reputation, they hire a PR firm or they give free credit checks to all their customers. Then in 18 months, nobody even remembers that they had an incident, everything's fine, and they go on their merry way. What happens with the smaller businesses is they often don't have cyber insurance, for one thing. Then they often just don't have the capability to recover quickly. As a result, the customers that depended on them leave. They don't have the luxury of having several million customers. They have 50 customers or 100 customers. If the bulk of them leave and they didn't have cyber insurance, they could be down for a long time. They're having to pay for restoring the systems. They have to find the cash to do that. What I saw in my time in investigating these crimes is unfortunately, not only do the businesses fail, but the individuals or the proprietors of the business, the co-founders of the business, because they have their personal finances tied up with the business as well, [inaudible] personally, financially devastated as well.

Jara Rowe: You mentioned with the enterprise companies, when they're attacked, they typically do have the funds and resources to get a PR team to help change the story or narrative or to help them get back on their feet. But I do know the smaller companies don't necessarily have that same set of resources to help change their image a little bit. That could be one of the reasons.

Jim Goldman: Once trust is eroded, it's very hard to get back.

Jara Rowe: For sure. Trust is very important for small businesses. Definitely, if your customers can't trust you, then unfortunately, you don't have a business.

Jim Goldman: Especially cyber based small businesses.

Jara Rowe: For sure. You mentioned cyber insurance a minute ago. Can you just walk me through what cyber insurance is and why it's important for companies?

Jim Goldman: I won't go into a lot of detail, but I'll just give you an introduction about why [inaudible] ought to investigate it. I'll preface it by saying it is an industry in upheaval now. Because of losses that have been suffered related to ransomware, cyber insurance has become difficult to get, very expensive, et cetera. I don't mean to say it's some kind of nirvana, just go out and get yourself insurance, and that's all you need. Someone's going to write you a big check [inaudible]. That's not true. However, the thing that is important for people to understand about cyber insurance is there's almost a branch at the top that people need to understand as they look at a potential cyber insurance policy. There is something called first party losses and first party coverage. Then there's something called third party losses, third party coverage. First party losses and coverage have to do with the company itself getting funds from the insurance company to recover the company to get things back to normal. That's what first party coverage does. The part that people often miss is the need for third party coverage because as you pointed out, there are customers that depend on this company. They may depend in a very big way. People's health may be at risk because they've got to access some service that this company offers. People's financial health may be at risk because they have to be able to access this company's resources. What happens is it's not just a matter of having insurance coverage to recover the first party or the company itself. You have to realize that you as the company owner over here of the first party, you could well get sued by people that are dependent on your service. They may have suffered devastating financial losses as well. They may not have been able to conduct their business because they couldn't access the service that they were supposed to be able to get from you. The kind of insurance to cover those costs is called third party insurance. My only point is make sure you look into the availability of both of those kinds of coverage.

Jara Rowe: Very helpful. If you had one solid piece of advice for, let's say a SaaS startup when it comes to cybersecurity, what would that be?

Jim Goldman: What I would say is if you were walking in the wilderness and wanted to climb a mountain, you'd probably start with a trail map. You probably wouldn't just start walking around in the wilderness without a map and a compass. I would say the same thing is true for cybersecurity. Don't start on a journey and don't start buying cybersecurity tools without your map and your compass. In the case of cybersecurity, that map and compass is what we call a cyber risk assessment.

Jara Rowe: Back to cyber risk assessments, we talked about that earlier. Thanks so much for your time and insights, Jim. Is there anything else you would like to drive home?

Jim Goldman: I think the last point, and it's a reiteration, is this is not scary. This is not complicated. It's not some mysterious thing, totally different from a normal way of planning any other aspect of your business.

Jara Rowe: Do not let cybersecurity scare you away. It is very important and should be top priority for everyone.

Jim Goldman: It's approachable. That's right.

Jara Rowe: It is approachable for sure. Now that we've spilled the tea, it's time to go over the receipts. One major takeaway that I got from that, especially being from a marketing and public relations background, is that one mistake can seriously end a small business. Even if you don't feel as if your business is in the line of an attacker or a cyber criminal, a hacker wants to get your information, you should still take it very seriously because you do not want to be hit by something that could literally end your business overnight. For my small and medium sized business owners and leaders, unfortunately, you all are easy targets. One of those reasons is because it's easy to just throw in a bunch of random solutions that may not even work very well together. Like Jim pointed out, if we are going to an auto store just because our check engine light was on, we would not just go in there and throw in a bunch of things into our cart like oil and things because we really don't know what the issue is. We haven't done any diagnostics. You should treat your business the same way. If you don't know what the diagnostics are or the risks that you have, do not just jump haphazardly into getting solutions that you think may help. One final receipt that I have, criminals are lazy and will always take the easy way out. Again, we have to make sure as business owners, as individuals, that we are doing our due diligence to keep us and the companies we work for safe. It could be one minor slip up on our behalf that just lets that lazy criminal get right in and disrupt so much. Take cybersecurity seriously. I hope you've learned something during this episode of the Tea on Cybersecurity. Next episode, we will be discussing the weakest links in companies. It could be you. That's the Tea on Cybersecurity. If you like what you listen to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.


Today's Host

Jara Rowe | Content Marketing Specialist

Today's Guests

Jim Goldman | CEO and Co-Founder