Why aren't SMBs investing in Cyber Security? [ML B-Side]

Attacks against small-to-medium-sized businesses currently represent roughly 40% to 50% of all data breaches. Josh Ablett, founder and CISO of Adelia Risk, speaks with Nate Nelson about the kind of security he usually finds in SMBs when he’s called in to make an initial security assessment - spoiler: not a pretty picture - the impact of data breaches on SMBs, and what role insurance companies play in improving the state of security in that often overlooked segment of the industry.

Hosted By

Ran Levi

Exec. Editor @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several high-tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Josh Ablett

founder and CISO of Adelia Risk

Cybersecurity expert who makes small, highly regulated companies secure simply and easily.

Episode Transcript:

Transcription edited by Krishnendu Sarkar

[Ran] Hi, and welcome to Cybereason’s Malicious Life B-Sides. I’m Ran Levi.

Most stories we tell in Malicious Life involve large companies, enterprises, multinational or governmental organizations. The reason is simple. Attacks against big organizations attract media attention, and so there’s usually plenty of investigative reports, interviews and the like for us to work with. And to be honest, stories about attacks against big organizations also tend to be more interesting. There’s usually more money involved and more clients, and there’s also inherent drama in the mental image of a lone hacker or small cybergang taking on a behemoth like Microsoft or the US government.

But in focusing on the bigger companies, we miss an important part of the bigger picture. According to several state-of-the-industry reports, attacks against small to medium-sized businesses represent roughly 40 to 50% of all data breaches, and many times a cyber attack against a small business can have a devastating impact on that company.

Our guest today is Josh Ablett, founder and CISO at Adelia Risk, a cybersecurity agency specializing in small but high-value businesses in highly regulated industries, such as the medical and financial sectors. Josh spoke with Nate Nelson about the kind of security he usually finds in SMBs when he’s called in to make an initial security assessment – spoiler, not a pretty picture – the impact of data breaches on SMBs, and what role insurance companies play in improving the state of security in that often overlooked segment of the industry.

Enjoy the interview.

---

[Nate] You know, Josh, as I was preparing for this interview, there was one nagging thought in my mind the whole time, so I’m going to ask you about it right up front, which is this. If I’m an attacker and my goals are, say, financial or political, I’m going after large companies, I’m going after governments. Why is it that a cyber attacker would go after a small or mid-sized business in the first place?

[Josh] Oh, absolutely. Well, first off, small businesses are juicier, right? It’s easier to get in, as the large enterprises have hardened their security and got more and more testing in place to confirm that their security is working. It’s also a numbers game, right? There are almost 32 million small businesses just in the United States alone. So that’s a sexy target. In my experience, what I’ve seen is that it’s less about data, right? They’re not going to get the millions and millions of records like they got at Equifax. But if they’re patient and hang out on the network or in the email long enough, you know, they’re going to walk away with five, six, even seven figures of dollars drained from business accounts.

[Nate] Okay. And are these the same kinds of attacks that we hear about a lot on Malicious Life or on the news?

[Josh] Great question. I have been really surprised to learn over the past few years while I’ve been working with these small and mid-sized businesses, the attacks aren’t all that different. You know, I was expecting that maybe there’d be shorter dwell time because they would need to make their money and move on. But these hackers are just as patient with these small and mid-sized businesses as we’ve seen in the large enterprise space. For example, CPA firms and wealth management firms are just really juicy targets these days, and even the clients of CPA firms and wealth management firms.

So for example, a hacker gets access to a small business’s email and they’re in there for months. They’re looking at all the emails that are coming in, just watching and waiting. Eventually, they learn the name of the small business’s CPA firm and they go out and they do a little typo squatting. You know, they register a domain that looks a lot like the CPA firm’s domain and then they just sit and wait. If a CPA firm sends something like, hey, please wire $150,000 for taxes to this account at Bank of America, then the hacker is going to jump right in with that lookalike domain and say, oh, I’m sorry. No, no, no. I forgot we’re changing banks. Please send that 150 grand to Barclays instead. And then the money is gone because a lot of businesses don’t reconcile their tax statements for months.

So we’re seeing a lot of attacks like that where they’re just sitting and waiting. And when the opportunity presents itself, they strike. And of course, I’m skipping over some of the obvious stuff, right? Your listeners have been hearing about ransomware for years and online banking Trojans and those sorts of things. And those certainly happen to small and mid-sized businesses. And I think that one of the really challenging things for these small businesses is these attacks can have a tremendous impact on their entire business operation, right? If you’re the COO of a small company or the CEO of a small company and suddenly you have to spend 100 or 200 or even 300 hours after a breach dealing with the lawyers and dealing with the incident response team and so on and so forth, in a large enterprise, that’s not that big of a deal. But if you think about it for a small business, taking your top people and having them be that unfocused for weeks and even months, it can really set the company back.

This reminds me of an example: a CEO was having problems with their computer and they called up their IT company and said, hey, could you temporarily disable multi-factor authentication, right? I mean, this happens all the time. And if you could see me, I’m putting “temporarily” in winky fingers, because temporary lasted way too long. And of course, a Nigerian hacker got in, used the CEO’s account to send phishing emails to all of the company’s clients. Again, that dwell time, right? They’re sitting in there being patient. But their top people, this company was just so distracted for months dealing with the lawyers, dealing with the clients. It was a big embarrassment, but it really set their overall business back in a lot of ways.

[Nate] You work with small and mid-sized businesses like this every day. Tell me what you typically see when you first start working with new clients. So how is their security set up before you get there? How are they thinking about security? How do your conversations usually go?

[Josh] It’s pretty scary. When I first go into small and mid-sized businesses, they don’t have a lot of what you and probably your listeners would recognize as even decent cybersecurity. They often have antivirus, but it’s a free version. It’s not centrally managed. Most of them have never even heard of EDR or MDR. Backups are inconsistent. Computers are never locked down. It’s kind of left to the devices of each person to figure out their own computer. So it’s incredibly laissez-faire. It’s very Wild West. If we’re lucky, we find that their cloud services have multifactor authentication, but that’s kind of all they’ve set up. So it’s very much, you know, everyone’s left to their own devices. And if anything, COVID has kind of made this worse, right? Because a lot more people are using personal devices from home, which I know is something that both small and large businesses are wrestling with, but it’s definitely presenting a special challenge in the SMB market.

[Nate] And I imagine much of the issue is just that small and mid-sized businesses are spending less on cybersecurity, right?

[Josh] That’s a great point. And I think the more interesting question for me is why aren’t they, right? Because they’re spending money on other things. So why not IT and cybersecurity?

[Nate] Right. So then why aren’t they?

[Josh] The way I think about it is really three reasons. One, no one’s telling them they have to, right? I was mentioning financial services before. That’s my background. If you work in a bank, nothing frees up cybersecurity budget like the FDIC said so or the OCC said so. For most of these small businesses, it’s almost like car insurance. Back in the 30s, 40s, and 50s, most people didn’t pay into car insurance before it became mandatory in the 50s. So I think they’re thinking about it that way, that the cost of having an incident is cheaper than what their IT people are asking them to do, which as we know, as your listeners know, really isn’t the case.

I think the second reason, there’s this interesting culture of mistrust. And I think part of this is caused by us, by the cybersecurity vendors. When an IT firm tries to sell something like an EDR solution or an MDR solution, all the business owner hears is the vendor trying to make more money off of them. And it’s unfortunate because in the small to midsize business space, the discussions aren’t really risk based. They tend to be more around, oh, you need this tool for this thing. And you miss a lot of that more mature conversation that happens at larger enterprises. And to that point, I think the third reason is that there’s not enough of that tension or dissonance in small businesses.

I’m sure many of your listeners work in large enterprise and they find it tiring and stressful to always be in these battles between IT and security and privacy and legal. But at the end of the day, that debate leads to much better security. And without that friction, if there’s a CEO who’s the entire owner of the company and they’re only making the decision based on what’s in front of them in their pocketbook at the time, they’re not making great decisions, which is just as bad.

[Nate] And yet I can understand making those decisions, as you said, just based on your pocketbook. Most small businesses, most midsize businesses aren’t going to have the money to hire those experts to pay for those expensive security solutions like large corporations and governments can. So how can we expect a business owner to prioritize what is fundamentally a theoretical problem, cyber attacks, when they have plenty of real and present threats to their bottom lines?

[Josh] Yeah, that’s a great question. And I think that’s the million dollar question that a lot of cybersecurity practitioners wrestle with when working with small and midsize businesses. And I think that the standard answer is probably, oh, we need more education and we need to teach them more about the risks. We need to do more risk assessments. We need to do quantitative risk assessments as opposed to qualitative risk assessments, all of which is fantastic. But I think even with all that, security is largely going to stay in the domain of worriers and companies who have experienced recent breaches, at least for the near future.

What I’m hoping will happen over time is that we’re going to see more of these kind of outside bodies, whether it’s regulatory bodies or insurance companies, who make this more and more of a priority. I’ve been super excited to see what’s coming out of the cyber breach insurance industry, in that insurance companies’ losses are going up so, so quickly because they’re insuring companies that don’t even have basic cybersecurity measures in place. So they’re now coming out and saying, hey, fill out this form. You don’t want to buy a centrally managed antivirus? Then that’s fine. You’re not getting a policy. You know, best of luck to you.

So I’m hoping that we see a lot more of that over the years and that the insurance companies and the regulations are going to consistently raise the bar of what these companies need to do.

[Nate] Isn’t the kind of company that would be shopping for cyber insurance the kind of company that would have the basics like antivirus already covered?

[Josh] You’d hope so, but I haven’t found that to be the case. I think a lot of people do the math where they say, okay, is the amount that I’m going to spend on even something ridiculously inexpensive like antivirus going to offset the insurance payment delta? The answer is usually probably not. People are almost thinking of it more like homeowner’s insurance where, yeah, you know you should get a burglar alarm or a monitored smoke alarm, but the cost delta is not enough to justify the cost of the improvement, so they’ll just accept the risk.

[Nate] So if small and mid-sized businesses are sort of starting out without much in the way of security, is that a function of not being subject to the kind of regulations that we all know large organizations are? Are the regulations not the same for everyone?

[Josh] Yeah, absolutely, and that’s a lot of the challenge, right? Any healthcare company is subject to HIPAA, whether it’s a hospital network or whether it’s a three-person doctor’s practice down the road. Same is true for wealth management firms. We work with a lot of wealth management firms. Once they reach a certain level of assets under management, they’re all under the umbrella of the SEC cybersecurity standards, again, whether they’re a multinational wealth management firm or whether they are a five-person firm in your town.

Now to be fair, if these companies were audited, they probably wouldn’t be assigned a particularly sophisticated auditor, but the regulations that they need to follow, the things that they need to do, are exactly the same. And I don’t know if your listeners follow this at all, but I and a number of other cybersecurity practitioners were really excited, believe it or not, when the Department of Defense announced the CMMC, the Cybersecurity Maturity Model Certification process. That was meant to be a standard that was going to apply to tens of thousands of companies that sell to the Department of Defense, and I can tell you firsthand that it’s sorely needed, right? There are so many companies in this country that build things that directly affect the lives of our soldiers, and their security is not much better than you’d find at your grandmother’s house.

[Nate] Wait, wait, wait. Josh, you can’t move on from that point without explaining it. How is that even possible?

[Josh] When I think about the defense-industrial base, it’s tens of thousands of companies that are selling really important things to the Department of Defense. They’re making things that directly affect the lives of soldiers. Oftentimes when we first engage with these companies, as I was talking about before, they only have very rudimentary security in place. It’s kind of antivirus, firewall, not particularly tightly controlled, and that’s about it. Personally, I find that scary because while they’re not handling classified information (that follows a whole other path of security requirements), they are handling information that, if it fell into the hands of foreign attackers, could be of value to our military adversaries.

[Nate] Okay. Your point is that CMMC would solve this?

[Josh] A regulation like that would have really forced a lot of companies to get their act together. There was even some talk in the early days that the CMMC might eventually evolve into a single standard that could apply to multiple industries, but CMMC version two came out last year and it looks like they’re backing off some of the plans to roll out such a stringent cybersecurity framework in the US.

[Nate] From what I’m gathering, are you suggesting that CMMC was originally going to be some sort of singular nationwide broad brush standard for everybody?

[Josh] Yeah. There was some talk about that early on and I don’t think it’s going to happen. I think a number of cybersecurity people would welcome a single nationwide cybersecurity regulation. I’m sure your listeners appreciate this, but there are so many super talented cybersecurity professionals who are just wasting their time on the bureaucracy of tracking how they satisfy each regulation as opposed to taking a step back and thinking about the risks.

So I think anything that our government can do to simplify that situation will let us free up people from their bureaucracy and instead focus on fighting the bad guys, in a time when we already have a shortage of cybersecurity talent. But I’m not naive enough to think that any government can just wave a wand and make cyber attacks magically disappear, and I definitely don’t want to get into the politics of government overreach, especially these days. But I do think that this is a problem that’s much bigger than one company can solve, and then, again, like I said before, whether it’s regulators or industry groups or insurance companies, these small and midsize businesses need that help and motivation to up their game.

[Nate] And I understand the problem, but cybersecurity is a complex thing, right? It doesn’t look the same for, I don’t know, a startup in Chicago and an oil refinery in rural Texas. Plus, the threat environment, as you and I and our listeners will know, is constantly evolving. So is a single national standard a realistic or productive solution to the kinds of problems we’ve been talking about?

[Josh] Yeah, I think it would, and actually you’d be surprised when you’re looking through the lens of small and midsize businesses, and this is one thing that I really enjoy about working with small and midsize businesses. I’d say 80 to 90% of the stuff they need to do, the technology that they need, is going to be the same regardless of industry, and actually some regulatory bodies are starting to wake up to this fact.

The Department of Health and Human Services released two publications. It was: here are the cybersecurity things that small and midsize businesses need to do, and here are the cybersecurity things that large healthcare organizations need to do. And if you look at the things that the small organizations need to do, it’s largely going to be the same list that I’d want to see at a wealth management firm, at a CPA firm, at any number of small and midsize businesses.

So we have this difference in the language and the regulations and the way it’s being audited, but the things that we need to do are pretty consistent, and some vendors are actually leaning into this, which is really exciting to see. They’re seeing the opportunity of these small and midsize businesses and they’re making some excellent products that are affordable to any small business. I mean, 24 by 7 managed EDR for less than $10 a seat is a hell of a deal.

[Nate] Yeah, and to that end, what are some of the other security solutions that are available to small and midsize businesses right now that could help improve the situation in the interim?

[Josh] I think by far the most important one is to really focus on companies’ cloud security. I think that’s the biggest hole that I’m seeing commonly across all of these small and midsize businesses.

You know, they’ve migrated their email, either themselves or with the help of their IT service provider, to a service like Microsoft 365 or Google Workspace, or their CRM to Salesforce, which is great because these services have way better security than these small businesses can afford on their own. But they have this assumption that because they’re working with a big name company like Microsoft or Google, their stuff is secure, and they don’t realize, and their IT services don’t realize, that there are dozens and dozens of security settings that it’s their responsibility to configure, and oftentimes they don’t configure them.

I’ll give you an example. We were working with a company a few weeks ago. They had thought they had turned on multi-factor authentication in Microsoft 365, right? Good basic cybersecurity control that we all need. But Microsoft has made the configuration so confusing that they had actually created two different rules that canceled each other out, and the client had no idea that their multi-factor authentication just wasn’t turned on because of that. They had no idea. In about five minutes of doing some simple testing, we realized what was going on. So the first thing that these businesses should really focus on is kind of getting their cloud security under control.

The second thing, again, most of these companies are working with IT service providers. These companies need to start asking their IT service providers some difficult questions, right? If you get the sense that maybe your IT service provider isn’t doing everything they should be around cybersecurity, lean into that. Start asking them for reports and proof that you have antivirus on every computer, that you’ve got the latest patches installed on every computer. There are a lot of assumptions that seem to be made between IT companies and their clients.

I think the clients just assume, because they like their IT firm, that their cybersecurity is handled. And I think if you talk to the IT firms, especially over a beer or two, they’ll tell you, hey, we’re only doing the really basic stuff. There’s all this other stuff that we could be doing. And they sort of assume that the client knows that they’re missing a lot of this stuff. So you’ve got this weird dynamic where nobody’s talking about it. And that’s really the second thing: these businesses need to grab the bull by the horns and start really asking difficult questions about security.

[Nate] Josh, is there a final word that you would like to leave with our listeners?

[Josh] I think my final point is that all of this pain is so preventable. I’m sure that every cybersecurity professional feels that way. It’s not like these small and mid-sized businesses need sophisticated threat intel or enterprise UEBA to fight these attacks. This is very much within reach if it’s a function that the small business decides to actively manage.

And I’m really hopeful that we’re going to get to the point, whether it’s the rising tide of regulation or insurance requirements or just IT companies coming up the stack with their security expertise, that’s going to make it a lot harder for attackers to go after small businesses. And I’ll leave you with this. Again, I want to reiterate this. If there are any small business owners out there listening, please take the time to have a serious conversation with your IT company this week about the security of your cloud configuration. That’s going to be your most important thing.