Season 3 / Episode 153
Attacks against small-to-medium size businesses currently represent roughly 40% to 50% of all data breaches. Josh Ablett, founder and CISO of Adelia Risk, speaks with Nate Nelson about the kind of security he usually finds in SMBs when he’s called in to make an initial security assessment (spoiler: not a pretty picture), the impact of data breaches on SMBs, and the role insurance companies play in improving the state of security in that often overlooked segment of the industry.
Hosted By
Ran Levi
Exec. Editor @ PI Media
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Special Guest
Josh Ablett
founder and CISO of Adelia Risk
Cybersecurity expert who makes small, highly regulated companies secure simply and easily.
Episode Transcript:
Transcription edited by Krishnendu Sarkar
[Ran] Hi, and welcome to Cybereason’s Malicious Life B-Sides. I’m Ran Levi.
Most stories we tell in Malicious Life involve large companies, enterprises, multinational or governmental organizations. The reason is simple. Attacks against big organizations attract media attention, and so there’s usually plenty of investigative reports, interviews and the like for us to work with. And to be honest, stories about attacks against big organizations also tend to be more interesting. There’s usually more money involved and more clients, and there’s also inherent drama in the mental image of a lone hacker or small cybergang taking on a behemoth like Microsoft or the US government.
But in focusing on the bigger companies, we miss an important part of the bigger picture. According to several state-of-the-industry reports, attacks against small to medium-sized businesses represent roughly 40 to 50% of all data breaches, and many times a cyber attack against small business can have a devastating impact on that company.
Our guest today is Josh Ablett, founder and CISO at Adelia Risk, a cybersecurity agency specializing in small but high-value businesses in highly regulated industries, such as the medical and financial sectors. Josh spoke with Nate Nelson about the kind of security he usually finds in SMBs when he’s called in to make an initial security assessment – spoiler, not a pretty picture – the impact of data breaches on SMBs, and what role insurance companies play in improving the state of security in that often overlooked segment of the industry.
Enjoy the interview.
—-
[Nate] You know, Josh, as I was preparing for this interview, there was one nagging thought in my mind the whole time, so I’m going to ask you about it right up front, which is this. If I’m an attacker and my goals are, say, financial or political emotive, I’m going after large companies, I’m going after governments. Why is it that a cyber attacker would go after a smaller mid-sized business in the first place?
[Josh] Oh, absolutely. Well, first off, small businesses are juicier, right? It’s easier to get in as the large enterprises have hardened their security and got more and more testing in place to confirm that their security is working. It’s also a numbers game, right? There’s almost 32 million small businesses just in the United States alone. So that’s a sexy target. In my experience, what I’ve seen is that it’s less about data, right? They’re not going to get the millions and millions of records like they got at Equifax. But if they’re patient and hang out on the network or in the email long enough, you know, they’re going to walk away with five, six, even seven figures of dollars drained from business accounts.
[Nate] Okay. And are these the same kinds of attacks that we hear about a lot on Malicious Life or on the news?
[Josh] Great question. I have been really surprised to learn over the past few years while I’ve been working with these small and mid-sized businesses, the attacks aren’t all that different. You know, I was expecting that maybe there’d be shorter dwell time because they would need to make their money and move on. But these hackers are just as patient with these small and mid-sized businesses as we’ve seen in the large enterprise space. For example, CPA firms and wealth management firms are just really juicy targets these days and even the clients of CPA firms and wealth management firms.
So for example, a hacker gets access to a small business’s email and they’re in there for months. They’re looking at all the emails that are coming in, just watching and waiting. Eventually, they learn the name of the small business’s CPA firm and they go out and they do a little typo squatting. You know, they register a domain that looks a lot like the CPA firm’s domain and then they just sit and wait. If a CPA firm sends something like, hey, please wire $150,000 for taxes to this account at Bank of America, then the hacker is going to jump right in with that lookalike domain and say, oh, I’m sorry. No, no, no. I forgot we’re changing banks. Please send that 150 grand to Barclays instead. And then the money is gone because a lot of businesses don’t reconcile their tax statements for months.
So we’re seeing a lot of attacks like that where they’re just sitting and waiting. And when the opportunity presents itself, it strikes. And of course, I’m skipping over some of the obvious stuff, right? Your listeners have been hearing about ransomware for years and online banking Trojans and those sorts of things. And those certainly happen to small and mid-sized businesses. And I think that one of the really challenging things for these small businesses is these attacks can have a tremendous impact on their entire business operation, right? If you’re the COO of a small company or the CEO of a small company and suddenly you have to spend 100 or 200 or even 300 hours after a breach dealing with the lawyers and dealing with the incident response team and so on and so forth, in a large enterprise, that’s not that big of a deal. But if you think about it for a small business, taking your top people and having them be that unfocused for weeks and even months, it can really set the company back.
This reminds me of an example, your CEO was having problems with their computer and they called up their IT company and said, hey, could you temporarily disable multi-factor authentication, right? I mean, this happens all the time. And if you could see me, I’m putting temporarily in winky fingers because temporary lasted way too long. And of course, a Nigerian hacker got in, used the CEO’s account to send phishing emails to all of the company’s clients. Again, that dwell time, right? They’re sitting in there being patient. But their top people, this company was just so distracted for months dealing with the lawyers, dealing with the clients. It was a big embarrassment, but it really set their overall business back in a lot of ways.
[Nate] You work with small and mid-sized businesses like this every day. Tell me what you typically see when you first start working with new clients. So how is their security set up before you get there? How are they thinking about security? How do your conversations usually go?
[Josh] It’s pretty scary. When I first go into small and mid-sized businesses, they don’t have a lot of what you and probably your listeners would recognize as even decent cybersecurity. They often have antivirus, but it’s a free version. It’s not centrally managed. Most of them have never even heard of EDR or MDR. Backups are inconsistent. Computers are never locked down. It’s kind of left to the devices of each person to figure out their own computer. So it’s incredibly laissez faire. It’s very Wild West. If we’re lucky, we find that their cloud services have multifactor authentication, but that’s kind of all they’ve set up. So it’s very much, you know, everyone’s left to their own devices. And if anything, COVID has kind of made this worse, right? Because a lot more people are using personal devices from home, which I know is something that small and large businesses are wrestling with, but it’s definitely presenting a special challenge in the SMB market.
[Nate] And I imagine much of the issue is just that smaller mid-sized businesses are spending less on cybersecurity, right?
[Josh] That’s a great point. And I think the more interesting question for me is why aren’t they, right? Because they’re spending money on other things. So why not IT and cybersecurity?
[Nate] Right. So then why aren’t they?
[Josh] The way I think about it is really three reasons. One, no one’s telling them they have to, right? I was mentioning financial services before. That’s my background. If you work in a bank, nothing frees up cybersecurity budget like the FDIC said so or the OCC said so. For most of these small businesses, it’s almost like car insurance. Back in the 30s, 40s, and 50s, most people didn’t pay into car insurance before it became mandatory in the 50s. So I think they’re thinking about it that way that the cost of having an incident is cheaper than what their IT people are asking them to do, which as we know, as your listeners know, really isn’t the case.
I think the second reason, there’s this interesting culture of mistrust. And I think part of this is caused by us, by the cybersecurity vendors.
When an IT firm tries to sell something like an EDR solution or an MDR solution, all the business owner hears is the vendor trying to make more money off of them. And it’s unfortunate because in the small to midsize business space, the discussions aren’t really risk based.
They more tend to be around, oh, you need this tool for this thing. And you miss a lot of that more mature conversation that happens at larger enterprises. And to that point, I think the third reason is that there’s not enough of that tension or dissonance in small businesses.
I’m sure many of your listeners work in large enterprise and they find it tiring and stressful to always be in these battles between IT and security and privacy and legal. But at the end of the day, that debate leads to much better security. And without that friction, if there’s a CEO who’s the entire owner of the company and they’re only making the decision based on what’s in front of them in their pocketbook at the time, they’re not making great decisions, which is just as bad.
[Nate] And yet I can understand making those decisions, as you said, just based on your pocketbook. Most small businesses, most midsize businesses aren’t going to have the money to hire those experts to pay for those expensive security solutions like large corporations and governments can. So how can we expect a business owner to prioritize what is fundamentally a theoretical problem, cyber attacks, when they have plenty of real and present threats to their bottom lines?
[Josh] Yeah, that’s a great question. And I think that’s the million dollar question that a lot of cybersecurity practitioners wrestle with when working with small and midsize businesses. And I think that the standard answer is probably, oh, we need more education and we need to teach them more about the risks. We need to do more risk assessments. We need to do quantitative risk assessments as opposed to qualitative risk assessments, all of which is fantastic. But I think even with all that, security is largely going to stay in the domain of worriers and companies who have experienced recent breaches, at least for the near future.
What I’m hoping will happen over time is that we’re going to see more of these kind of outside bodies, whether it’s regulatory bodies or insurance companies who make this more and more of a priority. I’ve been super excited to see what’s coming out of the cyber breach insurance industry in that insurance companies, their losses are going up so, so quickly because they’re insuring companies that don’t even have basic cybersecurity measures in place. So they’re now coming out and saying, hey, fill out this form. You don’t want to buy a centrally managed antivirus, then that’s fine. You’re not getting a policy. You know, best of luck to you.
So I’m hoping that we see a lot more of that over the years and that the insurance companies and the regulations are going to consistently raise the bar of what these companies need to do.
[Nate] Isn’t the kind of company that would be shopping for cyber insurance the kind of company that would have the basics like antivirus already covered?
[Josh] You’d hope so, but I haven’t found that to be the case. I think a lot of people do the math where they say, okay, is the amount that I’m going to spend on even something ridiculously inexpensive like antivirus going to offset the insurance payment delta? The answer is usually probably not. People are almost thinking of it more like a homeowner’s insurance where, yeah, you know you should get a burglar alarm or a monitored smoke alarm, but the cost delta is not enough to justify the cost of the improvement, so they’ll just accept the risk.
[Nate] So if small and mid-sized businesses are sort of starting by without much in the way of security, is that a function of not being subject to the kind of regulations that we all know that large organizations are? Are the regulations not the same for everyone?
[Josh] Yeah, absolutely, and that’s a lot of the challenge, right? Any healthcare company is subject to HIPAA, whether it’s a hospital network or whether it’s a three-person doctor’s practice down the road. Same is true for wealth management firms. We work with a lot of wealth management firms. Once they reach a certain level of assets under management, they’re all under the umbrella of the SEC cybersecurity standards, again, whether they’re a multinational wealth management firm or whether they are a five-person firm in your town.
Now to be fair, if these companies were audited, they probably wouldn’t be assigned a particularly sophisticated auditor, but the regulations that they need to follow, the things that they need to do are exactly the same, and I don’t know if your listeners follow this at all, but I and a number of other cybersecurity practitioners were really excited, believe it or not, when the Department of Defense announced the CMMC, the Cybersecurity Maturity Model Certification Process. That was meant to be a standard that was going to apply to tens of thousands of companies that sell to the Department of Defense, and I can tell you firsthand that it’s sorely needed, right? There are so many companies in this country that build things that directly affect the lives of our soldiers, and their security is not much better than you’d find it at your grandmother’s house.
[Nate] Wait, wait, wait. Josh, you can’t move on from that point without explaining it. How is that even possible?
[Josh] When I think about the defense-industrial base, it’s tens of thousands of companies that are selling really important things to the Department of Defense. They’re making things that directly affect the lives of soldiers. Oftentimes when we first engage with these companies, as I was talking about before, they only have very remedial security in place. It’s kind of antivirus firewall, not particularly tightly controlled, and that’s about it. Personally, I find that scary because while they’re not handling classified information, that follows a whole other path of security requirements, they are handling information that if it fell into the hands of foreign attackers, could be of value to our military adversaries.
[Nate] Okay. Your point is that CMMC would solve this?
[Josh] A regulation like that would have really forced a lot of companies to get their act together. There was even some talk in the early days that the CMMC might eventually evolve into a single standard that could apply to multiple industries, but CMMC version two came out last year and it looks like they’re backing off some of the plans to roll out such a stringent cybersecurity framework in the US.
[Nate] From what I’m gathering, are you suggesting that CMMC was originally going to be some sort of singular nationwide broad brush standard for everybody?
[Josh] Yeah. There was some talk about that early on and I don’t think it’s going to happen. I think a number of cybersecurity people would welcome a single nationwide cybersecurity regulation. I’m sure your listeners appreciate this, but there are so many super talented cybersecurity professionals who are just wasting their time on the bureaucracy of tracking how they satisfy each regulation as opposed to taking a step back and thinking about the risks.
So I think anything that our government can do to simplify that situation will let us free up people from their bureaucracy and instead focus on fighting the bad guys in a time when we already have a shortage of cybersecurity talent, but I’m not naive enough to think that any government can just wave a wand and make cyber attacks magically disappear and I definitely don’t want to get into the politics of government overreach, especially these days, but I do think that this is a problem that’s much bigger than one company can solve and then whether it’s, again, like I said before, whether it’s regulators or industry groups or insurance companies, these small and midsize businesses need that help and motivation to up their game.
[Nate] And I understand the problem, but cybersecurity is a complex thing, right? It doesn’t look the same for, I don’t know, a startup in Chicago and an oil refinery in rural Texas, plus the threat environment as you and I and our listeners will know is constantly evolving, so is a single national standard a realistic or productive solution to the kinds of problems we’ve been talking about?
[Josh] Yeah, I think it would and actually you’d be surprised when you’re looking through the lens of small and midsize businesses and this is one thing that I really enjoy about working with small and midsize businesses. I’d say 80 to 90% of the stuff they need to do, the technology that they need is going to be the same regardless of industry and actually some regulatory bodies are starting to wake up to this fact.
The Department of Health and Human Services released two publications. It was, here are the cybersecurity things that small and midsize businesses do and here are the cybersecurity things that large healthcare organizations need to do and if you look at the things that the small organizations need to do, it’s largely going to be the same list that I’d want to see at a wealth management firm, at a CPA firm, at any number of small and midsize businesses.
So we have this difference in the language and the regulations and the way it’s being audited but the things that we need to do are pretty consistent and some vendors are actually leaning into this which is really exciting to see. They’re seeing the opportunity of these small and midsize businesses and they’re making some excellent products that are affordable to any small business. I mean 24 by 7 managed EDR for less than $10 a seat is a hell of a deal.
[Nate] Yeah, and to that end, what are some of the other security solutions that are available to small and midsize businesses right now that could help improve the situation in the interim?
[Josh] I think by far the most important one is to really focus on companies cloud security. I think that’s the biggest hole that I’m seeing commonly across all of these small and midsize businesses.
You know, they’ve migrated their email either themselves or with the help of their IT service provider to a service like Microsoft 365 or Google Workspace or their CRM to Salesforce which is great because these services have way better security than these small businesses can afford on their own but they have this assumption that because they’re working with a big name company like Microsoft or Google that their stuff is secure and they don’t realize and their IT services don’t realize that there are dozens and dozens of security settings that it’s their responsibility to configure and oftentimes they don’t configure it.
I’ll give you an example. We were working with a company a few weeks ago. They had thought they had turned on multi-factor authentication in Microsoft 365, right? Good basic cybersecurity control that we all need but Microsoft has made the configuration so confusing that they had actually created two different rules that canceled each other out and the client had no idea that their multi-factor authentication just wasn’t turned on because of that. They had no idea. In about five minutes of doing some simple testing, we realized what was going on. So the first thing that these businesses should really focus on is kind of getting their cloud security under control.
The second thing, again, most of these companies are working with IT service providers. These companies need to start asking their IT service providers some difficult questions, right? If you get the sense that maybe your IT service provider isn’t doing everything they should be around cybersecurity, lean into that. Start asking them for reports and proof that you have antivirus on every computer, that you’ve got the latest patches installed on every computer. There’s a lot of assumptions that seem to be made between IT companies and their clients.
I think the clients just assume because they like their IT firm that their cybersecurity is handled. And I think if you talk to the IT firms, especially over a beer or two, they’ll tell you, hey, we’re only doing the really basic stuff. There’s all this other stuff that we could be doing.
And they sort of assume that the client knows that they’re missing a lot of this stuff. So you’ve got this weird dynamic where nobody’s talking about it. And that’s really the second thing that these businesses need to grab the bull by the horns and start really asking difficult questions about security.
[Nate] Josh, is there a final word that you would like to leave with our listeners?
[Josh] I think my final point is that all of this pain is so preventable. I’m sure that every cybersecurity professional feels that way. It’s not like these small and mid-sized businesses need sophisticated threat intel or enterprise UEBA to fight these attacks. This is very much within reach if it’s a function that the small business decides to actively manage.
And I’m really hopeful that we’re going to get to the point, whether it’s the rising tide of regulation or insurance requirements or just IT companies coming up the stack with their security expertise that’s going to make it a lot harder for attackers to go after small businesses.
And I’ll leave you with this. Again, I want to reiterate this. If there are any small business owners out there listening, please take the time to have a serious conversation with your IT company this week about the security of your cloud configuration. That’s going to be your most important thing.
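The wire-fraud scenario Josh describes above (an attacker who registers a domain that looks like the CPA firm’s, then jumps into a payment thread with “we’re changing banks”) is one of the few attacks on this page that a small business can screen for with a simple check of its own. The following is an added example, not code from the podcast, from Adelia Risk or from any product mentioned; it is not part of the original page. It assumes the business keeps a short allow-list of partner domains it actually corresponds with (the `example-cpa.com` and `example-wealth.com` names, the confusable-character table and the sample headers are all constructed for illustration), and it flags inbound `From`/`Reply-To` domains that are near-misses of those partners: homoglyph or digit-for-letter swaps, same name under a different TLD, small edit distance, or the partner’s name embedded in a longer domain. A `Reply-To` that points somewhere other than the `From` domain is reported on its own, since that is how the lookalike usually hijacks the thread.

```python
"""Flag lookalike sender domains against a partner allow-list.

Added illustration for the Malicious Life B-Sides interview; not code from
the podcast, Adelia Risk, or any vendor. Standard library only.
"""
import unicodedata
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed allow-list: the domains this business really exchanges mail with.
PARTNER_DOMAINS = {"example-cpa.com", "example-wealth.com"}

# Constructed, deliberately short table of common typosquat substitutions.
# Ordered so multi-character confusables ("rn" -> "m") are applied first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lower-case, strip accents, and fold confusable sequences to their ASCII look-alike."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for bad, good in CONFUSABLES:
        folded = folded.replace(bad, good)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> tuple[str, str]:
    """Split 'mail.example-cpa.com' into ('example-cpa', 'com').

    Simplification (assumption): single-label TLDs only; a real deployment
    would consult the public suffix list for names like '.co.uk'.
    """
    labels = domain.split(".")
    return (labels[-2] if len(labels) >= 2 else labels[0], labels[-1])


@dataclass
class Finding:
    header: str        # which header the domain came from
    sender_domain: str
    partner: str       # the allow-listed domain it resembles (or the From domain)
    reason: str


def check_domain(domain: str) -> list[tuple[str, str]]:
    """Return (partner, reason) pairs for one sender domain; empty if it is allow-listed or unrelated."""
    findings: list[tuple[str, str]] = []
    if domain in PARTNER_DOMAINS:
        return findings
    name, tld = registrable(domain)
    for partner in sorted(PARTNER_DOMAINS):
        pname, ptld = registrable(partner)
        if normalize(domain) == normalize(partner):
            findings.append((partner, "homoglyph/confusable match"))
        elif name == pname and tld != ptld:
            findings.append((partner, f"same name, different TLD (.{tld} vs .{ptld})"))
        elif levenshtein(normalize(name), normalize(pname)) <= 2:
            findings.append((partner, "edit distance <= 2 from partner name"))
        elif pname in name:
            findings.append((partner, "partner name embedded in longer domain"))
    return findings


def _domain_of(header_value: str) -> str:
    """Extract the bare domain from a header like 'Jane <jane@example-cpa.com>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def check_message(headers: dict[str, str]) -> list[Finding]:
    """Inspect From and Reply-To of one message and return every finding."""
    out: list[Finding] = []
    from_domain = _domain_of(headers.get("From", ""))
    reply_domain = _domain_of(headers.get("Reply-To", ""))
    for hdr, dom in (("From", from_domain), ("Reply-To", reply_domain)):
        for partner, reason in (check_domain(dom) if dom else []):
            out.append(Finding(hdr, dom, partner, reason))
    # Even with a clean From, a Reply-To on another domain redirects the thread.
    if from_domain and reply_domain and reply_domain != from_domain:
        out.append(Finding("Reply-To", reply_domain, from_domain,
                           "Reply-To domain differs from From domain"))
    return out


# Constructed sample headers exercising each rule.
SAMPLE_MESSAGES = [
    {"From": "Jane <jane@example-cpa.com>"},                                   # legitimate
    {"From": "accounts@examp1e-cpa.com"},                                      # digit-for-letter
    {"From": "jane@example-cpa.co"},                                           # TLD swap
    {"From": "jane@examplecpa.com"},                                           # dropped hyphen
    {"From": "billing@example-cpa-secure.com"},                                # embedded name
    {"From": "Jane <jane@example-cpa.com>", "Reply-To": "jane@examp1e-cpa.com"},  # hijacked reply
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for f in check_message(msg):
            print(f"{f.header}: {f.sender_domain} ~ {f.partner}: {f.reason}")
```

Run it as-is to see one line per finding for the constructed messages; the legitimate first message produces nothing. This is a screen, not a control: it complements SPF/DKIM/DMARC rather than replacing them, it will not catch a partner whose real mailbox has been taken over, and the operational fix Josh implies still applies, namely confirming any change of bank details by phone on a number you already had before the email arrived.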