Podcast: Play in new window | Download (Duration: 52:30 — 48.9MB)
Subscribe: Apple Podcasts | RSS | More
(If you’re reading this in a podcast directory/app, please visit https://webandbeyondcast.com/ for clickable links and the full show notes and transcript of this cast.)
If you’d like to discuss this episode, please click here to leave a comment down below (this jumps you to the bottom of the post), or feel free to contact me here about any other questions or comments.
In this Cast
Ray Sidney-Smith, Host
Vince Crisler, CEO of Dark Cubed, a cybersecurity expert with more than 20 years of Information Technology and Cybersecurity leadership in government and private sector roles.
Show Notes
Resources we mention, including links to them will be provided here. Please listen to the episode for context.
- Cybersecurity for Small Business – Resources Library ( https://w3cinc.com/resources/cybersecurity-for-small-business-resources-library/ )
- TwoFactorAuth.org ( https://twofactorauth.org/ )
- DarkCubed ( https://darkcubed.com )
Raw Text Transcript
Raw, unedited and machine-produced text transcript so there may be errors, but you can search for specific points in the episode to jump to, or to reference back to at a later date and time, by keywords or key phrases.
Read MoreRaymond Sidney-Smith 0:06
Welcome, everybody to web and beyond live for this October 26 2020. I’m Marie Sidney-Smith, President of W three consulting and managing director of WCC web services, which provides affordable web hosting and managed WordPress hosting and domain registration services and all that fun stuff for small business. And so I’m so excited to have you all here for this edition. As you all know, it is National Cybersecurity Awareness Month. And these past few weeks, I have been going through and talking to folks and explaining things all around cybersecurity, so that you can all stay more cyber resilient. And today, I am just really excited. We’re gonna we’re gonna cover all kinds of fun things about how to really use cybersecurity as a function for being more cyber resilient, but really using it as a business competitive advantage. Many of us don’t think about cybersecurity from that perspective. It’s all fear based, response based, reactionary stuff. And what I really want to do today is really talk about this from a more proactive perspective, and really thinking about this as a pro, as opposed to how to mitigate risk and reaction. And to do that today, I have with me, Vince Crisler, he is the CEO of dark cubed. It is a SaaS tool, and he’s going to explain it more, I cannot possibly do it justice. But Vince himself is a cybersecurity expert with more than 20 years of information technology and cybersecurity leadership in government and private sector roles. And so with that, I’m going to bring Vince on ivens How’s it going?
Vince Crisler 1:41
Great. Ray, how are you?
Raymond Sidney-Smith 1:42
Good, good. So I cannot possibly do your CV justice. Can you tell us a little bit about yourself and, and and what brought you to this point of being the proprietor but also the the brain genius behind dark cubed? Well, thank you for that. You know, I like this, this focus of this overlap of small business and cybersecurity, and I’ve always been very entrepreneurial, started my first company in high school doing some web design. And I remember getting hired to do this web design for this company in New Jersey. And so as a high schooler driving to New Jersey to talk with a customer is pretty cool.
Vince Crisler 2:21
I got into kind of security in it pretty early. A woman in my town, who was also very entrepreneurial, decided to start the first internet service provider in southeastern Ohio. And she hired me as her system, admin, tech support, web design everything else. And so I’ve been hooked ever since. I’ve been very fortunate my career to have some really cool opportunities. The first part of my career was active duty Air Force, I was a communications officer got to go to Germany for three years work on some pretty cool missions there. Following Germany, I was sent to the Pentagon where I got to work in the National Military Command Center in the White House, National Military Command Center and Pentagon. Following the Pentagon, I went to the White House communications agency where I got to travel as a presidential communications officer on the road with the President. And then from there, I was loaned as an active duty officer to the White House to be the chief information security officer for the unclassified networks, which was a great eye opening experience a chance to secure one of the most heavily targeted networks in the world, in lock things down and protect things. Following the White House time, I had an opportunity to go over to the Department of Homeland Security and work on some of their National Cybersecurity missions. How do you protect the federal government and critical infrastructure from nation state threats, it was just just a really cool mission, amazing people there. And it was actually during that experience that I kind of started to come up with the foundational ideas for dark cube that kind of had these themes of cybersecurity is too expensive, too complex, there’s got to be a better way. Most small businesses are left out, you know, if you look at, it’s a very crowded, noisy cybersecurity market, a lot of marketing a lot of advertising. But I like to say 99% of the companies out there can’t afford cybersecurity the way it’s being delivered today. I kinda had a passion to change that. And so I started my own company focused on small and mid sized companies, and how do you rethink the way you deliver cybersecurity? How do you make it accessible to small and mid sized companies? And you know, one of the things that I really enjoy is talking to folks education, talking, you know, how do you take this complex topic that everybody likes to fearmonger around and make it accessible to small business owners?
Raymond Sidney-Smith 4:26
Fantastic. Thank you. And this is, as you were all noting why I have Vince here today, I think this is just such a prescient and important aspect of all of our world. And so what I’ve done is I’ve broken this down for you all, and we’re getting lots of chats in the messages with people with wild faces for you.
So thank you to everybody who’s engaging and if you have questions, feel free to throw them into the you know, we have multiple tools where people are watching so those who are watching from the webinar chat, you have your q&a panel, you can feel free to throw questions in there. For Vince as we make our way through our time together, but just to start out here, I thought we would kind of bucket this into three different areas where competitive advantage can be utilized. First up is productivity. And in that space where business productivity can be conditioned, and then we can talk about public relations and marketing. And then we can close out with kind of employee issues, which which can be attraction, retention and engagement. And so just like starting right off at the bat, let’s talk about profitability, and how productivity can be garnered from that. And so I wanted to start off with the kind of the toughest question up front, which is, what do you say, to the SMB owner to the small business owner who says, You know what, I can save money by not investing in cybersecurity? We’re, we’re not we’re not really at risk. And what do we do to for those folks? What what’s the best argument for the pro side? Not the, yeah, you’re at risk, you’re going to be attacked, you’re already being attacked all of those things? what’s the what’s the, what’s the argument for cybersecurity in the positive sense? Well, there are a couple of answers. One is you may be absolutely right, there may be no reason you need to invest in cybersecurity at all. But as a business owner, you know, you may not be an expert in technology, you may not be an expert in cybersecurity, and when you hear cybersecurity, you know, people on the news and other places say there’s only two types of businesses, those have been hacked, and those that don’t know they have, right, that’s all fear mongering, and you know, what business owners are really good at intuitively, whether you realize it or not, is risk management. So when you think about operating your business, you know, you have customers, you have products and services that you have to deliver, and you manage risks all day, every day, you know, in terms of supply chain in terms of how you’re advertising, how you’re marketing, how you’re budgeting, how you’re planning. And so pitching cybersecurity as a risk management discussion, lets you make an informed decision. So, you know, do you have financial records? Do you process payments? Do you have healthcare records? Do you have sensitive information, you know, personally identifiable information, which is a lot of times name, social security number, date of birth? Do you interact with these sorts of data as a part of your day to day job? And if the answer is yes, then you have compliance risk rate, if that data gets out, it could cost you money, it could cost you legal issues. And so you need to think about ways to manage that risk. Do you have intellectual property? Do you have something that makes your business special, that if that information got released publicly, it would impact your business? And if so, you need to think about ways to protect that. And you know, there are lots of ways in there are cyber things that can get that information out. And so, rather than trying to sell on fear mongering, I like to kind of have that discussion with small business owners around, you know, what matters to your business. And if you if you’re touching, nothing, nothing sensitive. If there’s no no compliance information at all, and you run all of your stuff off of one account, and you have to factor setup, then maybe you don’t need to spend on security. But maybe you do. Yeah. And I always I always put it from the perspective that, you know, I’m I’m teaching digital marketing and productivity so often. And what I try to explain to people is that business, data driven business decisions are always going to be more powerful than ones done in the darkness. You know, people always ask me, what, who’s my target audience? I don’t know who my target audience is. And I always say, Well, what does the data say? Are you collecting the right data to be able to get the right answers? And cybersecurity good cybersecurity practices gives you more data, it gives you more ability to make those kinds of competitive analyses. And so why wouldn’t you? Why wouldn’t you make those right? Best calls for the business from a data driven perspective? And so I love that this leads us right into kind of my next question here, which is that I was recently reading somewhere I forget online about how insurance companies are doing showdown scans. And for everyone’s edification, if you don’t know what showdown is, if you go to showdown.io. It’s a tool that will allow you to basically look for various types of services and ports on systems, basically, you can look at the open web and see what is available in that space. And it can be very eye opening, go to monitor.showdown.io. And you can actually see various parts of your own network that can be that is publicly available and potentially susceptible online to risk. But anyway, these insurance companies are doing showdown scans, before issuing insurance policies, and and so like before issuing insurance quotes and policies, and I’m curious how business owners kind of take advantage of this. You know, what, what’s kind of the advantage to them in that in that side?
Vince Crisler 9:39
Yeah, this is a good complicated question. You know, insurance. You know, this from other parts of your business is about transferring risk to a third party. So there’s DNO insurance, there’s car insurance, there’s health insurance, and there’s cyber insurance. And so you know, if you’re one of those companies that’s impacted by compliance, compliance issues, if you have data that could cause significant financial harm to your company, if that data were breached, then you need to be asking questions about, you know, can you transfer that risk to insurance company? And what the insurance company then is going to say is, you know, what sort of risk Do you present as a company? And they’re going to look at things like, what is your revenue? How many records do you have? Do you have 1000 Records, medical records? Or do you have a million medical records? Do you have PCI data, payment card information data. And so as a part of that risk discussion with your insurance company, a lot of times what they’re trying to do to accelerate the, the writing process of getting you a policy is they’re gonna say, what what external risk factors exist about your business. And that’s where showed in comes into play, if your infrastructure is heavily exposed, and you’re not locked down, then they’re going to be able to see it. And they’re using, they’re actually using tools like bitsight, and Cisco security scorecard, which wrap this stuff up in even at a higher level. And so as a company, if you’re thinking of pursuing cyber insurance, you need to understand how they’re going to price those policies. So if you are, if you create a bigger risk, it’s going to cost you more so so you can take advantage of this process by understanding what they’re looking at. So do do a scan on your your company and see what shows up. Things like your email infrastructure, these are really important. There are some these terms get pretty technical. And if you have an IT department, have them help you. If you have a managed service provider, they should already answer this for you. But things like SPF records and DKM, how do you authenticate your mail server that the mail is coming from you? Those are things that insurance companies will look like look at and could change your the price of your premium. And they’re easy things to fix. And so you know, thinking about what are those? What are the ways you’re exposed externally on the internet? And how do you reduce that exposure? Yeah, and like you just noted SPF and demark, and DKM, all of those email policies that you set up are also good for email deliverability. So you know, the better you set yourself up, the better, you can get your marketing messages out to people both. Remember that when you set up your email tools, you need to make sure that emails and deliverable between one to one communications, but also in your email marketing service provider tools, so that they also have those right policies set up. And those are things that are exposed as you’re going through these insurance quotes and insurance, policy provisioning. So I think that’s really, really exciting. Now, I think, because it actually helps to go ahead and have the insurance companies know as much as they do. I mean, there’s, there’s always a sense of culpability there, right. Because, you know, the more insurance companies know, the more they can deny you, or terminate a policy or deny a claim, having been both an insurance producer in the past, I’ve been licensed as an insurance producer, in a very narrow field of real estate, title insurance. But having been an insurance producer before, as well as having worked to, in a litigation sense, against large insurance companies. I’ve been on both sides of this, you know, knowing what it’s like to be able to do it. But what I’ve always understood is that the more you know, as you said, Vince, about insurance and the process, the better your business is going to be. Because you’re going to know the the both the risk, but also the possibilities to work through the system to get better at the end at the end of the day. And I’m just not talking about insurance issues, but also in the compliance space. I wanted to talk a little bit about, you know, there’s, there are new laws coming up on the books all the time. You know, we’ve seen several, just in the last two years crop up in the United States, but we’re seeing more and more compliance issues. We have data breach notification laws, we have data privacy and rights laws that are not yet codified on on the federal level, but certainly state by state now, with California being kind of the strongest one, recently releasing these these kinds of data protection pieces, and then we have data protection laws just generally that are that are on the books. What What do you feel like is kind of the the area where businesses can grow best in these processes? From a from a real productivity perspective? What What can they do? I know, I have my own thoughts, but I’m curious what yours are?
Well, there are a couple of pieces to this discussion. One is as a security practitioner, I think it’s clear to articulate that compliance and security are not equal. Because you’re compliant does not mean you’re secure, because you’re secure does not mean you’re compliant. And so as a business owner, you need to treat these as separate but related buckets of activity. With respect to compliance, you know, you mentioned there, there is no national standard on data privacy, data breach notification, in compliance. And so, you know, if you’re a small business that works on one state, you should understand the laws and requirements of your state and how your attorney general thinks about these problems. And there are a lot of great resources on the internet, kind of around data compliance and data breach privacy laws. If you operate in multiple states, it becomes very difficult because you have to you have to understand the nuances of those laws in every state and you know, we work with health care coverage. needs that operate in 30 or 40 different states and, you know, to think about managing 30 or 40 different sets of rules. And you know what one Wednesday may consider a breach and other might not what the reporting process could be different in one state to another. And so there’s a work in there and in the first piece of that discussion is to understand what part of your business touch from a couple touches compliance, right. And again, if your healthcare, it’s pretty easy. If your financial services, it’s pretty easy. If you do your own internal health care, like your own internal management for your employees, you may have a lot of data, that PII data on your systems that could be affected by compliance. And, you know, we’ve seen plenty of great examples where an HR person will have all the records for the company on a laptop, that laptop gets gets stolen. Well, you have to report that to the state because that’s, that’s a loss. And so how do you manage that risk? Things like encryption certainly help. Yeah. And I guess the other thing is looking at kind of where we’re headed. And you look at what’s happening in Europe, with GD GDP are the general data protection regulation. And, you know, that’s a model of how to start to think about requiring data protection is this model that this sensitive data to belongs to you as an individual, and companies have access to it, but they have to manage that appropriately. And so as we see, as that gets pushed to United States, you know, you mentioned California with their consumer Privacy Act, the California consumer Privacy Act, ccpa. That’s kind of the most forward leaning, and I expect more states to start following suit. I mean, there are certainly a lot of industry groups that are trying to push for this idea of a national law that codifies and unifies all of these approaches to make it easier on small and medium businesses. Yeah, we have the Uniform Commercial Code, we have the uniform trust code, you know, we have all of these various uniform codes, and they’re always, you know, mildly changed here or there between states. And I think it’s, it’s about time that businesses have, really, it’s less regulatory hurdle, when you can have a centralized, you know, code to work from. And so if any of you are watching, go out there and lobby your representatives to support. There are several bills in Congress right now that are focused on this and support a bill. You know, it doesn’t matter what the law says, as long as it is one that you have to comply by, as opposed to many, many, and I’m being somewhat facetious there, I will note for So folks, if you, if you’re looking, I did create a cybersecurity resources library, if you go to W three c Inc, W the number three c i NC comm over resources drop down, you’ll see a cybersecurity small business resources library, and there on the site, you can sign up and access it, it has access to all of the current data breach notification laws, I kind of you know, tried to put them all together in one space for you all. So you can go ahead and check that out. And, and so, moving right along, then you started to touch on this and kind of and I know that breaking this into three different sections is really tough because they kind of meld into one another. But I wanted to make our way into public relations and marketing. And that’s the space I spend in the most. So I’ll try to keep my comments limited. So they but But the idea here is that we have the immense opportunity, I think, in the cybersecurity space. And you know, I’m not a cybersecurity practitioner, you know, I’m on the outside. I’m a super geek. So I just love knowing all these things about cybersecurity. But it makes so much sense because people are doing marketing, they say oh my gosh, my Twitter account has been hacked into I get all of those questions. You know, my website’s been hacked into and being in the web hosting space, we get a lot of discussion about that. I’m curious, how can small businesses use cybersecurity practices, good cyber hygiene, to increase their audience? How can they use it from a marketing perspective?
So So branding and marketing is all about establishing you and your company in the marketplace? Right? So what do you stand for? How do customers think about you? And you know, if you’re a dry cleaner, or an accounting firm, you know, there are certain messages you want to include in that marketing in terms of how you think about protecting, protecting your customers.
You know, you mentioned some of a lot of these tools and getting hacked, we worked I worked a hack where you know, this this group got their Facebook account hacked, it got taken over by some some actors and started to put horrible messaging up on their site. pictures that they couldn’t take down it was it was just disgusting. And it all came because they didn’t have two factor authentication in place. And so you know, I’m going to take a moment here to kind of push like my number one rule in cybersecurity. It’s it’s not foolproof, but you know, if you’re doing you know, whether it’s your email, your digital marketing or any of these platforms turn on two factor authentication. Because getting having somebody steal your password is a pretty easy task from an attacker perspective. And so get two factor authentication turned on. Make sure that on platforms like like Facebook, you have delegate setup that can If something happens, they can actually get in and lock that account down for you. It is really difficult once the breach or the compromise happens on a platform like Facebook or Twitter to get it back, it takes a while. And there’s there’s not a streamlined, easy process.
So going back to your original question around kind of increasing your audience using cybersecurity, I think a lot of it depends on you know, what type of business you are, you know, if you’re an accounting firm, you have access to a lot of small businesses that are that are facing threats, things like business email compromise, we see it in the news all the time where, you know, the the person in, in finance and accounting gets an email from their CEO that says, hey, I need you to transfer, you know, $100,000 to this account, and they do it and that money’s gone, and small businesses impacted significantly, and may even go out of business. And so, you know, if you have customers that are in the small business world, taking a moment out to educate, and train them and get them resources just builds a better relationship between you and your customers. It also shows kind of that you’re being responsible, and there are so many resources out there from a training and education perspective that delivering this to your customers is pretty easy these days. So think about ways to kind of establish your brand and reputation there. So that’s kind of my, my key focus. Absolutely. I mean, all of you watching or listening, don’t you like me more, because I’m helping you be more cybersecurity? No, but it’s, but it’s a reality factor, right. And in this age of COVID-19, and the pandemic, you know, safety and affordability are the two primary marketing messages that really work well, for good reason and and, and, and good, both ethical and probably moral reasons. But what we see here is that if we can push a message, message of safety across the board, and say, we’re not just being safe, because of this public health crisis, we’re being saved across the board, physical security, digital security, as well as your health and safety, as well as the health and safety of our employees. When we get to talking about that, you know, all of these pieces blend into both the brand messaging the ongoing messages of the company, and work gets out. I mean, you know, word is, you know, spreads really quickly among people, when you’re doing the right things. And when you’re doing the wrong things. And just staying on the side of the right things, I think it’s just so powerful when you can do the right things and have that message be heard by your audience. So I really, really recognize that we can, we can put together some light touch mechanisms for being able to get the message accountant, if you all have questions about that, feel free to reach out, I’m happy to talk to you about what good messaging you can do related to how you are keeping your your customers data, your vendors data, all of the various stakeholders data, safe and secure, and, and how that can actually help you actually grow trust and credibility across the board. And we’re going to talk a little bit about that in just a bit. So I wanted to see if you had any examples of innovations and companies that were spurred on by cybersecurity, and I’m thinking of, you know, in your work and time in cybersecurity, you must have seen something where people started off thinking, Okay, we’ve got to create a more cybersecurity friendly environment here, we have to lock down the system because of x. And it actually, like maybe person a new product or birth, the new service line, or the the division or department made a fundamental change that was really positive on the other side. any examples that you have for us that you can think of?
Yeah, so I think, you know, taking a stand on the security side is important. You know, things like, you know, if you’ve heard of Twilio is a platform, they do a lot of messaging pushing they, they’re basically a telco in the cloud, where you can do phone, you can do texting, all sorts of automation, you know, they’ve taken a stand to basically make two factor authentication required. And, you know, steps like that, that, you know, I think industry will catch up, it’s a no brainer, that two factor is going to be required at some point soon, but taking a stand on some of these security issues, because you’re looking out for your customers, you know, just gets you noticed, and it you know, any, any, you kind of have this idea that any press is good press, and I maybe not in a breach, but but ways to get noticed as a business to say, look, we’re gonna, we care about our customers so much, that we’re going to take these extra steps to make things more secure, and we’re going to push information out. And we certainly see and we’re working with organizations, you know, there’s a very large insurance company in the US called Gallagher insurance that we’re working with, where, you know, we’re collaborating with them to deliver, you know, more affordable security to their customers. And so that’s an example where, you know, they’re finding partners in the space to compliment them to deliver better products and services to their customers. And so these are all ways that you can build your brand and build messaging and get get folks more secure as at the same time. Yeah, I’ve seen definitely in this age of the pandemic spur innovation, like I’ve Never seen before, in, you know, 25 years of watching small businesses develop and grow. And what I have learned in this timeframe is that, you know, necessity is a great driver. And what businesses can do in this point in time, is while you’re already doing all of this work to become more digitally aware, and building your digital presence, if you just add a little bit of cybersecurity in there, you will find that there are things that because of the limitations, right, you know, we always talk about in the cybersecurity space, at least always talks about the the trade off of security and convenience, right? If you can really make your product more convenient in the face of more security, then you really have a true competitive advantage. Thinking about curbside delivery and local delivery and things in which you know, otherwise would be, you know, just a necessitating factor, if you can think about how you are doing that in such a way that actually protects client data. And you can message that appropriately, that can actually be really, really powerful for people, in a lot of ways. So I’m just I’m really, I’m really bullish on that whole concept of pushing that message, completely agree. Okay, moving right along to building trust and brand strength, because it’s an area that I spend a lot of time with clients working on, through the economic development agencies that I work for, and so on and so forth. And I always wonder, how did how do small businesses, small and medium sized enterprises really communicate cybersecurity to past present and potential customers, so that they can build a greater trust and brand strength? What What is, you know, being on the inside, watching how people lose trust and lose credibility very quickly in that space? What’s the flip side message to that? How do you put that on the other side, so that businesses can communicate? Again, like I said, in those three kind of time zones of past, present, and potential, how do they communicate to those folks? in such a way that’s positive?
Unknown Speaker 26:57
Yeah. And I,
Vince Crisler 26:57
you know, again, going back to this whole idea of risk management and managing your company and your brand and your reputation and the trust of those, you know, past current and future employees or future customers. You know, I think one thing that’s really important is, you know, while I while I kind of bad mouth fearmongering, a little bit early on, I think there also has to be a realistic expectation that something’s going to happen to your business at some point. Right. And so, you know, hopefully, it’s not ransomware. But it could be, you know, a phishing attack, what if your email account gets compromised, and a nasty message goes out to all of your customers? So you know, thinking as a leadership group, and you’re, you know, whether it’s one or two of you, or five of you in your business, thinking through one of those scenarios that would cause your business harm. So, you know, what happened to what happened if all of your systems got locked down, and somebody was asking you to pay $20,000 to get it back? Or more? Right. And I think the average ransom right now is around $100,000. At $200,000. What would you do as a company? If you had a data breach? How would you communicate to that to your customers? How would you react? And I think, you know, in some ways, you know, this is the unforgotten pieces. How do you do branding and marketing and PR after a breach, and if you’re not prepared for that, before the breach, you’re going to be, you know, playing catch up. And that’s not where you want to be playing catch up in a bad in, in a bad situation like a data breach. So I would strongly encourage that you think about, you know, can you do that internally? Do you have the right marketing? Folks, you have the right PR folks internally to support that messaging? And what does that messaging look like? Start writing it now? because that’ll get you thinking about what those risks look like, if you don’t have that internal support? Who do you reach out to for that support? What are the groups in your area that understand PR and marketing and legal support for cybersecurity breaches, you don’t have to spend money, right? You don’t have to spend a lot of time, you just have to identify those resources and say, Hey, do you guys do? Do you guys do or do you guys know if somebody that does marketing after a data breach, get introduced to them understand?
The other thing I like to recommend is, you know, there’s this whole term of tabletop exercises. And it can be very complicated. But it can also be writing down three questions that you’re going to sit down, I normally would say we’re a bag lunch now I’d say over over a zoom or a WebEx and just ask your team a couple of questions. You know, if
question one, we got, we got a ransomware attack that locked all of our laptops. Is that a problem or not? Right? Do we have a backup? Yeah. And we’re backing up every night? Oh, do we realize that if we’re backing up every night, all of those backups are probably encrypted as well? Do we have an offline backup somewhere? No. Okay, let’s make an offline backup. Right? So just a couple of simple questions can make the difference between your business going under and your business being able to fight through and survive. Having the right PR and marketing support set up ahead of time can be the difference between a very, very rough experience and a positive experience where you’re able to communicate to your customers that if this happens to a lot of businesses, we We’re ready. This is how we’re protecting you and taking care of you. Again, that’s the difference between losing your company and not in a lot of situations. Absolutely. And and yeah, I don’t think fear mongering is necessary to understand that it is a win. Not if proposition when it comes to cybersecurity attacks, we are all under attack. And that is because we are low hanging fruit. And easily, easily susceptible. Right? You know, I said this actually last week, and I’ll repeat myself, because this is so important. There are people whose job it is to show up every day and attack you, right? while you’re out there showing up every day to serve your community through your small business products and services. There are some poor schlub, who shows up every day and some large server farm in some other country who sits down and says, Okay, how do I break into your business today? You know, they’re probably given a list of IP addresses and list of business names. And they get to just go look for low hanging fruit. And so it’s really important for us to think not about the oh my god part of this, right? There’s this fanfare that’s around it, forget all that, forget the fear mongering, you just understand this is a risk you are under attack, how do you deal with that attack. And just by virtue of doing that, you can go out there and say, to your past customers, we are protecting your data. And this is how we’re doing it, going to your current customers and saying, you know, what, we have to implement these kinds of practices, because we want to make sure that while we’re working with you, we’re not susceptible to this attack that’s ongoing. And then to future customers, you can say, if you do business with me, I am going to do my best to make sure that you’re secure. And does that mean that like me, once in a while, maybe more than once in a while, people send me an email, and I don’t get it. Because it’s been quarantined. And I don’t check my quarantine email, as often as I probably should, you know, okay, that’s fine. But what I do tell them is when I do finally excise that email from wherever it came from, I can say, you know what that was in in pursuit of making sure that we stayed more secure. And by the way, you don’t have DKM, or demark, or SPF applied on your systems, and that will make you better by doing so. And it becomes an educational moment. So I just really think across the board, people feel more trusting and your brand benefits from that trust, by virtue of communicating on a regular basis that you’re thinking about them, it’s not just about you, right, it’s about them, when it comes to that kind of thing. And talking about them in kind of a transition to employees, many times in small businesses, you know, I deal with a lot of micro printers, a lot of solopreneurs. And then, you know, kind of smaller than 10, maybe sometimes smaller than 25, employee own employee businesses. And when it comes to that perspective, they’re kind of two umbrellas here, right? There are the businesses that choose to, you know, basically fear and shame, you know, the fear and shame part of if you, if you do this, you’re gonna ruin our business, right. So they make sure their employees are scared to death of technology, generally, when employees generally are not the most tech savvy people in the first place, they’re just everyday people, you know, go to work, and they want to do their job. And technology is a part of it. But it’s not like, you know, they’re out caring about the latest iPhone or the latest, you know, Google Pixel device, you know, they’re, they’re just, you know, average people. And then once in a while, there’s a cybersecurity event. And someone has made an example of, we go out there and we say, Oh, you know, you know, Jane, you did this, and you’re going to be fired for doing this. And I’m just really curious, from your experience. How can businesses flip the script on that? How can they support people more, to be able to make sure they benefit from cybersecurity practices? And even when incidents happen, right, like, when when a mistake happens? How can businesses kind of do differently? be better? As they say?
A lot? It’s a great question. You know, there are a couple of things. I think, one, you know, nobody goes to work saying, you know, about nobody, but most people do not go to work saying I want to find a way to screw over my company, right? I want to find a way to open every bad email and get get computer’s infected and cause problems. You know, people generally, the non disgruntled ones, generally want to do good for their company and support their company. And so with that in mind, it’s, it’s up to the company to be responsible to give those employees the tools to be responsible and to be helpful. And, you know, the thing that always frustrates me as a security practitioner, when I’m talking with companies is when you when you let the security team go too far to the extreme of security. What it does is it prevents people from doing their job. And people just want to do their job, they want to do what’s right. And they’re going to find a way to do it, whether you let them or not. And if you have things locked down to the point that they can’t even do some basic job functions, they’re going to go around you and you know, that could result in a breach or compromise as a result. And it’s, again, it’s not because they’re trying to do harm. It’s because they’re just trying to take care of a customer or take care of a client or take care of a business partner. And so, you know, one is, is getting in the mindset of security as a collaboration with business. Right and IT security is an enabler, it’s to make sure that you’re, you’re managing the rest of your company, you’re managing the the integrity of the information, you’re keeping that information private, that needs to be held private. The other thing I’d say here is, you know, none of us like, except for some, some people that like really like pain, and suffering, none of us like to sit through cbts, like computer based training on security, and to say that your company forces you to sit through an hour of computer based training, that’s exactly the same every year, and you’re going to click through, like, that’s not fun. It’s not educational. And so being creative about ways to train and educate thinking about a continuous training environment where, you know, you’re you’re getting your company into a cycle where you know, every other week or once a month, you’re kind of introducing topics as part of a longer term program is really helpful. And one of the things I really like to do, especially when you look at the small end of business, is, you know, you’ve got people working on their own own laptops, their own computers, they’re working from home, they’re working from coffee shops, maybe not anymore, but someday we will work from coffee shops again. And, you know, they’re they’re just trying to do their job. And so how do you? How do you think about a culture of security in a small business where you don’t have a chief information security officer in a security operation center? And in from that context, right, like to get people is? How do you educate your kids? How do you educate your parents. So if you reach out to your employees with resources to say, Hey, here’s some really great cybersecurity tips that you can talk to your kids about, here are some great cybersecurity resources that you can take to your parents, because, you know, the elderly population tends to be more targeted with scams, these computer tech support scams and other things that are hitting them, and causing significant financial harm and pain and suffering. And so here’s Here are ways that you can train those folks. And I’ve seen employees latch on to that, because everybody likes to train and help other people, nobody likes to be trained, and, you know, getting your employees resources to take care of their kids and train their kids, they’re going to learn more from doing that than they ever would from getting, you know, a lecture from your company. So finding ways to partner and be more creative about spreading the message in the company is really important, especially down market,
Raymond Sidney-Smith 37:12
that is a fantastic idea, and I am going to steal it.
Because I really love the idea of helping help having them help others. That’s a really great, you know, way to demonstrate cybersecurity practices. In that vein, kind of nice segue here, which is that, you know, for many small businesses, as I said, Before, I deal with a lot of micro printers and a lot of small enterprises. And many times the staff are small, they’re family members, right? Whether the business is family owned or not, it’s sometimes many times a family business, because you know, a spouse or a partner is entrenched in, you know, dealing with things. Maybe they’re the other admin on the Facebook page, you know, that just happens. It’s just a virtue of being small and not having enough people to go around. And I’m curious from like, investors, vendors and other stakeholders, how can we make the entire company think of cybersecurity as a competitive advantage in terms of strategy? Like, what are some things that you can, in terms of high level talk to people about to get them on board in terms of, Okay, we’re gonna we’re gonna adopt cybersecurity as a competitive advantage.
x.
Vince Crisler 38:26
Yeah, you know, the easiest path to this discussion is talking about the financial impact, right? Like, the fact that a breach or a compromise could cost us $100,000. And with the margins that we have, that could put us out of business. So you’re getting people to understand that there is true financial harm, and you talk to the poor schlep at the server farm, a lot of times these guys are making tons of money. It’s a great job. Hacking small businesses, you can make a ton of money really fast, and they’re not just targeting you. I mean, there, there’s a misconception that there’s a hacker that’s targeting your restaurant or your law firm. You know, typically, that’s not the case. Because that doesn’t make sense financially. What they’re doing is they’re hitting 5000 companies with the same email and hoping for one or two hits. And when they get a hit, they have a fully automated process, they go off on to take advantage of that, of that, that hit. And so understanding that it’s kind of an asymmetric threat where these folks are targeting a ton of companies and you’re just going to be collateral damage because they can make money off of you.
When you think about the the compliance world if you’re in a in a business that has some compliance concerns, I think this is another place where it’s more obvious to have a competitive advantage where you can message message, your security, your approach, tie that into your brand, it makes a huge difference. There are programs emerging right now such as the cybersecurity Maturity Model certification within the Department of Defense cmmc. There’s a chance that that can apply to up to 300,000 companies that are in kind of the umbrella of the defense industrial base that are doing business with Department of Defense. Those require moments are going to flow through the very large contractors all the way down to the very small companies.
And just so people are aware, that means that if you are and I know a lot of you who are watching are in the ad space, that may mean that that might apply to you even though you may not think about it. So Exactly. And so you know, paying attention this emmc. And it’s, it’s pretty, there’s a lot of noise and information out there. But from a competitive advantage, I would say, you know, if you actually look at the security controls that are built into CMC, and it looks big and complex, but if you actually read through it, it’s not all that all that complicated. They’re things you should be doing anyways. And so people are getting caught up in the news about will cmmc actually work or not, will it fall apart? Who knows? I to me, what I would say, and I’m working with companies that are going down this path right now is, regardless of whether cmmc goes forward, there is value in terms of thinking about security from that model, if you want to do business with the government. Right now, it’s Department of Defense focus. But if you’re working with Treasury, or FAA, or Homeland Security, or any of these other groups, this stuff is coming down the road at some point. And so it’s a competitive advantage for you to get ahead of that. So if if cmmc comes through, and you can say, look, level three is kind of the middle of the MMC and we are already CMC level three compliant, that gives you a leg up in those contracting discussions, it makes you look more proactive, as a parent, as opposed to those companies that may try to slam in at the last minute to be able to get into a contract that they want to get into. So from the compliance side, you know, certainly thinking about trends and patterns, and where these things are going and how you’re aligning your business can be a huge competitive advantage. And the final thing I’d say here is, you know, when we’re looking at this world of COVID, and kind of the lockdowns that have happened, a lot of businesses and functions are moving online that were never online. A lot of restaurants, a lot of other organizations are putting services and capability online that weren’t there before. Because it’s essential to do your business. And you know, integrating services like like stripe and other services that handle the payment stuff for you gets rid of that regulatory burden a lot of ways. And so you know, thinking about how you deploy those technologies is really important. And it not only is going to streamline your business, but it’s going to help you from a compliance and regulation perspective, and it will make you more competitive in the market.
Raymond Sidney-Smith 42:21
Yeah, I remember when the glba came out, this is back in before the year 2000. For those of you who are watching who may be younger, but you know, 1999, the gramm Leach bliley act was a financial institution based, you know, bipartisan legislation. But of course, it was only relegated to financial institutions, you know, those who had touched the financial services space. And I said, at that point, you know, if you followed the glba, you’re gonna be better off in business, not just now, but 510 and 20 years from now. And here we are on the cusp of those who are in California now are basically applying the glba to their businesses. So really listen to what Vince is saying here, because this is coming down the pike, it’s going to touch more businesses than you think. And to be quite honest, it’s it’s the right ethical thing to do for your business for your customers and across the board. But it’s also going to be ultimately good for your business, because you’re going to save yourself, the productivity hit, right, the downtime, and potentially the loss of business, and the loss of your business at some point, if that’s the case. So it all kind of works itself out in in in the long run in terms of the good in the end, the other side, I wanted to I wanted to just ask you, Vince, if there’s anything I missed, was there anything here in terms of competitive advantage that you think of that may have been a missing element in kind of these three buckets of productivity, Public Relations and Marketing, and then employee attraction, retention and engagement? I think we covered a lot of ground here, it’s been great Ray, I think, you know, I just want to reinforce this two factor authentication.
Vince Crisler 43:56
If you don’t know what I’m talking about, go on Google and look at it. Your personal accounts, your company accounts, should have two factor authentication turned on. If your financial institution doesn’t support two factor authentication through their website, look at a different financial institution. If you’re using a managed service provider that doesn’t use two factor authentication on some of their management platforms, you should look at a different managed service provider. It is again, it’s not there, there are ways to defeat it. But it makes the job a lot harder for an attacker. And so, you know, I just think, you know, what are the basics and, you know, this is where I get to a lot of resources. And Ray, you talked about some of the resources you have available on our dark queue on our website, dark cube.com we actually have a cyber security resources page. So you go to dark cube that comm resources and there’s a whole page of information available. And we put that up there. You know, there’s there’s no benefit to us other than making it available for you all to do your jobs better. So really pay attention to kind of those this quick and easy things you can do to lock down and secure your business and protect your customers. Protect your employees. and protect your business and your livelihood. Yeah, I just wanted to bring up on screen this site at two factor auth.org is what Vince was talking about in terms of your the capability of you being able to go in and determine whether or not your financial services agency, institution or otherwise has he considered his banking here. And there’s all kinds of other financial and legal sites here, you can just type the name in and see whether or not and how to set up either to fee to FA two factor authentication or multi factor authentication on your service. So just know that that exists. And it’s out there, and really, really helpful for being able to do that. That being the case, but I wanted to give a few minutes to you to kind of explain to folks what dark cubed does, how it works, and, and how it can help small businesses who are really, in that space of interested in becoming more cyber aware, and cyber secure in this kind of age of digital retail experience. Yeah, so we’re, we’re a cybersecurity software as a service company, we are focused on simplifying the ability to detect when when bad things are happening and stop it. We primarily partner with managed service providers, and there’s managed service providers are supporting small and mid sized companies, they’re managing their firewalls, they’re managing their their desktops and laptops and making sure that you can do your job. And then we also work with small and midsize companies that do their own IT infrastructure. And when I look at kind of the landscape of cybersecurity, you know, the foundational requirement, if you have a network and you have computers on that network, as you purchase, you probably have a firewall of some sort. And that firewall is kind of a gate to keep the good, allow the good traffic through in the bad traffic to stop the bad traffic. But a lot of times these firewalls require a lot of sophistication and expertise to manage. And it’s really hard to do the job really well with just a firewall. When you go up market, you hear terms like security operations centers, and threat intelligence, and analysts and all of these functionality that, you know, if a firewall was sufficient, you wouldn’t need all these other things. But as you go up market, you find folks need to invest in that because it’s a necessary step. So what do you do about the gap? What do you do about all these companies that that can afford a firewall or should put a firewall in place, and those people that that can afford a security operation center and analysts and all the time, energy and money that takes and that’s where we fit in is to say, you know, a lot of the functionality that a security operation center performs, can be taken care of, by automation can be taken care of, by analytics can be taken care of by a creative solution, like dark cube. And so we integrate into your firewall, there’s no hardware or software to deploy, in a matter of five to 10 minutes, we can be up and running, we can detect, you know, we can look at what’s coming in and out of your network, we can detect the bad stuff, we can block it, and help you move on, we can do nice reporting and analytics around it. So it’s been really neat to see kind of fitting into a very noisy, crowded market into a space that’s relatively uncovered by a lot of other products and services. And to do it at a price point that works for this for the small and mid market is pretty cool. And going back to what I said in the beginning, you know, my passion is really about helping small and midsize companies. And,
Unknown Speaker 48:08
you know, I think it’s,
Raymond Sidney-Smith 48:09
you know, in some ways, incredibly frustrating that, you know, you can have the large banks and the large government contractors can spend, you know, half a billion to a billion dollars a year on security and still not be completely secure. And everybody else has just told, like, if you can’t spend a lot of money on security, you’re being irresponsible. And I think that’s the wrong thing to do. It’s up to us technologists to solve this problem for small and midsize companies and creative ways. And that’s what we’re doing. Yeah, and I just wanted to point this out. And, you know, because I think that would Vince is doing and with dark cubed is doing generally is available out there there are there are companies doing this kind of work to make it less onerous on you. And I know I’ve talked in the last two episodes about some of the tools that are out there. Dark cubed is among those that I think is really important for us to be able to reduce the the burden on us while still staying affordable and making it possible for us all to basically stay in that space. And so with that I wanted to one Thank you, Vince for joining me here on ledger. Yeah, on the show. And where can people keep up to date with dark cube and with you?
Yeah, so we’re on you know, our website is dark, keep calm. We’re also on Twitter at Vince Crisler, and we’re at dark cube cyber on Twitter. So come follow us. Join us. connect with me on LinkedIn. You know, I always encourage folks to go on LinkedIn, there aren’t many bins. Crisler is out there connect with me, I’d love to connect with you. If you need help. Or if you have a question, I’m happy to answer them. Again, you know, this is going back to brand and you know, the same discussion we had with you all around. How do you how do you manage your brand and your reputation? what I’m passionate about is helping you all do cybersecurity better, whether it’s not whether or not my products involved at all, you know, I want to help you. And so if you have questions or comments or things that that you need information to I’m happy to point you to the right way.
Fantastic. Thanks, Vince. Thank you. That was Vince Chrysler. CEO of dark, cubed and dark cubed. And I just want to just close with a couple of announcements that I have for you all. And I really appreciate you sticking around for the conversation and all that fun stuff. And so just a couple of quick things. Next week, we go back to our regularly scheduled content. And so I see that you there are some questions in the chat panel. We’re running out of time. So I apologize for those. I will I will certainly answer those questions, post recording. But there are two episodes coming out next week, one on Monday, and then another one I will be releasing, not going live. So just everybody is aware that I’m going live Monday as normally at 11am. eastern US time. And and then I will be putting out another episode because it was a lot of news that happened in October. And I wasn’t able to do that because you’re doing the National Cybersecurity Awareness Month content. Second is 11 five, there is a I’m doing a webinar called podcasting, podcasts marketing changes you need to know and so that’ll be on November 5. And so you can check that out by going to W three c i NC comm forward slash events. So w the number three c i NC comm forward slash events. And if you scroll down, you’ll see the Eventbrite embed, that will show up and you can go ahead and register for the webinar there. And then last but not least, if you’re not already a member of weapon beyond community, you can go ahead and join weapon beyond community that is our digital community for small business owners. And so you can go ahead to www make sure you put in the www www, web and beyond community, and you can join us there in the community. And so with that, we’ve come to the end of our time together this week. If you’ve enjoyed the live stream and you’re watching on YouTube, or wherever else feel free to hit the Like a thumbs up icon that helps us make new small business friends. And so thank you for doing that. If you have a question or a comment, you know that I’m always on Twitter, you can leave a comment or question you can tweet at us at W three, the number three w three consulting. And then you can join us of course here every Monday at 11am. Eastern, unless we otherwise note, thank you so much for spending this webinar beyond live with me with this cybersecurity theme and sticking with me all month on these topics. Again, I’m Ray Sidney-Smith, President of v3 Consulting and managing director of WCC web services, have a great week marketing. You know a great week ahead marketing on the web and beyond. Take care everybody
