Episode 39

How do SMBs protect themselves from ransomware attacks?

A recent Global SMB Ransomware survey finds that nearly half of small and medium-sized businesses (SMBs) have experienced a ransomware attack, yet the majority aren't sure they are a target, and most are not confident they can fend off such an attack. Since 60% of SMBs are known to go out of business within six months of being hacked, it is a very troubling state of affairs. In this episode, Grayson Milbourne, Security Intelligence Director at OpenText Security Solutions, joins me in discussing the security challenges faced by SMBs and sharing success factors and best practices.

Time Stamps

02:21 -- Before we get into the details of SMB information security challenges and best practices, let's talk about you a bit. Share with listeners some highlights of your professional journey.

04:19 -- From a cybersecurity risk resiliency and defense standpoint, small and medium-sized businesses (SMBs) are often the most vulnerable and least mature. As one CIO of a midsize bank put it, "many cybercriminals are specifically targeting midsize companies that are in the cybercrime sweet spot. They are big enough to have significant bank accounts, but they often don't use the latest cybersecurity defenses. Also, middle market firms are often the gateway to bigger targets for cyber thieves." Your thoughts and reactions?

10:53 -- In a study that my colleague, Mike Benz, and I published, we noted that 95% of the surveyed SME IT leaders believe they have an above-average security posture. And so the concern is when you think you are prepared, but actually, you are not, that is a bigger problem. Don't you agree?

17:38 -- Grayson, I'd like to go back to the ransomware report, the survey report that your organization published. It's concerning that nearly half of SMBs have experienced a ransomware attack. And yet the majority still don't think or aren't sure they are a target. Why don't you expand on this?

23:57 -- Grayson, what are the top three things that you would recommend SMBs do to protect themselves from, say, ransomware attacks? What would be those top three things?

30:43 -- My research finds that, time and again, a lot of planning happens, and a lot of documentation is maintained. But when it comes to execution, that's where organizations fail time and again. Your thoughts?

36:05 -- I'd like to give you the floor to wrap things up for us.


Memorable Grayson Milbourne Quotes/Statements

"What we see in the SMB spaces is that if they encounter ransomware, they don't report it. And they want to sweep it under the rug, move on and pretend it didn't happen. And unfortunately, that has other consequences that come along with it."

"One of the biggest things that causes a headache during a ransomware incident is that it's a timed attack. They don't give you a lot of time to pay the ransom before they increase the demand because they know you're going to start scrambling, you're going to start thinking, Okay, what backups do I have in place? If you rehearsed the plan, at least you have a battle card to go to, you have some steps, and you're not scrambling because this is the worst time to be scrambling."

"I think one thing that insurance probably doesn't look at is your readiness plan."

"It comes down to reacting properly in that critical amount of time when you face one of these types of attacks."

"Average downtime can be several weeks. It is right to look at cyber risk as any other risk to your business's continuity."

"As your business grows, I think there's tremendous benefit in having an internal security-focused resource."

"Ransomware reporting is vastly underreported. People don't want to have that black eye, they don't want to; it's bad for the customers. If it's not reported, it creates an even fuzzier picture for law enforcement that has resources to go after these organized groups."

"The vast majority of attacks succeed because of a human error of somebody falling for something, clicking on a link, giving away too much information. And so I think education and awareness are really important."

"It's a living and continuous cycle of identifying your assets, protecting them, detecting and looking for active infections, having a response plan in play, learning from your mistakes, and educating."

"Having a plan is very different from having a fire drill with your plan."

"If something bad happens, that's okay; come forth with the information and share it so that we can, as a community, defend ourselves better."


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Our discussion today will focus on the challenges and best practices associated with securing small-to-midsize businesses. We will be using the acronyms SMBs or SMEs during the course of the discussion. SMB stands for small-to-midsize businesses, SME stands for small-to-midsize enterprises; I think it's okay to use these terms synonymously. A quick definition: small businesses are usually defined as organizations with fewer than 100 employees. Midsize enterprises are organizations with 100 to 999 employees. This should be a very interesting and useful discussion because the attacks on SMBs are growing and a survey finds that 60% of small and medium-sized businesses go out of business within six months of being hacked. Grayson Milbourne, Security Intelligence Director at OpenText Security Solutions, is our guest for this episode. I'm delighted to have him join me in having this very important conversation. Grayson, welcome.

Grayson Milbourne:

Hey, thank you, David. Glad to be here.

Dr. Dave Chatterjee:

So before we get into the details of SMB information security challenges and best practices, let's talk about you a bit. Share with listeners some highlights of your professional journey.

Grayson Milbourne:

Yeah, thanks, Dave. So I have about a little over 18 years of experience within the cybersecurity space. I began my career as a threat analyst and studied malware, a really fun part of my career where I come in, put some headphones on and really just observe and see how malware authors were trying to be creative and trying to be evasive, which was really important back in the mid early 2000s, and ever more so important today. But as my career grew, I eventually became the manager and the director of the threat research operations for our endpoint team. And that led me just to discover more and more. And I guess one of my real proud accomplishments is being chosen to speak at RSA on several occasions and kind of gave me my foot into public speaking and just more thought leadership to talk about the problems that we face in cybersecurity, just drive awareness of these problems so that we can act and measure risk accordingly. And I did that for a while and kind of burnt out a little bit on the conference. There's so many conferences. And so now I work more on the cybersecurity front and I work with the product teams to ensure the efficacy of our products. I stay very close to the threat research teams and evolutions and how malware functions and invasive techniques and just how that threat landscape continues to evolve. And so that's what I do today primarily is, right, track that, make sure our products stay capable. And then join you for podcasts like this and spread the good word of why it's important to be aware of the risks that we face and not just be aware, but, you know, know what steps you can take to actively improve your defense, you know, now, because, you know, what our data will show, and what we'll talk about throughout this podcast here, is that the problem is unfortunately getting worse, and it's somewhat moving downmarket and we're seeing smaller and smaller businesses become more and more of the focus, especially of ransomware attacks.

Dr. Dave Chatterjee:

Great to hear about your journey. You're doing great. And I appreciate you taking time out of your busy schedule to talk to my listeners. I couldn't agree with you more that we are discussing a very important topic. And it's not enough just to talk about the challenges or the realities of what the SMBs face when it comes to securing their organization, securing their data, but what can they do? How can they do better? That really needs to be the focus and I'm sure we will talk a lot about that. But let's begin by sharing with the listeners some facts and stats. A couple of years ago I authored a paper along with Mike Benz, who's the partner and fractional CIO at Fortium Partners. The paper is titled "Calculated Risk? A Cybersecurity Evaluation Tool for SMEs." It's published in Business Horizons in 2020. It's been cited heavily, been very well received. So there when we were authoring the paper, we shared some facts. And I'd like to hear your reactions to some of them; will not go through all of them. The first one is SMBs are among the least mature and most vulnerable, in terms of their cybersecurity risk and resilience. As one CIO of a midsize bank put it, "many cybercriminals are specifically targeting midsize companies that are in the cybercrime sweet spot. They are big enough to have significant bank accounts, but they often don't use the latest cybersecurity defenses. Also, middle market firms are often the gateway to bigger targets for cyber thieves." Your thoughts, your reactions?

Grayson Milbourne:

Yeah, I mean, I think this is an unfortunate reality. But our data shows the same and that, as I mentioned, we see a continued downward trend in the median size of a business that suffers a ransomware attack. And when we look back over time, this number is now just over 100 is the average so far in 2022. But at this time last year, it was over 200. And so we've seen a very significant shift downmarket. And along with that we've actually seen the median ransomware payment has also dropped. And so I think, you know, what misconception a lot of times is that ransomware demands, what we see maybe in the media, are these seven-figure, maybe even eight-figure ransoms. But what we really see for the vast majority of people who are getting infected and then deciding to pay, or some do, some don't. But the ransoms are less than $50,000, I think we're now somewhere around $38,000 or so, which again, if you compare that to last year, was considerably higher, closer to $100,000 then, but again, those businesses are larger. So I think in some ways, the ransom average demands reflect the size of the business. Because I mean, let's face it, this is a business to them. And the only way that they make money is if you pay, and so they know what you can pay, a lot of times they've been inside your environment and have a good enough idea to set a ransom that has a chance of being paid. But I think that makes it a problem because these are people who've come forward and told their story. But I think a lot of times also, what we see in the SMB space, especially in the smaller sizes of businesses, is that if they encounter ransomware, they don't report it. And they just want to sweep it under the rug, move on and pretend it didn't happen. And unfortunately, that has its other consequences that come along with it.

Dr. Dave Chatterjee:

Indeed, very unfortunate. Sweeping under the rug is not the way to deal with this problem. Organizations will have to proactively prepare for ransomware attack scenarios. As you know, the threat actors have upped their game, and are now engaging in double, triple and quadruple extortions. Along with encrypting systems and data, they are now doing something called double extortion. They're stealing the data before they encrypt it. So even if the organization can recover the systems and recover data from their backups and disaster recovery methods, they're still forced to negotiate to get an agreement from the hackers that they are not going to post the stolen data. They engage in triple extortion when they launch a denial-of-service attack, so the business is no longer able to function. And now we are also seeing something called quadruple extortion, where they're not only engaging in the first three types of attacks I talked about, they're also communicating with customers whose data they have stolen, and telling them to put pressure on the breached organization to pay up. So all organizations should be prepared for such eventualities and they should have a plan in place. And they should regularly rehearse the plan to build organizational memory.

Grayson Milbourne:

Yeah, I mean, I think it's the unfortunate nature that these threat actors, they're being advantageous with what they're after. Right. And unfortunately, they don't care about your small business potentially going under. And they know that these are softer targets. And plus there's definitely a benefit to flying under the radar. We've seen some examples of, like, Colonial Pipeline, for example, brought a lot of attention to DarkSide. And these guys didn't really, like, their business model wasn't really going after critical infrastructure. They had this ransomware-as-a-service model, and they have affiliates who happened to deploy their variant of ransomware into an environment that drew a lot of attention. And eventually, their operation was disrupted. So there's a lot of added benefit to going after smaller businesses. And the reality is, right, is that most small businesses don't have dedicated security individuals, IT has been outsourced to an MSP and in these cases, it can be much more time consuming to get back online. So I think it's an unfortunate reality, but it is, especially for smaller companies need to have a plan in place. As you mentioned, I agree. One of the biggest things that causes a headache during a ransomware incident is that it's a timed attack. They don't give you a lot of time to pay the ransom before they increase the demand because they know you're gonna start scrambling, you're gonna start thinking, Okay, what backups do I have in place? And this is where if you have that plan in place, if you rehearsed the plan, at least you have a battle card to go to, you have some steps and you're not scrambling because this is the worst time to be scrambling.

Dr. Dave Chatterjee:

Well said! To avoid scrambling, to avoid a chaotic response, which is often the case, the organization needs to be prepared. But preparation begins at the top management level, the top management sets the tone for the entire organization, sets the ball rolling for the entire organization. So if top management is under an illusion, is under the mistaken impression that the organization is in good shape from a cybersecurity defense standpoint, the organization suffers. And that is often the case with midsize enterprises. Research finds that midsize organization leaders are overly confident about the level of preparedness and defense capabilities. In a study that my colleague, Mike Benz, and I published, we noted that 95% of the surveyed SME IT leaders believe they have an above-average security posture. And so the concern is when you think you are prepared, but actually you are not, that is a bigger problem. Don't you agree?

Grayson Milbourne:

Oh, absolutely. I mean, that's the exact posture that a cyber attacker is looking for: somebody who believes they're much more defended than they are and their guard is down. I think, absolutely, you're absolutely right. And that it does need to start from the leadership level. And it needs to sort of be the ethos of your company needs to be around security and around that. And I think so much so that it can even be a selling factor, right? I mean, you can be proud of your ability to have a secure posture. I mean, we see this actually, in cyber insurance, for example, you know, they price based on this, right, but depending on how, I mean, you can't just get it, right? It's not just, oh, I'm gonna buy cyber insurance. It's, well, let's look at the policy. And let's look at your current posture, and more mature, more established postures get better rates with what's not too different from a credit score. But the consequences are much more damaging. They all say, having your identity stolen is really inconvenient, having your business hit with ransomware, even more inconvenient. So there's a reason that these ratings exist. And there's a reason that layered security matters. And having a plan really matters. And I think one thing that insurance probably doesn't look at is your readiness plan, they'll probably look to say these are the layers you have in place. But really, it comes down to reacting properly in that critical amount of time when you face one of these types of attacks.

Dr. Dave Chatterjee:

I couldn't agree with you more. In fact, as you were talking about preparedness, and what surprises me again, is the fact that how can top management look the other way when cybersecurity is increasingly being recognized as a strategic competency. And there's another startling data that 60% of small and medium-sized businesses are known to go out of business within six months of being hacked. And the reason I bring it up is because, let's put myself in the CEO's shoes, I obviously have to run the organization, make money, I have to follow through with the vision of the organization. And cybersecurity doesn't quite fall within that vision. But the unfortunate reality is, unless I am secure, organizationally, infrastructure-wise, in many other ways, I may not be in business for very long. So having that recognition, having that foresight, that is so important for the leadership to sit up and say, You know what, we got to do something about it. It's not enough just to outsource it. Let's get some intelligence and let's do an assessment of where we are, what we need to do. And yes, we will do the best we can with the resources we have because there's no expectation that you have to have a security setup that befits a large organization. I've had the pleasure of talking with several legal experts and they have said consistently that when a cyber attack allegation is being reviewed in a court of law, the judge looks very favorably at an organization, as long as they can prove that they did the due diligence, and they did everything they could, and maybe even went beyond to try and secure their strategic assets. So the intent needs to be there. But the intent needs to be followed by actions.

Grayson Milbourne:

Yeah, no, definitely makes sense. And I mean, that's quite an alarming statistic. I mean, 60% is a huge number, and a lot of these small businesses are attacked. And we know, like, the average downtime can be several weeks. And so, right, looking at cyber risk as any other type of risk to your business's continuity, I think, is the smart play, and just anticipating: what happens if this goes offline? How do I survive? Can I survive? And then again, to the other point, I think having, like, it's a complex thing. And for really small businesses, outsourcing to an MSP, a service provider, is sometimes your only option. But I do think not all businesses are equal. And as your business perhaps grows, I think there's tremendous benefit in having an internal security-focused resource. And that resource will probably still be overwhelmed and will liaise with MSPs. But that's probably better than your CEO or your COO being that person, right. And this gives somebody who can stay on top of the trends. You know, a lot of times people ask me, what's a good resource? And I like to point back towards the CISA, the government cybersecurity information sharing platform that does a good job of sending out bulletins and, like, keeps you at least aware of things that might change. And let me give you just one really good example. Earlier this year, Microsoft had a vulnerability in Exchange, and everybody uses Microsoft Exchange, or a lot of people have moved to cloud, but a lot of people still host their own Exchange servers for email. And it was a bad vulnerability, about as bad as it gets, right, allows a hacker to remotely execute code on your system through a vulnerability in Exchange. They posted about this and what you should do and the steps you should take. But a lot of businesses still didn't follow this, to the point that the FBI actually practically hacked in and patched many environments that they found vulnerable. And because at least if they're able to get in, they know that they can do the right thing and fix it, as opposed to who knows who gets in, and then does what. So it's a complex thing. And I know sometimes small businesses definitely get overwhelmed when they think about just all the complexity and the different services and things that go into it, which again, is why once you're over, I think, a certain size in the low 20s to above, it does make sense to have a dedicated individual, and then accordingly scale that to larger company seat sizes.

Dr. Dave Chatterjee:

That's great. In fact, I'd like to add to what you said about having a dedicated individual or maybe a couple of people, it might be unfair to have expectations of a large team in a small or medium-sized organization. But again, it's not the matter of size, it comes down to how thorough and rigorous the planning is, and how precise and consistent is the execution and what my work finds, and in my book on Cybersecurity Readiness, I talk about creating and sustaining a high-performance information security culture. I use the word culture because unless there is a change in the mindset of the leadership, unless there's a change in the mindset of the organizational members, you're unlikely to get that kind of buy-in, you're unlikely to get everyone doing their part over a long period of time. What generally happens is all of a sudden, a company gets really big on something and then they start acting extensively. And then after a while, again, things quieten down, and then they're back to their usual ways. And then they may not be as rigorous. And once again, something happens. And again, they sit up and take note. So unfortunately, we are in a very reactive culture, we are not proactive by nature. If the pandemic has taught us anything, it's definitely taught me that, that we have been very, very reactive. So even from the standpoint of securing organizations, whether it's for ransomware, or for any other type of attack, being proactive, being ahead of the curve, leveraging resources, internal and external, is so, so important. And it all starts with the intent of the leadership that yes, I want to know, I want to know where we are, I want to be periodically updated. And that timetable is entirely up to the organization, every week or every month, and of course there will be exception reporting, but cybersecurity metrics should feature prominently alongside the other business management metrics. That's how important security has become. It's not because you and I are in this field. And we are trying to tell the world hey, take note. But that's the reality of it, is that businesses in today's day and age where we are highly digitized, we have to give the security infrastructure focus, attention, the right kind of nurturing, or you kind of get into trouble. So Grayson, I'd like to go back to the ransomware report, the survey report that your organization published, and I want to share with the listeners a few, but I don't want to steal the thunder, I'll let you share most of it. But it's really concerning that nearly half of SMBs have experienced a ransomware attack. And yet the majority still don't think or aren't sure they are a target. Why don't you expand on this?

Grayson Milbourne:

Yeah, so I mean, so this survey was conducted over 1300 businesses all under 1000 endpoints, or 1000 seats, and so it's not evenly distributed. There's many more that are that SMB, so probably 100 or less, but a really good array of different companies. And I think it is concerning. I mean, we know that ransomware has been around for a while. And so, you know, I think it was 46% of businesses already admit to having encountered ransomware, at least to some degree, I think that number if we poll next year is only going to be higher, because year over year, it's not really an if it's a when type of scenario. And I think unfortunately, our data still supports that. And it's because of the posture, or the denial of the risk that we still see largely the SMB space. And I think it's a challenge because one of the other things that we're queried on is small and medium sized businesses and their anticipation of the economic future and potential recession or cuts in spending. It kind of just makes this problem worse. And so we see a) we see the threat actors are 100% moving downstream. And so we know that there's many more businesses in the 100 seats and less than there are the one to 1000. So there's much more opportunity. These at the same time people are being squeezed, right, they have shrinking budgets, and are making tough decisions as to where the dollars go. And cybersecurity, unfortunately, it applies to every business that has a digital footprint, which is pretty much every business today has at least a website and stores customer information. And these are the targets that are deciding against an improvement to their sales and marketing efforts. Or maybe cybersecurity. Oh, and guess what cybersecurity does nothing, which is the point, right? Like you're paying for something that kind of does nothing? And you're like, oh, great, like, what has it done for me recently? And now you're happy about that? Right? So, so it's kind of a perfect storm. And I think what our data shows is that the risk awareness is still really lacking, based on just the stats of how many people have encountered this.

And I'll leave you with one more thing is that this is 46% of people admit to it. But we know that ransomware reporting is vastly underreported. People don't want to have that, that black eye, they don't want to it's bad for the customers. And as you mentioned, I mean, different levels of extortion that we've seen in the past year, right? It used to be, oh, just give me a ransom payment, then it was, well, there's GDPR and other data leakage fine. So we're gonna leak your data, okay, if you don't pay us, and then that it's like, yeah, we're gonna go after your customers, and we're gonna sully your reputation, we're gonna go to the media with this. So like, these are all reasons that people pay. But it's unfortunate, but I don't blame companies for not wanting to disclose it. But what that does is it says the difficulty of attribution. And even though this is something that's still very much lacking with respect to cyber crime and punishment, if it's not reported, it creates an even fuzzier picture for law enforcement that has resources to go after these organized groups, the more information that they are provided about your encounter only helps strengthen our ability to strike back and, and try to take some of these organizations that have been, you know, up till today's largely resilient to any sort of multinational organized shutdown. We've seen some examples, but largely, it's a highly competitive space that thrives today.

Dr. Dave Chatterjee:

Yep. Unfortunately, those are all realities. As you and I have been talking, I am thinking of what are a list of challenges that SMBs encounter. Starting with the lack of awareness, a bit of this 'ignorance is bliss' kind of a scenario, inadequate resources, lack of top management involvement, and then during our discussion planning meeting, you talked about the training is not very satisfactory. So there is probably a list of things that SMBs could do better. But I think what might be helpful to the listeners, many of whom are probably working for SMBs is to let's say, if I were to ask you, Grayson, what are the top three things that you would recommend SMBs do to protect themselves from say, ransomware attacks, what would be those top three things?

Grayson Milbourne:

Okay, and I'll put these in no particular order because I think they're all very important, but I'll start with education. Because I think education is one of the there's almost always a human element. This isn't always the case, right? Sometimes like software is vulnerable. And a hacker is able to exploit something that is very difficult to defend against that. But the vast majority of attacks succeed because of a human error of somebody falling for something, clicking on a link, giving away too much information that begins the attack, right. And so I think education and awareness is really important. And that it's not something like PCI DSS where it's an annual, everybody knows how to store credit card information. Okay, this is not that right? This is much more complex. And it has a lot of variety and trends and trends shift pretty quickly. And so we advocate for like quarterly updates, because things shift from the end of the year and the tactics and what we think the scams that are very prevalent in this time of year are typically prevalent at this time of year. So that goes a long way, and just eliminating whatever might happen after a human mistake. Right. So education, I think is really important.

I think the other one is identifying your assets. And I like cyber resilience as an approach to layered security that fits nicely with a zero trust approach to cybersecurity. And really, it's just a cycle. It's a living cycle of, of identifying your assets, protecting them, detecting and looking for active infections, having a response plan in play, learning from your mistakes, and educating; it's a continuous cycle. But the first part of that is identification. And I think every business really needs to understand their internal assets. And this includes people, right, this isn't just your PCs that are critical. But hey, if you know, this single source of failure as an individual leaves, my business might equally be as disrupted as if I get hit with ransomware. So identify your risks and what those are, and then apply proper risk mitigation strategies to those things. And so if it's, if it's data, have backups, and make sure that your backups are air gapped, are not capable of being compromised by ransomware. There's lots of great technology that does this automatically. But if it's people, right, I think, again, staffing is a tough thing sometimes, but identify and understand your assets and then defend them. So educate, identify, and defend, those would be the three things that I would look at.

Dr. Dave Chatterjee:

Totally agree, totally agree. So there are a couple of things I'd like to add to that. And one of that is how do you incentivize proper security behavior, we all need motivation to do things which are, where, especially when we are not seeing the ROI directly. If you're talking to a non-security professional in an organization, who has a particular type of work, and you have certain security do's and don'ts, kind of expectations of that person, you have to be able to convince that person that this is if they followed through with that cyber discipline with that cyber hygiene, the end result, overall end result is good, and that's going to help them. So you have to keep showing them the big picture. Yep. Along similar lines, even to get the top management attention, present the scenarios, the consequences of the different types of attacks and breaches, and what happens after that what the organization has to deal with. So make it as realistic as possible to get the attention because that's gonna lead to some actions, maybe some change in behaviors, and absolutely means I can't agree with you more that while humans are the greatest assets, they're also a great vulnerability. So the best way of addressing that is through regular training sessions. And these training sessions should not be the check the box approach, okay, I met the requirements, but it should be continuous. And it should be incremental. I often use the analogy of people do this nerdles and wordles on a daily basis. And I have shared with organization that how about every day, an email goes out with a security little puzzle or a security game that people have to solve, kind of make it fun. At the same time you are impacting the mind. On a day to day basis, you're sowing that security seed. And over a period of time, everyone has a certain level of awareness, as opposed to the current approach where we go through this security training for say, 30-35, 40 minutes, we take a quiz. And then after six months, we again do it. And it's also not customized. So we have to make security training role-based, we have to make it more immersive. So a lot of thought has to go into it.

Grayson Milbourne:

Yeah, I totally agree. I think along with training, one of the things I support is doing simulated attacks. So you can send out a phishing and so we do this internally and we quite literally take from the wild and examples and create templates so that you can test using the most recent techniques and imagery, and I think that that helps. I think the other thing that you definitely touched on is like engagement with IT. And I know for a lot of companies that have an IT department, sometimes there's a hesitation, we've always tried to foster that IT is a fun and loving place, and they are going to be much, much more fun and loving when you ask them in advance of something as opposed to saying, so I opened that email, and I clicked this thing, and now I have ransomware in my computer, then your IT guy is gonna be grumpy. But if you're like, Hey, I got this email. And it just seems weird. Before I open it, I thought I'd ask you, I hope I'm not wasting your time, they're gonna be like not wasting my time at all, thank you for I think creating that kind of culture to have a due suspicion but also having a right place to go that it's not going to make you feel like you're going to be shunned for asking that question.

Dr. Dave Chatterjee:

I'm so glad you mentioned that, because I was having this discussion with another subject matter expert. And he talked about creating a culture of empathy, where people are not scared to report that look, yes, I made a mistake. I clicked on this. And yes, now we are dealing with the consequences, as opposed to trying to hide and waiting to be caught. And hopefully, so changing that approach and recognizing that, yes, we will do our best we will learn. But if you make mistakes, just fess up and just let us know what happened. So we can start doing damage control sooner than later. So creating that environment, that culture, is so important, where they're not looking at IT or security as a stumbling block, as a hurdle. But more as a partner. You know, that's why there's that phrase out there that cybersecurity is everybody's business, it is not just the business of the information security function. But to be able to develop that mindset, you have to create and nurture that culture where you have to incentivize certain behaviors, there has to be shared responsibility and accountability. So everyone, everyone has a stake in the game, you can just put your hands up and say, well, something has happened. It's the CISO's problem, the CISO should get fired, that doesn't really solve the problem, you may have a symbolic reaction, you might impress some external folks. But have you really taken a deeper look at your processes, at your systems, to identify what the real issues are.

So again, I emphasize an in-depth systematic approach, you don't have to be an expert. I don't expect the leadership team to be cybersecurity experts. But they if they have the real intent of securing the organization as best they can, and they want to have the best-in-class security practices, they can absolutely get it. There are resources out there, they can bring in, leverage, like you talked about earlier, there are the cyber insurance companies, who will absolutely help them get to a certain point in terms of maturity to be eligible for certain amounts of insurance. So seek the help. There are lots of guidance out there, you talked about CISA you talked about NIST. There's lots of guidance out there, it's a matter of really getting it, pulling it all together, and having a plan in place. I know it sounds kind of mundane. And it sounds like stating the obvious. But my research finds time and again, a lot of planning happens, a lot of documentations are maintained. But when it comes to execution, that's where organizations falter time and again, but I don't want to monopolize the conversation, I'd like to send it back to you your thoughts and reactions.

Grayson Milbourne:

You make a very good point, right? Like having a plan is very different from having a fire drill with your plan. And again, I think it's so critical, especially for ransomware. I mean, this is important to have, meaning you like there's lots of different types of response plans. But when you have limited amounts of time to respond, this is where it's most important that you practice these things. So maybe think when you're speaking before, I'm like, one of my passions is aviation. And so I'm a private pilot and pilot, like aviation is like very, very safety driven. And one of the great things about just the story of aviation is from the beginning till now is just how well aviation did at sharing mistakes and learning from mistakes and embracing that mistakes happen and life and death mistakes happen. And so let's do our best to learn from everything from a community based all engaged approach. And I look at like, I'm like, Wow, this works so well. And I look at cybersecurity and my career that I've spent here trying to get like a similar sort of benefit of so many adjacent mistakes, right? So like company A company B, C, all suffer the same mistake, right? Like they all got breached the same way. Like why are companies making the same mistakes that other companies have already made on? How do we do a better job of? Well, so like, right, as you mentioned, there's this stigma, right, like if you make a mistake, it can be bad for the brand, it can be bad for your trust, but it can have a rippling effect. But if we change the culture and acknowledge that we live in a world where mistakes happen, and as long as you're doing your due diligence, you're trying to prevent them, like good job. And if some bad thing happens, that's okay, come forth with the information and share it so that we can, as a community can defend ourselves better. And of course, it's more complex, and we have our own individual corporate networks. But again, if you kind of look to where the world is moving, the boundary of the network is becoming fuzzier and fuzzier. So I guess I was just reflecting that

Dr. Dave Chatterjee:

No, this is great. In fact, when you mentioned about flying the plane, that's such a powerful metaphor, that immediately makes me think that when you are in a cockpit, you have to be absolutely prepared, you must have to be on top of things

Grayson Milbourne:

We prepare, like when the engine goes out at like all the time, right? And it's because you want it to be automatic, because you have like, seconds really matter that okay. Like, you don't want to be thinking like, Oh, let me pull up the checklist. And like, what do I do? No, no, you like, know that the six things to do immediately, in which order? You could do it all in three seconds, right? And then you can start looking around and figuring out, where am I gonna go? So, you know,

Dr. Dave Chatterjee:

And that's it. It's the fear of, of loss of life, fear of loss of the lives of the passengers. And if we were to scale it to small to medium sized enterprise, what are we talking about, we're talking about the demise of the organization, if proper security practices are not in place, and that's precisely why the leadership has to recognize that, that cybersecurity governance is not something unfortunately, we have to do. It's a pain. It is distracting us, but it is significant, it is centric to our survival. And if I may add one more thing here, the last episode we published, we had a senior and a senior leader as my guest. And he made a very important point he said, Dave, we should look at cybersecurity as a strategic opportunity, not as a stumbling block. When organizations, when the leadership takes that approach, has that mindset, then miracles happen because then they're saying, You know what, we're going to be so secure. And given the nature of our business, we can put it out there that if you store your data with us, you are safe, because we are really the best in the business when it comes to securing your data. So there are different ways that organizations can play up their security strengths, and get an edge in the business. And I wish more the leadership thought along those lines, as opposed to treating it as a separate function, but making it more making it part of the overall goals of the organization. So that's kind of the way I see things here. But since but we are coming to the end of our time, unfortunately, this was fascinating. But I'd like to give you the floor to wrap things up for us.

Grayson Milbourne:

Yeah. Thanks, Dave. And thank you everybody who's listening today. From a thought leadership perspective, I like to drive awareness of what the risk is. And I hope to from this presentation or this talk today, we've made it pretty clear that I mean, this is in our opinion, what the data really shows us as it this risk is here to stay, things are likely to get worse before they get better. And SMBs, small businesses are really going to be in the crosshair. And so the risk is real. But we've provided hopefully some steps to help you understand what you can do some good resources of how to better understand where you might need improvement. And if you're here today, you're already taking the right step because again, I'm a firm believer that you need to know about the things you need to defend the events. And so you've hopefully learned today a bit more about what's going on in the threat landscape and how to stay secure. So with that, David, I'll turn it back to you. Thanks for being here. I'm honestly this has been a ton of fun.

Dr. Dave Chatterjee:

Well said, you couldn't have wrapped it up better. Thank you again, Grayson, for your time. It's been a pleasure.

Grayson Milbourne:

Thanks Dave.

Dr. Dave Chatterjee:

A special thanks to Grayson Milbourne for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is a tenured professor in the Management Information Systems (MIS) department at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.