
EP 44: Cybersecurity for entrepreneurs (and their employees)
About this episode
January 7, 2020
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, discuss why entrepreneurs need special guidance on cybersecurity.
Episode Transcript
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.
Jake Bernstein: So Kip, what are we going to talk about today?
Kip Boyle: Jake, today we're going to talk about cybersecurity for entrepreneurs and their employees.
Jake Bernstein: Okay, what's so special about entrepreneurs that they need special advice?
Kip Boyle: Okay. Well, I've been interacting with a lot of entrepreneurs over the last few years. Turns out I'm an entrepreneur also, I have a small business that I've been leading for over four years now and what I've learned is that entrepreneurs have a few special qualities that bear on the question of cybersecurity. So for example, they are often optimistic to the point of delusion about everything. So things that should be on their radar as a thing that could happen that's bad often are not. They are dancing down the happy path almost all the time. And so they take risks, big, big, big risks, so that's one thing.
Jake Bernstein: So we have delusional risk takers, okay.
Kip Boyle: Yeah.
Jake Bernstein: Got it.
Kip Boyle: Delusional risk takers, I love that, which isn't to say they're stupid. So don't get me wrong on that. They're not dumb. They're smart. They're very, very smart. But being an entrepreneur often requires the suspension of reality and credit to Steve Jobs, a quintessential entrepreneur, people talked a lot about his reality distortion field-
Jake Bernstein: Yes.
Kip Boyle: ... when he would suspend the laws of physics and business and get people to do things or believe in things that they didn't think were possible. And so I just think it sort of comes with the territory of being an entrepreneur. Another unique aspect of entrepreneurs is they have very limited resources. They're always scraping to squeeze, to choke that dollar and to get every last penny out of it, to fund their dream. And so you should not expect to find a person on their team dedicated to cybersecurity and you should not expect to see a line item for cybersecurity in the budget. So it's very resource starved.
Jake Bernstein: Yeah. No, that makes sense. Do you have a plan for these guys? What can entrepreneurs do because they need to stay safe just like everyone else?
Kip Boyle: Right, right, right. Well, before I get to the plan and I have assembled a four point plan, there's a couple of other things about entrepreneurs that I want to make clear because a lot of people think that entrepreneurs are too special already and that they shouldn't have special plans for cybersecurity, they should just do everything that everybody else does. But the truth is that entrepreneurs, especially in the first years of business have much, much bigger risks that they're trying to manage beyond cybersecurity, which is hard to believe with all the headlines and all the data breaches and all the ransomware attacks you might think, well... And even most American business leaders are responding to polls saying, "Cyber is our number one risk," but really entrepreneurs have another risk that's life or death for their companies and that's called product market fit.
And if you don't have product market fit, if it's not good, you can't earn money. Nobody will buy what you're selling. So, you're constantly as an entrepreneur trying to find product market fit. And that is a dominant risk because if you don't get that right, you're going out of business, you're going to fail. And cyber risk won't mean anything. And then the fourth special characteristic for an entrepreneur is they often are rugged individualists and they expect their employees and their team members to be that way as well. And to just figure out the details. So entrepreneurs are often the visionaries, and although some of them can be very detail obsessed, they typically are not detail obsessed about everything. They're only that way on the things that are most important. So again, Steve Jobs was famous for his attention to detail on the products that Apple sold obsessively so, and maddeningly so to his team, but he didn't obsess about a lot of other details. For example, he reportedly drove a car with no license plate always, because he didn't care about the detail of having a properly registered automobile.
Jake Bernstein: Well, there you go. So does this mean that the rugged individualist thing and the expecting people to figure out details, that doesn't really work great in cyber, does it?
Kip Boyle: No. No. It really doesn't. And that goes to the fact that the entrepreneur is a wild risk taker but the people who work for the entrepreneur often are not, or are only partially as risky as the entrepreneur is. And so you've got people with all these different risk tolerances and risk appetites, and left to their own devices, they will all do completely different things, but mostly they'll just follow the example of the entrepreneur. So the challenge here is what's a three or a four point plan that an entrepreneur can grab onto and actually do so that we can expect that their employees will do it as well. And so that's why I came up with a four point plan.
Jake Bernstein: That's a good plan. Let's dive right in.
Kip Boyle: Okay. So the first point is that the entrepreneur has to accept that they're a target online, and that people will try to steal their money. And again, this isn't a thing that you do, but rather it's a state of mind that I'm trying to create, because as I mentioned, and this goes back to these special characteristics of entrepreneurs, they're walking down a happy path. And they just are always thinking about how can I make this go right? How will it go right? And they just don't do enough of what I call negative visualization, which is a topic I talk about in my book, Fire Doesn't Innovate. Negative visualization is a super important thing to do when you're risk managers to think about what could go wrong and what would I do if it did. And so you've got to sort of plant a seed I feel in the entrepreneur's mind that you've got to remember, and you've got to internalize that you and your company are a target.
Jake Bernstein: Yeah, for sure. Interesting-
Kip Boyle: Because if they won't do that or they can't do that, then the other three items in the four point plan they'll never do.
Jake Bernstein: So once you accept that you're a target online, now is it enough to just be like, "Yeah, okay, whatever I'm a target," or do you think that people, entrepreneurs in particular need to actually understand what this means? That cyber risk is existential to a lot of small companies and that you don't have the resources to survive a cyber attack? So when we say, accept that you're a target and people are trying to steal your money, I think what we really want people to know is that this is a substantial risk. And it's not enough to pay lip service to it.
Kip Boyle: Right. This can crush your dream.
Jake Bernstein: Yeah.
Kip Boyle: Right? Your vision of putting a dent in the universe and I just keep invoking Steve Jobs, forgive me, I do think he's the quintessential modern American entrepreneur, but that's what he said, "I'm going to put a dent in the universe." Well, at this stage of the game, as an entrepreneur, with a small company, you could be snuffed out by a cyber attack and your chance to make that dent may never happen. So it is existential.
Jake Bernstein: Got it.
Kip Boyle: Yeah. But I'll be honest with you, I have found that it's not always productive to push on this point, a great deal. Some people, well, they just won't accept it. And the more you press them, the more resistive they become.
Jake Bernstein: And it's clear why. We already talked about entrepreneurs being delusional risk takers so.
Kip Boyle: In the best possible way.
Jake Bernstein: In the best possible way, but a delusional risk taker in the best possible way is not someone who by nature is going to react to, oh, this is an existential threat, you have to pay attention, because they're thinking, "Well, no kidding. Everything I do every day is an existential threat. I have nothing to lose anyway." So-
Kip Boyle: That's right.
Jake Bernstein: ... deal.
Kip Boyle: Yeah. That's right.
Jake Bernstein: That's a major hurdle to overcome.
Kip Boyle: Yeah. They're living with existential risks, 24/7 already. And the biggest one, as I said, is product market fit. So they're just like, "Yeah, pile on, whatever, come on in, get on the bus. Oh, any more?" I mean, it's almost sarcastic and it's like, "Tell me something I don't know."
Jake Bernstein: Right.
Kip Boyle: So I don't try to really pound that point home. I just get them to, at the very least, if they can just superficially, grudgingly even say, "Yeah, I know you're right." If they can just at least get to that point then I think I can go on to point number two, which is, don't use your admin account for routine daily work, like processing email and doing web browsing, and that you should use a non-admin account for that stuff.
Now, if I can just get the entrepreneur to say, "I'll do it," without really having a big conversation about it or without them even really understanding why, if I can just get them to do it, they'll be better off. And so I'm okay with that. It's like, if you'll just do it, just accept it as, "Yeah, yeah, I know I've got to wash my hands after I go to the bathroom. Yeah, fine. I'll do it. I'm not going to think about it very much and I'm not going to wash them. I'm going to sing happy birthday halfway through. I'm not going to do it the whole way through." It's like, okay, great, thank you.
Jake Bernstein: Yep.
Kip Boyle: So, and that's an easy, easy thing to fix, even if they don't reconfigure their computer, there's probably somebody on their team. They may have an executive assistant or a really super smart techy person and it can be done for them. So they don't even have to actually make the change, they just have to live with the change. And believe me, I've gone through this, I mean this four point plan and everything I'm talking about in case you cannot tell, comes from my real experience in the market space, working with real entrepreneurs and trying to get their twitchy selves to sit down for five minutes and pay attention to me.
Jake Bernstein: Yeah. No, I agree, that makes perfect sense.
Kip Boyle: So, all right, so that's point number two. So again, point number one is accept that this is real and that you need to do something about it, you're a target. Number two, don't use your admin account for routine stuff. And point number three is use a high quality attack resistant password manager. And I believe we've talked about this in previous episodes, but just to be clear for those of you who haven't listened to our extensive back catalog, a password manager is absolutely essential in this day and age and will continue to be so until such time as we don't have passwords anymore. And everybody's talking about getting rid of passwords, but I haven't seen it happen yet. I know we're working on it, but until that happens, you need a password manager and it can't be the one built into your web browser.
It really needs to be a purpose-built, high quality password manager that has a team of experts spring loaded to fix vulnerabilities and to release patches as fast as possible, whenever issues come up, and they always do. And you need your password manager to create for you, and they will do this, unique, very long, complex passwords for every website where you have an account; you should never use the same password twice. And what I love about a password manager is it'll do this for you, it automates it. It is actually one of these rare cybersecurity things where you get more security and you get more productivity, you actually get a return on your investment for this password manager. So when I talk about password managers and I talk about how that actually gives them more productivity and security too, that typically will resonate with them.
Jake Bernstein: That's great. Who doesn't want more productivity? And I agree, 1Password is excellent and any of these password managers are very good.
Kip Boyle: Yeah. And so the two I always recommend are LastPass and the other one is 1Password. Now people say to me, well, which one should I choose? And I'm like, I don't know, Coke or Pepsi, blue or red whatever, just taste one and then taste the other one, buy the one whose logo you like the most, I don't know. It doesn't matter. Just pick one. The most important is that you pick one. And that's why I spent time examining two, because I wanted people to have a choice. People love having a choice. They don't want to be overwhelmed with choice. Two is a good amount of choice, that's what I've learned.
Jake Bernstein: It's true.
Kip Boyle: So that's point number three, and then point number four, stay off public WiFi. Just don't go there. Use your mobile hotspot instead for your devices, your laptop and your tablet that doesn't have LTE built in and even for your mobile phone. So your mobile phone has LTE or it's got some kind of a cellular data plan, just use that. Just shut off your WiFi and just rely on cellular data. And this is another great example where you're not just going to get better security, you're going to get better performance because WiFi in public is typically a shared bandwidth situation. And you should know this. Anybody who's ever gone to a conference or a festival, or any kind of a large gathering where there's "free" public WiFi, you could barely get on. And when you do it's horribly slow. So just skip that and get the better performance and the better security. So get rid of the public WiFi.
Jake Bernstein: Yeah. Always.
Kip Boyle: Yep. And notice how I've chosen action items that resonate with the entrepreneur's deep, deep hunger for productivity, for doing more with less, for not spending a lot of money on unessential things. I mean, the only thing here that really costs money is you're going to have to pay for the password manager, which is not much, you don't need to spend anything to use your admin account all the time, and you don't need to spend anything to stay off public WiFi, because most people have unlimited data plans. And if you don't, just upgrade to that, because it's really going to be worth it.
Jake Bernstein: Yeah. My son keeps telling me I should do that.
Kip Boyle: Okay. Now, Kip's telling you too.
Jake Bernstein: Yeah.
Kip Boyle: So that's the four point plan that I'm bringing to the table. What do you think?
Jake Bernstein: What about a VPN solution? I'm just curious because you hear about these all over the place. There's all types of VPNs.
Kip Boyle: Yeah.
Jake Bernstein: Let's just say that for some reason, what if I'm out somewhere where my cell phone has no reception and I need to use the hotel WiFi, for example?
Kip Boyle: Right, right, right, right. Okay. So what if public WiFi is unavoidable? Okay. I've been in that situation too, where I absolutely had to get something done and the only choice was some kind of public WiFi. Okay so the first thing I asked myself is I know it feels like an emergency, but is it really? I know I want to clear this action item, I know I want to send that message or whatever it is I need to do, but can I wait? A lot of times the answer is yes, I can wait. I just have to use some self control and make a note so that the next time I'm in a mobile range that then I can then do what I need to do. But if it's not then, okay, a VPN could be helpful.
I'll tell you though, I don't think of a VPN as a security device. A lot of people do, I don't, because I think that the real value of a virtual private network, and again, I'm talking about commercial services that you pay for, not a corporate VPN, but a commercial service that you pay for, the real value there is other things like skirting intellectual property rights. So you're in the United States and you want to watch a streaming show out of the UK or some other part of the world and so you can use a VPN to actually fool the broadcaster into thinking that you are geographically located in a different place than you actually are. Maybe some privacy, I mean, you don't want your internet service provider to know your browsing history. Great. Wrap it in a VPN. That's fine.
But if you want to cloak your traffic for security purposes, well, here's a couple things. First of all, most VPNs are absolute garbage and I can absolutely give you a link to an article that did a lengthy research project into VPNs. Most of them, for example, the encryption, which is essential for VPN, most of the encryption is implemented poorly or not at all. Or even if it's implemented, your VPN provider is actually siphoning off your browsing history and selling it. So even though your ISP doesn't get it, or your mobile provider doesn't get it, the VPN is selling it.
So it's like, wait a minute. It's kind of defeating my goal here. So you've got to choose your VPN very, very carefully. Don't choose it as you would a random piece of software where you're saying what's the greatest value for the money? How can I spend as little money as possible? And all I care about is price and performance. When it comes to security products like password managers and VPNs, you've got to add one other thing and you've got to make that actually number one, which is attack resistance and security functionality. I mean, those things have to be right. If they're not, then you're just throwing your money down a hole and you've got a false sense of security. So there's my rant on VPNs.
Jake Bernstein: Very good. So I'm glad that I asked. It's a good question, I think. People should know about that.
Kip Boyle: Yeah. I really think they should. If you're using a corporate VPN, that's a totally different story. Those are typically set up by wise IT systems administrators, and they terminate in what I would call a more or less safe zone inside your corporate network, and so the rant that I just gave you doesn't really apply to that situation.
Jake Bernstein: Yep. Got it.
Kip Boyle: All right. Any other thoughts about my four point plan for entrepreneurs?
Jake Bernstein: What about when you start to grow a bit?
Kip Boyle: When the entrepreneur's company starts to grow?
Jake Bernstein: Yeah. When should they expand their horizons on cyber risk management?
Kip Boyle: So the answer there, I believe, isn't really about size of the company, because I think that can be misleading. It's really about when do an entrepreneur's existential risks become manageable so that they can reallocate some of that bandwidth to cyber. And so some companies, their product market fit locks in and by the time they have six employees or five employees, they're generating revenue and they're growing. And that would be a good time for some companies. Let's say you're an attorney and you've just started a law practice and you get product market fit right away or within six months because the law that you're practicing, there's enough business in your local market and you can earn a living, great. But then you get these venture capital fueled wannabe unicorns whose product market fit continues to be uncertain.
Even after they have hundreds of employees, they've raised hundreds of millions of dollars. And it's still not clear if they're ever going to achieve profitability, I'm looking at you Uber. So now in those cases, sometimes cybersecurity has to be forced on them by a regulator or credit card regulations or something like that. And so that's the other extreme of when does an entrepreneur's company actually start practicing cybersecurity in the way that we're used to. So those are two ends of the spectrum that I've been seeing.
Jake Bernstein: That makes perfect sense. All right. Very good. So what else do you want to say? This might end up being a quicker episode.
Kip Boyle: Well, congratulations, everybody. This was the fastest maybe episode of Cyber Risk Management Podcast ever, but that's okay because I think I've made my point and so-
Jake Bernstein: Listeners can blame me. I'm sick, in case that's not clear.
Kip Boyle: Yeah. See, I deliberately chose a day when you were sick so that I could push my plan on you and know that you couldn't put up much resistance.
Jake Bernstein: There you go. Well, I'm still here so that works out. I'm doing this. I'm here for the listeners.
Kip Boyle: Well, we appreciate you turning out even though you aren't feeling well. The great thing about podcasts is you can't make anybody else sick, not even me, because I'm not even sitting in the same room as you.
Jake Bernstein: That's correct.
Kip Boyle: Yep. So we love it. Well, that wraps up this episode of the Cyber Risk Management Podcast. Today, we talked about cybersecurity for entrepreneurs and their employees. We'll see you next time.
Jake Bernstein: See you next.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR and IT for full effectiveness. So, if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.
YOUR HOST:
Kip Boyle
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
YOUR CO-HOST:
Jake Bernstein
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.