EPISODE 87
 
Cybersecurity for Small Companies

About this episode

August 31, 2021
 
What are the best options for small and medium-sized businesses when it comes to cybersecurity? Let's look at the common barriers and what options they have with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates. Check out the CR-MAP that Kip mentions here: https://www.cr-map.com/

Episode Transcript

Voiceover: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle, and your virtual cybersecurity counsel is Jake Bernstein. Visit them at Cyberriskopportunities.com and Focallaw.com.

Kip: Jake, hi. What are we going to talk about today?

Jake: Hey, Kip. Today, we're going to talk about cyber security for small companies.

Kip: Yes. Yes. This is great. I remember how we decided that we were going to do this. Just so everybody knows, we were recently working with one of our joint clients, which is a professional sports team, which quite frankly, we're thrilled to be working with them, but they've got a pretty big IT crew, and we are often talking to them about difficult cybersecurity problems. At one point while we were in the middle of some problem solving, all of a sudden our client said, "Geez, this is really complicated. How would I do this if I was running a 50-person company? How could I do cybersecurity right if I was smaller?" We were just like, "Wow, that's going to be a great podcast episode when we do that one." That's a great question, super insightful.

Jake: Yeah, it really is. I think what's really important is that this topic not be given short shrift, because I think so much of the market focuses on big enterprise style clients and services that really target the enterprise, that I thought, "Hey, I know a company, Cyber Risk Opportunities," of which, in your other life, you are the CEO and the founder. It's not that it doesn't help larger businesses or enterprise, but it really does focus a lot on helping small businesses. So today let's interview you about how Cyber Risk Opportunities does just that.

Kip: Yes. Thank you. I think that's great. We've been studying how to help small businesses for years now, and we actually, I think, are doing a good job of helping them, and so I'm glad to get an opportunity to share what we've learned.

Jake: Great. So let's do it.

Kip: Yeah.

Jake: Let's get clear on what exactly small business means, because I think terms like small and medium-sized business get tossed around an awful lot, and we don't really have good definitions. Since, as we've talked about, lawyers like to define terms, let's do that. So small businesses have fewer than 500 employees. However, as a group, they account for 99% of all business establishments in the US, which is kind of amazing.

Kip: It is amazing, because it's like the silent majority, right?

Jake: It is.

Kip: Based on just reading the headlines in the news and whatnot, I don't think most people realize this.

Jake: No, I don't. I think what's really interesting too is, there are 28.7 million firms, give or take, in the country, and 28.4 million are small business, which means they have less than 500 employees, which means only 300,000 companies in the US have 500 or more employees. Now, let's be clear. That's still a lot of large businesses.

Kip: Yeah.

Jake: I mean, when people talk about... I don't know anyone personally who could name the S&P 500 or-

Kip: Or the Fortune 1000.

Jake: The Fortune 1000 even. So if you think about, there are 300,000 companies in the US that have that, that's still a lot, but that's nothing compared to the 28.4 million firms that are small businesses. Of course, small businesses employ nearly half of all US employees, 48%, and contribute over 43% to net job creation annually.

Kip: That's incredible.

Jake: It's a lot of people.

Kip: It is. It's a lot of people. It's a lot of entities. I think of that when I think about the 500 or less employee dividing line, really, I think what we're talking about is small business includes medium-sized businesses, right? So SMB, that's the term. So if we just say, we're talking about small and medium-sized businesses in the United States, and looking at those numbers that you just shared, they are the backbone of the US economy. If all of those companies disappeared, it would be traumatic.

Jake: Oh, very much so. But here's a problem that they face, is that they're an easy target for cyber criminals, because they don't have the infrastructure and the large IT teams. So what have you seen in the SMB space and the cyber criminal behavior?

Kip: They are an easy target for cyber criminals. I think later on in the episode we'll unpack that a little bit more, but I just want to say upfront that it's true, and it really makes me angry. I know I'm kind of laughing right now, but it's just not right that cyber criminals can steal from us with almost no risk of getting caught. I think it's one thing for large companies to be exploited, and many of them are being exploited very badly, but they have some heft and inertia, and their size just really keeps them from being taken out, to be made bankrupt. Even some of the most horrible incidents haven't actually put them out of business, but that's just not the case for smaller companies for, again, this backbone of our economy, and the fact that they can just be stolen from and put out of business in many cases with no risk of getting caught for the people who are doing this, is just awful.

The most recent ransomware attack, high-profile ransomware attack, we heard all about Kaseya, right? This was a large IT software provider, to managed service providers, and downstream from those two were a bunch of small, medium businesses. These were companies that were big enough to have IT needs but not big enough to have full-time people on their staff to administer their technology, and so they outsourced it. They just got their clocks cleaned. I think it's really awful that that happened.

The press is so focused on Kaseya that they don't seem to really be covering and naming and shining some light on the fact that really SMB companies are the ones that were really made to suffer. They're so outgunned. It's just like, they're just laid bare. I don't think SMB senior decision makers really understand this. Cyber criminals have massive budgets. They have sophisticated tools. They can target anybody economically. It doesn't matter how big or how small you are.

I guess the other thing I'll just say at this point about why they're such an easy target is, you've got SMB companies that are exposed just as much as large enterprises, but they only have a fraction of the resources to deal with it, right? They need time, they need money, technical skills, and I think maybe sometimes, most importantly, sophisticated management approaches.

Jake: I think it's really important to realize those risk factors, and I think a lot of people tend to think, "Oh, well, it's not going to happen to me," or they don't understand how easy it is for cyber criminals to exploit small businesses. Can you explain why it's so easy for cyber criminals to exploit small businesses?

Kip: Yeah, absolutely. It's counterintuitive is what I'm realizing when I work with senior decision makers in SMB, and I talk to them about what the risks are. So in those conversations, I've kind of teased out something that I think is really important. These threats, they can't see them. They're not tangible, right? These are things that are going on in the digital world. So it seems to me that senior decision makers are thinking about this problem the way they think about the IRS, the Internal Revenue Service.

So they know that if they don't pay their taxes, they know that if they don't keep clean books and so forth, that they could get in trouble with the IRS, but they see the IRS as this big sprawling bureaucracy with a somewhat limited budget, and that requires them to focus on big companies, because that's where they're going to get the most return for their efforts, right? So if I audit a giant enterprise with the amount of resources that I'm going to spend to do that, I can only audit a small number of SMB, and the amount of money that I might be able to identify as being owed to the government, I'll probably identify more money with a big company if I audit them than if I audit a lot of little companies, right?

So these SMB senior decision makers, this is what they're thinking. They're going, "Well, I'm just too small to justify any effort on behalf of the IRS to scrutinize me, or nothing more than just the most cursory look at me," right? "So if I just ignore a few of the things the IRS wants or even if I ignore a lot of what they want, as long as I keep my head down, do the basic what needs to be done, then they're never going to really even know that I exist, and I'll be fine."

I think that's kind of true, right? If people are thinking about the IRS that way, that's more or less true, I believe. But the problem is, is that they seem to be extending that thinking to cyber criminal gangs. I can see it on the surface. Cyber criminal gangs, they keep a low profile. You don't see them until you see them, so on and so on. But I think SMB leaders are saying to themselves, "Well, cyber criminals work the same way as an IRS bureaucracy. They're slow, kind of ponderous, and they're predisposed to only going after the largest enterprises, because that's where the biggest payday is going to be, right? Break in once and you can steal a lot."

But this is just not right thinking, because modern cyber criminals don't work that way at all. They don't have to pick and choose their targets. They actually have mastered the art and applied both technological and capitalistic approaches to finding SMBs and victimizing them. It doesn't matter what size they are, and it doesn't matter what industry they are. I think the best way for senior decision makers to think about it is, you know how Amazon uses technology very, very effectively to compete with Walmart, to almost terrorize Walmart. That's how you need to think about cyber criminals, as these are competitors of yours, and they are out to get you, and they are.

Jake: I think that's all really, really important. It's a mindset issue. It's a defensive mindset issue. Really, everything you've just described is really, you could almost summarize it as, "Well, that won't happen to me."

Kip: Yeah.

Jake: It's that feeling of invulnerability.

Kip: "I'm too small or too insignificant. I don't have enough."

Jake: "I don't have enough," exactly. Which, there's actually a specific name for that, security by obscurity.

Kip: "I'm too obscure."

Jake: "I'm too obscure." That's not exactly what security by obscurity means, but it definitely fits the concept, which is, "They won't find me."

Kip: Yeah, "I'm not on anybody's radar screen."

Jake: It's just not true. So what happens to a small or medium-sized business who actually gets exploited or successfully attacked, to use the normal code of terminology?

Kip: Yeah. Well, so if they get attacked, everyone's getting attacked all the time. You don't always know. Unless you have a firewall and you're looking at your logs all the time, you don't see all the attacks, but they're happening all the time. Every second of the day, everyone's getting attacked. Sometimes the attacks are just somewhat innocuous queries, where criminals are just sort of inventorying the internet, trying to figure out who's out there and stuff all that information to a giant database. But everyone's getting attacked all the time. The issue is the exploitation, right? It's actually getting attacked to the point where you get exploited. That's why I like to use that word. But SMBs suffer in the same way that a giant enterprise suffers, which is to say they get distracted, that their executive team gets very, very distracted for months.

The other thing that happens that's the same is expenses. The expense of recovery is tremendous. Unless they have adequate insurance and the insurance company actually decides that it's a legit claim, they're going to get just hammered with expenses. That's one thing that's unique about SMB, I think, when they get exploited, is that they have a much greater risk of going into bankruptcy over this, that the cost of recovery will just quickly become out of reach for them, and they can't recover at all.

Or the other thing that happens, and I've seen this, is that the cost of recovery is tremendous. It's within their means, but the owners just don't have the heart to rebuild from scratch. They look at the wreckage of their company. They think about the tremendous amount of work that it's going to take to recover their reputation, to rebuild their customer lists, and they just don't have it in them. So they just say, "Well, I'm just going to retire," or, "You know what? I'm just going to get a job somewhere else. This just doesn't make any sense anymore." Very little of this makes it into the national news, because it just doesn't... Individually, it doesn't hurt the economy when that happens. It's absolutely devastating to the owners of these businesses, though.

Jake: Remember that, as we talked about, there can be up to 500 employees, so you're right, on an individual level-

Kip: One of 28.4 million disappears.

Jake: A business with 304 employees going out of business after a ransomware attack is not going to make the national news, although maybe it should, but the problem is, is that it happens, it's probably happening far more often than we think.

Kip: I think it's the aggregate, right? If somebody would sit down and aggregate this, if they had the visibility to see just how many companies this was happening to on a regular basis, I think that's the story, is the aggregate. So yeah. Some people just think, "Well, that's just sort of capitalism, right? That's just, companies go out of business all the time."

Jake: Which is true, but it's not because of... Let's think of it this way. If businesses were being physically robbed at the same rate that they are being cyber attacked, I think there would be a very different narrative around the country. People would not, they just wouldn't stand for that. They just wouldn't... There would be-

Kip: And they don't. Anytime somebody pulls out a weapon, a handgun, whether it's loaded or not, we don't even know, but you pull out a weapon and you hold people for their money or whatever-

Jake: It makes the news every time.

Kip: Oh my gosh. National news, right? You can take somebody hostage in a small town anywhere in the country, and if that goes on for any length of time, you're going to have news crews just prowling around, and it's going to become sensational. You're right. The same thing, if I wield a digital gun and steal from somebody in silence, there's just no interest.

Jake: Yeah, it's fascinating. So okay. All of this is the case. What are their options?

Kip: You're seeing this too, right? I'm sharing right now my perception on SMB. I know that, Jake, you don't work with SMB as much as I do, but does this all seem to be right to you?

Jake: Well, I certainly get calls quite often about business email compromise, small ransomware attacks, and none of it, I'm not seeing news stories about it, so yeah, it absolutely jives with what I'm seeing.

Kip: Yeah. Okay. Okay. Good. I just want to be clear that what I'm sharing right now is my direct experience talking with senior decision makers in SMB. So yeah, it's anecdotal, but that's definitely what I'm finding out there.

Jake: Yeah. So these SMBs, they need options. What are the four most common potential responses?

Kip: Yeah.

Jake: Some of these should not be labeled as real options.

Kip: Yeah. Well, we talked about this before, right?

Jake: Yeah.

Kip: Over time I've shared with you the four common options that senior decision makers tend to choose from. Let me just share with you what they tend to choose from.

Well, the first thing that I see that they do is they pretend it's not a problem. When I say pretend, I choose that word carefully and deliberately, because I think no matter how much somebody protests to me out loud that they're not a target, I think secretly inside they know they are, but they just can't admit it. For some reason, they just can't admit it. They don't want to admit it. They have too many other things to do, whatever the issue is, and so they just pretend it's not a problem.

Cynically, I could say, "Well, they're just putting their head in the sand and they're just being silly." I think I've said this to you before, that when I talk to somebody about helping them with their cybersecurity and they just start acting like nothing bad's ever going to happen to them, I just think to myself, "Well, this is about as useful as me trying to sell life insurance to Zeus, so I think it's time for me to go."

Jake: I agree. I think that's important for sure. So, they can pretend it's not a problem.

Kip: That's the first option, yeah.

Jake: What's the second option?

Kip: The second option is they can admit that it is a problem, but they're just choosing to do nothing and hope for the best. The reason why I think they do this is because in their minds, they're imagining these long sweaty lines at the airport to go through security to try to get to their gate, right? That's what they think security is, and who can blame them? They've actually experienced that, and so they think-

Jake: Sometimes that's true.

Kip: It's often true, right? They're just thinking, "Oh my gosh, if I try to do something about this, the cure is probably worse than the disease. My company would become so process bound and dominated by administrative overhead and so forth, we'd never get anything done, so it doesn't make any sense. I know it's a problem, but it doesn't make any sense for me to do anything about it, because I can't stand the idea that we're going to get crushed with security, so forget it. I'm just going to keep going and hope for the best."

Jake: Okay, and your third option here, I think is, it oftentimes folds into the knowing it's a problem but not doing much. This one is merely install an antivirus software package on their computers, oftentimes not even paying attention to the required updates. I think that does happen a lot. We've talked about the, you and I at least have talked about the so-called curse of knowledge, of forgetting what it's like to not know what we know. I think that's a really important thing to keep in mind, is that so many computer users just have the barest understanding of how their machines work. That's normal, but at the same time, it does mean that... I read this and I thought to myself, "Well, who wouldn't update it?" But then I realized that even really being aware that software requires regular updates, that's part of the knowledge space that we have. It's important to keep that in mind when we, particularly for these SMBs, that we've already established are unlikely to have sophisticated IT groups.

Kip: Right. Yeah, that's right. So they want to do something, right? So this seems to be the answer, just install an antivirus package. They're looking for an easy button, right? God bless them. They want to do something, so they're doing something. They're kind of just going with the herd, right? I think too, senior decision makers at SMBs tend to skew older, and we grew up at a time when really that's all you did need to do, and you were fine. There was a time in history when that was okay. There was a time in history when you didn't need a password to get onto your computer, and nobody had a firewall either. I remember those times, and certainly that's not the case anymore.

So I think, in part, their thinking is a little behind the times. I think there's another thing going on here too, which is a little bit of, "Well, if I do get hacked, I can at least say I did this, right? This is what everybody does." So there's a little bit of cover your ass here. "I'm going to put this on and then if anything bad happens, I can at least point to it and say, 'Well, I didn't do nothing. I did this and everybody does this, right? Isn't this enough?'" Yeah, so that's the third option, is just sort of doing this little minimal thing and then just getting on with life.

Jake: Now, your fourth option here really strikes me, because I hear this all the time, all the time. Tell us what it is, and then I'll comment.

Kip: Okay. So the fourth common option that I see SMBs choosing to deal with the threat of being exploited by cyber attack, is they actually contract with an IT specialist, and it could be a managed service provider, or, I don't know, maybe it's just somebody that they hire part-time or whatever, but they find somebody who's good at IT, and they say, "Handle it," and they just walk away. "Handle it," and they just get back to their jobs. They've delegated it. They abdicated it, and they're just like, "It's done, it's dealt with."

Jake: It's the IT guy, right? That's just how it is thought. The problem is, is that what it does, and we can talk about this in more detail, and I'm sure that we will, is that when you do that with security and you make the classic mistake of conflating cybersecurity with IT support, you end up offloading a major business risk to someone who is generally not qualified to handle it, and you probably don't even realize what you've done.

Kip: No, no, you don't. This goes back to an earlier point that I made about, SMBs don't typically have management approaches that are as sophisticated as larger organizations, and this is where it comes into play here in these four options that we're talking about. This is where it really comes into play. If you just take cybersecurity and cyber attacks and just say, "Well, it has the word cyber in it, so it's just a technology problem," and then you hand it off to them. Yeah, it just is not very effective, and we can see it. There's data, abundant amounts of data, that shows that this approach just does not work. One of the reasons, God bless him, it's not really the IT person's fault, because they don't really get set up for success to do this.

What I mean by that is, for example, if the printer doesn't work, then who gets yelled at? The IT person. If the website's down, the IT person gets yelled at, right? So what they're really attuned for is availability. That's really what IT people pay attention the most to. This goes back to the CIA triad, what is it that cybersecurity is all about? Well, it's about confidentiality, integrity and availability. IT people are all about availability, because they get yelled at when the availability isn't attended to. But they rarely, if ever, get taken to task for confidentiality problems, integrity problems, and that's where we get into a lot of trouble. That's where the real issues are, but they're just not set up to deal with that. They've really never been trained to do it, and they don't get in trouble really when it goes bad. People just assume that, "Well, we've been attacked by a sophisticated group and nobody could have avoided this," just kind of the crosstalk.

Jake: That is my favorite excuse or rationalization, is, "Oh, how can we possibly have defended against that?" Let's be fair. There are times when that is a true statement, but those are probably not the SMBs being attacked by those, because here's the thing. We spent all this time talking about how it's a bad idea to think in terms of you're too small to be targeted. Well, there is some truth to that when you talk about the truly sophisticated kind of nation state level actors. Because with those situations, that level of attack does require a fair amount of skill and human attention span. So those ones, and we usually call those APTs, advanced persistent threats. One of the reasons that they're advanced and persistent is that you really do have people behind that who are skilled hackers.

Kip: And they're determined.

Jake: And they're determined.

Kip: They have a very specific thing they want to accomplish.

Jake: Yes.

Kip: Two examples that I'll put on the table right now, the Sony hack in 2014, I believe was the year, when the North Koreans completely decimated Sony digitally. They compromised all their digital assets. They released films before those films were able to be shown in movie theaters. They stole all the emails and released all the emails and completely embarrassed lots of people for saying things in email that they never thought would see the light of day. That was a direct retaliation to a movie that Sony was making and was going to release that was going to embarrass the North Korean leader on the world stage. That's an example of a targeted attack, where a government with vast resources made the decision that they're going to make Sony pay for what they're going to do.

Another example is NotPetya, so in 2017, we believe that the Russian government compromised a tax preparation software package in Ukraine, and they compromised it. They released an exploit, and it went on to do 10 billion dollars of damage around the world. They were determined that they were going to do this, and they did it. Those are the kinds of advanced, persistent threats that we're talking about. Really, I don't think that SMBs really have to worry about that, and I don't think they... They really can't anyway. They just don't have the resources.

Jake: Correct. Correct. That is all true. Given all of this, it's pretty obvious that these options don't make sense, given the threat being, that's faced by the SMB space. So what can we do?

Kip: Yeah.

Jake: What should be done?

Kip: Yeah. Well, so obviously those four don't make sense. I absolutely agree. Through talking with SMBs and then finding the ones that want to do something but don't know what to do, who want to do something really effective but don't want the long sweaty lines at the airport type of an experience, we've come up with something that is really working.

So let's talk about the goal. What should be the SMBs' goal here? All right. Well, what we figured out is that they shouldn't be thinking about perfect security, because that leads to visions of those long sweaty lines at the airport, and they shouldn't be focused on achieving world class security, because that invokes visions of large payments, like a tap on their checking account that's going to open and never shut off that's wildly expensive. I don't think those are the goals.

I think the goal is to become a difficult target, and that's a much more achievable goal. Just become a more difficult target. Just get above the fray. There's so many different ways to think about this. You can just say, "Well, when I park my car in a lot and I'm going to commute, I'm just going to put a club on my steering wheel," not because the club is perfect, but because it's a very visible signal to criminals, like, "Just go steal an easier car to steal," because time is not on their side. So that's just a visible signal that, you really don't want to steal this car, go get another one. You've made yourself a more difficult target.

You can think about it in terms of floods. If you can just build your house a little bit higher, then where the flood is probably going to happen when it happens, then you're going to be able to avoid the flood. So you just want to become a more difficult target. I think that's really what SMBs need to focus on.

Jake: Well, and in a way it's the old kind of semi joke that you don't need to run faster than the bear. You just need to run faster than the other person being chased.

Kip: Yeah. Yeah, absolutely. That is a kind of a hackneyed little joke, but I think there's a ring of truth to it, absolutely.

Jake: Yeah. Okay. So there are a lot of risks to manage across their business. They don't have enough resources to manage them all, especially all of this strange cyber stuff, which may seem out of reach. Tell us the better way. Illuminate.

Kip: Yeah. Yeah. So this is what we found. Just by going into the market and helping people, we've found a way to help them become a more difficult target and to do it in a way that's business savvy, and I think that's so important. It has to be business savvy. We cannot bind them by putting their feet in concrete, right? So this approach that we've come up with, it's a three-step process, and we call it a cyber risk management action plan. That's what comes out from these three steps that we follow, is an action plan designed to reduce cyber risk. So it's three steps. Let me tell you what the three steps are.

So the first step is, what are your top cyber risks? How can we identify what they are? The second step is, okay, now that we know what your top cyber risks are, we're going to bring in our expertise, and we're going to figure out how to mitigate those risks. When we do that, what we're doing is we're looking at who you are as a company, your unique business model. Then we're pairing that with what we know works from experience, practically what works. So we have a little catalog of things that we know that work, that deliver lots of business value when you use them. So these are dollars very well spent.

We're also keeping an eye on the criminals, right? Because as I write about in my book, Fire Doesn't Innovate, they're always figuring out new ways to attack us. That means we have to defend ourselves differently over time, and so we keep an eye on that too. So we mash up those three data sources, and we use that to finish step number two, which is creating a business savvy cyber risk management action plan.

Then step three is we mitigate those... Or sorry, we implement those mitigations, and we do that together with our customers. One of the ways we do that is we have a deployment kit. So every mitigation that we recommend, we're going to be giving them either a plan for getting that mitigation done, a template document that they're going to use to make that mitigation happen, or maybe some kind of procedure that they're going to modify and implement. So these are minimum viable items in a deployment kit that's going to make it a very business savvy result.

The other thing we realized, Jake, about serving SMB is that we have to be very, very careful about how many resources we consume. So to do steps one and two, to identify top risks and then create the CR map, that is what we call it, it doesn't take any more than six hours of our customer's time over three weeks. Just six hours over the course of three weeks. That's the commitment. The feedback we're getting is that's totally reasonable. People can do that. We schedule all that time up in advance. That way there's no time spent trying to figure out where to fit meetings into calendars.

Jake: It feels like it would be somewhat inexcusable as an SMB owner to not spend six hours over three weeks to potentially avert disaster.

Kip: We've talked a lot about reasonable cybersecurity. What's reasonable, right? People want to practice reasonable cybersecurity. We're obligated to do that by our regulatory bodies. The Federal Trade Commission, which regulates all commerce in the United States, expects us to practice reasonable cybersecurity. But I think for SMBs, that has been elusive. What is reasonable? So yeah, I think it's reasonable to spend six hours over three weeks trying to figure out what to do.

Step three, when we do the mitigations, when we actually implement them, so now you've got a deployment kit, so you've got a leg up on everything, and you can decide how much time you want to allocate to implementing. You could say, "We want all this done in three months, nine months or a year." I don't think that it really matters how much time you take to implement the mitigation plan, but I think what matters is you need to get on that journey. You need to get going and establish some momentum. That's what we're doing. You know what? People are telling us they like it.

Jake: Yeah, and that makes perfect sense. As we've already talked about, a typical SMB is not going to be specifically targeted by the nation states with unlimited resources. They're really looking to be exploited as a target of opportunity discovered by automated tools or just a standard business email compromise attempt. You make them a difficult target by creating a custom cyber risk management action plan. We talked about how that works. Talk a little bit more about the actual CR map, the cyber risk management action plan. When it's finished, they're set up for success because why? What do they have?

Kip: So let's talk about what you get. So I've talked about how we do it. Okay, set that aside for a second. You know it's lightweight. So there are really five things that they're going to get. So the first is, they're going to get a prioritized, cost-effective cyber mitigation plan, right? So it's prioritized and it's cost-effective. Most of the mitigations cost nothing. You don't have to write a check. You just have to make some changes. That's what our deployment kit helps you figure out how to do. So that's the first thing.
The second thing is you get an implementation roadmap. So not only is it prioritized, but we actually sort it out so that you can move fast, as fast as you want. When you implement these mitigations, you're not going to overwhelm your workforce with changes, because that's one thing that we've found that everybody, no matter what size you are, you're always rightly concerned about, "Hey, we're going to change the way people work and that's super disruptive and we need to be really careful," and we are careful about that. We're very careful when we design the roadmap so that you're not going to overwhelm your folks. This gets back to the whole idea of putting people's feet in concrete or forcing them to go through a long security line. We don't do that. So that's the second thing.

The third thing, again, is the deployment kit, the minimum viable plans and templates and procedures that we could provide for every mitigation. Now, the fourth thing that they're going to get, and this is kind of cool actually. We didn't even know that this was a thing until we started working with SMBs, is free project management tools. So it turns out that most companies don't really have a project management tool, but they need something. So what we've done is we've built a very basic set of project management tools in Microsoft Excel, because what we found out is everybody has that. So we just said, "Great, we're going to build some project management tools in there," and when we're done making them a CR map, we're just going to give them a spreadsheet with these tools, and all their data is already going to be entered in there, so there's no data entry burden at all.

Then the fifth thing that they're going to get is we're going to help them implement. So a CRO technician is going to be assigned to actually help them do the implementation of the more challenging mitigations. A lot of them are not that challenging. You just have to do them, but we actually will help with the mitigations, the actual implementation. So all they have to do is just set a deadline and say, "Okay..."

Jake: And get to work. Of course, you'll be right there beside them as much or as little as they want. I've seen the prices. It's very affordable. It does vary somewhat based on size and sophistication. We are talking about less than 500 people, but there's a big difference between a five- or six-person company and a 457-person company.

Kip: Yeah, absolutely. We can serve all of them actually. We have versions of a cyber risk management action plan that is scalable and suitable, and we've helped companies as little as five or six people, and we've done it affordably. I've actually sat down and deliberately designed the pricing so that it would be affordable and it would move the needle. So yeah. So we have a whole range that we can help.

Jake: And all of this is being done and available for SMB today, correct?

Kip: Yeah, absolutely. We actually have, we've asked for our customers like, "Well, if you're happy with this, will you even write us a testimonial?" My gosh, we've got a whole stack of them. I mean, people who actually said, "This is so good that here's my name. Here's my company name, and here's a little blurb about what we liked about it, and you can share that with people. You don't even have to ask us in advance." I think that's really striking, because we're talking about people's digital dirty secrets here, and they're so happy that they're just, they just don't even worry about, like, "Gosh, I wonder if we're going to get some negative attention." So, I couldn't be happier.

Jake: Yeah, for sure. Any final words? I think this is your opportunity here to really be very, very clear about Cyber Risk Opportunities, and to the extent we have SMB listeners, let's put it out there.

Kip: Yeah. Look, here's the bottom line. This is my elevator pitch. Every business is a target, right? So for sophisticated cyber-criminals, even small and medium-sized businesses. So what we do is we work with you to build a business-savvy cyber risk mitigation plan. When you have that, it frees you to move the needle on your business, while at the same time, you are letting cyber criminals know that they need to move on to a softer target. So that's the value prop.

Jake: Excellent. Well, today, that wraps up this episode of the Cyber Risk Management Podcast. I don't do this very often, so it took me a second to remember how to wrap up an episode. Today we talked about cyber security for small companies, and we will see you next time.

Kip: Yeah, right. Okay, cool. See you next time, everybody.

Voiceover: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.