
We’re All at Risk of Breach, So What Should We Do?


Speaker: Connor Swalm

Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing, everyone.

Welcome back to another episode of Gone Phishing. I'm your host, Connor, CEO at Phin Security, and we're going to talk today about small business and cybersecurity breaches, or however you want to phrase that, just breaches in general. So what is a breach?

Well, I've categorized this as unwanted theft of information, access, or money.

But also, it's not just theft; it's unwanted access to information, money, or authorization. So a lot of times, a breach is not just someone who is actually coming into your business to steal something. It's just somebody who's there, who has access, and the thought, at least on the defender's part, is that that individual at some point is going to try to steal money, information, or access. So while they already have some amount of it, their goal is going to continue to be to expand that so that they can just have more. Things are valuable, information is valuable, access is valuable, and money itself is very valuable. And that's what people who break into your business and attempt to steal from it are going to want.

So the thing that I see a lot of times from small business owners, if you want to say small business owners, but largely it's people in general, is there's this sentiment of: I blend in. I'm not a target, I'm not at risk.

Somebody else is going to be at risk.

It's phrased a lot like any of those, or any variation of those as well. And I have no idea who said this, and I've pirated it 100 times.

So if anyone listening to this podcast knows who said this quote, first, please reach out to me on LinkedIn and let me know so I can attribute it to them, because I was not the one who made this up: "You're not too small to get hacked. You're just too small to make the news." And so I think there's this outsized expectation that, oh, I haven't seen companies like mine in the news get hacked, and so I am not at risk.

It's not happening.

I can promise you it is happening. Like it absolutely is happening, that small businesses are getting hacked on a consistent basis.

And if you don't believe me, the FBI reports on these statistics every year. And the amount of cybercrime, specifically cybercrime in the US against small to medium-sized businesses, is skyrocketing. It just is happening. And so a lot of people feel safe because they don't stand out, or because they believe they are too small.

When I'm here to tell you, that's just not the case. Now, what I will credit them with is that you might be too small to get targeted, like individually targeted. However, that is not going to stop you from getting swept up into a larger breach. What I mean by that is, basically, you're not going to get singled out, but let's say, and I don't know if I want to name the name, there is a well-known password manager that was hacked recently.

And by recently, I mean within the last year.

If you as a small business, or even you as an individual, used that password manager, there was a chance some of your information, your password manager, which is like the keys to the whole kingdom, could have gotten stolen. That was just a reality. Now, I have no idea what the end result of that was, but I do know that the risk at that point was not that your business got hacked. The risk was that a tool that you use got hacked.

And then the information that was taken from the tool that you use could be used to hack your business. That's called third-party risk, it's called supply chain risk. It has a lot of different names, but it's basically that sometimes your business was not the target, and that was not the reason your business ended up getting hacked. It was because a tool that you used got hacked. A third party. And so even if you believe you're not going to get targeted, you probably use tools from companies large enough to be targets, like Google. Who wouldn't target Google if they thought they could get away with it? I was going to say YouTube, but YouTube is owned by Google, so that's a moot point.

But I don't know.

Yahoo, Microsoft, Cloudflare, I'm just throwing out random names now, software that you're likely to use on a regular basis.

It's like, well, there was the big Sony hack.

What was that, almost ten years ago?

Now, if you had an account with Sony, maybe that information is out there on the web. So even though your business wasn't a target, you will become a target as a result of being swept up in those large organizations.

So I bring this all up not to communicate that you should be incredibly scared about any of that happening.

But for anyone you're talking to, or maybe if you believe this yourself: even though you are right that you're probably too small to be targeted, you're using tools, and the total risk that you're exposed to is way more than just your actual business systems. It's the tools you're actually using for email, for calendar scheduling, for anything at all.

And if you happen to reuse passwords, I'll give you another pedantic example. Let's say you use DoorDash, and you reused a password from DoorDash on some other tool in your business. Well, congratulations. If your DoorDash gets hacked, then they technically have the password to your other tools as well.

So it's just like there is this cascading effect where sure, you might not be large enough to get targeted, but you are absolutely at risk and you should be aware of that.

So it's just a mental switch that folks need to be aware of, so to speak. It's just that you believe these things even though they're not true, largely because, I guess, nobody's told you otherwise.

Or it's just hard to understand. It's something built in, so to speak.

So, what should you do to prevent a breach?

There is a ton of advice I could give here, but I'll draw a lot on the many presentations I'd give for small business development centers. Those are organizations that are funded by local, state and federal government to help small businesses get up and off the ground, whether that's through loans or through education. And I'm going to sum up the entirety of the program that I would run for them, and the entirety of the education I would give them, in a sentence: be the second-slowest person that the bear is chasing. So I'm sure all of you have heard the statement, or the idiom, you don't have to outrun a bear, you just have to outrun the person next to you.

There is a little bit of truth to that when it comes to your cybersecurity posture.

Specifically for small to medium-sized businesses, it's usually not a crime of intention when you get hacked. It's just a crime of circumstance and a crime of ease.

If it's easier to hack you than it is the person next door, congratulations. You're going to be the one that gets hacked. That's just how it's going to work. Specifically in a world where the real value in targeting companies comes from targeting these incredibly large organizations that have a very large amount of money, a very large amount of information, and a very large amount of access, right?

In the case of the password manager. Millions and millions and millions of accounts and passwords.

And that is a ton of access that somebody could get if they end up hacking that. You happen to get swept up into that. But that's not because you had any individual value; it's because there were millions of people in there, millions of pieces of access, that ended up giving it value. So that's why, when I would do security education, just basic principles, it's simple things such as: here's how you identify phishing.

Here's how you implement MFA, here's what multi-factor authentication really is. Funny anecdote. I would also always make the statement, "The IRS will never call you." And then I'd do another slide right after that, and it would still say, "I promise, period, the IRS won't call you. That was not them." And then sometimes I'd add a third slide that was just a restatement of, "No, seriously, they won't call you, just stop picking up the phone." And inevitably, I would still have people that I'd be talking to that would ask me.

It's like, are you sure that's not the IRS on the phone and I don't owe them taxes?

I was.

Yes, yes. They're not going to call you, just hang up the phone. But that brings up a good point: a lot of this cybercrime, if it is a crime of ease, just because it's easy to happen, and it's just like a drive-by cybercrime, so to speak, a lot of that is just sweeping you up into emotions, because the average individual doesn't understand most of security. So if the IRS calls you and says, you owe us $100,000 in taxes, and we're going to take your home if you don't pay it, or something like that, the threat of that is sometimes capable of getting somebody into enough of a panic that they just go along with it. So that's what I would do a lot of education on: you need to stop, slow down, and you need to understand, educate yourself, so to speak.

Another very big example I always gave was, your bank.

Sure, your bank's going to call you.

If your bank ever calls you, and you could take this today: your bank ever calls you and says, hey, whatever, there are disputed charges, or there's some issue with your account, you owe us money, or we need your password. I would always give two pieces of advice. One is, your password is your password. Anyone who is asking you for your password to any of your accounts is not in the right, and you should never give that out. It's your password, it's your access, it's not theirs. And if your bank is calling you, whoever's doing that should have enough information and enough access to handle this thing without them needing your password.

So never, ever, under any circumstance, in any world, universe or otherwise, or in any alternate timeline, ever give out your password. It's yours. Don't give it out. But the second thing was that emotion I talked about. If that phone call or that text message or that email is enough to start spinning up those thoughts of, wow, I might really be in trouble, or I really need to go do something about this, there's a very, very simple step you can take to relieve all of that anxiety. Go to the website of your bank. Right? Go to PNC.

I don't even know what PNC's website is.

Go to citibank.com, or wherever you bank. There will be phone numbers you can contact, there will be emails that you can reach out to, or go to the website, log into the account, and go through the messaging app that is typically located within your banking portal. And then they'll tell you, in 99.99% of cases, we have no idea what you're talking about.

That was very clearly a scam. That's what I would always suggest. So I guess one thing for you all to take with you, or I guess two things: just because you're not big enough to make the news doesn't mean you won't get breached. It is possible. We live in a really connected world where you're using tools from incredibly large companies in your day-to-day personal life and in your day-to-day business life. And the second thing is, most security breaches, almost all of them, that relate to humans are all centered around getting you into this emotional mental state of anxiety and panic so that you just blindly accept the commands that come after, to give this person whatever access or information they want. And what I would say is, breathe. And then, in the case of your bank, or, like, you can do this with any tool, any person that's calling you or any company, quote unquote, that's calling you to try and get you to do something: you never give out your password, ever.

It's yours. The second is go to the official company website, call back on the official number, go into the portal and actually lodge a support ticket or tell them what's happening and ask them if they can go check.

And by the way, anyone you're on the phone with that is cautioning you not to do that, you should hang up the phone and you should go do it anyway because that is the proper way to get.

So that's what I would say. Those are the two pieces of advice I would always give to folks that I was giving a little bit of education to, and now I've given it.

To you here today. If you have any comments, questions, concerns, or feedback, or you just want to reach out and say hey, you can find my LinkedIn in the show notes, and I'm always willing to connect and chat with you all. I think that would be a lot of fun, and I highly encourage you to go do that. But once again, I am Connor, host of the Gone Phishing podcast that you've been listening to for the last little bit, and I can't wait to see you next time. Bye. Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, and how to launch them in ways that actually engage employees to change their habits, then check us out, Phin Security, at phinsec.io.

That's P-H-I-N-S-E-C dot IO, or click all of the wonderful links in our show notes. Thanks for fishing with me today, and we'll see you next time.