Welcome to the Cybersecurity Readiness Podcast Site
Nov. 23, 2022

How do SMBs protect themselves from ransomware attacks?

A recent Global SMB Ransomware survey finds that nearly half of small and medium-sized businesses (SMBs) have experienced a ransomware attack, yet the majority aren't sure they are a target, and most are not confident they can fend off such an attack. Since 60% of SMBs are known to go out of business within six months of being hacked, it is a very troubling state of affairs. In this episode, Grayson Milbourne, Security Intelligence Director at OpenText Security Solutions, joins me in discussing the security challenges faced by SMBs and sharing success factors and best practices.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-39-how-do-smbs-protect-themselves-from-ransomware-attacks/

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

Transcript

Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Our discussion today will focus on the challenges and best practices associated with securing small-to-midsize businesses. We will be using the acronyms SMBs or SMEs during the course of the discussion. SMB stands for small-to-midsize businesses, SME stands for small-to-midsize enterprises. I think it's okay to use these terms synonymously. A quick definition: small businesses are usually defined as organizations with fewer than 100 employees. Midsize enterprises are organizations with 100 to 999 employees. This should be a very interesting and useful discussion because the attacks on SMBs are growing and a survey finds that 60% of small and medium-sized businesses go out of business within six months of being hacked. Grayson Milbourne, Security Intelligence Director at OpenText Security Solutions, is our guest for this episode. I'm delighted to have him join me in having this very important conversation. Grayson, welcome.

Grayson Milbourne:

Hey, thank you, David. Glad to be here.

Dr. Dave Chatterjee:

So before we get into the details of SMB information security challenges and best practices, let's talk about you a bit. Share with listeners some highlights of your professional journey.

Grayson Milbourne:

Yeah, thanks, Dave. So I have about a little over 18 years of experience within the cybersecurity space. I began my career as a threat analyst and studied malware, a really fun part of my career where I come in, put some headphones on and really just observe and see how malware authors were trying to be creative and trying to be evasive, which was really important back in the mid early 2000s, and ever more so important today. But as my career grew, I eventually became the manager and the director of the threat research operations for our endpoint team. And that led me just to discover more and more. And I guess one of my real proud accomplishments is being chosen to speak at RSA on several occasions and kind of gave me my foot into public speaking and just more thought leadership to talk about the problems that we face in cybersecurity, just drive awareness of these problems so that we can act and measure risk accordingly. And I did that for a while and kind of burnt out a little bit on the conference. There's so many conferences. And so now I work more on the cybersecurity front and I work with the product teams to ensure the efficacy of our products. I stay very close to the threat research teams and evolutions and how malware functions and invasive techniques and just how that threat landscape continues to evolve. And so that's what I do today primarily is, right, track that, make sure our products stay capable. And then join you for podcasts like this and spread the good word of why it's important to be aware of the risks that we face and not just be aware, but you know, know what steps you can take to actively improve your defense, you know, now, because, you know, what our data will show, and what we'll talk about throughout this podcast here, is that the problem is unfortunately getting worse, and it's somewhat moving down market and we're seeing smaller and smaller businesses become more and more of the focus, especially of ransomware attacks.

Dr. Dave Chatterjee:

Great to hear about your journey. You're doing great. And I appreciate you taking time out of your busy schedule to talk to my listeners. I couldn't agree with you more that we are discussing a very important topic. And it's not enough just to talk about the challenges or the realities of what the SMBs face when it comes to securing their organization, securing their data, but what can they do? How can they do better? That really needs to be the focus and I'm sure we will talk a lot about that. But let's begin by sharing with the listeners some facts and stats. A couple of years ago I authored a paper along with Mike Benz, who's the partner and fractional CIO at Fortium Partners. The paper is titled Calculated Risk? A Cybersecurity Evaluation Tool for SMEs. It's published in Business Horizons in 2020. It's been cited heavily, been very well received. So there, when we were authoring the paper, we shared some facts. And I'd like to hear your reactions to some of them; will not go through all of them. The first one is SMBs are among the least mature and most vulnerable, in terms of their cybersecurity risk and resilience. As one CIO of a midsize bank put it, "many cyber criminals are specifically targeting midsize companies that are in the cybercrime sweet spot. They are big enough to have significant bank accounts, but they often don't use the latest cybersecurity defenses. Also, middle market firms are often the gateway to bigger targets for cyber thieves." Your thoughts, your reactions?

Grayson Milbourne:

Yeah, I mean, I think this is an unfortunate reality. But our data shows the same and that, as I mentioned, we see a continued downward trend in the median size of a business that suffers a ransomware attack. And when we look back over time, this number is now just over 100 is the average so far in 2022. But at this time last year, it was over 200. And so we've seen a very significant shift downmarket. And along with that we've actually seen the median ransomware payment has also dropped. And so I think, you know, what misconception a lot of times is that ransomware demands, what we see maybe in the media are these seven figure, maybe even eight figure ransoms. But what we really see for the vast majority of people who are getting infected and then deciding to pay, or some do, some don't. But the ransoms are less than $50,000, I think we're now somewhere around 38 or so thousand dollars, which again, if you compare that to last year, was considerably higher, closer to $100,000 then, but again, those businesses are larger. So I think in some ways, the ransom average demands reflect the size of the business. Because I mean, let's face it, this is a business to them. And the only way that they make money is if you pay, and so they know what you can pay. A lot of times they've been inside your environment and have a good enough idea to set a ransom that has a chance of being paid. But I think that makes it a problem because these are people who've come forward and told their story. But I think a lot of times also, what we see in the SMB space, especially in the smaller sizes of businesses, is that if they encounter ransomware, they don't report it. And they just want to sweep it under the rug, move on and pretend it didn't happen. And unfortunately, that has its other consequences that come along with it.

Dr. Dave Chatterjee:

Indeed, very unfortunate. Sweeping under the rug is not the way to deal with this problem. Organizations will have to proactively prepare for ransomware attack scenarios. As you know, the threat actors have upped their game, and are now engaging in double, triple and quadruple extortions. Along with encrypting systems and data, they are now doing something called double extortion. They're stealing the data before they encrypt it. So even if the organization can recover the systems and recover data from their backups and disaster recovery methods, they're still forced to negotiate to get an agreement from the hackers that they are not going to post the stolen data. They engage in triple extortion when they launch a denial-of-service attack, so the business is no longer able to function. And now we are also seeing something called quadruple extortion, where they're not only engaging in the first three types of attacks I talked about, they're also communicating with customers whose data they have stolen, and telling them to put pressure on the breached organization to pay up. So all organizations should be prepared for such eventualities and they should have a plan in place. And they should regularly rehearse the plan to build organizational memory.

Grayson Milbourne:

Yeah, I mean, I think it's the unfortunate nature that these threat actors, they're being advantageous with what they're after. Right. And unfortunately, they don't care about your small business potentially going under. And they know that these are softer targets. And plus there's definitely a benefit to flying under the radar. We've seen some examples of like Colonial Pipeline, for example, brought a lot of attention to DarkSide. And these guys didn't really, like, their business model wasn't really going after critical infrastructure. They had this ransomware-as-a-service model, and they have affiliates who happened to deploy their variant of ransomware into an environment that drew a lot of attention. And eventually, their operation was disrupted. So there's a lot of added benefit to going after smaller businesses. And the reality is, right, is that most small businesses don't have dedicated security individuals, IT has been outsourced to an MSP. In these cases, it can be much more time consuming to get back online. So I think it's an unfortunate reality, but it is, especially for smaller companies, need to have a plan in place. As you mentioned, I agree. One of the biggest things that causes a headache during a ransomware incident is that it's a timed attack. They don't give you a lot of time to pay the ransom before they increase the demand because they know you're gonna start scrambling, you're gonna start thinking, Okay, what backups do I have in place? And this is where if you have that plan in place, if you rehearsed the plan, at least you have a battle card to go to, you have some steps and you're not scrambling because this is the worst time to be scrambling.

Dr. Dave Chatterjee:

Well said! To avoid scrambling, to avoid a chaotic response, which is often the case, the organization needs to be prepared. But preparation begins at the top management level. The top management sets the tone for the entire organization, sets the ball rolling for the entire organization. So if top management is under an illusion, is under the mistaken impression that the organization is in good shape from a cybersecurity defense standpoint, the organization suffers. And that is often the case with midsize enterprises. Research finds that midsize organization leaders are overly confident about the level of preparedness and defense capabilities. In a study that my colleague, Mike Benz, and I published, we noted that 95% of the surveyed SME IT leaders believe they have an above average security posture. And so the concern is when you think you are prepared, but actually you are not, that is a bigger problem. Don't you agree?

Grayson Milbourne:

Oh, absolutely. I mean, that's the exact posture that a cyber attacker is looking for: somebody who believes they're much more defended than they are and their guard is down. I think you're absolutely right. And that it does need to start from the leadership level. And it needs to sort of be the ethos of your company, needs to be around security and around that. And I think so much so that it can even be a selling factor, right? I mean, you can be proud of your ability to have a secure posture. I mean, we see this actually, in cyber insurance, for example, you know, they price based on this, right, but depending on how, I mean, you can't just get it, right. It's not just, oh, I'm gonna buy cyber insurance. It's, well, let's look at the policy. And let's look at your current posture, and more mature, more established postures get better rates with what's not too different from a credit score. But the consequences are much more damaging. They all say, having your identity stolen is really inconvenient, having your business hit with ransomware even more inconvenient. So there's a reason that these ratings exist. And there's a reason that layered security matters. And having a plan really matters. And I think one thing that insurance probably doesn't look at is your readiness plan, they'll probably look to say these are the layers you have in place. But really, it comes down to reacting properly in that critical amount of time when you face one of these types of attacks.

Dr. Dave Chatterjee:

I couldn't agree with you more. In fact, as you were talking about preparedness, what surprises me again is the fact that how can top management look the other way when cybersecurity is increasingly being recognized as a strategic competency. And there's another startling data that 60% of small and medium-sized businesses are known to go out of business within six months of being hacked. And the reason I bring it up is because, let's put myself in the CEO's shoes, I obviously have to run the organization, make money, I have to follow through with the vision of the organization. And cybersecurity doesn't quite fall within that vision. But the unfortunate reality is, unless I am secure, organizationally, infrastructure-wise, in many other ways, I may not be in business for very long. So having that recognition, having that foresight, that is so important for the leadership to sit up and say, You know what, we got to do something about it. It's not enough just to outsource it. Let's get some intelligence and let's do an assessment of where we are, what we need to do. And yes, we will do the best we can with the resources we have because there's no expectation that you have to have a security setup that befits a large organization. I've had the pleasure of talking with several legal experts and they have said consistently that when a cyber attack allegation is being reviewed in a court of law, the judge looks very favorably at an organization, as long as they can prove that they did the due diligence, and they did everything they could, and maybe even went beyond to try and secure their strategic assets. So the intent needs to be there. But the intent needs to be followed by actions.

Grayson Milbourne:

Yeah, no, definitely makes sense. And I mean, that's quite an alarming statistic. I mean, 60% is a huge number, and a lot of these small businesses are attacked. And we know, like, the average downtime can be several weeks. And so, right, looking at, like, cyber risk as any other type of risk to your business's continuity, I think is the smart play, and just anticipating what happens if this goes offline? How do I survive? Can I survive? And then again, to the other point, I think, like, it's a complex thing. And for really small businesses, outsourcing to an MSP, a service provider, is sometimes your only option. But I do think not all businesses are equal. And as your business perhaps grows, I think there's tremendous benefit in having an internal security-focused resource. And that resource will probably still be overwhelmed and will liaison with MSPs. But that's probably better than your CEO or your COO being that person, right. And this gives somebody who can stay on top of the trends. You know, a lot of times people ask me what's a good resource. And I like to point back towards the CISA, the government cybersecurity information sharing platform that does a good job of sending out bulletins and, like, keeps you at least aware of things that might change. And let me give you just one really good example. Earlier this year Microsoft had a vulnerability in Exchange, and everybody uses Microsoft Exchange, or a lot of people have moved to cloud, but a lot of people still host their own Exchange servers for email. And it was a bad vulnerability, about as bad as it gets, right, allows a hacker to remotely execute code on your system through a vulnerability in Exchange. They posted about this and what you should do and the steps you should take. But a lot of businesses still didn't follow this, to the point that the FBI actually practically hacked in and patched many environments that they found vulnerable. And because at least if they're able to get in, they know that they can do the right thing and fix it, as opposed to who knows who gets in, and then does what. So it's a complex thing. And I know sometimes small businesses definitely get overwhelmed when they think about just all the complexity and the different services and things that go into it, which again, is why once you're over, I think, a certain size, in the low 20s to above, it does make sense to have a dedicated individual, and then accordingly scale that to larger company seat sizes.

Dr. Dave Chatterjee:

That's great. In fact, I'd like to add to what you said about having a dedicated individual or maybe a couple of people. It might be unfair to have expectations of a large team in a small or medium-sized organization. But again, it's not the matter of size, it comes down to how thorough and rigorous the planning is, and how precise and consistent is the execution. And what my work finds, and in my book on Cybersecurity Readiness, I talk about creating and sustaining a high-performance information security culture. I use the word culture because unless there is a change in the mindset of the leadership, unless there's a change in the mindset of the organizational members, you're unlikely to get that kind of buy-in, you're unlikely to get everyone doing their part over a long period of time. What generally happens is all of a sudden, a company gets really big on something and then they start acting extensively. And then after a while, again, things quieten down, and then they're back to their usual ways. And then they may not be as rigorous. And once again, something happens. And again, they sit up and take note. So unfortunately, we are in a very reactive culture, we are not proactive by nature. If the pandemic has taught us anything, it's definitely taught me that, that we have been very, very reactive. So even from the standpoint of securing organizations, whether it's for ransomware, or for any other type of attack, being proactive, being ahead of the curve, leveraging resources, internal and external, is so, so important. And it all starts with the intent of the leadership that yes, I want to know, I want to know where we are, I want to be periodically updated. And that timetable is entirely up to the organization, every week or every month, and of course there will be exception reporting, but cybersecurity metrics should feature prominently alongside the other business management metrics. That's how important security has become. It's not because you and I are in this field. And we are trying to tell the world, hey, take note. But that's the reality of it, is that businesses in today's day and age where we are highly digitized, we have to give the security infrastructure focus, attention, the right kind of nurturing, or you kind of get into trouble. So Grayson, I'd like to go back to the ransomware report, the survey report that your organization published, and I want to share with the listeners a few, but I don't want to steal the thunder, I'll let you share most of it. But it's really concerning that nearly half of SMBs have experienced a ransomware attack. And yet the majority still don't think or aren't sure they are a target. Why don't you expand on this?

Greyson Milbourne:

Yeah, so I mean, so this survey was conducted over 1300 businesses, all under 1000 endpoints, or 1000 seats, and so it's not evenly distributed. There's many more that are that SMB, so probably 100 or less, but a really good array of different companies. And I think it is concerning. I mean, we know that ransomware has been around for a while. And so, you know, I think it was 46% of businesses already admit to having encountered ransomware, at least to some degree. I think that number, if we poll next year, is only going to be higher, because year over year, it's not really an if, it's a when type of scenario. And I think, unfortunately, our data still supports that. And it's because of the posture, or the denial of the risk, that we still see largely in the SMB space. And I think it's a challenge, because one of the other things that we're queried on is small and medium-sized businesses and their anticipation of the economic future and potential recession or cuts in spending. It kind of just makes this problem worse. And so we see, a) we see the threat actors are 100% moving downstream. And so we know that there's many more businesses in the 100 seats and less than there are the one to 1000. So there's much more opportunity. These, at the same time, people are being squeezed, right, they have shrinking budgets, and are making tough decisions as to where the dollars go. And cybersecurity, unfortunately, it applies to every business that has a digital footprint, which is pretty much every business today has at least a website and stores customer information. And these are the targets that are deciding against an improvement to their sales and marketing efforts, or maybe cybersecurity. Oh, and guess what, cybersecurity does nothing, which is the point, right? Like, you're paying for something that kind of does nothing. And you're like, oh, great, like, what has it done for me recently? And now you're happy about that, right? So it's kind of a perfect storm. And I think what our data shows is that the risk awareness is still really lacking, based on just the stats of how many people have encountered this.

And I'll leave you with one more thing, is that this is 46% of people admit to it. But we know that ransomware reporting is vastly underreported. People don't want to have that black eye, they don't want to, it's bad for the customers. And as you mentioned, I mean, different levels of extortion that we've seen in the past year, right? It used to be, oh, just give me a ransom payment, then it was, well, there's GDPR and other data leakage fines, so we're gonna leak your data, okay, if you don't pay us, and then it's like, yeah, we're gonna go after your customers, and we're gonna sully your reputation, we're gonna go to the media with this. So like, these are all reasons that people pay. But it's unfortunate, but I don't blame companies for not wanting to disclose it. But what that does is it says the difficulty of attribution. And even though this is something that's still very much lacking with respect to cyber crime and punishment, if it's not reported, it creates an even fuzzier picture for law enforcement that has resources to go after these organized groups. The more information that they are provided about your encounter only helps strengthen our ability to strike back and try to take some of these organizations that have been, you know, up till today largely resilient to any sort of multinational organized shutdown. We've seen some examples, but largely, it's a highly competitive space that thrives today.


Dr. Dave Chatterjee:

Yep. Unfortunately, those are all realities. As you and I have been talking, I am thinking of what are a list of challenges that SMBs encounter. Starting with the lack of awareness, a bit of this 'ignorance is bliss' kind of a scenario, inadequate resources, lack of top management involvement, and then during our discussion planning meeting, you talked about the training is not very satisfactory. So there is probably a list of things that SMBs could do better. But I think what might be helpful to the listeners, many of whom are probably working for SMBs, is to, let's say, if I were to ask you, Grayson, what are the top three things that you would recommend SMBs do to protect themselves from, say, ransomware attacks, what would those top three things be?


Greyson Milbourne:

Okay, and I'll put these in no particular order because I think they're all very important, but I'll start with education. Because I think education is one of the, there's almost always a human element. This isn't always the case, right? Sometimes, like, software is vulnerable, and a hacker is able to exploit something that is very difficult to defend against that. But the vast majority of attacks succeed because of a human error, of somebody falling for something, clicking on a link, giving away too much information that begins the attack, right. And so I think education and awareness is really important. And that it's not something like PCI DSS, where it's an annual, everybody knows how to store credit card information. Okay, this is not that, right? This is much more complex. And it has a lot of variety and trends, and trends shift pretty quickly. And so we advocate for like quarterly updates, because things shift from the end of the year and the tactics and what we think the scams that are very prevalent in this time of year are typically prevalent at this time of year. So that goes a long way, and just eliminating whatever might happen after a human mistake. Right. So education, I think, is really important.

I think the other one is identifying your assets. And I like cyber resilience as an approach to layered security that fits nicely with a zero trust approach to cybersecurity. And really, it's just a cycle. It's a living cycle of identifying your assets, protecting them, detecting and looking for active infections, having a response plan in play, learning from your mistakes, and educating. It's a continuous cycle. But the first part of that is identification. And I think every business really needs to understand their internal assets. And this includes people, right, this isn't just your PCs that are critical. But hey, if, you know, this single source of failure as an individual leaves, my business might equally be as disrupted as if I get hit with ransomware. So identify your risks and what those are, and then apply proper risk mitigation strategies to those things. And so if it's data, have backups, and make sure that your backups are air-gapped, are not capable of being compromised by ransomware. There's lots of great technology that does this automatically. But if it's people, right, I think, again, staffing is a tough thing sometimes, but identify and understand your assets and then defend them. So educate, identify, and defend, those would be the three things that I would look at.


Dr. Dave Chatterjee:

Totally agree, totally agree. So there are a couple of things I'd like to add to that. And one of that is how do you incentivize proper security behavior. We all need motivation to do things which are, where, especially when we are not seeing the ROI directly. If you're talking to a non-security professional in an organization, who has a particular type of work, and you have certain security do's and don'ts, kind of expectations of that person, you have to be able to convince that person that this is, if they followed through with that cyber discipline, with that cyber hygiene, the end result, overall end result is good, and that's going to help them. So you have to keep showing them the big picture. Yep. Along similar lines, even to get the top management attention, present the scenarios, the consequences of the different types of attacks and breaches, and what happens after that, what the organization has to deal with. So make it as realistic as possible to get the attention, because that's gonna lead to some actions, maybe some change in behaviors, and absolutely means I can't agree with you more that while humans are the greatest assets, they're also a great vulnerability. So the best way of addressing that is through regular training sessions. And these training sessions should not be the check-the-box approach, okay, I met the requirements, but it should be continuous. And it should be incremental. I often use the analogy of people do this nerdles and wordles on a daily basis. And I have shared with organization that how about every day, an email goes out with a security little puzzle or a security game that people have to solve, kind of make it fun. At the same time you are impacting the mind. On a day-to-day basis, you're sowing that security seed. And over a period of time, everyone has a certain level of awareness, as opposed to the current approach where we go through this security training for say, 30-35, 40 minutes, we take a quiz. And then after six months, we again do it. And it's also not customized. So we have to make security training role-based, we have to make it more immersive. So a lot of thought has to go into it.


Greyson Milbourne:

Yeah, I totally agree. I think along with training, one of the things I support is doing simulated attacks. So you can send out a phishing, and so we do this internally, and we quite literally take from the wild and examples and create templates so that you can test using the most recent techniques and imagery, and I think that that helps. I think the other thing that you definitely touched on is like engagement with IT. And I know for a lot of companies that have an IT department, sometimes there's a hesitation. We've always tried to foster that IT is a fun and loving place, and they are going to be much, much more fun and loving when you ask them in advance of something, as opposed to saying, so I opened that email, and I clicked this thing, and now I have ransomware in my computer, then your IT guy is gonna be grumpy. But if you're like, hey, I got this email, and it just seems weird. Before I open it, I thought I'd ask you, I hope I'm not wasting your time, they're gonna be like, not wasting my time at all, thank you for. I think creating that kind of culture to have a due suspicion, but also having a right place to go that it's not going to make you feel like you're going to be shunned for asking that question.


Dr. Dave Chatterjee:

I'm so glad you mentioned that, because I was having this discussion with another subject matter expert. And he talked about creating a culture of empathy, where people are not scared to report that look, yes, I made a mistake. I clicked on this. And yes, now we are dealing with the consequences, as opposed to trying to hide and waiting to be caught. And hopefully, so changing that approach and recognizing that, yes, we will do our best, we will learn. But if you make mistakes, just fess up and just let us know what happened, so we can start doing damage control sooner than later. So creating that environment, that culture, is so important, where they're not looking at IT or security as a stumbling block, as a hurdle, but more as a partner. You know, that's why there's that phrase out there that cybersecurity is everybody's business, it is not just the business of the information security function. But to be able to develop that mindset, you have to create and nurture that culture where you have to incentivize certain behaviors, there has to be shared responsibility and accountability. So everyone, everyone has a stake in the game, you can just put your hands up and say, well, something has happened. It's the CISO's problem, the CISO should get fired. That doesn't really solve the problem. You may have a symbolic reaction, you might impress some external folks. But have you really taken a deeper look at your processes, at your systems, to identify what the real issues are?

So again, I emphasize an in-depth systematic approach. You don't have to be an expert. I don't expect the leadership team to be cybersecurity experts. But if they have the real intent of securing the organization as best they can, and they want to have the best-in-class security practices, they can absolutely get it. There are resources out there, they can bring in, leverage, like you talked about earlier, there are the cyber insurance companies, who will absolutely help them get to a certain point in terms of maturity to be eligible for certain amounts of insurance. So seek the help. There are lots of guidance out there, you talked about CISA, you talked about NIST. There's lots of guidance out there, it's a matter of really getting it, pulling it all together, and having a plan in place. I know it sounds kind of mundane. And it sounds like stating the obvious. But my research finds time and again, a lot of planning happens, a lot of documentations are maintained. But when it comes to execution, that's where organizations falter time and again. But I don't want to monopolize the conversation, I'd like to send it back to you, your thoughts and reactions.


Greyson Milbourne:

You make a very good point, right? Like having a plan is very different from having a fire drill with your plan. And again, I think it's so critical, especially for ransomware. I mean, this is important to have, meaning you like there's lots of different types of response plans. But when you have limited amounts of time to respond, this is where it's most important that you practice these things. So maybe think when you're speaking before, I'm like, one of my passions is aviation. And so I'm a private pilot, and pilot, like aviation is like very, very safety driven. And one of the great things about just the story of aviation is, from the beginning till now, is just how well aviation did at sharing mistakes and learning from mistakes and embracing that mistakes happen and life and death mistakes happen. And so let's do our best to learn from everything from a community-based, all-engaged approach. And I look at, like, I'm like, wow, this works so well. And I look at cybersecurity and my career that I've spent here trying to get like a similar sort of benefit of so many adjacent mistakes, right? So like company A, company B, C, all suffer the same mistake, right? Like they all got breached the same way. Like why are companies making the same mistakes that other companies have already made on? How do we do a better job of? Well, so like, right, as you mentioned, there's this stigma, right, like if you make a mistake, it can be bad for the brand, it can be bad for your trust, but it can have a rippling effect. But if we change the culture and acknowledge that we live in a world where mistakes happen, and as long as you're doing your due diligence, you're trying to prevent them, like good job. And if some bad thing happens, that's okay, come forth with the information and share it so that we, as a community, can defend ourselves better. And of course, it's more complex, and we have our own individual corporate networks. But again, if you kind of look to where the world is moving, the boundary of the network is becoming fuzzier and fuzzier. So I guess I was just reflecting that


Dr. Dave Chatterjee:

No, this is great. In fact, when you mentioned about flying the plane, that's such a powerful metaphor, that immediately makes me think that when you are in a cockpit, you have to be absolutely prepared, you must have to be on top of things


Greyson Milbourne:

We prepare, like when the engine goes out at like all the time, right? And it's because you want it to be automatic, because you have like, seconds really matter that okay. Like, you don't want to be thinking like, oh, let me pull up the checklist. And like, what do I do? No, no, you like, know that the six things to do immediately, in which order. You could do it all in three seconds, right? And then you can start looking around and figuring out, where am I gonna go? So, you know,


Dr. Dave Chatterjee:

And that's it. It's the fear of loss of life, fear of loss of the lives of the passengers. And if we were to scale it to small to medium sized enterprise, what are we talking about, we're talking about the demise of the organization, if proper security practices are not in place. And that's precisely why the leadership has to recognize that cybersecurity governance is not something unfortunately, we have to do. It's a pain. It is distracting us, but it is significant, it is centric to our survival. And if I may add one more thing here, the last episode we published, we had a senior and a senior leader as my guest. And he made a very important point. He said, Dave, we should look at cybersecurity as a strategic opportunity, not as a stumbling block. When organizations, when the leadership takes that approach, has that mindset, then miracles happen, because then they're saying, you know what, we're going to be so secure. And given the nature of our business, we can put it out there that if you store your data with us, you are safe, because we are really the best in the business when it comes to securing your data. So there are different ways that organizations can play up their security strengths, and get an edge in the business. And I wish more the leadership thought along those lines, as opposed to treating it as a separate function, but making it more, making it part of the overall goals of the organization. So that's kind of the way I see things here. But since we are coming to the end of our time, unfortunately, this was fascinating. But I'd like to give you the floor to wrap things up for us.


Greyson Milbourne:

Yeah. Thanks, Dave. And thank you everybody who's listening today. From a thought leadership perspective, I like to drive awareness of what the risk is. And I hope, from this presentation or this talk today, we've made it pretty clear that, I mean, this is in our opinion what the data really shows us, is that this risk is here to stay, things are likely to get worse before they get better. And SMBs, small businesses, are really going to be in the crosshair. And so the risk is real. But we've provided hopefully some steps to help you understand what you can do, some good resources of how to better understand where you might need improvement. And if you're here today, you're already taking the right step, because again, I'm a firm believer that you need to know about the things you need to defend the events. And so you've hopefully learned today a bit more about what's going on in the threat landscape and how to stay secure. So with that, David, I'll turn it back to you. Thanks for being here. I'm honestly this has been a ton of fun.


Dr. Dave Chatterjee:

Well said, you couldn't have wrapped it up better. Thank you again, Grayson, for your time. It's been a pleasure.


Greyson Milbourne:

Thanks Dave.

 

 


Dr. Dave Chatterjee:

A special thanks to Grayson Milbourne for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.


Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.