Episode 141

8 Reasons Why Cybersecurity is Doomed for Small Businesses with John Barker

In this episode of the Business Samurai Podcast, I discuss 8 reasons why I think cybersecurity will continue to be a failure for small and medium businesses, and what we can do to start correcting the problem.

1. Tech people don't speak business / are too into the weeds (can't elevate the conversation)

2. Business side only knows the buzzwords (and uses them incorrectly)

3. Tech people have to be technically correct (happens to me all of the time; annoying)

4. Everything is treated as a risk regardless of the business impact

5. Too many frameworks?????

6. Businesses haven't started working enough with SOPs/roles/etc., then get dropped into a major compliance framework that is as much process as technical controls (this includes the tech team with things such as patching, reducing SPOF, etc.)

7. Businesses underestimate their RISK profile until it's too late (it can't happen to me, until it does)

8. Businesses think cyber is strictly an IT problem


Get my 7 Easy Ways to Understand Your Cyber Business Risk Framework for only $7. Full money-back guarantee. Have cybersecurity make business sense:


https://consulting.barkerleadership.com/flagship-frameworkibdzn46i

Listen to full episodes on your favorite podcast platform or by visiting: https://podcast.thebusinesssamurai.com


#cybersecurity

#business

#podcast

Transcript
Speaker:

On this episode of the Business Samurai podcast, I'm gonna go into a little bit of why I think cybersecurity is doomed, particularly for the small and medium businesses: what the breakdown has been and why it's really the same thing over and over again, the failing of the human element within there. And I think that's a failure of technical leaders and business leaders not being able to communicate, not being able to talk the same language, as it were, to get on the same page so everybody can understand.

So I've got a list of reasons and a couple of stories to share from my 20-plus years of experience in the technical field that I think, if we can correct this, we can start making some headway on the human side of things, and start making some real progress on protecting the community, our staff, our clients and customers, and being good partners with other businesses with better security tactics, practices, and communication.

So sit back and listen on the Business Samurai podcast as I go through my reasons of what we can do to improve cybersecurity and risk management for businesses.

Do you enjoy talking business? Do you enjoy reading about business? Do you geek out over the entrepreneurial journey? If so, then you are in the right spot. The Business Samurai podcast brings you the stories told by the people themselves. You'll be immersed in a wide variety of industries, from venture capital to gourmet popcorn, learning how to be a better leader, or the personalities behind solving the broadband crisis. At the Business Samurai, we believe it takes a wide variety of skill sets and experiences to be successful in business and life. Our aim is to not only entertain, but educate, for you to recognize how successful tactics and motivations in one industry can help propel you forward in your own unique business. Sit back, enjoy, and welcome to the Business Samurai podcast. I am your host, John Barker.

All right. Like I said in the intro, I'm gonna go over what I think is going to be the failing between your very technical people, which we obviously need to have, as well as your non-technical business leaders and just other non-technical folk in general, that of course we need to have to make everything run extremely well.

So one of the things: if you make it all the way to the end, I do have an offer. It's only seven bucks, and it goes through my risk management framework of what I do to evaluate, and it kind of backs up what I'm gonna go through on my steps here on this episode.

So let's set the framework. I want to give everybody who's not familiar with me a little bit of my short back story, so you can understand the context.

I'm not just some random dude that has not experienced anything. I started back in technology in the late nineties, started out in uny mainframes. So obviously you've seen those; if you've never seen a mainframe or really old computers, for younger folk, they would take up an entire room. I had these big reels of tape, no kidding, that were utilized for backup and recovery and things of that nature. There was actually a person that was only dedicated to doing backups of the uny mainframe, because these tape reels, I think if you stretched them out, were miles and miles long. And the process would take like all night for very little data compared to what we obviously have now.

So then I kind of went through the ranks: building computers, running networks, being an administrator in Windows environments, going into being a full-on engineer. I was a consultant, hands on. I think it was before the term "managed service provider" was really even big, but essentially that's kind of what I did for tons of companies, helping some grow from two people to well over 500 and with a global footprint. Lots of government contracting, lawyers, medical; I got exposed to a ton of industries, a ton of different technology partners, and interacting with either in-house support or other vendors.

So some of what I'm doing now is, I wanna help clients scale and grow their organization and really start integrating the technology better and improve general business operations.

So you're gonna hear me start talking; you'll hear me reference that a little bit, where I think a lot of when cybersecurity and risk management is around process and procedures. Well, most businesses, small and medium businesses, and I can speak from this first hand, really don't have process and procedures that are in play. So if you start working in an environment where something becomes, it needs to be compliant, and I think the federal government contracting space is one of those, that all of a sudden you kind of self-attested, "Yeah, we're doing all these things," but really nobody was. Then all of a sudden, if it's gonna be enforced on you, you've got all these rules for this kind of one segment of technology and protecting data, but the rest of your business doesn't run on process and procedures, you're setting yourself up for a hard time implementing, particularly if it's not kind of rolled out gradually. I mean, you don't build a house in a day. It takes months to start. You gotta start with the foundation and work your way up.

That's a little bit of what I have done and am doing now, working with clients on integrating business strategy and operations with the security mindset in play.

So I wanna start out with a story, and this is something that happened to me, so I can kind of demonstrate a threat that a company faced. I was the IT director. I ran projects for IT. I helped out on proposals and a bunch of other things. I had my hands in a lot of different areas.

So the company had just won a new contract, and it required the development of a new piece of software. And at the time, just to give you a sense, everything was housed in house. The servers were all in house. I had a team that helped manage this stuff, and everything was inside. We were just starting to see virtualization; it was still a big thing. For those of you familiar with that term, you have a server, but it can handle multiple versions of operating systems. But we were just starting to see the early stages of where the cloud, your Amazon Web Services, were just starting to really get a hold of things in the smaller and medium market spaces. It was still something I would see your larger enterprises were definitely starting to adopt faster during this time period. But we housed everything in house.

So during this time period, I had a trusted developer that I was very comfortable with, knew personally, and that was who typically, if they needed to build something that was a custom solution, that's who they typically went with. In this particular scenario, the project manager and the other company leaders decided to not use that same resource. I don't know why. I don't know if it was a pricing thing. I don't know if it was a capabilities thing. I never found out. I wasn't really in the loop with this, outside of, at some point, whoever was doing the development work would need access to the live production equipment.

So they selected this new vendor to build the software platform out, and I just said, "All right, I do not know who these guys are, so there's a couple of rules. They have to have their own development environment. They've gotta have their own testing environment for you to sign off on." We really didn't have a lot of resources internally at the time for that. "And then we'll give access to the production."

And at the time, being a smaller business, we had the other programs that we were already running. We could actually use one server, essentially, to run multiple programs, because they weren't big. You're talking 20 people, 50 people, something like that, and they weren't really heavily utilized. It didn't take a lot of resources, so we could run multiple different programs, isolated, on the same machine. So that's what we were gonna do in this case as well, because again, it was another smaller-ish type project, but it required a custom platform. Again, that was my stipulation.

I was kind of really out of the loop until it came time to "All right, we need to deploy this." And they were using a program called Basecamp. Basecamp is a project management tool, and it's kind of a communication platform. I had access to it, but really didn't get into it, because that program had nothing to do with me. I had no oversight. I didn't know about features. I just really didn't have anything to do with it, but that's what they were using. And I did have access if something did pop up or I got a question, which I think may have happened a time or two, and it really came into play here at the end.

Well, we came in one day. Everything had been signed off. They were in the process of deploying this new application on the existing machine. So we had to give elevated privileges to our subcontractor to go deploy this, and we did. We came in one day and the machine is basically wiped clean. There was no data on it. It booted, it ran, they didn't delete the operating system. It wasn't like the machine was formatted, but the data was gone. There was no data on it. The other programs were gone, just everything. And it became this scramble, everybody in a panic mode, like, what happened? What was going on?

So of course at this point, now I'm jumping in with the team and we're going through log files. Sure enough, we could see the vendor's name, who had been logged in to the machine and when things had been deleted. We had good audit logs; we could actually track it. So after digging around, I jump into Basecamp just to see what had been going on. Who knows the last time I was in it, again, not having anything to do with the project. And I ended up seeing that the people that we contracted, that said, "Hey, we can build this," had also outsourced it to a third party themselves. So we were dealing with a subcontractor of a subcontractor, and we didn't know it. And apparently that subcontractor and his other resource had been getting into a fight over payment. The other guy felt like he wasn't getting paid properly or in a timely manner, and deleted all the stuff.

We didn't know that the contractor that we had actually directly hired had given his login, username and password to this other party. So every time we were seeing a login to it, it looked like it was from the right person. We were never asked to set up another account for who this other third party was. And so it was absolutely crazy.

And sitting there going, this isn't a technology thing. Somebody needed to have told us to change the password, to turn off the account, to create a new account, something along those lines, something that would've been done in seconds, that now cost, I don't know, it was probably 12 to 24 hours between the discovery of what was going on and then getting recovered.

And one of the other things, and then we're getting to partially where I started learning how to start talking a little bit more on the business side, even though I've got all the business degrees and all this stuff backing it up, but I still had my head in the tech a little too much previous to this. I had asked for a more robust backup and recovery system, something that would've allowed us, because we were having some more of these smaller production environments in house, along with email and a whole bunch of stuff that makes the company run, that we could have recovered from in seconds, or at least stood up a clone platform to get us running till we got, if hardware needed to be replaced or something along that line. And it was $5,000. I distinctly remember that being $5,000, and I was told no. And I'm sure I was going over the bells and whistles piece of it versus the financial side. In retrospect of that: "Hey, we can recover in like 10 seconds, and it does all these snapshots and all of this kind of stuff." And all I could hear was $5,000, and I was told no.

And of course I did have backup and disaster recovery in place, but it was basically taking a snapshot once a day. So when we were able to restore all of this stuff back, there was a day's worth of data that was lost in this, on top of how much downtime had been incurred since all the data had been lost.

So we get it back up and running, but this just goes to show that maybe I should have been more involved in this, or at least been tracking closer. Hindsight's 20/20 in these cases, and maybe I should have went with a different business perspective. We could have got up faster. But quite frankly, this was a situation where the communication should have happened faster. All we needed to do was turn this account off, if we knew that somebody else was having access to the system and was almost, I'm gonna say almost, impersonating the person we thought. The company that we thought was having access had given their access away. What are we supposed to do about that?

So it's a breakdown. This is where we gotta start communicating better. We gotta start talking better. So I've got roughly eight things that tie in a little bit. That's the story that I had a long time ago. I've got several others that are probably like that, but that's just a story I had that technology necessarily wouldn't have stopped from occurring. This was a communication thing, not knowing who was in the supply chain. I could sit there and say I should have been tracking the Basecamp conversations a little bit closer. The project manager should have been tracking the Basecamp to see, "Hey, who's this other person that's involved in this?" or even seeing that they were in a dispute within the Basecamp project management offering. It's crazy.

So I want to go into this. This isn't exactly in any particular order per se, but let's get into number one: you've got technical people that don't speak business, and they just jump into the weeds way, way, way too soon. So using that example, when I was talking about the backup and disaster recovery, I was probably talking about how fast this thing could recover for us and how it does all these bells and whistles, and boom, boom, boom. And I'm going, "Oh, this is cool. This is cool." And that's probably how they heard it. They probably heard me saying this is something cool that I just wanna play with. And I really wasn't tying it into business outcomes.

So if you're looking to increase, let's say you need new technology in place, make sure you're tying things back to business outcomes, that you understand the value that it's going to bring the business: how something may minimize risk, maybe something's gonna be a time saver, maybe something is going to just enhance client value, so that you can sit there and actually say, "This is what it is going to bring for us." Maybe even from a monetary standpoint. You've got your kind of qualitative and quantitative measurements: the things that make you feel good, but also, can you back it up with some numbers, time or money in most cases? And if you can do that, your chances of success are probably gonna be higher, if the budget allows it, or in the next cycle.

Number two on my list, kind of flipping the script on this a little bit, is the business side that are definitely non-technical. They've heard the buzzwords that are floating around out there, but have no clue what they mean. And I saw this all the time, constantly trying to correct this over the course of my career. But one of the things that I've noticed recently: there's a big hiring difficulty in the cybersecurity industry. And this is something where I think people are looking to certifications to try to qualify people, which I'm not gonna sit there and say whether that's good or bad. The problem is they're using the wrong certifications for the wrong job requirements of what they're really looking for.

And so to give you a good example of this: this is something I actually went through recently, speaking to an organization where one of the requirements was they wanted to have a CISSP. So I've got that certification. The way I view this certification is it's a management certification with some small technical aspects to it. The term, if you go study for this thing, is it's a mile wide and an inch deep. You touch a lot of things in this when you're studying for it, or your experience is really broad. You're gonna go be a leader somewhere in the field. And this organization, they were looking for somebody that was a pen tester, a coder, things of that nature. And I don't wanna say we got into an argument, but they were pushing back on me saying, "How can you have this certification if you've never done those things?" And to me, it was blowing my mind, because we're seeing this out there in the cybersecurity field, when you're looking at job requirements that they've got CISSP on entry-level requirements. You have to have five years of documented experience to even take the certification, because it requires experience, requires a lot of experience in a lot of broad areas. And it's just blowing me away that the people that think they understand it are not listening to the people that do understand it.

So I encourage you, if you're starting to explore risk management strategies for your company, because you worked really hard to build your business, build a strong client base, people know, like, and trust you, you want to take the right steps to protect yourself. If somebody keeps pushing back on you on the way that you're using phrases and the way you're using terminology, there's a good chance you've heard the buzzword, but you're using it wrong and you're using it in the wrong connotation. And you need to correct that. So I would say drop the buzzwords and very plainly speak. Instead of them saying they understand the term "pentest," maybe they think they understand the word "pen tester," say, "Hey, we're looking for somebody with the technical experience to kind of break into our systems," and use it that way. Or instead of just going, "Hey, we need a CISSP," and assuming that that covers it all because it's the top-level one that they may have heard.

Number three: technical people that have to be technically correct all the time. And this is one that super annoys me when I'm in meetings where maybe we're doing a project kickoff, a product launch, or something, not necessarily a product launch, but prepping for a product launch or implementation with something. I tend to try to talk in analogies. If I start picking up that my audience doesn't have a deep technical background, I raise that elevation, going back to that first point, being able to try to tie this back into business. And I wanna make sure everybody at the table understands. I don't wanna go deep down to the bells and whistles. And I have been corrected many times by somebody at the table that has that deep-level engineering, that deep-level database development, things of that nature, that really likes to go in there and make the stuff work, to make the buttons work. They just start talking all that stuff, almost correcting me, and going way into the weeds. And you just see everybody at the table's eyes glaze over. You don't wanna do that. It's unnecessary, and in some cases it's very counterproductive to what you're trying to get accomplished.

So yes, if you're at a table and it's all engineers around you of various types, you need to have those technical talks. But if you're at a table and you've got multi-disciplines sitting around the room, and what do I mean by multi-disciplines? Let's say you're giving a status update. So you've got somebody that's doing finance. You've got somebody from human resources. You've got the business development person. You've got the customer relationship person there. You've gotta sit there and raise that conversation up. Don't get too focused into the weeds.

One of the things I've started using recently is kind of like talking like the President's Daily Briefing. If you go look that up, they either get it once or twice a day, but it's a short summary of the top-priority things that the president needs to deal with during that timeframe. And I think it's only like a page, two pages maybe, tops. I guess it depends on who the president is, but they don't get into a 50-page bulleted list of everything, which is what I see happening in a lot of these group meetings. So please try to avoid that.

Number four. And this is something I've noticed when it comes to the federal contracting space, as federal government contractors are getting ready to be subjected to the new cybersecurity framework: everybody sees everything as a risk, regardless of the context. And I think that's one of those things that we really need to take a step back and look and say, what is the risk profile of this business, so we can start prioritizing? Right. And what do I mean by risk profile? How likely is the risk going to occur, and what would be the impact should that risk occur?

I forget how many years ago this was. I was wrapping up a lunch meeting with another colleague, and somebody calls me, and I get this call from this cyber risk analyst guy, no clue who it was. And he was calling to yell at me because I had talked to one of his clients, and it was a random reach-out on LinkedIn, Twitter, or something. I don't even remember this at this point. I remember the yelling part of this conversation, though. And what had happened was I had gotten a random phone call from like a six- or seven-person company. I think they did landscaping, something like this, in another state. Like, I live in Virginia; this was in like New York. And they were very concerned with some stuff that was coming down, that they were gonna basically be put out of business, and they were concerned with the advice that they were given. And whoever they had been speaking to got a hold of my number, starts calling me and starts yelling at me that these guys needed to spend 50, 60, $70,000, some astronomical amount, to do everything on this list. And I'm like, "Dude, are you trying to put them out of business? You've gotta go back and start prioritizing which of the things are likely to occur within their business," and put in the proper steps, whether that's just a process and procedure to mitigate that risk and make the chances of it happening small, or if you can eliminate it with a technical tool, as long as it doesn't break the bank.

We need to get back to this not-breaking-the-bank thing and start gradually getting people rolled into this. So the best way to do that is to really look at the entire threat landscape of an organization and go, where are the big holes at that would cause the most damage and are most likely going to occur? Start plugging those, and then work your way through the process. And we need to get back to that, because I've told people, "I can take you down the risk rabbit hole as far as you want to go. I can make everything look like one." But that's not my intention. I think we need to start getting people into that cultural mindset of risk management, risk awareness, that we need to sit there and really prioritize this.

Number five. I'm gonna briefly talk about this. There are just way too many frameworks out there, I believe, for cybersecurity. There's tons of them. You can go look 'em up. NIST has tons of special publications that go into very deep subsets. You've got ISO, you've got PCI, you've got HIPAA, and I'm sure there's others. Those are probably the ones that always come to mind first. And they've got all these different subsets. I used to actually have this chart that cross-referenced them all. And the bulk of them have the same controls, but they're just listed in kind of a different way. And obviously, if you're in the financial sector, there's gonna be a little bit more focus on certain things with money. Obviously, with HIPAA, you've got a little bit more personally identifiable information. But don't get me wrong, they both have that bleed-over; they both have that crossover.

And so my concern is, as these frameworks keep coming out there, that the businesses that really haven't taken a lot of approaches to cybersecurity risk management are gonna get absolutely overwhelmed when they start doing their own due diligence, their own research, into, "Hey, I built my business. We've got all this stuff here, but we really haven't dug into the risk management and the cybersecurity piece of this stuff." And when I look out there, there's like a bazillion frameworks out there with hundreds of controls in there, and they don't know where to start. And so then, instead of reaching out for help, they just get overwhelmed and they just chuck it to the side. So that is a concern of mine as this continues to evolve; software drives the world, of course. And the frameworks are great for the technicians coming in there, particularly if you're in an environment that should and needs to be compliant. But I do believe it's overwhelming for others that have not started the process.

Speaker:

Number six, businesses that haven't started working enough with standard operating procedures and formalized roles within their organization. I think if they're starting from scratch and all of a sudden they're thrust into an environment where they need to be compliant and somebody drops in a framework using 110 controls, it's gonna blow their mind. So if the rest of the company does not run on standard operating procedure, how are they? How are you expecting them to actually stick to operating procedures just around risk management? It's not gonna happen. And it hasn't been happening. Look around, we can't get people to stick with patching procedures. You can't get people to do offboarding procedures. I've seen people have access to old email years after they've left the system, 'cause nobody turned them off. It's one of my pet peeves, is offboarding procedures. 'Cause somebody's been gone in an organization and nobody, you know, the technical team, they're not mind readers. They don't know when somebody leaves; somebody has to tell 'em those things.

So the best way to start, you know, it is for the company to start working off standard operating procedures. And it doesn't necessarily mean that they have to be perfect, 'cause these things should be living and breathing. But if you start saying, hey, we're gonna have a very set way that we're gonna do client delivery. We're gonna have a set onboarding way every single time. It's very much repeatable; your staff, your team starts working within those boundaries. So when you start trickling in, and I do use the term trickling in because I think you should start again building a foundation with some of the risk management process procedures, there won't be as much resistance because they're working, they're used to working within some boundaries. And the side benefit from that is you get predictable, repeatable results.


Number seven, obviously you can't, uh, there's too many businesses out there that just don't think they have any risk at all. They go, I've got a cyber insurance policy. I'm protected. I don't need to do anything. Let me get this straight. And let me be as clear as possible. A cyber insurance policy is a prescriptive measure, meaning it does absolutely nothing to help you stop an event from happening. It doesn't stop your employee from clicking on a ransomware link that shuts down your business. It doesn't do anything to stop the laptop being stolen that has all the data on it, that has no passwords on it to lock the machine out. This is not a preventative measure. It is way, way better to be preventative than it is to be prescriptive. The cyber insurance policy will probably help with payout. The cyber insurance policy will probably give you access to a very robust, awesome team of people to try to help you get your business back up and running again. But there's no guarantee. There is absolutely no guarantee, if you got a ransomware attack, that you'll ever be able to get those files unlocked again, because of the wrong thing being done and you not having the proper tools and processes in place to recover from an event like that, or to try to stop it as much as possible.

So please, you have to understand your risk profile. You need to understand some key metrics around your business: how much it costs to run your business per day, per week. What's the opportunity cost if you got shut down, and how much does it cost for overhead? Believe me when I say, and this is gonna sound, you know, kind of dumb, but it's absolutely true. There are many people that do not know what the breakdown cost is to actually run their business and how much money would fly by if they were shut down. They just wouldn't. I've had those conversations. I know that to be true.


And the last one, to kind of wrap this up: businesses that think cybersecurity is just a technical problem. I hopefully proved through these other steps that that is clearly not the case, that it's woven throughout, but I've been using this analogy, coming up with some new analogies here, to try to prove my point and try to make the conversation approachable for others. But if you take any company, what's one thing that flows through every piece of the company? Well, that's money. Money flows through every department within an organization. So HR's got a budget. Accounting has a budget. Your sales team has a budget. Marketing has a budget. So what's the thing, when you got all these places that have a budget? They have to be good stewards of that money. They can't just go out and blow it. They can't take everybody out to expensive lunches and dinners. They can't just go buy whatever they want. They've gotta work within the confines of that. And they've gotta do right, responsibly, by the company, by clients, by the other team members, with what they do with that money to drive value.

What is the other thing that goes throughout an entire organization? It's technology. Everybody is functioning on, if not one device, like seven different devices now, and working from wherever, you know, working from Starbucks, working from home, working from the library, working from their car, 'cause we've got the ability to do that now. So it is absolutely impossible for your technical team, whether that's a group, a person in house that you respond to, or even an outside managed service provider, a managed security service provider, to have any clue what everybody is doing at any given moment. It is on everybody to have that security conscious mindset when they're out doing whatever it is.

Another example of this would be, when it comes to data, you know, the technical team in a lot of cases is the custodian of the data. They're the ones, you know, they're the protectors, they're the ones that, in a lot of cases, but not all. And I'll give you an example of this here in a second. In a lot of cases, if you've got a file share for instance, or a SharePoint site, which is like a document repository, they may be the ones that click the button that gives you access to certain things. But they're not making that decision. The lead, that owner, the department head is the one that says who gets access to what. And it's on them to actually sit there and go, all right, now take that access away. The technical team won't know that; it's on that other person. So that's a good reason why you've gotta start building this culture throughout. It's everyone's responsibility.

When they teach you cybersecurity culture, it's getting your champion. If you've got a new initiative that you're trying to really get to take hold, you need your champion strategically placed. So figure out within your organization how to strategically place champions to get that risk mindset set, because it's way, way better to be preventative than it is to be prescriptive after the fact, 'cause quite frankly, there may not be an after effect unless you're in a situation to be too big to fail. And if you have an event and you're a small business, the stats are out there. Go look 'em up. Very good chance of being shut down and never recovering. And if it's out long enough, your customers are gonna find out and your reputation's probably gonna be toast.


So those are the reasons why I think that we've been failing at cybersecurity and that cybersecurity is doomed if we don't solve these communication gaps in there, and actually start getting technical people to start learning a little bit more about business and communicating to business leaders, and business leaders not necessarily having to understand the technical, but being open that there is a problem that they need to start solving. And it's gotta be across the board. It can't just be delegated to this specific group.

So I got, like I said, made it to this point. I think I've been running for about 30 minutes. If you want to understand the framework that I use to understand a cyber business risk, I've got seven easy steps to understanding it. It requires business leaders to be involved. It requires your accounting department to be involved and whoever your technical help is. And it's seven bucks. I gotta have the link in the description of this. And it's the exact thing that I use to start identifying kind of your threat landscape, so you can start figuring out exactly how you need to allocate resources, whether that's people, money, or additional tools, to start making sure that you're protected. Everybody has a different risk profile. There's no one size fits all. And if you think somebody's coming at you with a turnkey solution, walk away. You're either underpaying or overpaying, 'cause it's not gonna be fit to you. And that's one of the things when you're talking risk management and cybersecurity principles in general: it needs to flex, it needs to flex to be where you are at any given moment.

I hope this has been helpful. If you disagree with me, let me know, hit me up and say I'm full of crap. If you think I've missed something that's also key in this discussion, please let me know. I'd love to have that conversation. Maybe even have you on the podcast as a guest, and we can talk about where we agree and where we disagree. I'm open to that conversation. But after 20 years, 20 plus years of being in tons of different industries, and talking to tons of different people, CEOs to, you know, the front desk clerk you come in to, these are the things that I've seen, that kind of have been rules. I can almost put rules to them and predict them at this point.

About the Podcast

The Business Samurai
Skills and Stories to be a Well-Rounded Leader in Business

About your host


John Barker

20+ years of technology, cybersecurity, and project management experience. Improving business operations to create a culture of better cybersecurity and technology practices. John is the Founder of Barker Management Consulting and the creator of the Business Samurai Program.

MBA, PMP, CISSP