The Water Trough- We can't make you drink, but we will make you think!

Safeguarding Small Business: Cybersecurity Insights with George Bakalov

• Ed Drozda

Ever wondered if your small business is truly protected from cyber threats? Tune into The Water Trough as Ed Drozda, The Small Business Doctor speaks with cybersecurity expert George Bakalov of Executive Solutions USA, LLC to uncover the realities of cyber risks & how to safeguard your business! 🎧🔒#CyberSecurity #SmallBusiness 

Ed Drozda:

Welcome to The Water Trough where we can't make you drink, but we will make you think. My name is Ed Drozda, The Small Business Doctor, and I'm really excited you chose to join me here as we discuss topics that are important for small business folks just like you. If you're looking for ideas, inspiration, and possibility, you've come to the right place. Join us as we take steps to help you create the healthy business that you've always wanted. Welcome back to The Water Trough folks, this is Ed Drozda, The Small Business Doctor, and today I'm joined by George Bakalov. George is a certified cybersecurity professional and a Virtual Chief Information Security Officer. He specializes in tailored cybersecurity services for small and medium-sized organizations. He spent over 20 years in technology, of which almost half was in cybersecurity. He's the former director of cybersecurity for a leading managed service provider in the Minneapolis area. Currently he's the CEO of his own consultancy Executive Solutions USA, LLC, and he's a consultant for several other cybersecurity organizations. George is also a member of the first professional organization of Certified Virtual CISOs, Chief Information Security Officers, based in Minneapolis, Minnesota. George, welcome.

George Bakalov:

Ed, it's a pleasure to be with you on the podcast.

Ed Drozda:

I'm very grateful to have you here today, Sir. It's growingly important for us to embrace cybersecurity. We hear about things all the time. Hopefully we haven't had firsthand experience, but even for those of us in small, in mid-size business, the risk of cyber security issues is considerable. Yes?

George Bakalov:

It is, you're spot on. A lot of people think that this is something that relates to the big names we hear on the news. And those do tend to steal the show, so to say, when it comes to the big breaches. Many years ago I had the fortunate or unfortunate opportunity to be involved with a very well-known breach indirectly, being on the subcontractor side of things. In fact, that was an event that was a catalyst in propelling me in this space, because I realized up until that point I was pretty much consumed with software functionality, basically concerned with uptime and things working from a technical perspective. So your average developer or IT professional was looking for this app to work the way it was intended to work, or this server to work the way it was intended to work. Nothing wrong with that. However, when you introduce cybersecurity, where you introduce the whole idea of someone breaching that app or breaching that server, now you're mixing two different domains. You have a criminal sticking their hands into your technology, and that introduces a whole different angle to technology. Not every technological field is necessarily exposed to that. You don't see criminals going into a surgeon's operating room and trying to do something, you know what I'm saying? Yeah. But this right here is intricately connected and so that intrigued me. And the other thing that intrigued me is because previously in my professional life I was a pastor. I graduated Bible School, and that kind of triggered my shepherd heart. I saw how people who don't know how to protect themselves potentially are exposed, so I think as far as the ethos of this profession, you need to have that sense of loyalty. You cannot create trust with your customer unless they see that you're loyal, and capable, and likable at the end of the day as well.
So those kind of things came into play, and I took great interest in that field, and then I began to find out small business is quite exposed, it's a soft target. Most of the money goes to tools that are developed for enterprise. But the small business, the medium-sized business, the nonprofit, they're exposed, they don't know what to do, and that's why I got into this space, because you're exactly right, small business is a target.

Ed Drozda:

I think those of us in small business don't appreciate the fact that we are vulnerable and that we truly are targets. I imagine from the standpoint of the cyber criminal, they realize there's a lot more money in the larger corporations, but there's a lot more smaller businesses in the world, and let's face it, they are not as well protected as the larger corporations because they simply don't have the resources to build that sort of protection in. Nonetheless, their livelihood depends upon their businesses and when faced with the intrusion, they're going to have to consider that they might have to deal with the intrusion by paying a ransom, for example. So as a criminal, if I have a population of 50,000 businesses to pick from versus a population of 5,000, why don't I just go after the 50,000, I'm sure I'll get something out of that, right?

George Bakalov:

Absolutely. I've heard numbers from 50% up to 75% of the US economy is basically chugging along because of SMBs, not because of enterprise. Breaching an enterprise-grade customer or organization brings notoriety for the criminal. Let's say if it's a ransomware they can have a greater ransom demand, things like this, but the greater number of organizations are the SMBs of the world, and they, not having the defenses configured correctly, not knowing how to defend themselves, then being soft targets, because you can easily scan, find out who's vulnerable and breach them, low hanging fruit. Right? That happens all the time. They don't make as much of a juicy headline so the media tends to report on the bigger, more scandalous cases. But actually small and medium enterprises, including nonprofits, churches, foundations and whatnot, they get attacked all the time in many different ways.

Ed Drozda:

Let's face it, we've all experienced some form of intrusion. So at any given time you get that little notice saying that 4 million people have been affected. That's a lot of people. Of those 4 million people, maybe 1% to 4% will actually have an impact. Yet these companies, in response, are giving us Identity Guard and Experian ID Works and blah, blah, blah, for which there is a cost. Okay? As sophisticated as they are, and for that protection that they've built in, they're still vulnerable. For the small company, that impact is 100%. If I'm the victim of an intrusion in which they have locked me out of my system, ransomware, I can't get into my system. The average small business owner may not have a sophisticated backup separate from that which ransomware would affect. They don't have the ability to throw that mirror back on to their system. The thieves, the criminals are like, hey, I'll charge you a hundred thousand dollars to get that back. Oh my God, that was my profit last year. But if I don't have it, then what happens to me? So the bigger corporations, as much as they've got all this protection and they're paying out significant amounts of money, it's still a dribble compared to the small guy or gal who has everything at stake in that moment, us small folks. In your experience, are we taking it seriously, or are we playing the betting game and saying, they'll never get to me?

George Bakalov:

Great question. The world is divided in two different groups of people, those who have had a breach and those who have not. For example, about once a month I do executive round tables where I bring business owners, SMBs, and bring them to an environment where they can share what works for them, what doesn't, what concerns they have. They learn from each other, I guide them and coach this discussion so it's a non-threatening, non-geeky time. That's my passion, to break it down as a business problem, because it is a business problem. If it affects your reputation, your manufacturing facility, your production line, if it's something that affects your organization in a way that you will take a financial hit, that will shut you down for even three days, which sometimes is critical for a business, then it is a business problem, it's not a technological problem, right? When I begin these executive round tables one of the first questions is, let me ask, who has experienced a breach? Sometimes there's a particular attack, it's known as business email compromise, where someone impersonated a vendor or a client and there was a payment due. They impersonated them and they got the CFO to wire a hundred thousand dollars to somebody. And then once money's wired in the banking system it's very difficult to retrieve it. I don't know of one single case where the bank actually got the money back. Part of the reason is because the criminals know how to quickly move the money around into several other accounts. It becomes a very difficult logistical problem at the least. There's a legal layer on top of that, so when you ask the question, who has had a breach and who hasn't, you realize people listen differently. They engage differently when they've experienced a breach, because they know the impact it has, personally, emotionally, spiritually.
People can't sleep, they feel exposed, they feel like someone invaded their personal life, and they know the cost they've paid so they wanna know, how do I protect myself better? People who have not experienced it, they tend to be like, well yeah maybe, but hopefully not to me. Maybe it's not gonna happen to me. So then it boils down to this human response to risk. Do I really entertain this risk, because cybersecurity is just one of the many risks we face on a daily basis. I think the way business people respond to this type of risk is not much different than other types of risks. It boils down to your philosophy of life, your response to life, your whole philosophy of risk management. Cybersecurity is like a glorified term for risk management in technology, so it boils down to who you are, how you see the world, how you respond to risk, and what steps are you willing to take to minimize that risk? You're not gonna eliminate it, but you can minimize it and you can bring it down to an amount of risk that you can manage and understand, and it will not have a devastating effect on your life.

Ed Drozda:

Do you have any statistics about the frequency of intrusions, or worse, in small business?

George Bakalov:

We do have data. I just read a study, 90% of small businesses reported some type of a breach last year, 90%. Verizon publishes a report on these stats every year. It used to hover around 65%. Now it's becoming inevitable and in fact, that actually is a belated statistic because a lot of businesses don't report on these, so probably when they were reporting at 65 there was 30% who were not admitting it. And the reason that they don't admit it is because sometimes they have reputational concerns. You know, what if I share this, you know what I'm saying. Cyber crime is usually under-reported, like a lot of other crimes. It happens a lot more than we realize, and unfortunately it gets downplayed or, I'll give you a bad example in my opinion. This law firm that I talked to years ago had been breached. They had a ransom, and they paid their ransom. Their mindset was like, we paid a hundred thousand dollars in ransom, but we're not gonna do anything about our cybersecurity because we figured if we pay it every five years somewhere, they'll leave us alone and we'll be fine. That was the response when we offered solutions. The cost of those solutions was minuscule compared to the size of the breach. But they figured, well you know over five years, all these cybersecurity solutions will end up costing us. Which is another good question. Are you prepared for the day if that occurs, have you ever entertained the thought of do we pay or not? What do you do when there is a breach? One of the things that I do through my consultancy is work with organizations to simulate, it's called tabletop simulation, where we get together with the executive leadership team, maybe a technical team, and we role play the scenario. What happens if this occurs, what-if-then scenarios, and then everybody jumps in with their role: the CFO, the technical lead, the CEO.
So there's a certain sequence and steps to be taken to properly handle an incident, and if you prepare for such, you will probably handle it a lot better. And my question to people who are just counting beans, so to say, have you ever thought about reputational impact? Because financially you may save money on cybersecurity, but reputation you cannot fix so easily. Right? There's different aspects of how a breach impacts an organization, one of which is reputation, and sometimes people don't think about that.

Ed Drozda:

Going back to your comment about the 90%, I wanna see if I understand this. The 90%, an intrusion such as a phishing attempt and things like that, not necessarily one that led to a deleterious outcome, right? Just the intrusion itself, wherever it might go, but not 90% with an actual ransom or...

George Bakalov:

Not necessarily ransom. This would be a bigger umbrella that will encompass different types of breaches. So maybe it was malware, maybe it was phishing, successful credential harvesting, there's different types, but 90% would experience some type of a data leak, breach, compromise, or something of that nature. It's not just a threat, it's an actual impact. The worldwide cyber crime industry is like a $10 trillion industry. It would be a country of its own if it had national boundaries. What's happened is that the bar has been lowered for the bad actors. It used to take people of great sophistication many years of experience to be able to put together an attack. But now we have so many automation tools. It's so easy for people to get into this, quote unquote, business. Also on the dark web you can hire people to execute attacks, so you don't even have to necessarily be one. You can just target an enemy, and hire criminals. And the price has been going down progressively, so it doesn't really cost a whole lot of money to organize an attack on someone. Let's say you're a shop and you have a busy season, and right around Black Friday your store goes down 'cause you had a DDoS attack, well somebody who is selling right next to you, similar store or whatever, they might be a culprit because their store is up, right? So everybody's going to them. It's a very interesting and terrifying industry, because it keeps changing, pivoting. Sometimes defenders like myself, people who work with small businesses to help them understand the strategy here. A lot of times businesses say, I'll just hire a pen tester. Pen testing is okay, you know, someone testing your defenses. But the question is did you have the defenses set up the right way to begin with? Why don't we start by assessing what you got going? Why don't we configure it and then maybe down the road we hire a pen tester to actually test it? 'Cause people really don't know when to begin.
This is one of the most frequent questions that I hear: where do I start? It just seems to be such a big thing and they're right. It's just overwhelming. Where do I begin? That's what I help business owners understand. Here's what you got going, size of organization, type of industry, history of attacks, et cetera, et cetera. We'll run an assessment, kind of show 'em where the low hanging fruit is, where the most risk is with the most impact, right? And then we put together a remediation roadmap so they can gradually, not to be in panic mode, but gradually begin to bring that risk down.

Ed Drozda:

Each and every one of us in small business should be aware of, I'm sure we are aware of and concerned about the possibility of an intrusion, and one that might be profoundly deleterious to our business. So having said that, many of us do a certain number of things, things that we figure are apropos. Firewalls, password generators, diligence about emails and where they came from and who they came from. You know, there's a level of awareness and there's a certain level of basic things that we do. And maybe if our diligence is sufficient we might catch those things that are visible anyway. Right? Because there are certain things that are visible, like phishing attempts, and things of this sort. They are coming from an in-your-face type position. These are things that can be seen. I don't click on that link because I don't recognize where that email came from. Don't do this, don't do that. That's fine, but there's a lot of stuff that is invisible.

George Bakalov:

It is not absolutely visible. Then again, for every attack vector you have a different countermeasure, or controls as we call them. So to correctly understand and assess where I spend my limited amount of dollars, the best way to go about it is to perform an organizational-level assessment, because you can focus on technical controls and fix your firewalls and such. But what if you have an administrative process that's left the door wide open, where somebody can come in through a fake interview and they're not vetted? You see what I'm saying? There's a lot of administrative processes that open up the organization to attack. It's not necessarily technical. So you have what we call defense in depth, which is like a multi-layered approach where you have, you know, here's a firewall for that type of attack. If they overcome that, what are they gonna come next to? Okay, they're gonna come to our databases, and so you build these defenses, basically understanding how the attack occurs and what they're after, understanding where the data is, because at the end of the day, it is about data, whether they're gonna encrypt it, whether they're gonna steal it, it is mostly about that. Not only that, sometimes criminals will take over an organization's infrastructure only so they can execute their attack through that infrastructure. They're not even coming to steal your data. They'll come to take over your infrastructure and they'll use your server to distribute malware, right? Who wants to wake up one day to find that their online reputation is tainted, because out of their IPs and emails they're blasting out phishing campaigns or malware or child inappropriate pictures and things like that, right? So you're defending against different types of attacks. That's why what I do as a virtual CISO is to stay at that strategic level where I understand the full organizational risk, and then build a program that's going to begin to deal with administrative and physical risk.
Then you prioritize and you spend the dollars on the lowest hanging fruit with the greatest impact, the greatest risk, and then you begin to work your way to a better security posture as time goes.

Ed Drozda:

So we've established that from a small business perspective, vulnerability exists, it's very real, and the risk associated is very real and potentially disastrous. One of the things that always comes to mind is, how much is this going to cost me? I'm not asking you and your company how much it would cost per se, but what I am asking you is what could one expect? We always talk about return on investment, but let's face it, this is really an insurance policy of sorts more so than return on investment. The return only occurs in the event of an actual attack that was prevented. Let's say you are gonna come in and you're going to do these various layers of things to create a curtain if you will, a safety curtain. There is a cost associated with this. Let's say you came in and said to me, it's gonna cost $20,000 to build this curtain. Now we've already established that this is more like an insurance policy than it is something I can look at as a return on investment, but as a responsible business person I'm still gonna have to look at this from a cost benefit perspective. What could I expect in return in the event that something did happen or if something was prevented? Does that make sense?

George Bakalov:

I understand exactly what you're saying.

Ed Drozda:

Okay. So take it from there, because I'm confusing myself.

George Bakalov:

Well, the cost of the cure can't be greater than the cost of the illness. Right?

Ed Drozda:

Of course. Of course. Right.

George Bakalov:

And that actually is a great point you're bringing because unfortunately, traditionally if you will, people in our line of work are carrying this bad rap from the past where the geek always wants more tools and they want more licenses and they want more of this and that. And they seem to be completely oblivious to the fact that the business owner is managing an organization. Wait a minute, you want to make me super secure, but I'm gonna go bankrupt. I can't do that. The tricky thing is to work with the existing budget, right? If the organization has an IT budget, then designate part of that budget for security, because designating the IT budget, let's just say X amount of dollars goes to IT, in the mind of the business owner IT should be taking care of security, right? That's where the problem comes in, not necessarily. Like I explained in the beginning, taking care of IT doesn't necessarily mean you took care of the security piece of it, right? Basically, the best way to approach this would be, okay, there is a security risk. We're gonna carve out a budget, whatever that is, now let's find out where the threats are, what the vulnerabilities are. Let's find out what the low hanging fruit is. Let's find out what the risk is, and now let's apply the cure. So you methodically approach this at a business level rather than just a geek level where it's like, oh, boss we need, you know, x, y, z, such and such firewall, and such and such expensive tool. And Mr. Business Owner's like, I have no idea what this guy just said. So we have financial impact if your business goes down and if data gets locked up and now HR can't pay salaries or you have customers you can't serve, what is the impact of that? Then we do something called business impact analysis where we estimate a loss as a dollar amount. So you have that financial impact. Then you have the reputational impact as well to think about.
That's why these tabletop simulations, when we talk about that, sometimes I see people's eyes just get big, like okay, now you have law enforcement coming in because someone got into your network because they planted child, you know what, on your servers. Now they're gonna shut you down for six months and they're gonna put the yellow tape around your server room. Now you have no technology. That's why you go out of business, right? So, when you begin to understand the impact and what it does to the business, then you go backwards and say okay, then this budget is justified because now I realize that I'm managing this risk, and no one can accuse you of not having practiced due diligence as an executive, as a business owner. Imagine yourself standing in a courtroom and being asked, did you do your due diligence to find out how much cyber risk there is? If you've done some of the things that I'm just laying out here, and if you have a security program that's being well managed, you can say we have done it, we are doing it. Here's the evidence for it, but we got breached. No one's gonna accuse you of being negligent, just basically leaving the shop open so the bad guys can come in. And that's one of the intangible benefits beyond the dollar amount that you're gonna potentially save.

Ed Drozda:

Gotcha. I really appreciate the distinction you made and I think it's important. I think it's very important for people to get that distinction between the technology, you know, information technology, which is a structure and a process, and the integrity of such structure and process. Where the latter, the integrity, is the security associated with it. They are two distinct things, but I think there's an inclination to view them as being conjoined, and therefore, well, if I have a good system, I have integrity built in. This is not the case at all. That's really sticking in my head, and while it's a simplistic observation, and I've always said the simplistic ones are the ones we overlook, we're so designed to make things more complex than they need to be.

George Bakalov:

If I can just add this, Ed, just to make sure, as a kind of a note in the back of my mind, is that actually we've moved beyond defending. We are now defending from a position of assumed breach. Because can I sign my name, can I take on a customer and guarantee there will be no breach? No, I cannot. Nobody can. Essentially, if you don't wanna be breached, don't be in business. Right. So, looking at the data, looking at what's happening in the real world, it is much more prudent for a business to assume that it's not if, but it's when. And to understand how to build their security house in such a way that they will quickly pivot. They'll know what to do, they'll be prepared. You mentioned in the beginning they'll have the backups, those backups will have been tested. They'll have done all those things, and they will recover quickly. The impact of a breach will be minimal, or not negligent. That is actually the best perspective, whether it's a 50-people shop or a 500-people manufacturing organization. You need to look at it from a perspective of I need to have resilience, and it's achievable. That's not Utopian, that is achievable. It's achievable, and it can be done within budget. In the hands of a skillful security manager you could use not even that many resources. You can be really smart with your money, but you can achieve that resilience. So even when things break and there's a breach, you can bounce back quickly and be back in business without that devastating impact that a lot of people report on.

Ed Drozda:

It's all about strategic planning and execution. So George, our time has come to an end. All good things come to an end, right? Before we go is there any parting wisdom you'd like to leave us with?

George Bakalov:

Huh, I'm not very good at parting wisdom words, but this is what I'll say for any business owner that truly has the vision to grow their business. If you are storing and exchanging information, you are an information business. Some people say, well I'm not a software development company. Actually, we all are in the information business because we all depend so heavily these days on information, and that information sometimes is the lifeblood of the business. And so the question would be, like I said, what level of due diligence and due care can you point to for yourself to claim that you are a responsible business owner? That you're a good business owner to your own self, to your employees, to your partners, to your vendors, to your clients. There's a lot of people involved in these complex relationships, and so when one party has been breached, it doesn't stop there. It doesn't end. Other people get affected. It goes back to a philosophy, a way of life, a way of thinking about life, about people, about yourself, about longevity. So be strategic. Think about it from a strategic perspective, and think of it as just one of the very important business risks that you have to deal with. Don't stick your head in the sand, face it, look at it, and figure out what to do with it. It's doable. It's doable, within budget. In the hands of a skillful manager, all things are possible.

Ed Drozda:

Fantastic. Well, I want to thank you very kindly for being here with me today. Again, George Bakalov is a Certified Cybersecurity Professional and a Virtual Chief Information Security Officer. He is the founder and the CEO of Executive Solutions, USA. George, this was really fantastic information. I believe it's important for all of us, and I hope that people are listening carefully to the things that you've told us today.

George Bakalov:

Great. Thanks, Ed. Thank you for the opportunity to be on your program.

Ed Drozda:

You're more than welcome, and it was a pleasure. This is Ed Drozda, The Small Business Doctor, and here at The Water Trough as always, I want to wish you a healthy business, and a cyber secure business.