Season 1 Episode 42: Smart Ways Successful Owners Can Prevent Data Hacks (Interview with Scott Taber of SBDC)
Tim Hello nerds and faithful listeners of the Team Nerd Tech Show. Tim Gillen here, Terrapin Networks, Traverse City, Michigan. Thanking you for joining us again for this week’s edition of the Team Nerd Tech Show, tech digest for the small business owner.
We’ve been doing this show now for 40 some episodes, most of 2019 here, and we’ve been able to put together some pretty interesting speakers for us to interview, to talk to you about and talk to you with.
So while we normally focus on tech news that relates to small business and maybe a tech gadget or two or a tech tip, we’d like to work in these interviews from time to time as a way to also bring in some relevance to the small business owner with technology.
Often they seem to revolve around cybersecurity, and today’s does too. We’re going to be joined in a minute or two here by Scott Taber. Scott is with the Cybersecurity Awareness Program at the Small Business Development Center of Michigan. It’s part of the EDC, down in Lansing.
In the meantime though, before we get to Scott, we’ll give a little more of an intro then, but I’ll throw it back over to my assistant, this week and every week, from Queens, New York: Ruthy Kirwan. Hello, Ruthy. What do you have for us?
Ruthy Hi, Tim! So yeah, I think we’re going to have a great conversation with Scott today. I’m really looking forward to that. You know, we’ve talked to a lot of people who are cybersecurity experts and we’ve talked to some people who are in the small business realm, but this conversation today is really marrying the two. So I’m very excited about this conversation here.
This is episode number 42 for anybody following along at home. If you want to head over to teamnerdtechshow.com and search for this particular episode, we’ll have more of our links and all of the information that you can use to find out more about the Small Business Development Center, or about Scott himself, or anything else that we talk about in the episode today.
Tim So Scott, good day and welcome, and thank you again for joining us! We’re just thrilled to have you on board. So tell us a bit about yourself and the SBDC and what they do and your part in it, I’ll give you a couple of minutes here.
Scott Yeah, yeah. Thank you, Tim. Thank you, Ruthy, for having me this afternoon.
So a little bit about my background: I am a former IT security analyst. I worked at Ferris State University helping protect all of our students’ data, staff, faculty, data, you name it.
I was helping to protect it, implementing all the tools, policies, all that good stuff.
Prior to that, I was a student actually at Ferris State as well. I have a degree in Information Security and Intelligence and also one in Criminal Justice. So I kind of was looking to marry the two different degrees, and so far it’s worked out pretty well for me.
Ruthy Very cool.
Scott Yeah. And so I’m now with the Michigan Small Business Development Center, and I’ve been with them just under two years now. Seeing the opportunity back in Grand Rapids, and then being able to really educate people on cybersecurity and why it’s important, why it impacts small businesses, how we can help them be successful in protecting their information, it has really intrigued me and really made me want to go this route. It’s such a, I think, an underserved area where small businesses don’t have the budgets, the ideas, the knowledge, the tools, whatever it is.
My job is confined to help find easy ways to help them really implement strong security measures that are inexpensive or aren’t terribly complicated, and that can really help protect themselves.
So that’s a little bit about my professional background here, and I’ll tell you now a little bit about the SBDC as a whole.
First, I do want to say we are funded through the US Small Business Administration and the Michigan Economic Development Corporation. Along with some off-funds from our local network partners throughout the entire state.
So we serve all, I believe, 83 counties in Michigan, from the Upper Peninsula all the way down to Ann Arbor, Detroit, all the way down there. So we are everywhere you go.
Oh, some of the cool things that we do besides just cybersecurity, which is my specialty: we work with all different kinds of small businesses, new venture startups or existing businesses, those who are looking to grow, or if you have an advanced technology company, we’d love to work with you.
Some other things about us: We will also work with export assistance. So if you’re looking to have a product go outside of the country, we can help guide you in that process. Or if you’re looking to really grow your business, we have experts in that.
And one of the coolest things that we offer is it’s no cost. We offer either a no-cost or extremely low-cost one-on-one business consulting and business education. We do that through things like webinars or in-person events, and we also do secondary market research for businesses.
Tim Well. That’s pretty interesting. That’s a lot of services to provide. What is your part in the cybersecurity side for the smaller company? Our focus here at Terrapin Networks is small. We’ve kind of made a little boutique corner for a tech services firm. We’ve done this for 29 years and I’ve had a lot of iterations over those decades. But what we do these days is real small companies. By that, I mean, up to about 20 computer users. So 5 and 10, commonly. It’s sometimes more employees than that because they may not all be computer users. Say it’s a shop floor that may have staff, that kind of thing. But generally smaller companies.
To government folks, they’ll think of small business as a hundred employees and 150 employees, depending on the industry especially. But we’ve made a little market out of really small companies who want to use technology to, sometimes even just frankly, to stay small. They have no interest in doubling or tripling in size, but they can become, using technology, especially, become quite profitable. But they’ll still have the same kind of security risks and data protection risks as a large company, it’s really no different.
Now the fact that those of us with a small outfit can compete against the big boys, as it were, is because of the technology. But of course, that brings along those same risks.
So what do you see on the small company sizes with some of the consulting you’ve been involved in? In some of the different situations that you have seen, what stands out for a smaller company, for a business owner to think of?
Scott That really falls right into our wheelhouse. So you mentioned the maybe 5 to 20 devices, and that’s a lot of what our clients are really, they are smaller on the small side of the business. You know that there’s that government definition of, like, up to 500 employees, but most of our small business finance is almost a micro size. So it’s really right in our wheelhouse.
And so for me, they may not necessarily have the big budgets and obviously, they don’t have a big security team or even an IT team at that point.
They may be using a service provider. And so, some of the biggest recommendations that I give to our clients is, are you deploying tools like two-factor authentication?
I’d highly recommend strong passwords and really going more towards the passphrases, so that way it’s something easier for you to remember. Make it 50, 60 characters long at that point, instead of the bare minimum of like 12 or 16 characters or whatever the rule is going to be for that particular user account.
Tim So maybe use some kind of sentence with random words and spaces, the whole thing.
Scott Yup. One of the examples that I give in the webinars that I do and presentations I give is: “cybersecurity is important 247, 365 days a year!” I mean, crazy long...
Tim But that’s a pretty good password.
Ruthy You’re not going to forget it!
Scott Just I hope no one tries that password.
Tim Just find Scott’s email address and you’re in to everything, right?
Scott You have access to all of it!
Tim I would imagine probably not, but yeah, that’s very good advice. We’ve talked... We actually have whole episodes on that. Maybe you can, Ruthy, can dig some of those up and add them to the show notes?
Ruthy I will. We’ve got a whole episode on 2-factor authentication and also about strong passwords, password keepers, and Lastpass and all that.
Tim It’s technically “multifactor authentication”, right?
Scott Yeah, absolutely. So we’re trying to use MFA as much as to 2FA these days, at least as far as how we describe it.
Tim Tell us about the Small Business Big Threat initiative that you folks have. We talk a lot about small business, big tech, small business, big tech. We’ve used it as a marketing tagline from time to time. But this notion of small business, big threat; you guys have a particular initiative about that, which, tell us about that a little bit.
Scott Yeah, absolutely. We do. So it’s really our cybersecurity program that we offer here at the Michigan SBDC. It was implemented a few years before I started.
I’m now really the one in charge of it and leading the push for it. And it’s really about raising awareness and training for small businesses when it comes to cybersecurity, whether they’re at the beginning stages of what is cybersecurity, why it’s important to them and their small business, how cybersecurity impacts them.
And I go all the way to do actual training sessions for their employees they can do, like at their annual yearly training. We’ll discuss things like phishing or good cyber practices or, you know, “don’t click on the link in the email.” So it’s really our big initiative that we have here in the state of Michigan, and actually several other states have jumped on board as well with it.
And then so it’s really trying to help educate business owners and other entrepreneurs to realize that cybersecurity matters. It’s a threat.
Tim Tell me a bit about how that would work for a small company in, here in our state of Michigan, say I’m an accounting firm with a staff of 9 or 10, let’s just say, will you do some training for my folks if we’re able to put something together?
Or if you think of a provider like us, we’re a services provider, so a little bit different, as I’ve mentioned, kind of a tech team for hire. If we got several of our clients together who were, you know, at least similar enough, that it would make sense? You guys would put on little training sessions, like a seminar or something?
Scott Yeah. It’d be either an in-person or a recorded webinar, designed either for the particular business or for a handful of businesses together. We would really talk about the concepts of cybersecurity, the basics of it, what to look for and when, what to find when we’re looking for cyber attacks that are happening against that business, especially coming through.
One of the last ones I did, they really wanted to focus primarily on things like phishing emails, insider threats. So we’ll talk about, like, malicious insiders versus the accidental insiders, so we can really shape and create something unique for what that business or the businesses are looking for.
So it’s really similar to a lot of the in-person events that we do as well. If we’re going to a particular audience, I want to speak on what really resonates with them. This is as opposed to just the standard “Well, cybersecurity is scary and you need it.” Let’s talk about how we can help you institute it into your business. How we can help create that culture for your business. We’ll use either free tools or inexpensive tools and policies that you can implement. A lot of it is just policies really.
Tim So for our listeners, it’s a good thing to talk to your tech services team about, whoever that is. We’ll have a link in our show notes at teamnerdtechshow.com. Ruthy, this is an episode, which did you say? 39?
Ruthy 42!
Tim Oh my goodness. I’m getting old. Of course, we knew that, but, so episode 42, and Scott Taber and the Small Business Development Center of Michigan, the cybersecurity awareness program. That might be something to reach out to Scott’s group with. We’ll have some links there so that you can do that.
And we’ll be talking with our customers and other companies that we take care of about this because that’s… I didn’t even know that was coming from our conversation today. Because sometimes, once a year, maybe twice a year are the email follow-ups, but so much of it, we find, is just training.
I bring up things to users and it doesn’t even occur to them because they’re not aware of what these risks are. They don’t live in this world here. They’re an accountant or they’re running a landscaping shop or they’re running a little small cabinet-making factory, whatever it might be, and they’re not thinking of all this stuff. That’s what our role is as the tech team.
And so we can bring up real simple stuff where we’ll talk about on something here and it comes back to me, and people will say, “Man. I wasn’t even thinking about that.” And so that awareness that you mentioned, Scott, is clearly a big deal. If it’s just out there, it’s one thing, but if we can bring it right to people, that would seem to have a lot of value.
What have you found out? What’s the standout thing? So we’ve talked about these generic programs. Now, give us one or two things, actionable items, that a small business owner and a small business owner talking to his or her tech manager can bring forward.
What’s the one or two things you would say they do for us? Well, let’s say the second and third thing, we’ll call the first thing two-factor authentication, multifactor authentication, MFA. What would you say is maybe 2 and 3, or 2A and 2B, or however you might want to think of it?
Scott We kind of mentioned it already, but really I’m a strong proponent of password managers. In organizing it. And that really goes not just to have good passwords but to the password policies themselves.
And then policies in general. I mean, you said it, I think you mentioned it really comes all back to the policies. I did a webinar today, where half the attendees didn’t have an incident response plan. So for me, let’s start with policies.
As you know, two-factor, multi-factor, password minders. But after that, let’s focus on your policies because you need to have them. It tells you what you’re trying to do, why you’re trying to accomplish, what you’re doing with any of the potential tools that you might install or deploy. It gives you a reason to actually follow through with it. So policies are huge.
If we’re going past that, intrusion detection. That’s a big one. For me, if you can’t identify that a cyber attack was successful in getting into your network, you’re way behind the eight ball at that point because you’re not aware that you have or may have that data breach. So being able to identify whether you have a log of, like a SIEM that can help you identify it or if it’s just you reviewing the logs consistently to identify that you have an intrusion.
Tim And to our listeners, that goes back to what you’ve heard me talk about as “perimeter security”, which is generally the firewall device. That’s our fancy nerd way of saying a firewall. We like to see an actual physical device in between that end, the business network and would encourage you to make sure your tech team has done that, but also that they have some kind of logging set up, which has to be turned on with a couple of settings made. It’s not difficult to do for those of us who do that.
So when Scott talks about intrusion detection, it reminds me of our conversation with William Kimble a few weeks ago, from Cyber Defense Technologies out of Washington DC. They talk, as you might remember, about intrusion detection and knowing when someone’s been banging away and how they might have gotten in. Because, as Scott’s mentioning, we’ll hear about these data breaches. And it turns out they’ve been inside the network for some big bank or some credit card for months, you know, just lurking around because somebody didn’t pay attention to that.
So these are both great pieces of advice, really great advice.
Scott And then lastly, data backups. Have to have them, make sure they’re working, and then if you automate, make sure it’s actually backing up correctly, and that you can verify the integrity of the backup. That you can also restore from the backup, a restore test. One of the worst things you can do is think, “Yeah, we’re backing up stuff.” And then 6 months later you find out your backups had been corrupted for six months, a year, or however long, and now what? What do you do with them?
Tim We’ve talked about, Scott, and maybe you can back this up, and if you have some other input, we’d love to hear it. But that’s one of the ways to get through a ransomware attack, is with an effective backup.
Scott Oh no, absolutely it is. You have a good quality backup that is, and you used the words “up to date”, so you know – whether it’s daily or every few days, you may be, I guess, only a couple of days worth of data behind, and most businesses can recover fairly quickly from that.
Tim We have found that we have had customers who had to recover from bona fide ransomware attacks, and the backup changes everything. If you’ve got good backups, you can restore. It’s a hassle, obviously. But it doesn’t close the doors and it doesn’t cost you $100,000 in keeping the business running. You’d be able to get back up and running. You still got customers waiting on it, you still got paychecks to get out, you still get orders fulfilled. You’ve created all this data. You just don’t want it gone.
Scott So you mentioned $100,000, and that’s right around the average per breach for small businesses.
Ruthy Wow.
Tim Imagine that. So imagine the, one of the things we talk about here in the show, and I tell my customers: just imagine you walk in tomorrow morning and your data’s gone.
Now, if the building burns down, your data’s backed up and you can run a conference room and a motel room and get some tables and chairs with good backups. At least get running while you’re getting things rebuilt. But imagine if you walked into it all gone? I mean, not that it’s not a hassle even when you have backups, that’s a big hassle.
But imagine if you walk in tomorrow and the data are gone. I mean, gone, gone. And there’s nothing on your computers.
Scott Yeah, absolutely.
Tim So one of the things we ask people is just to think about in your head: how big a check would you write to make that problem go away? And it’s a lot of money. I mean, that can really shut the doors to a company. It really can, can’t it?
Scott Oh, absolutely. There is an example of a doctor’s office near the Battle Creek, Michigan area. They were hit by ransomware and they decided that since they’re close to retirement age, “Well, we’re just going to retire and close up shop instead of dealing with the hassle of trying to remove all my ransomware.”
Tim Imagine what a mess was created there. That’s really too bad. I mean, you just hate to hear that kind of thing. But yeah, you see these numbers from the backup firms and through the Gartner Group in one of this that will say the percentage of major data attacks that will actually shut down smaller businesses is way higher than what you think.
Scott Here’s some numbers for you. I know that staysafeonline.org or the National Cyber Security Alliance, I believe, they just reported around 10% of businesses who are hit by their small businesses by data breach, close up shop, so that’s 10%. And then the Verizon data breach incident report, just from this past year, it says that 43% of breaches were involved in some form of small business victims. I mean, we know: we’re the number one target.
Tim We have heavily rooted in that phrase, and it’s kind of overdone, but we’re kind of the low hanging fruit.
Ruthy Yeah.
Tim Because we don’t have, as you mentioned earlier in this conversation, the security, we don’t have the big fancy security teams. Most small companies, they may have someone like us providing tech support, a service provider providing tech support. But no one’s pretending that there are some big full-on cybersecurity team ninja guys. They’re small companies. So we have to balance out the expenses. And so we tend to be kind of low hanging fruit.
So it’s always good to make those adjustments that you can make. And part of that, as Scott mentioned, listeners, part of that, are policies internally.
Because a lot of these breaches come not just when someone messes up the firewall and when they install it, but when somebody internally, inadvertently, or sometimes maliciously as Scott mentioned, but more often than not, it’s inadvertent, clicked on a link they shouldn’t click on, let somebody in without realizing that they were, or loaded up a piece of software they thought was cute and it’s actually a piece of malware and next thing you know, you’ve let someone in.
And so having policies that are just spoken to very openly, not just once a year, but just, here’s how we do things. We have found that makes a pretty big difference once people kind of get their arms around that. That’s a good way to do things.
Change the passwords, use long passwords, apply password complexity and length, and use password managers. So no one’s using the same password over and over again, or some minor variation of it.
Those are generic recommendations that you would back up or that you folks talk about in your things, is that right? Does that sound right?
Scott Yeah, absolutely. A lot of those… They said the low hanging fruit is how hackers look at small businesses. And so I’m trying to really help spread the message of let’s address our low hanging fruit. Fix your passwords. Do the 2-factor, have data backups, make sure you actually have an antivirus installed on your computer. It’s really one of the first lines of defense.
Obviously, no, it doesn’t solve everything. But it helps prevent those, you know, forms of malware that are 15 years old that are still successful today because people don’t have to be on their devices or on their servers.
So in doing those, essentially, inexpensive and easy options, one of the best things you or I can do is address doing your updates for your software, for your operating system, for the other applications. They have it and they do it on your mobile devices too. You know, those are free. We receive them every week. Every Tuesday for Windows devices. So I mean, those are all free things that you can do that don’t cost you a single cent. And it can solve like, I think I read a stat that it was like 90% of the issues.
Having strong passwords, doing updates, and obviously, we’re doing data backups. You’re really securing yourself in a really inexpensive and almost easy way, and that way you can really take care of most of the threats.
And then the training and awareness of your employees about the phishing emails, about scam phone calls or about business email compromise.
You know, the gift card scams right now that are really prevalent where, “Hey, I need $500 of gift cards, send those to me,” and you think it must come from your boss. So it’s really simple things that we try to address that really go a long way in protecting small businesses.
Tim Yes, they do. And it’s a security, as our listeners have heard me talk about for months now, security is all just layers. And just like in your home or maybe your business, you’ve got two locks on the front door and two locks in the back door maybe bars on a certain set of windows and maybe an alarm. Those are all layers. And that’s how we think of all these things.
So when we do the updates, we have a good antivirus, we have good passwords, we have a good perimeter, and bit by bit these harden our tech system, not just our network, but our tech system.
So what Scott’s talking about has been echoed with what we’ve been chatting about on this show. Just taking these concepts making it part of the way you run your company, part of the mindset, here’s what we do. You don’t have to even necessarily understand or be able to explain it, but these are drummed it into my head. It’s probably worth doing. So think of it that way.
Cause that’s why all of us seem to say the same things. It really does work and it puts the advantage in your corner a little bit because normally we’re the ones being attacked, so we want to do what we can do as business owners, all of us collectively as business owners, want to do those parts that we can do.
Scott And you mentioned, Tim, you know, well, “They talk about it all the time. They drum it into your head. So it must be important“. You know, when it comes to creating a cybersecurity culture it’s difficult, especially for the non-tech people who are to create that culture within their business.
So it’s something where I say, “When you have your weekly meetings, or if you have a daily or a monthly meeting, whatever the case is, talk about cybersecurity for a minute or two. Ask your employees if they’ve seen anything suspicious. If they’ve seen the phishing emails.” So it becomes a natural part of the company.
Tim Yeah, exactly.
Scott And it kind of takes away the scariness and the, “Oh, I don’t know about cybersecurity, so we can’t talk about it.” Well, have those easy conversations. Like, we just started our phishing campaign here where I work. So I’m hosted by Grand Valley State University, and they handle all of our HR stuff, and I’m an employee of theirs. And we just started our phishing campaign to test our employees again.
And it was funny, I walked into the office and our student employee’s like, “Hey, I got this phishing email,” and I said, “But you didn’t fall for it, right?” It’s like, “No, no, we didn’t fall for it. We actually called and reported it and they said, ‘Good job. You identified the phishing email.’”
It’s just, you know, casual conversations like that that helped build and create that culture and really raises everyone’s awareness level of what’s happening to that business.
Ruthy I’m sorry to say, guys. I think we do have to start wrapping this up. Like we could sit here and talk about small business and security and passwords for another hour at least!
Tim It’s kind of enjoyable, isn’t it?
Ruthy It is fun. Well, how can businesses in Michigan contact you with the SBDC? They could just go to the website, or do you have a hotline or anything like that?
Scott I would direct them to go to SBDCmichigan.org. They can learn about all of our services there. They can also sign up for our one-on-one business consulting there as well and become a client of ours. It’s really easy to do. I would recommend that. Probably their best route to go on SBDCmichigan.org to sign up and they can get ahold of me that way. Or they can, if they have other business questions that aren’t cybersecurity. We’ve got experts in virtually everything that you can.
Ruthy Man, what a great resource.
Tim Yeah, truly outstanding resource.
Ruthy All right, well, thank you so much for hanging out with me again this week, guys, and again, Tim, for coming and hanging out with us this week. Scott, thank you again, and for you listening at home this is again, episode number 42. You can look up any of the past links that we’ve talked about today or if you have questions about SBDC, at teamnerdtechshow.com. And you can always call in and leave us a voicemail or if you have any questions or issues or anything like that you wanted to bring up after this episode, our phone number here is (231) 668-9175. And you could send us an email at teamnerd@terrapin.tech.
So thanks a lot guys, and have a great rest of your day.
Scott Okay, thanks.
Tim Thank you, Scott.
Timestamps:
2:22 Who Scott is and what he does
6:58 The types of businesses SBDC works with
8:54 Small Business, Big Threat initiative from SBDC Michigan
10:57 Seminars and webinars offered by SBDC for small businesses
15:05 What Scott thinks are the 3 most important things small businesses need to do to stay safe
19:37 How much money the average small business loses in a data breach
20:26 The worst story Scott ever heard about a ransomware attack