Cyber Crime Junkies

Until Wheels Fall Off. Small Business Risk and Brand Protection.

Cyber Crime Junkies. Host David Mauro. Season 6 Episode 5

Cyber Crime Junkies Podcast host David Mauro and producer Jay discuss the latest small business cybersecurity risks and how many businesses are asleep at the wheel.


🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Youtube (FKA Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. We'd love to hear your thoughts and suggestions for future episodes!


Topics: risk and brand protection,
Small Business Cybersecurity Risks, until wheels fall off, how to protect your brand, are small businesses asleep at the wheel in cyber, how to reduce risk of your identity being stolen, latest ways hackers are stealing your info, protecting identities online, small business risks today, Protect Your Brand Online, Latest Hacker Tactics, Protecting Identities Online, Small Business Cyber Risks Today, Cybersecurity for Small Businesses, How Hackers Steal Information.

Dino Mauro (00:00.204)
Cybercrime. When we say that very phrase, it evokes motion. It's serious, well-funded, and growing. The cybercrime effect on small business has had disastrous results for tens of thousands here in America this past year. Often, cybersecurity is run by vendors, and they purposely speak in code. Using acronyms nobody understands. That's by design. We try really hard to simplify it for you, to translate it for you here. To put it into plain terms,

terms business leaders can understand. Why? So that you can focus on growing your organization. That's an interesting perspective. Excellent way to say that. I mean, it is desperately needed today. There is great sophistication and simplicity. And I'm reminded of the Mark Twain quote that said, I didn't have time to write a shorter letter, so I wrote a long one instead. Likewise, French philosopher

Pascal said the same thing when he is quoted as saying, if I had more time, I would have written a shorter letter. Thanks. It's a great frame of mind, an excellent approach that is needed today in cyber. Thanks. The question today is whether cyber crime and the need to improve your cybersecurity measures is a necessary evil or golden opportunity. We dive into this. How, what seems like a burden.

might actually be the key to unlocking growth. Unprecedented growth. Even more, it's a chance. A chance to finally master customer trust. So, settle in and let's get started. Welcome everybody to Cybercrime Junkies. I'm your host, David Mauro. I'm joined by our security researcher and producer known online as J-Cyber. Welcome. Glad to be here.

Love what we do here. Hmm, that's an interesting perspective. Are you suggesting that small businesses should see cybersecurity as more than just a defensive measure? Exactly. It's easy to think of cybersecurity as just another expense, a checkbox on a long list of to-dos, something to go cheap on, to spend the least amount of money on. And today, we hope we can explain how that is absolutely a mistake.

Dino Mauro (02:27.106)
A mistake for growth. A mistake for reputation. A mistake for your brand. Yay, it's tough because there's limited money and business leaders have tougher choices today on what to allocate them for. I mean, I see it in real time. The reality is far more nuanced. Let me throw some numbers your way. According to a recent Hiscox report, by the way, Hiscox is a business analytics and risk company that does some excellent research and has objective findings.

They recently found 41% of small businesses right here in the US fell victim to a cyber attack this year. That's nearly double the 22% we saw last year. These aren't just statistics, they're wake-up calls. Wow. That's a dramatic increase in just two years. What's fueling this surge in attacks? It's like a perfect storm. On one side, cybercriminals are becoming more sophisticated.

Leveraging AI to do two main things. Number one, AI is used in their malware and ransomware code to become even more undetectable when they enter your network. And number two, they are using AI to craft phishing emails so convincing they could fool even the savviest professionals. And then of course, on the other, many small businesses are still playing catch up with their digital defenses.

I mean, many have old systems and it's hard to get them to spend money on even the basics, let alone to educate their employees, right? So they can recognize these threats. That's ridiculous. You would think, but they don't take it seriously or get bad advice. Bad advice. 100%. Here's what I mean. There's a difference, a fundamental difference between. Holy crap. That's an excellent point. So it's like bringing a knife to a gunfight. Not only won't the knife win, but it's the wrong weapon in the wrong.

battle. Never thought of it like that since I'm from the city and we always have guns. But yeah, good point. That's what it's like out there. Unevenly matched with so much at stake. So let me ask you this. If business leaders and their IT and security folks can know the extent of this threat earlier, meaning they can detect hackers or threat actors in real time, could businesses have been better prepared?

Dino Mauro (04:45.806)
100%. Not all breaches are created equal. Not all breaches are created equal. Yeah, it should be an amendment to our Constitution, right? What matters now is asking, what can we do today? Here's something fascinating from a recent IBM Threat Intelligence report. The average time it takes a small business using an IT provider to detect a hacker inside their network is 207 days. Wait, what?

Yeah, seriously, this is serious crap. Many small businesses hire small IT companies who tell their leaders they are secure. It's total BS. It's crap. They are IT experts, not security experts. I know, right. Can you help us understand? So explain the difference for the listeners. IT has engineers and they have experience, training and certifications, right? Yep, of course. Well, cybersecurity is totally different.

Even though they may look at similar hardware or software, they have different training experience and certifications. They aren't looking at the same technologies the same way as IT or network engineers. It's the difference between a SOC, a Security Operations Center, and a NOC, a Network Operations Center. Oh yeah, we just had an episode on that distinction. Yeah, it was solid. Thanks, Jay. A SOC is short for Security Operations Center, searches and hunts down threats.

They search for bad intent. They search for bad behavior, for anomalies, movement, escalated privileges. Like catching a robber in your home, they are acting like motion detectors. The NOC, N-O-C standing for Network Operations Center, they monitor for health of devices, making sure they are online or fall offline. They do patching and ensure your systems are running good. Makes sense. Yes, but they do not. They do not.

have the skill set and technology to search for hackers. And that my friend is the core problem. Nobody explains this to business leaders. Well, we just did. Amen to that. So, and to be clear here, explain to me and the listeners exactly why is that so important? Because otherwise hackers will be 100% inside your network for over six months undetected. Let's explore that a bit. Let's do that. So to me, it seems like this is the core issue.

Dino Mauro (07:09.248)
It's totally often overlooked and yet critically important. The time it takes to detect a hacker inside your network. That's what makes our constitutional amendment so important, right? The amendment that proclaims, like a guy with a beard dressed like pioneer days, holding a scroll and reading it to the villagers. Not all breaches are created equal. The longer inside your network undetected, the more expensive, damaging and longer it takes to bounce back. Hear ye, hear ye.

Exactly, my friend. According to IBM's cost of a data breach report, the average time to identify and contain a breach is a staggering 207 days. That's over six months. Imagine someone breaking into your house and squatting there for half a year before you even notice. Again, like you said, David, not all breaches are created equal. Amen. So really, it really takes six months? That's unreal. What are they doing all that time?

Exactly what you'd imagine. Exploring, gathering sensitive data, learning your systems, and figuring out how to do the maximum damage. Or sometimes they stay quiet just to maintain access for the future. It's not always about immediate theft. Sometimes it's about prolonged exploitation. That's scary. Explain in simple terms, because I want to be treated like a child. I know you do. Why does it take so long to catch them?

It's a combination of factors. Many businesses rely on IT providers who focus primarily on infrastructure management, things like keeping systems running, updating software, and troubleshooting. They're like the mechanics of the digital world, which is essential, but they're not specialized in identifying or stopping cyber threats. So that's where you are saying there's a difference between IT providers and true security providers. Exactly. Think of it like this.

An IT provider is like a locksmith who installs locks on your doors and windows. They might even recommend a better lock if yours is outdated. But a security provider is more like a security guard who patrols your property. Looking for signs of an attempted break-in, they actively monitor for suspicious activity and respond in real time. That's an important distinction. Can you give an example of how that difference plays out?

Dino Mauro (09:26.956)
Sure, let's say a phishing email makes its way into your organization and an employee accidentally clicks a malicious link. An IT provider might help by restoring a backup if the link leads to a ransomware infection. A security provider, on the other hand, would work to detect that unusual activity immediately. They'd block suspicious outbound traffic, isolate the affected system, and investigate the root cause to ensure it doesn't happen again. It sounds like...

Security providers are proactive while IT providers are more reactive. Not really. It's not that at all. Network operations are proactive, but they are doing a totally different job. That makes sense. It's not that IT providers don't care about security. They absolutely do. But their primary focus is keeping everything humming along and operational. Their job is to help business optimize and be more productive.

Security providers, however, are laser focused on preventing breaches and minimizing the damage if one occurs. It's a different mindset and a different set of tools. So for a small business, is it better to have an IT provider, a security provider, or both? 100%, without question, they need both. And usually the cheaper, small, local IT provider who supports your people and network is not qualified or has a real life security team or security leaders that actually do what I am explaining.

So the two roles complement each other. Think of it as having a reliable mechanic for your car and a great insurance policy. The mechanic ensures everything runs smoothly day to day, while the insurance policy protects you if something unexpected happens. For cybersecurity, the IT provider ensures your systems are operational, and the security provider actively defends against threats. Yeah, but even more important, this security team does more than just give insurance.

They will stop an accident when it is about to happen and most times way before it ever happens. So like Batman or Superman? I personally like Wonder Woman, but yes sir, you are correct. That makes a lot of sense. But what about businesses that can only afford one? That's a total mistake. You need to find one that has both. Look man, even if it is 25% higher cost but saves you several hundred thousand dollars, you are a fool for going cheap. It's your brand you're trying to build.

Dino Mauro (11:47.608)
So if you wanna keep flying your plane into the mountain, then be my guest. It depends on your priorities. If you're struggling with day-to-day tech issues, an IT provider might be your first step. But if you're worried about the increasing risk of cyber attacks, and let's face it, every business should be, then investing in a security provider might give you the best bang for your buck. Going back to that IBM report, does it say anything about how businesses...

can shorten that 207-day window. Absolutely. One of the key takeaways is the importance of early detection. Companies that use advanced monitoring tools, train their employees, and conduct regular threat assessments can dramatically reduce the time it takes to identify and contain breaches. Think of it like installing motion sensors and cameras around your house. You're alerted to potential intrusions right away, rather than discovering them months later. That's such a

powerful analogy. Do small businesses really have access to those kinds of tools? They do. And the great news is that these tools are becoming more affordable and accessible. Managed security service providers, called MSSPs, for example, like your company, which offers solutions that literally will stop an attack in its tracks. So now you sound like a commercial and I don't ever want that. Okay, talk about a different company then. I don't want that either.

Okay, let's talk objectively, factually. Businesses, especially small business, absolutely 100% need both. They are literally fools if they don't, and that is why it's always in the news. That seems factual and supported by all the data. So I have to agree with you, unfortunately. It's hard because I come from a family who builds small businesses and it was never like this before.

Times have changed David, it's serious, it's real, and they will put you out of business. Cybersecurity is about layers. You need a combination of good technology, smart policies, and well-trained people. Whether you choose an IT provider, a security provider, or both, the most important thing is to stay proactive. Don't wait for the storm to hit before you start thinking about an umbrella. Cybercriminals have embraced a volume over value strategy, aiming to hit as many targets as possible. That's such a concerning.

Dino Mauro (14:10.846)
So how are these cyber criminals breaking in? What's the weak link? Phishing remains the primary entry point, accounting for 53% of ransomware attacks. But it doesn't stop there. Unpatched servers and VPNs make up 38% of vulnerabilities, while credential theft accounts for 29%. Think of it as cyber criminals prowling through a neighborhood, checking doors and windows to see which one's unlocked.

That's crazy. And I've heard that AI is making these phishing attempts even more sophisticated. Is that true? Absolutely. Chris Hojnowski from Hiscox shared an insight that stuck with me. He said, we used to spot phishing emails because of bad grammar or weird formatting. But now with AI tools like ChatGPT, these emails are polished and convincing. It's like the cyber criminals suddenly hired a team of expert copywriters. That's terrifying.

How are small businesses supposed to deal with this? The good news is AI works both ways. Defensive tools powered by AI can scan inboxes for malicious links or corrupted email addresses, acting like a vigilant guard at the gates. It's an arms race. Cyber criminals versus cybersecurity experts, both wielding AI as their weapon of choice. So it's not enough to set up a firewall and forget about it. Businesses need to keep updating

and monitoring their defenses. Exactly. And here's where it gets really interesting. Despite the growing threats, many small businesses are still leaving their digital doors wide open. For example, 59% don't use security awareness training and 43% lack network-based firewalls. It's like knowing a storm is coming and refusing to board up the windows. That sucks. So, let me ask you this.

Why do you think so many businesses are neglecting these basic measures? It's complicated. On one hand, the report shows that a third of small businesses now consider cyber risks to be high or very high, ranking even higher than economic issues or competition. But there's often a disconnect between acknowledging the risk and taking action to mitigate it. So they know the threat exists, but they were not doing what is needed to stop the threats?

Dino Mauro (16:33.942)
or reduce their risks? Well, unfortunately, yes, that's what's happening here in the US, precisely. The silver lining is that more than half of small businesses now have some form of cyber insurance. But insurance only covers what it covers and does not help customer trust that gets harmed or reputations tarnished. Plus, as Hojnowski pointed out, from a claims perspective, better trained employees are your number one defense.

There's still a significant gap when it comes to education and training. That makes sense. You can have the best security system in the world, but if an employee falls for a phishing scam, it's game over. Exactly. But here's the flip side. Employees who are well-trained can be a company's first line of defense. They can spot threats and sound the alarm before any damage is done. Think of it as a neighborhood watch for your digital community. A human firewall

a human firewall. I love that analogy. How does the US compare to other countries in terms of small business cybersecurity? Not great, actually. The US ranks kind of far behind European countries who take their privacy and cybersecurity more seriously. But here is the kicker. Only four percent of small businesses in the US are considered cyber mature. So we're not doing great then?

and certainly not exactly leading the charge. Right. The U.S. falls behind when it comes to cyber expertise. It's a sobering reality check that underscores the need for continued improvement. No kidding. So what concrete steps can small business owners take to protect themselves? There are three key areas to focus on. First, invest in employee training. As we discussed, well-trained employees can make all the difference. Second,

Implement strong cybersecurity measures like firewalls, multi-factor authentication, and regular software updates. Third, consider cyber insurance to mitigate financial risks and provide a safety net in case of an incident. Those are great tips. Any other advice? Absolutely. Staying informed is crucial. The cybersecurity landscape evolves rapidly, and businesses need to keep up with the latest threats and best practices. And let's not forget...

Dino Mauro (18:56.354)
Having an incident response plan is essential. Knowing how to respond to a breach can minimize damage and speed up recovery. That's a lot to take in. For small business owners juggling so much already, this must feel overwhelming. I get it. But think about the alternative. The average cost of a cyber ransom for small businesses was over $16,000 last year. That's money that could have been spent on growth, hiring, or innovation.

Cybersecurity isn't just a cost. It's an investment in your future. An opportunity to build trust and resilience. When you put it that way, it's a no-brainer. Any final thoughts? Just this. Small business owners, you're not alone. There are resources out there, from government agencies to private firms, that can help you secure your business. Don't wait until after an attack to take action. And remember, cybersecurity isn't just about protecting data.

It's about safeguarding your reputation, your customers, and your livelihood. Well said. Can we take a moment to address one last thing? What would you say to a small business owner who feels they're too small to be targeted? That's such an important point. A lot of small businesses fall into the, it won't happen to me trap. But here's the reality. Small businesses are often seen as low hanging fruit by cyber criminals.

They're assumed to have fewer defenses, making them easier targets. It's like a burglar choosing to rob a house without an alarm system. Why make it harder than it needs to be? That's a great way to frame it. And for businesses that are already overwhelmed, where should they start? Start with the basics. Conduct a risk assessment to identify your most vulnerable areas. Educate your team on recognizing phishing scams.

and prioritize updates and patches for all your software. You don't have to do everything at once, but every small step you take adds up to a much stronger defense. Makes sense. And to our listeners, thank you for joining us on another episode of Cybercrime Junkies. Cybersecurity isn't just a tech issue, it's a business issue. Stay informed, stay vigilant, and stay secure. Until next time.

Dino Mauro (21:15.672)
Keep your firewalls up and your passwords strong. And remember, a little vigilance isn't just good sense. It's your best and often the only defense.

Dino Mauro (21:28.504)
Well that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award winning podcast and downloading on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and we thank you for watching.

