This episode is Part 2 of our cyber security series with Dominic Vogel. We talk about: keeping your email safe, common cyber security myths, how the cyber risk landscape has changed as a result of COVID-19, how to handle the risks associated with having a remote workforce, creating a safe website for visitors, why stress puts us more at risk of cyber crime, and how employees can talk to management about cyber security.
As Founder & Chief Strategist at CyberSC, Dominic Vogel holds a proven track record within cyber security across a multitude of industries (financial services, logistics, transportation, healthcare, government, telecommunications, and critical infrastructure). Dominic actively participates in the Vancouver security community and is a well-respected cyber security expert, appearing on media news outlets across North America and internationally on BBC World News. Dominic is highly regarded as a cyber security thought leader and was recently appointed to the BC Provincial Cyber Security Advisory Committee.
Dominic focuses much of his energy on providing strategic security leadership to technology start-ups and small/midsize businesses to proactively solve their cyber risk challenges. He strives to provide practical cyber security advice to his clients and to actively turn the security consulting world upside down.
Morgan Berna is the host of Olympia Benefits’ podcast, The Small Business Mastermind. Her background is in marketing, journalism, and broadcasting. Passionate about small business, she aims to create content that inspires and educates listeners.
Dominic Vogel: If you do not have some of these basic security solutions in place, you are not meeting what I refer to as the security poverty line. You are putting yourself, your organization, your employees, and your shareholders at heightened undue risk.
Morgan Berna: You’re listening to The Small Business Mastermind, a podcast created to help small businesses juggle business, finance, health and wellness. I am your host Morgan Berna. If you enjoy this episode, please take a moment to rate, review or follow the podcast.
The Small Business Mastermind is brought to you by Olympia Benefits. To learn how you can reduce your health and dental costs, visit olympiabenefits.com.
Morgan: Hello, and thank you for tuning in to this episode of The Small Business Mastermind. This episode is part two in our cyber security series with Dominic Vogel of Cyber SC. On this episode, we talk about keeping your email safe, the common cyber security myths Dominic hears, how the cyber risk landscape has changed as a result of COVID-19, how to handle the risks associated with having a remote workforce, ways to make sure your website is safe for visitors, why stress puts us at an increased risk for cyber crime, and how an employee can talk to management about cyber security.
I would recommend giving Part 1 a listen as well, although you can listen to them in either order. It will be the episode that was released just before this one. So, with that I hope you enjoy this one and let’s jump right into the conversation. I will be checking in with you again at the end of the episode.
Morgan: Thank you very much for joining us.
Dominic: Absolutely Morgan, I am really looking forward to this conversation.
Morgan: As founder and Chief Strategist at Cyber SC, Dominic Vogel holds a proven track record within the cyber security community across a multitude of industries. Dominic actively participates in the Vancouver security community and is a well-respected cyber security expert appearing on media news outlets across North America and internationally on BBC World News.
Dominic is highly regarded as a cyber security thought leader and was recently appointed to the BC Provincial Cyber Security Advisory Committee. He focuses much of his energy on providing strategic security leadership to technology startups and small and mid-sized businesses to proactively solve their cyber risk challenges. He strives to provide practical cyber security advice to his clients and actively turn the security consulting world upside down.
Okay. So today we are talking about some general safety, website safety, myths, and new security measures that have come out as a result of COVID. On our previous episode, we talked a lot about what the threats are and how to avoid them, and we are going to go into some more detail today. So, let’s start off by giving a bit of context for companies that may not have experienced this type of scenario. What can the impacts be if a company is hit by a cyber attack?
Dominic: Oh good. Good question. Yeah, here you are hitting hard right from the get-go! [laughs]
Morgan: Making you work. [laughs]
Dominic: Yes [haha]. I know we are talking about the ramifications of this, and it is very much what I refer to as a continuum, in which sometimes it can just be a mild nuisance. In which you have a virus or a piece of malware and you need to get it removed from one computer, and it is more of a nuisance. It does not really affect the business or the organization.
But then as you go down that continuum it can lead to many systems being knocked out. It could lead to the entire business organization being completely locked out, in the case of something like ransomware, unable to do business. And then if-- you as an organization, if you lose a day or two of revenue, what does that mean? There are many SMBs that can-- if they go down for a day or two, that could bring them to their knees. So very much I would say cyber risk has evolved from being sort of a mild nuisance to being something which is very much an existential risk and threat for SMBs.
Morgan: And I would just suggest that anyone listening make sure they have checked out our previous episode as well, the one we did about cyber security, because we went into a ton of information there on ransomware and what exactly that looks like.
I wanted to ask you a bit about email because this is something every business uses. Can you let me know the common risks email faces and some ways we can mitigate these?
Dominic: Yeah. I think there are a couple of items in email that I think people should keep an eye on. So, the first one I would say is making sure that you leverage multi-factor authentication. I believe we talked about that in the first one, but if not I will just quickly reset on that. My memory is not what it used to be. I can barely remember what I had for breakfast. But especially with small midsize organizations, many of them leverage third-party cloud services like Microsoft Office 365 or Google G Business Suite email for their company or their organizational email. Now, when it is leveraging something that is external—that’s referred to as externally facing, something anyone on the internet can access.
You need to go above and beyond just usernames and passwords. Unfortunately usernames and passwords are compromised all over the place. People reuse their passwords all over the place. So, you have to go on the assumption that your username and password is compromised. And that is where something like multi-factor authentication comes in; that is basically where you will get an SMS, like a text message code, or you will get a phone call, or something tied to what is referred to as an authenticator app.
Basically, it is a one-time code which you will enter in as part of your login process. So, even if your username and password is compromised, unless someone physically has access to your phone, as an example, they would not be able to access your account. Multi-factor authentication right now is one of the most effective risk mitigation techniques when it comes to email security and preventing what is referred to as account takeovers, or having your account compromised. So, I highly, highly recommend that to your listeners. Again, they do not necessarily need to know the details of how to roll that out; they should be engaging their IT team or their IT managed provider and outright demanding that MFA, multi-factor authentication, be enabled and be configured.
The other risk when it comes to email use, and sort of the particular threat which we are seeing, is what is referred to as B-E-C or Business Email Compromise. And again, something like this can often be mitigated by multi-factor authentication. But this particular threat of business email compromise, which is running rampant through the SMB community, this is where-- it is an email where the CEO’s email account, or the CFO’s or the VP of Finance’s, either their account has been compromised or their account is being what is referred to as spoofed. So, someone is pretending to be them, and what that often takes the shape of is it looks like it is a wire transfer request. It looks like it is coming from the CEO saying, “please send a wire transfer for 50k to this new vendor.” And often this is the way that scammers and fraudsters take advantage of the relative immaturity of a lot of these SMBs when it comes to their wire transfer processing.
This scam does not really work with larger organizations because there tend to be multiple layers of authorization, in which multiple people need to sign off if a wire transfer is being sent for something over, like, 5K or 10K. That level of process maturity does not exist with SMBs. And we see that time and time again. Again, this is not really a technical compromise per se, but it is also a psychological compromise.
Many people see this going to someone in accounts payable or someone on the finance team. They often would not think twice if they see an email that looks like it has come from the CEO or CFO. They have conditioned themselves to just act on it. And one of the most effective techniques that you can do to mitigate that, apart from multi-factor authentication, is to just have a little more procedural maturity. So, any time a wire transfer request comes in over, let’s say, 5K, and you can define that for your own organization’s risk tolerance, but whenever that comes in there needs to be another level of sign-off. So, either someone else has to approve that or you validate that request through another communication channel. So, if that request came in through email, maybe you can connect with them through the company's instant messaging platform, or you send them a text, or you call them, or you send a carrier pigeon, whatever you want, but you validate it through another communication channel.
Morgan: And this is something I did not put on the list, so sorry for making you think so early in the morning, [laughs] but I am curious if you would suggest people using a VPN?
Dominic: Yes. I mean, not necessarily in the context of email. Email for many small to midsize organizations is already hosted by someone other than themselves. So, it might be hosted by Microsoft, or by Google. So a VPN there does not make a whole lot of sense in terms of improving the security outcomes, shall we say.
Where a VPN is super useful is with working remotely, especially now during COVID with a very virtualized workforce. So, this is a timely question, in which how you connect, let’s say there is a server or some systems back in the office, within the office’s physical walls so to speak, that you need to be able to access to perform your job. A VPN allows for a much more secure connection. VPN stands for Virtual Private Network, and it allows you to just connect back to your company or organization's internal network and securely access any systems or any files, rather than trying to use some other insecure remote access method. VPNs very much allow for a much more secured level of connection. And same thing as with email: you should be making sure that how you connect is done through a username and password as well as multi-factor authentication.
Morgan: Okay. And then the other thing I had that will be something common to just about any small or medium business is tips for internet browsing, and just identifying if the website you are on is a safe website. You have some tips there?
Dominic: Yeah, absolutely. And I think what I often tell a lot of our clients as well is that these are all great questions which to me serve as the starter for great dialogue that you should be having with your IT team or your IT service provider. Because I mean, this in this day and age is becoming basic table stakes. If you do not have some of these basic security solutions in place, you are not meeting what I refer to as the security poverty line. You are putting yourself, your organization, your employees, and your shareholders at heightened undue risk. Especially with something around web filtering, that can be done quite easily, quite readily. There are some really fantastic solutions. Cisco has a great solution called Cloud Umbrella. Getting into the technical specifics of it, I think, is not something which SMB owners or SMB executives need to fret about. I think what is important, though, is understanding that in this day and age, unfiltered web access just increases the likelihood that you will be hit by a cyber attack by a significant margin.
It is almost what I refer to as basic cyber hygiene, in which if you are not brushing your teeth, eating properly, getting some moderate level of exercise, you are asking for trouble, kind of thing, and that to me is where we are with something like web filtering. If you allow for completely unfiltered web access, I mean, forget whether people can be wasting their time or accessing inappropriate materials; I mean, that is more of an HR issue than a security issue. But if they are then going into areas which could be infected with viruses, and there is no web filter in place to filter the web traffic to make sure that there are not any viruses or malware in that traffic, again, in this day and age that is basic table stakes.
Morgan: And then on the other side, a lot of companies use say Shopify or WordPress to create their own website. Do you have some tips for these people, or maybe questions to bring to their IT, to make sure that their website is safe for visitors as well?
Dominic: Yeah, good question Morgan. And when we are-- I think what is really great about the advance of those types of services is that it does allow organizations to be able to create relatively robust websites out of the gate and not have to sort of fool around with it themselves. So I mean, I think that is really fantastic. Where the key question that should be brought up is, how are these websites being maintained? And I do not mean in terms of content, but in terms of security updates. Many of these websites can be built on a platform called WordPress. And WordPress leverages a whole bunch of things called plugins. And these plugins are almost like mini applications, and if they are not properly updated, again, they just become an invitation for cyber criminals and cyber attackers to just try and bring down your website or get unauthorized access or what have you. So, that is a key question in terms of how the security of the website is maintained, month over month, year over year, kind of thing.
Morgan: Yeah, and they can get really disorganized with all the plugins. I have worked a bit with WordPress.
Dominic: It can be, even for a website that does not seem very fancy. It is shocking in terms of how many WordPress plugins there are. With our website, our company website, it was not anything fancy, and we went for something fairly standard, and then we are looking at the number of plugins. I was blown away; there are like dozens of different plugins that are here that we are using right now, so.
Morgan: And then they all need to be updated and it is yeah, it can be confusing.
Dominic: Yeah, exactly. That to me again is what I refer to as low-hanging fruit. There is no shortage of it, and that is where we are seeing a lot of website attacks right now. Because a lot of organizations, if they are thinking about security, they are maybe just focusing internally and totally forgetting about their website. Your website is still very much an entry point and needs to be protected.
Morgan: Okay. So, let us move on to common myths. So, can you let me know some of the common myths you hear around cyber security? Maybe just some things you want people to know.
Dominic: Yeah. Well, one of the most common myths that I hear, and that frustrates me to no end, is when we are talking to an SMB leader and they say, "Oh, cyber security. Our IT guy handles that. We do not worry about that." And the myth there is that you cannot outsource cyber risk. You can outsource the operational aspect of cyber security, and that is completely true. A lot of SMBs do not have the in-house talent to be able to handle the operational aspect of cyber security. But the risk and the need to have the sufficient due diligence, oversight and governance, that falls on the business, that falls on the executives. They are not fulfilling their fiduciary duties if they just say, "Oh. Our IT department handles that." That is not how it works. And in the event of a data breach or significant security incident, and if there are any legal matters that follow that, if it is shown that as a CEO or CFO you just handed that off to your IT service provider, you will be, for lack of a better term, you will have your butt handed to you.
It is negligent, and that is why I think it is so important that people understand that this is not a technical problem. So many people equate cyber security with being the domain of IT. Technology is a part of it. Do not get me wrong. But that is all it is. At the end of the day, cyber security and cyber risk is an extension of enterprise and business risk management. It is not the domain of IT alone.
Something which is a very common myth, and another sort of similar myth to that, is "Oh, we have cyber insurance, we do not need to worry about it.” And to me that is like saying, "Oh, well, I have fire insurance, so I am going to throw a whole bunch of old wood and stuff all over my house and I am going to walk around lighting matches all day. I am going to disconnect my smoke alarms and not have a fire extinguisher." Cyber insurance is not a catch-all, and it blows my mind that people think like this. We even see people who understand risk management think that they can fully outsource the risk.
Anyone who understands the basic tenets of risk management knows that you need to first address the residual risk. You need to take steps to mitigate and lower that risk as much as humanly possible. Whatever you cannot mitigate further, that is what is referred to as the residual risk. Then you can leverage cyber insurance to insure against that residual risk. And furthermore, if you are not taking any steps proactively to deal with cyber security until you get hit by a breach and you try to get your cyber insurance, we have seen this countless times. Your insurance provider will say, "Hey, you know what, you guys did jack-all in terms of cyber security, so your cyber insurance is void." We have seen this: people come to us literally crying, saying, "We thought we had the insurance and we did not," and I said, "Well, you did have the insurance, you just did not read the fine print." So, those are two of the most common and prevailing, and if not as well dangerous, myths and mindsets to have right now.
Morgan: I wanted to just clarify something with the first one you said. So, you were saying you cannot fully rely on IT. Do you mean that we need to have like a second cyber security team or do you mean that the leaders, management themselves, need to be doing things for cyber security?
Dominic: Yeah. I want to be careful with the wording. I mean, you can rely on your IT service provider, your IT team, but from an operational perspective. At the end of the day, you still have to give guidance and hold the IT team and IT service provider accountable by asking the right questions. If you do not know what questions to ask, that is a different story. That is where people and companies like ours come in, and we advise and then we own the cyber risk portfolio, because many SMB leaders may be specialists in their business and their sector, in finance and operations, but there is a gap in cyber risk leadership.
And that is where our service, our type of service, comes in handy. Because then we are able to help ask the right questions and make sure that, from a governance and accountability perspective, the executives are able to demonstrate that they have performed due diligence and that they have fulfilled their fiduciary duties to protect the organization.
Morgan: Okay. Yeah, got it. Are you willing to share a few of the reasons why people come to you and your company?
Dominic: Yeah, absolutely. I would say that there are a few common scenarios. The first one is what we refer to as “after the breach”, or when the-- literally when there is fire burning everywhere or after the earth has been completely scorched. So, they will come to us and say, "We barely got through this. We are not sure what happened, but we know we do not want to go through this again." So basically, we come-- it is almost like a restoration service, in which we will say, "Okay. Let’s look at the cyber security risk environment in terms of what you were doing, what you were not doing, and then we will focus on pragmatic and prioritized recommendations to again lower the inherent risk that was in many cases left unaddressed." So that is one common scenario.
Another scenario, and this is particularly true with B2B, Business to Business, organizations, is where they will come to us and they will say, "One of our largest clients or one of our largest customers is asking for more proof around how we do cyber security. And we have been telling them for years that we have a cyber security program or that we take cybersecurity seriously, but in fact we have been doing nothing. Please help us, because if we lose this client that is 50% of our revenue." And that is a very, very common scenario right now, particularly with B2B organizations. And the broader trend there is that the larger organizations are clamping down on vendor risk management and supply chain risk. So, they are wanting to make sure that they are battening down the hatches in terms of potential weak spots.
A weak spot for many large organizations is the connections that they have with their supply chain. So, that is a big, big item right there. Those two scenarios are still very reactive. As a practitioner of cyber security, I would love to see people be more proactive about this. But right now the market seems to be heavily driven by reactive scenarios when it comes to investing in cyber security and cyber risk management.
Morgan: Yeah. I was going to ask what are the reasons you wish people came to you?
Dominic: Well, well the-- and it is fine. I do not think I shared this story when we talked last time, but we were dealing with a prospect and they were sharing this story. This lady who was widowed and she said it was her husband's company. He built it up from nothing. She was continuing on in his legacy.
She had been the CEO for a few years. She said a few months ago they were hit by ransomware and that they were inoperable for weeks. And she told me that I—“we literally came within days of having to shut down the company for good.” And I said, “okay, well, let us talk about that and we will tell you more about our services,” and we shared our services and what we did and what we do.
And when she looked over our proposal she said, "Well, I was hoping to maybe pay, looking at paying 500 bucks a month," and I said, "Let me get this straight, your husband's legacy, what you have told me was super important to you, the fact that you almost lost it, you came within a day or two worth of time of losing everything, you are telling me that that is worth 500 bucks a month?" And to me what really annoys me is that there is that disconnect in terms of that expectation of cost versus what that means to the organization. And to me it’s, "Okay. Well, if you had invested in cyber security…" and again, what we are offering is something which is, I’m not saying you have to drop a hundred G's on us. It is very much what I would say is fair market value, and it is that disconnect in which people still think, "Oh, this is something which I really do not want to have to buy, I want to try and minimize the cost on it."
They see it as a cost center, and I say to people, you know what, we are in a digital age whether you like it or not. We are in the digital economy. And unless you sell tacos out of the back of your mother's Volvo, you know, all cash deals, you are dealing with data and you are a digital organization, especially during COVID. You are a virtual organization. With that comes incredibly heightened cyber risk. Either you do nothing about that and your company just goes by the wayside and you cease to exist, or you do basic table stakes when it comes to cyber security or, as we mentioned last time, you invest in it. And the digital economy gets stronger and stronger. It becomes a source of competitive differentiation, that mindset of needing to not see cyber security as a cost center, but rather as a business enabler in a digital age.
That is why I would love people to come to us. I wish they would come to us saying, “we are investing in digital transformation. We are investing and understand that we are trying to propel our organization to succeed in this digital economy. We want to invest in cybersecurity because we know that is paramount to us being successful in this digital transformation journey.” If just one prospect came to me and said that I would die a happy man.
Morgan: Do you think that the reason people aren’t doing it is that there is some fear and just not fully understanding it? Not wanting to dive into it because people get a little kind of concerned with all the terminology and not understanding everything about computers and not really knowing what to ask for. Do you think that is a pain point?
Dominic: I would say that it is sort of a fundamental lack of understanding and awareness, and that is why part of my mission is to go on podcasts like this, to be able to speak to non-technical people. Speak to business leaders to really help them better understand what cyber security is. The reason there are still so many prevailing myths, the reason why it is still so unknown, is a failing on the part of my industry and my colleagues and obviously myself as well. We have not done enough to make this relevant and tangible to those who are non-techie and non-security people.
So, I think that is sort of where we are right now. We have to further demystify. And that is why I am so grateful to you for giving me this platform to further help that awareness, and over time, as we increase that level of awareness, I think we will see greater levels of acceptance and understanding, seeing cyber security, like I said, rather than as a cost center, seeing it as a true business enabler. So it is through these types of grassroots initiatives, I think, that we will see that change.
Morgan: Yeah, I think it can be just tough to know where to even look for this type of stuff. So I think hopefully this chat is helpful for everyone listening. You have mentioned a couple times that with COVID there has been some increased risk, people are going virtual with a lot of businesses. Have there been new security measures that have come out during this time? Have things changed at all in the industry?
Dominic: Oh, yeah. I mean, I would not say that necessarily security has changed. I think what has happened is that there have been new items or new risks which have bubbled to the surface which many SMBs are not prepared to deal with. So, one of the first ones was, and we sort of talked about this earlier, remote access. Many SMBs were not prepared to have their entire workforce work remotely. That was not really a problem for most enterprises, most large organizations, that had had remote access solutions in place for years. In most SMBs maybe one or two people, maybe just some key executives, had the ability to work remotely, but certainly not everyone. And in that rush to make that happen, there was this focus on functionality, and a lot of, let us say, insecure remote access solutions were rolled out, and I think that is a key item right now. Because we are seeing COVID is going to still be here for at least the foreseeable future, at least 6 plus months out.
We need to-- SMBs need to take this opportunity to understand that they need to further, let us say, make permanent their remote access solutions, and use this opportunity to make them as robust and resilient as possible and not just rely on the Band-Aid solution. So I mean, that is one item, and we have seen increased cyber risks around remote access because cyber criminals know and have seen that in that rush to deploy it, many of these remote access solutions were done insecurely, and they are taking full advantage of that. So that is item number one.
Item number two has been that-- we have seen a huge increase in phishing activity and scam emails being sent out. And yeah, like a time and...
Morgan: I’ve never gotten so many before!
Dominic: ...it is huge. I have never seen an increase like this in my career, and one of the reasons, again, is that psychological reason: scammers and cyber criminals and fraudsters just know that people are overwhelmed. They are stressed. They are tired. They are pulled in a million different directions. They are looking at their email while their kids are screaming at them and climbing all over them. And they know that this is the perfect psychological environment to be successful with these phishing and scamming messages. And so one of the things that we are advocating to businesses and organizations is to tell their staff, tell their employees, rather than just trying to inform them about, "Oh, here is the latest threat and all this thing," that is adding more to the plate. What we are seeing as something being more powerful is to just allow staff and allow your employees, give them the gift of pause or the gift of mindfulness, and tell people, "You know what? If you get an email, you do not have to action it right away. It is okay to just, if you need a few hours off, take the few hours off,” kind of thing. And we have seen that organizations that are empowering their users and empowering their employees to be more mindful actually have-- they were less susceptible to these phishing scams. So I think there is a really interesting dynamic there to sort of preach that with your employees and staff.
Morgan: That is a great point. I think I could launch into a whole set of questions about that alone. But yeah, trying to take some of that stress off because you do not want people in such a reactive mode.
Dominic: Exactly. I mean, you do not want to add more to the plate. People are already overwhelmed. Why add more to that, add more noise, give them the gift like I said of something like mindfulness.
Morgan: Do you have tips for training employees on cyber security and I am curious if you recommend things like monitoring employees’ computers or that sort of thing?
Dominic: Yeah. I mean, there could be a whole separate podcast on its own there, on something like that. [laughs]
Morgan: Quick tips, quick tips. [laughs]
Dominic: One of the things that I do advocate for is if you are not doing any level of cyber security awareness, I think it is very important to be at least doing something, and it is a really great solution, it is often free or very low cost for SMBs and it is this platform called Wizer, W-I-Z-E-R. It is one of my personal favorites. I recommend it to all our clients who do not have a security awareness platform or a program in place. It does a really great job of rather than trying to overwhelm me with like an hour awareness session every year, which is often very useless in terms of it being helping in terms of creating more positive security outcomes, they take more of a micro content point of view and you’re able to maybe have people engage with a one or two minute video, once a week. It is almost like this trickle effect. And if you just engage with that type of material once or twice a week in a short frequency, but on a longer time period, that has much more sustaining power in terms of affecting positive change. So that is something which I think is a really important thing right now to do.
And another one is to look at long-term, if your staff and your employees are going to be connecting to your internal network with their personal devices, with personal laptops, your organizations need to start planning and budgeting for solutions that can, for lack of better term, perform a minimal health check on those types of devices.
So, if something is a company device, it is able to access the internal network, as an example. But if it is a personal device then there is no visibility on it. Then you need to check that it has up-to-date security updates. That it has a running antivirus or anti-malware solution. It is almost like during COVID right now, to enter a store you have to wear a mask. Maybe there is a forehead temperature check. You have to wash your hands with, I was going to say detergent, what is that? With a good cleaning gel or sanitizer, what have you. That is, I think, a very important thing moving forward as well.
Morgan: Yeah. That is great. You mentioned a couple there and you have mentioned a few through this episode. I was wondering if there are products or services you recommend everyone have on their computers? You had mentioned an authenticator app, obviously Cyber SC as a service. But are there others?
Dominic: Yeah, I mean one thing which I like to recommend, especially since a lot of the SMBs we work with like having Mac laptops. It was not that long ago where every, it didn't matter what type of business, they were all Windows laptops or Windows machines. But it is a different age now and Mac laptops by default do not have an anti-malware or antivirus solution. So, I highly recommend downloading one and there are some really great free ones which you are able to use, particularly for very small organizations. If you get past a certain threshold you have to pay but, I mean, it is still quite inexpensive in the grand scheme of things. But Sophos, S-O-P-H-O-S. Sophos antivirus for Mac, freely downloadable, is one of my preferred options for any of the Mac users at our clients. I think it is absolutely fantastic, again it is helping to make sure that you are doing some basic cyber hygiene, putting basic cyber security mechanisms in place.
Morgan: And there was that myth that Macs cannot get viruses. I am sure you have heard that and I used to believe that. I had a Mac and then one day some wonky stuff started happening and I was like, "Oh, gosh" this is wrong.
Dominic: I will try not to go into my soapbox because that was always one of my favorite rants when someone asked that question and said, "Oh I have a Mac. I will not have to worry about this." No, nothing made me happier than tearing that person apart. But understanding this from an economic point of view, not to say Macs are inherently more safe or unsafe compared to Windows, one can argue Windows, because they have had to go through so much and it being that consistent target, one could argue that they are more secure than the Mac. But the reason why they are-- Macs have had that appearance of being more secure is actually rooted in economics.
So, if you think about cyber crime, they are trying to perpetrate and commit the most effective crimes possible and up until, let us say, the past three or four years, the majority of business machines worldwide were Windows machines, like 99% of them. So, if you are going to be crafting certain code or certain attacks, are you going to be focusing on one percent of the business assets? No, you are going to be focusing on the majority asset to get the biggest bang for your buck in terms of committing these crimes. Now, over the past five years in particular we have seen that change drastically, especially with SMBs, where now Macs are taking 15-20% market share, if not higher, in the business space. Now, it makes more economic sense for cyber criminals to commit crimes and try and craft certain code to be able to hack into Macs, and that is why over the past few years it went from seeing zero Mac attacks to seeing quite a few. Like I said, it is all rooted in basic economics.
Morgan: That makes a lot of sense and I hadn't thought of it like that. The next one is, if someone is an employee and they are looking to discuss cybersecurity needs with their leadership team, what questions would you suggest they bring to that team?
Dominic: That is a really, really good question. One of the things which I think is important, and I know we have talked about both, I will just summarize them quickly, is the need for awareness. If, as an employee, you are not feeling like you are being kept informed in terms of what cyber threats you should be aware of or what is facing the organization, you should bring that up to your management. That is a very, very important thing to know, especially for frontline staff. I think that is an important thing to have a conversation with your management on.
The second one is making sure that if you are working remotely, especially in this day and age, that you are able to connect securely. And again, if you are not sure if that is happening, you should be having that discussion with your management. And the third one would be what I refer to as secure data handling processes or guidelines. So many people do not know, is this particular type of data considered sensitive? Am I allowed to send it through email? Some of them will just send it through email and not even think twice about that. That is a third one, which I think absolutely needs to be well understood by employees and that needs to be communicated from management. What type of data should we be treating very, very carefully and what are the approved mechanisms for moving it from point A to point B.
Morgan: Awesome. Those are great tips. That is the end of the questions I have for you, and thank you for letting me put you through the wringer on these last couple of episodes, but I did want to check if there was anything you wanted to leave as sort of a final comment about this before you talk about your services, or anything I have not touched on?
Dominic: Well, and Morgan first off I loved the depth and breadth of the questions you have asked.
Morgan: Thank you.
Dominic: And asked in the way in which we were making this resonate with your audience, because it is very easy to just talk tech-talk when it comes to cybersecurity and I have seen that time and time again where you have, even my colleagues, talked to a business audience and people's eyes start glazing over. It is like when I am listening to my mother-in-law, I just zone out. And that is so important, to be able to connect with that business, non-technical audience in a way that will make it compelling and truly help them understand what we are dealing with. And like I said, this is very much a failing not so much on the SMBs' side. I think it is a failing on the cyber security industry as a whole. That we have done a very poor job of making this well understood, in particular by the SMB community.
Morgan: Fantastic, thank you. Yeah, I think hopefully everyone listening is kind of getting a clear image. This was not a topic I knew anything about so I really appreciate you making it easy. And obviously, you are extremely knowledgeable. So let’s plug your company or services. If anyone is looking to get in touch let them know how.
Dominic: Absolutely, and I appreciate that Morgan. Again, I pride myself on being a conduit and a connector. You know, even if your audience or people listening have a quick question, they can send it to me, reach out to me on LinkedIn. I am crazy active there, reach out through our company website cyber.sc, reach out through my email DVogel@Cyber.sc. I am always happy to just-- I am a firm believer that we need to do more for the community and make them more aware.
I am not going to just answer a question and send you an invoice for 20K. I am very much a believer in trying to help people better understand cyber risk and what it means to their organization. So I always love it when people reach out, and again in terms of what we do, if your organization is, as I said, in the aftermath of a data breach or ransomware incident, or if you are seeing that your clients and your customers are holding your company to a higher standard when it comes to cyber security. Or if you are worried about cyber risk or cyber security and whether your organization should be doing more, or how to hold your IT team or IT service provider more accountable when it comes to cyber security. These are all reasons why you should reach out.
I like to say that we provide cyber risk leadership and that we serve as trusted advisors to CEOs, business owners, CFOs, COOs. If you’re at your organization, you are ultimately responsible for cyber security and cyber risk and you know nothing about it, you should reach out to us.
Morgan: Fantastic and just for everyone listening. I will be linking everything down in the description below so you can take a look there if you did not catch that as well. Well, thank you so much for doing these two episodes. This has been really fun. It really has been.
Dominic: I had a blast, Morgan. This was a lot of fun.
Morgan: Yeah. That is great. Yeah and maybe we will do something again in the future. If any listeners have more topics they would like us to cover. Please, feel free to send those into me as well. Great. Thank you so much.
Dominic: Thank you so much Morgan, like I said, I am truly humbled to have an opportunity to be on the podcast. I had a ton of fun chatting with you and I would love to be a recurring guest. Let's do this again soon.
Morgan: Let’s do it.
Morgan: Thank you so much for tuning in to this episode of The Small Business Mastermind. I hope you found it helpful and have enjoyed our cyber security series. A reminder, if you have not yet, to give part one a listen. It is the episode we posted just before this one. And a huge thank you to our guest Dominic Vogel of Cyber SC. Please check out the podcast description for all of his information and links. For our listeners on Apple Podcasts and Spotify, please consider taking a moment to rate, review or follow the podcast. It really helps grow the show and allows us to bring on great guests like Dominic. All right, we will be back again soon with a new episode. But until then, thank you again for tuning in and I will be talking to you again very soon.