A New Era of Cybersecurity: SMBs at the Forefront 🛡️⚔️
Not Everyone Needs to Be an Expert, but Staying Informed is Key
Hello 👋🏼
This week's topic is the start of a new series on SMBs and cybersecurity. I'll start this week with a unique story I heard recently that illustrates the challenges we, as an industry, still have to overcome. I also advocate for a mindset shift. Not every company will have a security expert on board, and that must not be our goal. We should find a more mature way to build security as a service and make it easy to consume. In the following weeks, we will zoom in on the characteristics of SMB products and services and on how to distribute and promote them. Don't miss the series.
Before we dive in, here is a quick reminder about my ongoing quarterly review.
I started Cyber Builders to help create new services, products, and companies. There are various ways to become a Cyber Builder, whether creating new services within your organization to protect other departments, being the CEO of a bootstrapped startup, or developing software.
I hope you're finding Cyber Builders helpful so far. As a writer, I always seek to improve and provide the best content possible. Let me know what you think and if there's anything I can do to make it better. Any comments or suggestions are welcome. Please take the time to fill out the 5-minute questionnaire. Thanks for reading!
SMBs are being taken down by criminals.
The cybersecurity of small and medium-sized enterprises remains a colossal and unresolved issue. Over the past three years, we have seen an explosion of ransomware attacks targeting these organizations. Criminals no longer hesitate to automate their search for the best target candidates, analyze companies' financial results, and extort increasingly large sums of money from profitable businesses. These are often lifestyle businesses built by entrepreneurs who have put all their expertise and energy into them.
In March, I attended a conference where the CEO of a company with 200 employees recounted his experience dealing with a criminal group using ransomware. On August 15th, 2020, while he was taking a well-deserved week of vacation, he was awakened by his chief information officer, who informed him that all of the company's servers had been encrypted, including financial data, accounting data, file servers, hosting servers, source code for their applications, and cloud instances where they provided software as a service.
"Don't worry; we are professionals; we will handle your case quickly," the criminals said in the language of their victims, as true "professionals."
Everything was at a standstill and encrypted, and the only thing left on the server was a simple file called README.txt. When they opened this file, they discovered a complex URL behind which they could converse with the criminals.
They were extremely courteous and reassuring. "Don't worry; we are professionals; we will handle your case quickly." They spoke in the language of their victim without making any mistakes or showing any lack of commitment. They quickly demanded a ransom of 2.5 million euros.
The CEO who recounted this story was visibly shaken, and as he spoke, one could sense that even though the story dates back several years, there is still a great deal of emotion, anger, and fear attached to it. He was afraid of seeing his work, his life as an entrepreneur, his employees, and his clients, who relied on him for a service essential to their business, all come to a stop. He was clearly in an inextricable situation that he had not anticipated and had never imagined. How could he have imagined that everything could come to a stop overnight?
So he replied, "No, I'm sorry, we cannot pay." He was not willing to negotiate with the criminals. He had already been told not to pay ransoms. And there, very calmly and professionally, the criminals replied:
“Of course, we understand, but you are mistaken. We have analyzed your company's balance sheet, income statement, and the extracts from your bank accounts. You generate a reasonable profit and have a cash reserve of around 4 million euros. We are asking you for 2.5 million euros, which is a significant amount, but your company can afford it and will not disappear due to this payment. We think it is fair.
As soon as the payment is made, we will be sure to give you the procedure to get the data. If you wish, we can show you that we can do so.
Please send us some critical encrypted files, and we will decrypt them for you to prove our good faith."
The CEO then explained how he fought for two years to recover his company's data without paying the ransom, but still spent up to 1 million euros on incident response, data recovery companies, and contingency plans to save his business.
Lessons to be learned
This testimony was astonishing. First, because the victim himself told it, we realize how extraordinary the situation is and how it remains an unforgettable experience in the minds of a company's leaders. Second, it shows us that we have not yet solved all the cybersecurity problems: whatever figures we hear, and however hard their scope is to grasp, there is a considerable cybersecurity problem for small and medium-sized enterprises in Europe, the United States, and worldwide.
The criminals are no longer the "script kiddies" depicted in Hollywood movies. They are organized, mafia-like groups, specialized per vertical (hospitals, software vendors, manufacturing) and per role (initial infection, data transfer, financial analysis, negotiation). All CEOs must understand this landscape, whether they run a lifestyle business or a large global corporation.
Large companies, big banks, governments, and the military have made significant progress in recent years by massively equipping themselves with solutions and, above all, by recruiting experts whom they train and whose expertise they maintain through ongoing training and dedicated time. This keeps them in a state of threat-intelligence readiness that allows them to respond to threats. But small and medium-sized enterprises have neither the time nor the means to implement all of this.
Being hit by cybercriminals can be a scary and traumatizing experience. It can leave you feeling violated and vulnerable, wondering how it could have happened to you. But it can also be an opportunity to learn and grow from the experience. Perhaps it was a wake-up call to improve your online security practices or to be more vigilant about suspicious activity.
It is essential to have more testimonials like this to raise awareness about the impact of cyber attacks on small and medium-sized businesses. Sharing these stories highlights the need for better cybersecurity practices and solutions for SMBs, and it gives victims a chance to share their story with others so they can learn from the experience. Remember, you are not alone in this; resources are available to help you recover and prevent similar incidents from happening.
Being aware is not being an expert. A new mindset is needed.
So, how do we address these challenges?
We must dispel the belief that every company will have cybersecurity experts tomorrow. This is entirely false. It is not what we see in other fields, and it makes no economic sense.
Why should every company become an expert in the cyber domain, keeping up with a constantly changing threat and knowing which new protections and controls to implement?
What's the point? Why create within a company a function (e.g., Security XX Leader) tied to this threat that will, by definition, be difficult to maintain? It is not affordable for SMBs anyway.
The cybersecurity industry needs to distinguish two different topics:
Yes, we need to raise awareness about cybersecurity. The CEO testimonial above is part of this effort. It demonstrates that "No, it is not a movie plot. It is real. It could happen to your company." CEOs and their staff need to understand the threat that might impact their business. Just as their headquarters building could catch fire, they must be prepared to face a cyber attack and a ransom demand. They must invest at least 10% of their IT budget in security, a milestone we are far from reaching.
But we should not conflate this need with the idea that "everybody needs to be an expert." Being an expert means being able to understand in depth the threats faced by an organization. It requires training and a willingness to keep learning new skills. It requires a passion for reading the latest security news, updating the security tools, and attending security conferences (from the most technical ones like 🇪🇺 SSTIC, 🇪🇺 GreHack, 🇪🇺 CCC or 🇺🇸 DEF CON, 🇪🇺 BSides to the most business-oriented ones, such as 🇺🇸 RSAC or 🇪🇺 FIC and 🇪🇺 it-sa).
Conclusion
In summary, the challenges small and medium-sized businesses face in cybersecurity are enormous, and we must find new ways to address them.
Cybersecurity threats are not only real but also increasing in number and complexity. Hackers and cybercriminals are professionals who constantly evolve their tactics, making it harder for businesses to protect themselves from attacks. This means that small and medium-sized companies are at an even greater risk of being targeted, as they may not have the resources or expertise to keep up with the latest threats.
The cybersecurity industry needs to do more than raise awareness about the importance of cybersecurity. While this is undoubtedly an important step, it is not enough. The industry must also develop new technologies and tools to help small and medium-sized businesses protect themselves from attacks. This could include everything from automated threat detection systems to user-friendly cybersecurity software explicitly designed for non-experts.
By taking a new approach to cybersecurity and addressing the challenges faced by small and medium-sized businesses, we can help ensure that companies of all sizes are better protected against cyber threats.
I hope you enjoy my perspective on cybersecurity and SMBs. Stay tuned for the next post of the series. Don't hesitate to forward this email to your friends. :)
If you enjoyed this edition, please give it a little love by clicking on the heart. It will give me strength.
Have a great week. Cheers
Laurent. ❤️