VIEW TRANSCRIPT >

Transcript - #9

[PT. 1] Why Are Cyber Attackers Targeting Small and Medium-Sized Businesses?

Ron

Welcome to the Geek Freaks Podcast! Before we get started, make sure to hit the subscribe button on Spotify, Apple Podcasts, Google Podcasts, Breaker, Castbox, Stitcher, and all other platforms you may be tuning in from!

In the spirit of national cybersecurity awareness month, we have split the first three episodes for the month of October into a three-part series. I, as well as our project leads Nick and Thony will be discussing the whys, the how’s, and the what’s regarding cybersecurity for small and medium sized businesses. So, without further ado let’s get right into part one of our cybersecurity series Why are Cyber Attackers Targeting Small and Medium Sized Businesses?

October is cybersecurity awareness month, something like that right, I think I’m right about that anybody know that. Yup, that’s what it is…got the thumbs up from Luis. So, I guess if you had to look at it as a small business – medium business what are…why, I guess let’s start with the why. Why are people attacking small and medium sized businesses?

Thony

I would say the biggest reason is because most of them aren’t updated in terms of equipment that will protect them or even software that is updated.

Ron

So, because they are a low point of entry for being targeted?

Thony

Yeah.

Ron

Yeah, I guess the other thing…I mean that is kinda spot on. I guess we can go deeper into that. Why do you think that the smaller to medium sized businesses are having such a struggle with protecting themselves?

Nick

Well I would say it’s partly a training issue and the other part of it…how do I put it…it’s an entry way that they can actually branch out to others because they probably have more interaction with their actual customer base than like bigger corporations do. So, like whoever gets those emails is more likely to open them and more likely to click on them. It just makes it easier to spread whatever they want to spread.

Ron

Well, I think the other thing to is that they are more likely to pay the ransom. So, if they do get crypto locker, if they get ransomware they are like Bob and you know Textiles Incorporated that’s got four employees is probably a better target to pay the $500 than a massive company. I guess we have seen cities…I think it was Boston or something just paid $5000,000 for ransomware to be cleaned up. So, I think it’s everybody, but I think they are more keen now to go after the small businesses because they will pay it and I guess it’s lower barrier to entry for hacking is like bad habits.

Thony

Yup.

Ron

Not all of them are partnered with an MSP or an MSSP, so they just kind of hey, yeah, I get email I get it on my yahoo.com and I get all my forwards from my golf buddies and so on and so forth. It’s just training and yeah not having that operational maturity when it comes to technology that most companies should have.

Nick

I mean the other part of that is just having the proper equipment to counteract that. The easiest way to counteract ransomware is backups and it’s whether they actually have a valid backup or not. And I probably wouldn’t be surprised with how many companies just don’t even have backups at all and that’s why they are forced to pay the ransomware.

Ron

Yes, I think it’s way more than you think that wouldn’t have backup. I don’t know…I mean we’ve walked in and talked to a company that’s been around since the 70’s and their backup is that server one day that’s never gonna break and they are running on a raid and this and that. So, it’s kind of difficult…people don’t want to spend that money. Think of an EDR like Sentinel One that resells for $7 a month per endpoint so you’ve got let’s say 10 people now you’ve got $70 a month in anti-virus a month. I don’t think people are used to paying that kind of price. So, you are not getting the advanced threat detection or any of that kind of stuff. So, you’re right I think it’s just low cost of entry and people preying on the vulnerabilities of small businesses that really don’t see themselves as a…

Thony

Threat.

Ron

Yeah. Or a victim. Yeah, a potential victim.

Thony

They think I’m a small company what’s…

Ron

What do I have that they want?

Thony

Yeah, exactly. It’s not what you have it’s the fact that they can get to you and they are going to exploit that for themselves and try to get money out of you.

Ron

Do you think that it’s becoming…I have to wonder that maybe it’s getting this way because more and more devices are available to the network like a lot of small businesses now have mobile devices, tablets, that kind of stuff that they do work on that’s connected to the network so I feel like that as the threat plane spreads and devices spread, I think that also draws an allure to the small to medium sized businesses because again they don’t have the proper protections put in place. Like if you ask some of our users like what they do to protect themselves they are going to say you know you guys, or providers, or antivirus or…but they are never going to say they take the proper precautions to protect themselves, right. They are always reliant on something else. So, if there is a breakdown in what we do or what a vendor does the end users have nothing to fall back on. I think that goes back to your first point of the training like everybody is very undertrained in this arena.

Nick

Well the other part that gets into that actually the one thing I wanted to talk about was social engineering. That’s just getting more and more and more…uh when you think about it, I mean granted some of the stuff I’m going to talk about is a little old, but it’s still relevant. Like back in 2011 The Department of Homeland Security did a test of basically government locations that they dumped USBs and CDs on just to see if anybody would plug them in…

Ron

Oh, I’m sure a lot of them got plugged in.

Nick

Well It was 50% would plug them in, okay…

Ron

That’s crazy.

Nick

…well it even got worse cause they…if they went and put a massive corporation’s logo on it, it actually went up to 90% would actually plug it in. So, then just a few years ago, 2016, the University of Illinois did the same thing to their own campus. Dumped about 300 USB sticks to see what would happen and now on their study it said it didn’t matter what they USB looked like. It was about a 50% - somewhere around there would plug it in. And when they asked them why they would plug it in it was on a basis of trying to find whose USB this was so they could return it.

Ron

That’s scary. To think about like how many trade shows you go to so or I go to as a business owner…

Nick

Oh, you went down the same path I thought of after reading this.

Ron

You know what I mean that’s swag, steal swag 101. You want to get that swag. You want to get in there and get out. But think about, let’s go back to the why. They’re doing it because we are, I don’t want to say uneducated, but we are not trained to see what the threats are on this level, right. Like we are not trained to see like we just said holy ----- USB drives are given to us on a daily basis at these conferences.

Thony

Yup.

Ron

And if you’re Bobby Boberton with Textile company and somebody hands you a USB, you’re going to be like oh that’s good that’s awesome I love those things I always look for them in my bag, but now I got ten of them. And what’s the first thing you do before you format it before you do anything else, you just jam that ---- into your computer and hope and pray that nothing happens. That’s scary and that’s exactly why the SMBs and even micro SMBs are being attacked because they don’t have the mindset like holy ---- this guy can cost our business.

Nick

Well and like to go off that and kind of tin foil hat this a little. When you think about it, it may not be the company that handed this to you that had the malicious intent. What if either the company that made the USBs for them or somewhere in the line of basically processing somebody else got their hands on those USBs hoping that at that trade show that company would then just hand it to everybody, so then his net just got really wide.

Ron

Blockchain. That’s how we can guarantee the thoroughness of those USB drives. It’s crazy to think that. Or to think about how many small businesses don’t have spam filters and what they are exposing from that angle and how they are exposed on that angle. They why is because they have data. And the why is because they will pay the damn ransomware and the why is because they don’t have backups, so they have no choice. And that’s a really scary position for anybody to be in. I mean the last thing I ever think about is our anti-virus at work, our backup at work. We think about our customers, we think about everything else, but we never think about…

Thony

Our own stuff.

Ron

Our own stuff. You know what I mean. That’s the conversation we have to have on some basis. Think about how many phone systems on the holidays we set up for our customers to go to the holidays and you call us it does whatever it needs to do because we forgot about ourselves.

Thony

Yeah.

Ron

And it’s not that we are lazy, it’s just that we are busy, and can you imagine being a small business owner and being like oh yeah enjoy your Christmas break. They don’t think about the scary guy behind the door and sometimes we don’t think about our own scary guy behind the door I guess is what I’m getting at. I mean we have 2FA turned on for everything.

Thony

Pretty much.

Nick

Yup.

Ron

So, you think if you go to an SMB right now and go hey you got 2FA turned on right now? They would be like what the hell is that. Because predominantly people put that to banks or your bank account or anything else. They don’t put it towards everyday usage. So, do you guys have anything to add to the why. I mean our biggest threats too, while I have this sheet of paper in front of me from this presentation, 10% of the attacks are coming from the middle east, 32% of the attacks are from Russia, and 25% of the attacks are from China. And those are from our Merakis, the reports I pull from what we can see from our advanced threats. That’s crazy to think, but at the end of the day I guess our biggest threats are ourselves.

Nick

Yeah, cause like I was saying it goes back to that social engineering of whether or not they can get you to click on that or open whatever.

Ron

This is from Microsoft, so I have to credit the source, so it’s not just Ron. By 2020, 25 billion devices will be connected to the internet. 82% of companies expect to face a cyberattack in 2019. 2 Billion customer records will be compromised. 1 million pieces of malware are being created every day. That’s crazy. I don’t have the stats in front of me, but I was curious like 1 million pieces how much money does that take. But they’ve had to of made millions of dollars. There is so much money in this ransomware game that we don’t account for.

Nick

Well and the other part of that is when you think about it is some of the countries that are doing that… the reason they are doing that is because they’ve grown up doing it. That it’s been this push to learn code, to get a job, and well now all of sudden that job is creating ransomware for some guy to make some money. So, I wouldn’t be surprised if there weren’t several corporations in these countries that the guy, I mean I’m sure he knows what he is making, but he doesn’t care he is getting paid.

Ron

I don’t think they care. I mean some people do it for the thrill right, but some people are like getting that dolla dolla bils yo or yen yen yens I don’t know where they are from.

Nick and Thony

[Laughs]

Ron

So, like recently in the news I had this in the presentation. Genesis county was down for 24 hours, that’s in Michigan, they had been attacked by ransomware, Brickside E and T Hearing Center in Battle Creek closed permanently from ransomware. They will never reopen because they got ransomware and they had no plan to recover.

Thony

And I’m sure they didn’t have the funds to pay the ransom.

Ron

I think it came down to and I haven’t caught up with it, I think it came down to yeah, we aren’t going to pay it.

Thony

Yeah.

Ron

We are just going to shut it down. Which I get…America, support America do your American thing. I get because you don’t want to fund terrorism because that is essentially what it is, but at the end of the day that’s a ---- move.

Thony

It is.

Ron

City of Baltimore spent over 6 million dollars paying ransomware. Ottawa Community Health Systems, so they were a third-party biller who was breached, and it got back to their systems, 15,000 patients PI information was released and that was through phishing. Lansing Board of Water and Light was phished and encrypted so they got ransomware. Yeah, a phishing attack like this --- is happening all the time and people don’t…I don’t want to say they don’t care, but they’re really not putting in the efforts to care about it. You can ask any of the people who have come through these doors and out of these doors if they cared about you know lost sleep. I remember talking to one of our former colleagues and he was like I can’t sleep because I’m worried something is going to happen and we’re responsible for it. So, I mean it is on our head, but it’s not on a lot of people’s heads nor will they spend the money to do the protection.

Thony

No and I think it’s part like you don’t see this data right it’s not something you can physically see all the time and you don’t think is it protected or can someone just access it, you know hold it ransom.

Ron

Is it in harm’s way?

Thony

Right. That’s probably why people don’t think about it.

Nick

Well the other thing is they are putting too much trust in their employee cause they are like Susie Q is not going to click on that we will be fine and then Susie goes and clicks on it.

Ron

Well and a lot of the things. You guys both have been when we are meeting with potential customers is like no we have everything we have the spam filter, we have the firewall, we have the anti-virus, and we do have a backup, but most people have that. But when was the last time backups have been checked?

Nick

Mhm.

Ron

What’s your spam filter letting in, oh it’s letting in everything even those emails that I get from my golf buddies that are forwards that have attachments to it. The firewall hasn’t really been looked at or updated in ages, so the update pattern is a little screwy.

Nick

Or it’s the one that they bought off the Best Buy shelf, those are always fun.

Ron

Yeah. Okay, before we get down that rabbit hole let’s talk about how. How are these people getting to us? We know why they are getting to us, but how are they getting to us.