
BSidesWLG 2017 - Sai Honig - Security for Small to Medium Businesses

BSides Wellington | 22:11 | 30 views | Published 2018-02
About this talk
You may think you are a small business and not a target group for cybercriminals! MBIE has published that there are more than ½ million small businesses in New Zealand. That makes you part of the biggest targeted group!
- Why are SMBs in the biggest targeted group
- What can you do to protect yourself

Transcript [en]

Good afternoon everyone. How's everybody doing? We're almost done. So cool. I know I'm standing between you and a break so we'll get right to it. Small businesses. How many here work for a small business? It's defined as 50 or less. Keep your hands up. Okay. How many of you know someone who works for a small business? Add your hands. Okay. How many of you, keep your hands up, how many of you use the services or products of a small business? Okay, that should be the rest of you, okay? We love small businesses. All of us. Guess what? So do they. This is a picture of a cafe. I picked this picture because it's a picture within a small business. And the site that it's hosted on is called Unsplash. They promote the work of photographers and all of their work is what's called CC0, which means you can download it for free and you don't have to do anything. And by the way, Unsplash is a small business.

So a little bit about me. I work at Xero, so I want to give a big shout out to the security teams at Xero. Because of what they do, I can come here today and I can also do things like this, which is be on an international board. And on behalf of over 125,000 information security professionals around the world, I'm honored to be here and represent them. But I am really, really, really passionate about small businesses. In fact, the smaller the better. And if you guys are interested in something called micro-businesses, come talk to me later. I can even show you a way that you can personally change the world.

So any guess as to how many small businesses out there? Anyone?

I'm gonna let you know it's a little more than that. Anyone else?

Right, okay, keep going. Alright, did I just hear somebody shout out 42? Seriously. I mean, come on. Alright, seriously, okay. How's that? That's a really big number. In fact, I had to sit there and I'm dyslexic, so I like have to write stuff out and do all kinds of things. I actually wrote that number out because I wanted to see how many zeros there was. And yeah, so that's an estimate. Seriously, don't quote me on this one. It's anywhere between 100 million to 150 million, depending on who you talk to. And it seems like half of them are in the developing world, which is where a lot of the micro-businesses are. And they are, this is what's really cool about small businesses. They fit into these little niches that not all of us think about or worry about. And they seem to thrive in doing small things like serving coffee or maybe one service a friend of mine does. She is a concierge at a company and basically the employees could come up to her and say, hey, I need to get some stamps to mail some stuff out. Well, you come back at lunch and she's got a book of stamps and you've already paid for it through the company payroll system. Hey, I need to get flowers sent to my girlfriend and yeah, whatever, she'll take care of it. She's an operation of one and she's a small business and very successful at it, I might add.

So this is the thing. There are so many small businesses out there, but that number's really hard to kind of fathom. So I just thought, let's just look at New Zealand here. In case you didn't notice, I am an American. I've been living here for about three and a half years. So I was really surprised to find out just how many small businesses there were in New Zealand. So you've got a country of about four and a half million people and you've got a little over 500,000 businesses. Now you Kiwis are going to have to help me out here. What does MBIE stand for? Say it again. Thank you.

I'm still working on understanding all the acronyms here. Ministry of Business, Innovation and Employment. They collect lots and lots of facts and this is something that they've come up with through their processes that there's just over half a million small businesses here in New Zealand. Now here's the interesting thing too. Almost all of those small businesses have less than 20 people in them. That's it. 20 people. They produce 28% of New Zealand's GDP. Now, if you were to just include the ones between 20 and 50, that's adding about another 10% to that. So if you think about it, over one third of New Zealand's GDP is produced by small businesses. Now, I don't know, I mean, to me, that's really pretty cool. If you can't fathom what that is: a third of this country's wealth is produced by these really small businesses.

But here's where the challenge comes in. They're also one of the biggest targets out there. Here's why. They need data to run. Any business needs data to run. But when you have to keep running every single day and not have a stoppage at any point in time, you're willing to pay a ransom to get that data back. And guess what? They've got really valuable data. They store financial information, personal information, you name it, which can be used for fraud and identity theft. Which, by the way, identity theft is becoming one of the biggest crimes here in New Zealand, as well as around the world.

They are an input and a way to get into larger businesses. So just recently, I'm sure you've heard of this thing called Uber, and yeah, they had a hack or something like that just recently. How did those hackers get in? They didn't get in to Uber directly, they went to GitHub, which is a small business, and found credentials and then got into Uber. So they're a gateway into larger companies. They're also a gateway into other small businesses.

So some other things. There is an amazing group of talent here today. Okay? This talent is generally not available to small businesses. So they may not have the knowledge to know you need to update your systems or you need to put in a firewall. They've got Wi-Fi and it's unprotected Wi-Fi. And the other thing is once you get in, it's a lot easier to get away with hacking a small business than a large enterprise.

And this is what scares me the most. $19,000 per incident. $19,000 per incident. I don't know very many small businesses that can afford that and afford it on a repeated basis.

The other part of it is that nearly half of the businesses don't even know that they've been hacked. And we know all about these issues, the computer virus, the phishing, Trojan horses, you name it, we all know about it. But to the average small business owner, they may not ever hear about it unless it becomes big news, like the ransomware viruses that we had earlier this year. And even if it does become big news, they don't know what to do about it.

So for those of you who work in small businesses or know of small businesses or use small businesses' services, here's some things that we should really get an opportunity and at the very end I do have a challenge for all of you. They need to become aware of their cybersecurity needs. They need to know about some basic stuff, some training, some of which is free and I'll show you some of that. They need to understand that, yeah, it's easy if they have the same set of credentials going into their banking and their accounting and to the email and they share that same set of credentials with everyone on their staff, there's a potential there for disaster. The other thing is they need to learn that they don't need to take information that they don't need. When I first came to New Zealand, I lived in the town of Hamilton, and I went into a coffee shop and wanted to sign up, you know, frequent coffee thing, right? Well, they were just asking me for a lot of information. Not just my name, not just my mobile number, but my birth date, my home address. I'm like, hey, I just want to come in and get a cup of coffee and maybe I do on a frequent basis. Why do you need all this information? Well, it's because we want to send you something on your birthday. I'm like, well, look, I don't want something on my birthday, okay? I just want to be able to come in and get a cup of coffee.

Now, I think what the conversation should have been is what is your business strategy and why do you need to collect that information to support your business strategy. I think a lot of times we collect information or we give information just because it's asked of us. We need to start thinking, why am I giving this information?

Social media. I cannot tell you how much fun this is for anyone who's trying to find information about a business or just about anyone: posting things like, I'm going on vacation to the islands and I'm going to be, you know, blah, blah, blah. And of course, the entire world knows about it. And guess what? You might have a break-in, a physical intrusion during that time, or you might, that might be the time that, hey, that's when we should go and start emptying out your bank account because you're in the islands, you probably don't have access to the internet, and by the time you find out about it, it's going to be too late, we're gone.

Some more ways to protect. Backup. You know, I know a lot of this is going to be like, yeah, I know this, but this is what's important and it'll become clear when I give you my challenge. Encrypting the data. A lot of people don't understand what this is and that's going to be part of the challenge too. Using strong passwords. This is something I've told people about and it kind of surprises me that they don't know about this because they'll say, I've got all these passwords I've got to remember, you know, from this, that, and the other thing. I'm like, well, have you thought about a password keeper? And they look at me like, well, what's that? You'd be surprised. A lot of people don't know about these things. Two-factor authentication. And if you don't have it, get somebody else who will give you two-factor authentication.

We've seen emails that have been spoofed, and they will get a bill that looks like a real bill and the bill is paid and then they find out later that somebody had spoofed their email, was able to get in, send them a false invoice and guess what? They lost their money.

You know, checking with your vendors. Do they do updates? Do they patch everything? I mean, you know, people think, well, I'm going to get this update because I'm going to get some nice new cool emojis or the animojis or whoever or whatever. But as we know, a lot of those updates are protecting vulnerabilities. And of course, you know, updating everything.

Okay. So believe it or not, there's a ton of free guides out there for small businesses that they can go to to find some help. And this is just some of them that I just did a quick search on. A lot of them too might actually say, you know, now you can click here and you get some more info and you have to pay for it. But as a small business person, where do I start? So I want to show you something that is free, available, built here in New Zealand. Let me just get this all the way. Okay. It's called Digital Journey. And what they've done is create a digital assessment of a small business. It takes 20 minutes to do and you only have to enter an email address. It provides a continuum of how secure you are. So one side, you're least secure, the other side, you're most secure. And the things that you can do to improve, and they're simple things. And there's tools on here to build those simple things, training, templates, policies, et cetera.

The other thing I just want to share is because as an initiative through ISC Squared, of which I'm a board member, we are using Garfield to educate children. So if you don't know of any small businesses, I'm sure you probably know someone who has children, you probably have children yourself, here's an opportunity for them to learn in a fun and interactive environment about how to be safe. There's actually six lessons on here. And they include everything from downloading to cyberbullying to posting. And there's also kits for teachers if you want. So you can go to the site and just have fun with it.

So again, that's the digital journey, it's free education online.

So here's my request to all of you. Start talking to small businesses. Seriously. I have a friend who owns a hair cutting place in the United States and anytime I go back to visit, I go to her. And while she's cutting my hair, she's asking me questions about cybersecurity, about what she can do to keep her business safe. And I thought it was kind of odd, because I don't see her that often, but this is the conversation she'll have with me. And I asked her one time, and I said, why is it you ask me these questions? She said, well, you're the only one that I know that doesn't talk code. Think about that.

Share with them why they need to protect themselves, their staff, and their businesses. This is their livelihood. And, you know, as we saw, it was $19,000 per incident. I don't know, again, I don't know of any small business that really can afford that and afford that on a repeated basis. You may even have to show them how to do it. Show them where they can get more information. Maybe even suggest a short training. 10 minutes, 15 minutes, that's probably all that it takes. If you have any other ideas, I'm hoping to hear them. But again, we need to start doing more than just talking amongst ourselves about exploits and about vulnerabilities. These are businesses that if they go down, they could really hurt somebody's lives.

And we've had a lot of things happen to us this year. I mean, global ransomware, you name it, we've all seen it. It would seem like everything but the kitchen sink has been thrown at us. And honestly, my prediction, we're gonna have the kitchen sink thrown at us. But it might not be a large company that gets hit that brings everything down. It might even start really small with a small business and go from there. And that's kind of scary when there's over half a million small businesses in this country alone. Now think about that when you go to sleep tonight. And think about ways that you can talk to them. And yeah, maybe it's a little scary to just have that conversation, but sometimes five minutes is all it takes. I talked to somebody who had a certain type of phone that will not be mentioned, hadn't updated it in years, and I explained to her why. And within five minutes of that conversation, she had it updated to the latest patch and everything and went on her way.

So, any questions?

Would anybody like to know about micro-businesses?

Oh, okay. Sure. I do apologize. I originally thought this was a lightning talk, so I had originally planned it for like 15 minutes. But let me tell you about micro-businesses. Anybody know about Kiva? Anybody heard me talk about Kiva? Okay. Small, really small businesses around the world. And these are the micro businesses. These are the ones where usually in developing countries, but also in the United States and Australia as well, small loans. And what really started this, kick-started this was about 40 years ago in Bangladesh.

There was an experiment that was conducted by an economist with a group of people that did not, well, quite honestly, lived on about two dollars a day. So he went around and said, well, what do these people do? Well, they do a lot of things and they're working long hours, but they don't seem to get a big return for what they do. So he said, well, why don't they get a big return? Well, they're having to borrow money from loan sharks. And so they get an investment but then they're pretty much turning it all back around. So he created this scheme where he gave out loans to these people. And the loans that he gave out to about six people amounted to about 26 US dollars. Wasn't a lot of money.

But in six months it was all paid back. And he had his students go out and say, well what happened? Well it turns out they were able to use the money and invested in things that they were doing. And in fact in one case it was this woman who was a basket weaver. This is an actual case study. She took the money that she got and she was now able to make more money. She would hire somebody else to help her with her business. So it went from business of one to business of two. So this is microfinance on a global scale as well. The idea is that these are individuals, these are entrepreneurs that have already been vetted and you can be part of this change too.

A small loan, $25. And that loan can be put into a pot with other people and loaned out to these small businesses and they will grow. And then you have the option that once the loan is paid back, what to do with that money? It's yours. You can then take it out, have fun with it, or you can reinvest it. So this is one of my passions. This is probably the smallest of businesses that you can get. Some of these businesses start up on like less than $50 and it's amazing to see where they go.

So thank you for letting me share my passion. And please, share your knowledge with those out there that are running the small businesses. I would hate to see New Zealand suffer. I would hate to see any country suffer simply because the knowledge wasn't out there. Thank you.