
Bear with me, I don't think I've ever spoken into a microphone before, so hopefully I can get this spacing right. My name's Justin, I'm the owner of Complete Technologies. I've had quite the experience. I never wanted to do computers; I always thought I wanted to be a lawyer. I found out that lawyers have to deal with a lot of paperwork and you have to be really organized, and that's not me. So I kind of fell into it, because I've been playing with computers my whole life. I started out as an IT monkey, moved on to project team and help desk. Paul and I worked at WBM together, and then at Anchor I was the sole employee until Paul showed up and came and saved me. Then I started at Complete Tech and moved on to running it.

That was me a couple of months ago, sitting in the server room at a client, so I still do occasionally hop in, but I'm definitely losing my skills. So today I just wanted to talk about what I'm seeing at new clients that are coming in, just general businesses in Saskatoon, and the types of threats that we're dealing with.

So, the evolution of cyber attacks. Obviously it goes way further back than that, but what I'm seeing is we're still in 2015, 2016. People haven't caught up to anything after that. When I talk to business owners, they're still thinking that just running antivirus is good enough. They don't know what PII is. I'm asking them, do you store social insurance numbers, what information do you have and where is it kept?

So, the cyber threats. Ransomware is still around somewhere. I mean, knock on wood, this is probably going to jinx it, but I haven't actually seen ransomware in the wild in six years at any of my client sites, and now I'm going to pay for that. But yeah, I've seen some nasty ransomware hitting M365. The one that I dealt with wasn't a client, but they didn't have backups, and so recovering from that was a nightmare. I think I spent three weeks pulling my hair out trying to get that solved.

Third-party exposure: CrowdStrike, I guess. Not knowing where your data is stored, how your software is configured, who's hosting it. We support industries from nonprofit to manufacturing to everything, and a manufacturing company that I've done work with is still running Server 2008 R2, because that's the only operating system that their software vendor can operate on. It's now the third party's problem, it's no longer on site, but that's still a huge risk for them, and it's their main line-of-business software.

Configuration mistakes. Basically, my talk's really simple, it's all on the basics, because what I'm seeing is that we're not getting the basics right. People are asking for a SOC, a SIEM, endpoint protection, detection and response, and they're still using password123. Not updating their software, no network segmentation, default configs on everything. Nobody thinks about their HP printer, and they just leave that default, they're not updating it.

Times are changing. Social engineering is probably the biggest threat that I deal with in Saskatoon: phishing, spoofing, phone calls. In total, I think in the past two years I've dealt with almost $2 million worth of stolen money, from a couple of clients to just random businesses contacting us for help after a compromise. And AI threats: I won't get into that too much, but what I have noticed is that AI has helped craft better phishing emails, and that's made a huge difference. It's a lot harder now to read an email and know that it was a phishing attack.

So, I don't remember my slides... there we go. I was called in by a cyber insurance company after a psychologist's office in Saskatoon was hit. It was not good. They had client records and notes stored in OneDrive; their invoicing and everything was done through email; all users had Global Admin, no MFA and basic passwords. Clients were paying the hackers because they were getting sent fake invoices. It was a massive privacy breach, a massive loss of reputation, and this was recent. We're not getting the basics right. Going through and auditing your permissions, the principle of least privilege: we all talk about it, we know about it, but it's getting buy-in from business owners and the people that have to make these decisions, that's what matters to prevent this. And I mean, cyber insurance covered them, they paid for remediation and that, but you still have to talk to the Privacy Commissioner, you have to notify all your clients. This could be business-ending. So, not a fun situation to be in.

And then one of the other ones. Again, they're all kind of phishing attacks or just basic, simple things that people are falling for. An accounts payable phishing attack at a large retail company cost them 600 grand. It was 100 grand a month. Their AP clerk got an email to change bank info for one of their vendors. It was sent from a Gmail address and they just didn't check. It looked relatively legitimate other than the Gmail address, but they changed the bank info. They were the only AP clerk, they didn't notice that that was going on. For whatever reason they weren't getting overdue statements or anything like that. Six months went by, they got a call from the vendor: "You guys owe us 600 grand, you haven't been paying." "What do you mean? We've been paying you every month." They were paying the hacker. Cyber insurance paid them back a bit, but not all of it, and that's a massive hit for a business. If I took a $600,000 hit, I'd be out of business.

These are the threats that we're dealing with, and the solution for this is free. That's what I pitch to most of my clients, or anyone I talk to: all of the stuff that we're dealing with, the solutions are free. To prevent this, it's user training and calling to verify. When somebody asks you to change bank info and you're changing your vendor payments and that, why aren't you calling them? If they're calling you, why aren't you sending an email as well? Two-factor verification on something like that would have stopped this. If they would have called and said, "Hey, you guys are changing your bank info, can I confirm that?" they would have said, "No, we're not," and that would have prevented this money from leaving.

The previous one: not having... there we go, not having everyone have admin roles. Why do you have an admin role? They didn't have anyone that set up their system, they didn't know what they were doing, so it was just kind of the easy way to do that. They didn't have MFA enabled and their password was simple. I've seen Microsoft accounts get popped even with MFA on them with a simple password, so it gets even more critical to have MFA and a decent password on there.

Let's see. So what I deal with the most still is passwords. "hoy2" is a real password that I came across. I've run some internal pen tests for clients and found password sheets in Excel, and talked to the business owners, like, "Why are you grabbing your employees' passwords?" They're like, "Well, because we want to be able to log in and see that." I'm like, you can call us, we can give you delegated access to their mailbox. Nobody should be sharing their passwords, and you shouldn't be keeping them in an unencrypted Excel sheet on the server named "passwords". This is still what we're dealing with. The average, according to the internet, the average number of passwords per person in the workplace is 87. The other thing that we're seeing is you're incrementing your password: you're going from one to two at the end, and when one account is compromised and you're just using bob@company.com and you're incrementing your password, now I can go and hit every website and try it, and just try incrementing, and you're going to get through the majority of the time.

Employees are tired of security. Nobody likes dealing with the MFA, they don't like having to have 15-character-long passwords. How are they supposed to remember seven passwords that are all different, that are 15 characters long? So they're just doing what they can to get by. Password managers are great; they have to be configured well. And I mean, as I've seen, I demonstrate every once in a while, I've used Mimikatz recently and dumped Chrome passwords and stored Windows passwords on computers. So storing in Chrome can be safe, but you need to have a plan in place. What I found is, using a managed password manager, having people take care of that, we're getting passwords up to 30, 40 characters. There's two-factor to get into the password manager, we can hide the passwords from employees. I've got clients that have fairly regular turnover of some employees; we can make it so that the employee can log in but they can never see the password. They can share accounts between staff members without having to worry that the password is going to get compromised. It's not written down on an Excel sheet. So just doing those things and talking to businesses about basics, and getting them kind of working towards more security.

Which brings me to simplicity and the basics. This is an example from that picture of me sitting in the server room. This was a 30-person company that had all of that in there. It was a giant mess of cables. How are you going to find the Raspberry Pi that I plugged into your network in that mess? What is running on all of those servers? The majority of them weren't even needed. There's a mix of vendors in there: HP, Dell, Lenovo, Supermicro. They're not even all managed by the same... I think of it as IO, I can't remember what the actual term is, but IO byra, all of that's configured differently. They're probably all still default.

How many different vendors are you dealing with on software? I was at a conference down in Florida talking to other MSPs, and they're like, "We have these four different antivirus providers, and depending on the level of support that the client's paying us for, they get a different one." How is your team managing that? Your team's going into four different portals to manage antivirus alerts. Why are you spreading yourself so thin? If you pick a single antivirus vendor and you get as good as you can at it, and you're not looking at four different portals, you're going to catch threats more often. If you're running EDR and you just put it on there and think it's good to go... the simpler the better, especially for small companies. You don't need to be going to the highest level, because chances are, when you're putting on a high-end product, if you're using CrowdStrike, you're not configuring it properly, it's not being monitored.

And so end user awareness is getting buy-in from everyone. Employees are the biggest threat to the company that I've found. Teaching people without scaring them about personal security and cyber hygiene. The Government of Canada's been running great programs: Get Cyber Safe is free. They have everything on there, from securing your Xbox to talking about protecting your kids online. They have Get Cyber Secure, which allows a business to kind of go through basic compliance. And I found that when talking to employees and business owners without scaring them, just talking about improving security in their personal life: everyone's heard about somebody having funds stolen from their bank account or falling for a text message scam. When people start caring about security in their personal life, they're more likely to care when they come to work. For corporate, it doesn't matter what it is: if it's just somebody talking monthly, or if you're actually running a security awareness campaign, but just continuing that conversation or starting that conversation.

I know I'm kind of preaching to the choir with everyone in here, but this is kind of my sales pitch to small businesses in Saskatoon, because a lot of them are still thinking, "We're just in Saskatoon, we're in Saskatchewan, why would anyone want to target us?" But when you're connected to the internet, it's global. A lot of these companies aren't getting hit by targeted cyber attacks, it's just drive-by, scattershot. And they're like, "Well, I don't need that, I don't need to secure this, I don't need a password manager, I don't want to pay for more security and I don't want that hit to my productivity." Where password managers can improve productivity: if you just throw it out there and say you have to use a password manager, you're probably not going to get much buy-in, but if you take the time and you sit with every end user, you show them how to use it and actually get them doing it, it makes life easier, it's more secure. Just taking the basics and helping everyone.

So what I've done when kind of pitching and selling cyber security to small business in the city: highlight risks by asking questions about downtime, how much they could lose, like what would be an acceptable amount of money to lose, what about reputation damage. And then we can go about talking about how we can secure those things. Pitch productivity with the password managers. We've got onboarding down to five minutes at one client, where they can put in a form saying we're onboarding a new employee, with a password manager, Intune deployments, everything like that. We can deploy new users faster and more securely, and yes, that costs some money, but the productivity increase on that is something that the business owner cares about. They don't necessarily care about the security, but when they can see a productivity increase, that's something they do care about.

Simple solutions. I've got some of my tools here. I love my O.MG cable; I always show that, I bring that to presentations, because the prevention is free: don't plug in a cable that I give you, and don't plug in a cable that you find on the ground. Don't grab USBs at trade shows and plug them into a company computer. It was funny, at one of the conferences there people were giving away USB keys and nobody would take them. There's a whole bunch of security guys and we're like, "Yeah, no." I had a guy want me to tap his NFC ring that he was wearing to get his contact info. I'm like, not a chance that I am tapping that.

Local examples. It's unfortunate, but there's so many local examples of small businesses getting hit by cyber crime. "It doesn't happen here." It does. That's what we're here to talk about, and it sucks that we have to bring that up, but I found just kind of with these things it starts the conversation, and that's what we're here to do.

Mandatory pitch for WatchGuard, because they're sponsoring my talk. So WatchGuard, kind of like poret, they've got everything. Yeah, that was me. I know it was kind of a basic, simple talk, but that was what my goal was.

[Applause]

So that was absolutely great, thank you Justin, and you did well. You held the mic like a pro, you didn't get any... and so that was great.