
If you've already eaten lunch, raise your hand. Oh boy, this is going to be good. There's a vending machine at the base of the stairs over here. So, if you want to go grab a candy bar or something, I'm not going to be offended. Great. We're going to talk about guerrilla GRC. That's a phrase that I made up, so you should be unfamiliar with it. And to introduce myself, my name is Josh. I've got a bachelor's degree in cyber security. I've got a whole bunch of certs, and I'm the VP of cyber security and operations for the Larry H. Miller company, which used to own the Jazz and used to own the
dealerships, and now they've sold all that stuff and they own a bunch of stuff nobody knows about. They still own the theaters, though. So if you go to Megaplex, that's part of their empire. This is my family. I'm not good at selfies, so you can see me up in the corner there. But you could just look at my face right here. So I figured it wasn't important that I be included in the selfie. So that's who I am. I want to get to know you a little bit. So raise your hand if you either have Security+ or higher, or if you're studying cyber security. Go ahead and raise your hand. Good. That's
the majority of people in here. So that's really good. Now, raise your hand again if you know somebody, or are related to somebody, or are connected or friends with somebody some way that owns a small business or operates one or is a partner or investor or anything. Come on. Again, most of the hands raised, right? Isn't Utah fantastic? They're so industrious, right? So, lots of small business owners, and the idea behind this is: how do we help small business owners? That's the purpose of this whole thing: let's look at a problem that doesn't usually get a lot of attention, which is the plight of small business owners. So there's a few stats up here. 70% of
small businesses are going to be targeted by phishing every single year. About a third of them will have a cyber incident in the next year. And of those that have a cyber incident, 25% of them are going to go out of business because of it. It's a really big deal. I mean, we all know when COVID happened, a lot of businesses went under, because any interruption to a small business's revenue can be catastrophic, and a cyber incident can be just that, right? So, let's do some math. Statistically speaking, how long until every small business goes out of business due to cyber security attacks? If we use these numbers, we can walk through the math.
Anyone want to just guess? Who knows how to do it? 12 years. 12 years. Exactly. How did you come to that conclusion? 33% of businesses go out. Yeah, exactly. Times that by three. So yeah, at these rates, all small businesses would go out of business in 12 years, which is crazy to think about. It's such a huge problem. We know that's not what actually happens. Probably what really happens is some people fail over and over and over again. We're going to do another raise-your-hand, but raise your hand if you know somebody who falls for phishing tests or whatever over and over again. Yeah, everybody knows that
person. So a lot of people are suffering because small businesses are the victims of these cyber attacks, and they don't have a lot of defenses. Who performs these attacks? Does anyone know? Any ideas?
Cyber criminal gangs. Cyber criminal gangs. That's true. The majority of them are ransomware gangs, right? And when they release those files, like the Conti files, they release a bunch of chat logs. What we find is that those gangs are like businesses. They have HR departments, and they have leadership and hierarchy, and people complain about the food in the breakroom. Like, it's a big deal. These cyber gangs are huge organizations in other countries that target small businesses around here and can cause tons of damage. So, the question is, how do we help them? I guess before I get into that, I want to ask another question. Why are small businesses in an especially bad place?
Why is it especially hard for them? Why are they targeted so much? Lack of funding, training. Yeah, lack of funding and training for cyber security, right? Cyber security tools are expensive, and a small business like a baker doesn't have a lot of extra money. So they can't afford to go out and buy CrowdStrike or Rapid7 or SentinelOne or anything like that, right? What they get is the free version of McAfee that expired six months ago, and it's not great. So we need to help them, right? Or somebody needs to help them. So the solution to this is guerrilla GRC, the term that I made up. So there's two parts to it. Guerrilla, which we will
talk more about later, is an irregular armed force that fights a stronger force by sabotage and harassment. We're all familiar with guerrilla tactics, right? Guerrilla warfare. But we will talk about that a little more. GRC is one of the three kind of categories of cyber security jobs, right? We've got red team and blue team, and then no team at all is GRC. I'm naming them the green team. You can see down here. So I'll refer to them as the green team, because I'm really hoping that that catches on. But the green team is governance, risk, and compliance. And the last one is what I want to focus on: compliance. Compliance is really simply making sure
that an organization is following the recommendations in a standard. So an organization can be forced to follow a standard for a lot of reasons. They could be regulatory. Do you guys care if I walk over here and point at stuff? Can you still hear me in the back? Okay, good. Because I like to walk around. All right. So the standards could be regulatory or legal, like HIPAA, which is for doctors and stuff. It could be contractual, like PCI, which is actually the credit card companies forcing people that use credit cards to do it. So this is not like a government one. It could be industry expectation. People want you to be SOC 2 compliant to show that you
know what you're doing. Or it could be voluntary. Your organization is going to follow a standard because you think you'll be more secure if you follow it. So the GRC team comes in with one of these standards, and they do an assessment to determine if you're compliant with them. That's the compliance part of governance, risk, and compliance. But compliance, GRC, kind of has a bad reputation. Anyone know why that is? What was that? Bureaucrats. Bureaucrats. Yes. What else? Following regulations a lot of times feels arbitrary. It feels arbitrary. Yeah. It has nothing to do with what you're actually doing in the business. Yeah. A lot of times it feels like it's outside of what you do. We've
heard that a lot. The Millers have a medical company that does care for people that are recovering from surgeries. And whenever we talked about cyber security, in our initial conversations after they acquired them, they didn't want to hear about it. They were like, "We care about people falling out of beds. We don't care about getting hacked." And we were like, "Oh, well, just you wait." Compliance can be about checking a box. It can be about bureaucracy. It can be irritating. It really can, especially when it's done poorly. And a lot of the time it's done poorly because the compliance officer knows that they're asking stuff that's kind of annoying, and they feel bad to be asking in the first
place, and everybody is not enjoying that interaction. It can also be about improving security. Compliance can genuinely be about making your cyber security posture better, right? And when it's done that way, everybody gets a lot more out of it and fewer people are annoyed with you. Although some people are still annoyed with you. So the green team, remember what? What's the green team? GRC. GRC. The green team. We're going to make this a thing. Post about it on Bluesky. The green team, I'm arguing, are the unsung heroes of cyber. So, we've got the red team, which is offensive security. Everybody knows them. They're the cool ones that wear hoodies and hack into
stuff, and, you know, when everyone says, "I'm going to get into cyber security," this is what you're looking at. There's the blue team, which are the less flashy but still important, you know, stalwart defenders. There's the purple team, which is just guys that were like, "I can't decide. Red or blue? I'm both," and they made the purple team. And then there's the green team, which, as we already determined, is just making sure it's good, and which, as we also determined, people are irritated about. But the green team is the unsung heroes. And to explain that, I'm going to use the example of basketball. How many people in here play basketball? Raise your hand a little bit. Why do you
play basketball? What's your name? Yeah. Tatiana. Tatiana. Why do you play basketball? It's fun. Yeah, that's great. Why do you play basketball? Yeah, it's fun. It's something that my whole family plays. Yeah. What about you, Patch? I have a whole movie dedicated on resol. It's a cultural thing. That's awesome. So, we have a lot of different reasons to play basketball. One that we hear a lot is health as well. Oh, that's funny. Free phone. Okay. So, a lot of people play basketball because it's fun, or because they like to play with their friends, because it's cultural, because it's good for their health, right? There is another group of people that play basketball for another reason. Those are professional
basketball players. And why do they play basketball? For money. For money. For lots of money, right? It's a big deal to them. So, while this court would be good for us to go play basketball on, and we could have fun and we could wear, you know, gym shorts and whatever and play with an old ball, they have state-of-the-art facilities and nutritionists and all kinds of stuff, right? They have giant facilities where they practice and work out, and they spend time learning complicated things like the triangle offense and a pin-down screen and stuff like that, right? So the needs of a professional basketball player are vastly different than the needs of any one of us playing basketball who
want something out of it. But both of us are playing basketball, right? And we both benefit from it in different ways. Much like that, cyber security is a lot like basketball in that everybody benefits from it, but some people need a lot more out of it. So I was chatting with a friend of mine who is on the cyber security team at a hospital chain, and their cyber security team is 150 people, which is bigger than our entire IT department where I work, right? Significantly bigger, because the stakes are so high, because if they get hacked, lives are at stake, right? Someone at a bakery who is a small business, maybe they have three bakeries. I don't know
why I keep talking about bakeries. It's lunchtime, that's why. I'm sorry, I'm just rubbing it in. I asked who ate lunch, and now I'm just rubbing in that there's food out there. Just so you know, the thing down there is closed on Fridays, so no luck for lunch for anybody. Anyway, so somebody that owns a bakery doesn't need a 150-person staff, right? They need cyber security too, but they don't need the same thing that a hospital chain does. So when we look at what the red team does, the bakery doesn't need a red team. They don't even need a blue team, because they can't afford one-for-one. But if we look at what a green team does, which is
demonstrate cyber security standards and see if they're doing them, kind of show them what they could do and help them improve it, that's something that even a bakery would benefit from. They would benefit from the green team. Because even without these guys in here, what are some of the most important things you can do to be more secure? Change passwords. Change your passwords. Routers. What else? As an individual,
multifactor authentication. MFA, that's a perfect one, right? So, somebody could come in, and MFA is in every single standard that exists, right? So, someone came in to a bakery and said, "Do you guys have MFA turned on?" And they said, "No." And they said, "You should do that." That is GRC. That's the green team. That simple little thing, right? It's really crazy to think about. So now let's talk about what guerrilla means. So remember our definition: an irregular armed force that fights a stronger force by sabotage and harassment. Think about harassing somebody with a spreadsheet. We're going to try and avoid the harassment part, but we may do something. No, I'm just kidding. All right, so let's break it
down. An irregular force just means using what you have. We think of guerrilla warfare as a modern thing, but it goes back thousands of years. One of the first records of guerrilla warfare was in China 2,000 years ago, when a warlord conscripted a bunch of farmers to fight his battle, right? So an irregular force is just using what you have available. The stronger force: when the opposition is better resourced. Who are the people that are attacking small businesses? Hackers, ransomware gangs. Are they better resourced than a bakery? Probably. Almost definitely, because they're getting all that sweet Bitcoin money, right, from their ransoms. And then when we say sabotage and harassment, what we really mean is any
way we can, however makes a difference, regardless of tradition. In textbooks around here, they always show, during the Revolutionary War, the redcoats coming in in their lines, right? And then the American people were like hiding in trees and shooting at them. And the British were like, "That's not how we fight wars." And they were like, "It's a war. We just do what we do." Right? That's kind of the essence of guerrilla warfare: using whatever force you have when the opposition is better resourced to make a difference, to win battles, right? So guerrilla GRC is using what is available to help people who are outmatched in whatever way we can. So who are the people that
are outmatched? Bakeries. Bakeries. Bakeries. Yes. Thank you. The only small business we care about is bakeries. Guerrilla GRC is now a bakery support system. Yeah. Bakeries. Small businesses. What is available? What resources are there? Or who is available? Us. Who said us? Us, or rather, whom is available? We are available. Almost every hand raised in this room when I asked if you've gotten your Security+ or if you're studying cyber security, which means you know more than the average person about cyber security. So you can probably help them at least raise things up a little bit, right? So in our "what is available?", we are available to help people who are outmatched in whatever way we can. So let's talk about
how, really quick. How can we help people? Now, what I want to do, originally I planned on role playing, but this is taking too long. And I don't want to embarrass somebody and have them roleplay a baker, because is anyone here a baker? You're a baker? No, but back in the day. Okay. Well, I was going to do the role play anyway since we've got a baker in our midst, but we'll just skip it. So instead, I'll just kind of walk through the idea. Let's say that I know some people that own businesses, and I do. One of my relatives, my wife's stepdad, owns an HVAC company. So what I
might do is find out if they're concerned about cyber security and if they feel they can do anything about it. Okay. Do you think most small business owners, most bakers, are concerned about cyber security? No. Maybe. Yes. The vast majority are aware of it and scared of it. Do they feel like they can do anything about it? That's the no. They feel like cyber security is a meteor that is going to come shooting out of the sky and destroy their company, and they have no way to stop it. Right? We can help them, disabuse them of that notion, and let them know that there is something they can do. So first, if I'm going to talk to my
stepfather-in-law, yeah, I can say, "Hey, are you worried about this?" And if he says yes, I can say, "Do you feel like there's stuff you can do?" And if he says no, I can say, "You know what? There is stuff you can do. It's actually pretty simple," right? There are small things that you can do. This is a conversation I've had over and over and over again with my relatives and people that I know. So you get to know their business. What does it look like? How many computers do you have? How many people are accessing your sensitive stuff? Do you guys use Gmail or Microsoft, or does everyone just use their personal email accounts? Right?
Just kind of get to know what they do, and then find an appropriate standard. So you don't have to invent cyber security. It's already been invented. Instead, you can find a limited standard that's tailored to their needs. A good one I like to mention that we'll talk about later is the Critical Security Controls from CIS. I'm going to skip ahead to show you this thing really quick. So they have a whole bunch of standards, and the standards are broken down into implementation groups one, two, and three, which is based on the size of the organization. So if you look at this standard, a small business only cares about implementation group one, right? So they've already broken it down into
this is what probably applies for a small business, which is really helpful. So you put together a subset of controls, maybe start with five of the most important things that they can do, and then you explain the controls to them and how they can implement them. So we mentioned MFA, right? So why does MFA matter? Somebody explain it to me. Passwords easily [inaudible]. Yeah, because with a password, you just have that one thing, and if it gets taken, you're done, right? For a small business owner, I'd say it's something that can easily protect your bank account. Yeah, it easily protects the bank account.
Yeah, that's a really good point: hackers are all about the return on investment, right? And if they come to you and they see your business as slightly more protected than the next guy, you don't have to have perfect cyber security. It's like that tale of the two people running from the bear, right? You just have to be a little faster than the guy next to you. So you can explain to them why MFA is important. And you could say something like, "You have passwords, which are really useful, but what happens if someone gets the password? They have your account. But when you use MFA, they don't have to have just your password. They have to have your
password and your phone that you keep in your pocket all the time. It's just like having a pair of keys, right? So will that make you more secure, if someone has to have your password and your phone?" And they go, "Oh, yeah, definitely." Okay, then that's why we do this, right? If you explain to them why this is important, then they're much more likely to understand it and go through the work of doing it, right? It's not enough to just say, "Hey, this is what you need to do." Like we were talking about, a lot of GRC people come in, they come down from their ivory tower and say, "Here's the standard, and
here's what you need to do. Now get it done." If they take the time to explain to the engineers, like in a corporate setting, why these things are important, you get a lot more done. I promise that, because I've experienced that, right? I've done GRC from a place of "here's the standard, you need to do it, don't ask any questions," and also done it from a "here's a standard and here's why it's important," and it makes a big difference. Okay, so you hand them a few things to do. You say, "Here's some things that'll make you way more secure. It'll help you sleep at night. It'll protect you. It'll make you slightly more secure than that
other bakery next door." And the hackers will go after them instead of you. And then you check in later and see how it went. If it went well, then you say, "Hey, great. We've got a few more things we can do. What about automatic patching?" Or what about backups or whatever, right? So you start with something simple, you explain it, and then you check in and see how it's coming, right? Those are the basic steps that we would have done if we had time for role play, but I talked too much. Any questions about this idea? There's a few things that we'll talk about in the next section.
So the guerrilla GRC guiding principles. So here's the main ideas behind this. The GGGP, as they're called, as they're known far and wide. So the main idea behind you reaching out to people you know, maybe even if you just have a Security+ or whatever, you're not an expert, is that something is better than nothing, because most small businesses are at nothing. They don't have any cyber security protection whatsoever. If you go to a business and you talk to them and you convince them to just turn on MFA, are they more secure than they were? Yeah, everybody knows yes, definitely they're more secure than they were. And it didn't take a lot of work.
Something is better than nothing. That's always what you need to remember. So the second one is find the right wheel, don't invent one. So there's this thing in cognitive biases called additive bias. Anyone heard of that? One person has heard of it. Great. For all the rest of you, it'll be amazing. This is super boring. 30 seconds. So these scientists wanted to figure out how people solve problems. Are they more likely to add something to a mechanical device to fix it or remove something? Right? So they did all of these tests to try and figure out: are people more likely to add something or remove it in order to fix something? And what they found is that
people always want to add something. Obviously, the name is additive bias. So if you look at a machine that's malfunctioning and you need to remove one part to make it work, most people won't remove the part. They will add other parts to it. Right? That's just how our brains work. It's how we're programmed, how we function. So this happens with cyber security programs. Anytime you go to an organization and they're starting a new cyber security program, everybody wants to reinvent everything. They're going to start everything from scratch. They're going to make their own standards and their own policies and blah blah blah, right? And you don't need to, especially if you're helping a bakery, because they
just need the basics, right? So we want to avoid the additive bias. We want to make sure that we're taking advantage of what's already out there. We were talking about basketball games earlier, right? For a professional, we know they need all of these things, like the facilities and doctors and nutritionists and, you know, all these different things to make their games better. What do you need to improve your game? What would help you, Tatiana? Hiring a coach. Hiring a coach. Yeah, a little bit of advice would be super helpful, right? You don't need a bunch of stuff, and you don't need to reinvent how the dribble works. You can just find
out who dribbles best and follow their example, right? And the coach will probably do the chair thing. They're not going to invent some new drill for you to do. They're going to pull out some chairs and go, "Okay, go back and forth, and then let's do some layup lines," right? Because it works. So the goal is to find the right wheel, don't invent one. So the answers are out there. You just need to find the right one. You need to make it approachable so it's not overwhelming, which is why we cut down to like five solutions instead of 50. You need to make it understandable so that they know why you're doing that thing, and then you
need to make it doable so that they can actually do something, right? So the next thing is that cyber security is a people problem, not a technology problem. We're up to our eyeballs in technology. Every possible solution is out there, and still there are cyber security issues. I mean, we talk about it all the time: what's the weakest link in any business? Humans. End user humans. The people, right? It's a people problem, not a technology problem. So I'm going to skip this exercise because, again, I'm running out of time. I apologize, but let me ask a question. Which of these two books would make you better able to help the bakery? And which one of them would make you better
able to be a red team engineer? Bakery engineer. Trick question. It's both, that one. Engineers need to communicate, too. Right. I know this is terrible. I just looked this up. I was like, give me the craziest name you can for communication skills. They help everything. They help every job. So learning how to communicate will help you help the baker, and it will also help you in your job, right, in the future. And then the fourth kind of principle is to take the win-win. I want to be really specific about a couple of things with the two minutes I have left. The first is that I'm not trying to convince everyone in here to go out and start a one-person cyber security
consultant group, because there's just not a lot of money in small businesses. If that were a market, there would be people in it doing it. Small businesses wouldn't need help. There would be people helping them, right? So there's not money in it. And I don't think this is something that you could pay people to do for you, right? And I'm also not saying you should become some kind of cyber security missionary or evangelist, right? I don't think you should go door to door knocking and saying, "Have you heard the wonderful news about multifactor authentication? Let me come in and take a few minutes." I don't think you should be doing that either. Remember our thing
about harassment, and I said I'd get back to that. We're avoiding the harassment. We're not doing that part. But what I am saying is that you have special, unique knowledge that other people don't have. And there are people that you care about that could really benefit from that knowledge. And I encourage you to go outside your comfort zone and just see if you can help them. Whether it's people that own a small business or whether it's your friends and family or whatever, you can reach out and be a resource to them and really help them sleep better at night, and you can potentially help them avoid losing their business. That's crazy to think about, but even a really simple act of just
getting someone to turn on MFA could protect them, or just getting them to turn on backups. So I'm saying take the win-win. Don't do it. And I had this whole other thing about trying to get into the cyber security space. This is valuable experience. Having those reps and going to talk to somebody and helping them implement a tool or a program, even if it's on a small scale, is really good experience for someone that's getting into cyber security. So it's a good opportunity to do that and build those communication skills. So I cut out a bunch of it, and I apologize, but hopefully it was useful for you. Any questions in the next one minute? Nope. Great. Thanks, everybody.
Go get lunch. [Applause]