Professor Alan Watkins demystifies cybersecurity for small business owners

By Jenn Marshall, Contributing Writer

How worried should small businesses be about cyber attacks? Pretty worried, according to Alan Watkins, a professor for the Cybersecurity Master’s Degree Program at National University, and an expert with a long career in cybersecurity, emergency management, and law enforcement.

Small businesses are often at a higher risk because criminals know they’re easier to hack. So, what’s a small business to do? During a podcast interview with Michael “Roo” Fey, Head of User Lifecycle & Growth at 1Password, Watkins revealed that having good “cyber hygiene” – which consists of a handful of basic principles anyone can follow – doesn’t have to cost thousands of dollars or upend other business priorities.

To learn more about what small businesses can do to reduce their risk of cyber attack, read the interview highlights below or listen to the full Random but Memorable podcast episode.

Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.

Michael Fey: What was your journey into cybersecurity?

Alan Watkins: Those are two different paths. My journey into cybersecurity started in 1998 on a project for the city of San Diego. It was the Y2K bug! I was the manager for the wastewater department at the city, and was put in charge of making sure all the systems continued to work. Because wastewater is a national infrastructure item, I got in contact with the national FBI office that was coordinating those things.

That took me into the cybersecurity realm even though Y2K wasn’t a security issue – it was a cyber issue. I started working with the FBI and had various roles at the city after that. Eventually I became the city’s IT security manager.

MF: What are the fundamentals of responding to a cybersecurity crisis?

AW: Most major cities and big businesses have emergency operations planned so that if something’s going wrong, they can pull the people together that need to be there to manage the crisis. Cyber needs to be part of that emergency plan because everybody depends on technology. If you don’t plan for a cyber event, then you’re not really planning for all the potential emergencies that could happen.

There are two main plan documents. One is called the Disaster Recovery Plan, and the other is called a Business Continuity Plan. Business Continuity helps maintain a minimum level of operations while a crisis is going on. IT is part of that. You have to have backup servers, backup communications, backup everything, to make sure that businesses can function.

The Disaster Recovery Plan answers: how do you get your business back to normal operations after the event is over?

MF: Has your guidance changed in recent years with the ramp-up of ransomware attacks? It feels like it’s not so much a question of if we’re going to need a disaster recovery plan, but when.

AW: “It’s a matter of when not if,” has been something IT security has been saying for more than a decade. Because the more people use technology, the more chance they have of being a victim of some sort of cybercrime or cyber attack. It’s like having a family plan for when your house catches on fire. When you have 15 minutes to get things together and leave, what do you take?

In the cyber and business world, what do you need to prepare for, and what do you need to manage that? The principle of “when not if” hasn’t changed – it’s just a matter of what you need to prepare for.

MF: Your new book focuses on cybersecurity programs for small businesses. Why do you think it’s important to have a non-technical guide specifically for small business owners?

AW: First, let’s define what a small business is. The Small Business Administration (SBA) says a small business is a company with fewer than 500 employees. That small business category makes up about 97% to 98% of all businesses in the U.S. by number count – not by number of employees, obviously.

To me, 500 is a rather large number of employees. My book focuses on businesses with 25 to 50 or maybe 50 to 100 employees. Larger organizations tend to have more resources and people who have technical training to help them out. But the small business owner is focused on doing their business.

With 50 employees or less, their focus is on their product or their service or whatever they do for their customers. So cyber and maybe some other things take a back seat.

While some business owners have a basic knowledge of how computers work and are familiar with the applications or the systems that they use normally, they’re not going to be familiar with the network security and the protocols and the things behind the scenes that cybersecurity is meant to protect. Or the configuration of things like firewalls. Most people know what a firewall is but ask them to configure it and you’ll get a blank stare.

MF: Do you think that cybersecurity is an afterthought for small business owners? Or they just can’t prioritize it?

AW: Some do and some don’t have it as an afterthought. I think that’s decreasing a lot because every day in the news there’s something going on with a cyber attack of some sort. This at least makes the small businesses aware, but they’re probably thinking: “Ah, those are the big guys. I didn’t get impacted by that.” This is a false sense of security. About a decade ago, about 35% of all cyber attacks reported were on small businesses. In the last couple of years, it’s up to 45% of all global cyber attacks being on small businesses.

And it’s increasing. The reason is that the crooks have figured out there are weak points in small businesses. They can use these to get in and do damage either to them or another company.

An example is the Target breach in 2013. The attackers didn’t attack Target directly, initially. They went through a small business vendor of Target’s to sort of get in the back door.

This has been going on for a long time. Once a small business is hit, then they obviously wake up and have to do something about it. But I think cybersecurity is becoming less of an afterthought and it’s more of a conscious priority decision.

MF: In your experience, what are some of the biggest cybersecurity challenges that these small businesses face, and how does your book set them up to meet those challenges?

AW: I’m going to back up a little bit. In the broad spectrum of things, cybersecurity is really a risk management activity. If you think about it, by reducing the potential for an attack or damage to your company’s assets, whether it’s information assets or its trade secrets, or whatever the case may be, by having cybersecurity, it reduces the risk level. This is good, all around, for business.

The challenge is twofold, in my opinion. Not many small businesses are mandated to have cybersecurity measures. So, the challenge is getting the small business owner to realize, 1) that it’s not going to cost an arm and a leg, and 2) it’s not going to divert too much from the business priorities.

It’s easy to get things started for a low cost. I can’t say no cost because even the low-cost items, you’re going to have to train employees. There’s going to be time and other things that the business has to put in. It might not be a big direct cost, but it would be a training cost.

A lot of the security measures in the book deal with setting up policies and procedures and then training the employees on how to follow them. What can employees do or not do that actually protects the information of the business? We call it “cyber hygiene.” There are about 10 or 12 basic principles that make up cyber hygiene that they could implement without shelling out thousands and thousands of dollars, or even having an employee on staff who is an expert in cyber.

MF: You’re an ambassador for CIS Controls. What are these and how do they benefit small businesses?

AW: The CIS Critical Security Controls (CIS Controls) started about 20 years ago and were formerly called the SANS Top 20. They were trying to find a way to tackle what would be the best method for any business to be prepared for a cyber attack.

The intent was, if someone implemented those 20 controls, they would probably be protected from at least 85% to 90% of potential attacks.

If you’re familiar with ISO certification, the CIS Controls are similar. For example, with the ISO environmental certification, companies can be certified to show that they’re environmentally friendly. Similarly, there are ISO standards for cyber security, but those are usually on an international level. In the U.S., there is the National Institute of Standards and Technology (NIST), which provides the U.S. with standards and guidelines for cyber. The problem is, there are over 300 controls in the document that NIST produces for control mechanisms.

So, CIS came along and said: “Well, we’ve got 20 basic controls.” In May 2021, CIS released version 8 and reduced the number of controls to 18.

In addition, the CIS Controls provide pretty detailed descriptions on implementation and they also offer an assessment tool to help a business assess where they are with cybersecurity and find out what they need to fill in the gaps.

MF: If one of the controls is malware defense or data recovery, are you saying: “Here are the safeguards that you can put in place to meet the standards for malware defense? And here are some tools you can use to assess how you would stack up against malware defense.” Is that the right way to think about it?

AW: Yes, that’s exactly right. I’m going to list off some of the areas that cyber hygiene covers.

For example, for user account management, who gets a user account in the first place, how do you manage that? Who authorizes it? What are they authorized to access within the company’s systems? What do you do when they transfer out to another division if it’s a bigger company or they leave the company?

User account management is one of the big ones. It’s also called Identity and Access Management because it’s supposed to certify, identify who the user is, and then based on the role, that user has access to particular resources. There should probably be a wireless access and remote access policy that dictates who and how, or even if remote access into the company’s network is going to be allowed.

Cyber hygiene would also cover something like BYOD, that’s bring your own device. Whether it’s a smartphone, iPad, tablet, or laptop, if you’re going to connect a personal device and use it for business purposes, there are a lot of caveats that have to go with that, and managing the business data that is stored on the device.

For systems administration security, who is managing your systems? Whether it’s a third party contract or an internal employee, you want to make sure they’re on the up and up. You have to audit what they do to make sure they’re not trying to build some backdoor so that if they become a disgruntled employee and leave, the next day your systems go down because they put in a Trojan or something like that.

Software updates and patch management. This is the operating system. Usually Windows has automated patches, they call it Patch Tuesday, it’s usually the first Tuesday of the month. Other software and applications issue patches that are on sort of a routine basis. You want to make sure that you’ve automated as much as you can for security patches, but there are certain updates you don’t want to have automatically load because they may cause glitches in your system. You want to test them first and then have them dispersed to the company machines.

And third party access. We talked a little bit about who comes into your backdoor. You have suppliers and vendors. You also might have distributors on the other end of your process that are not part of your company, but that you interface with. You want to have policies that dictate who and how those interactions take place.

The last one would be protecting confidential or sensitive information. Probably every business has confidential information that needs to be protected, whether it’s the employee’s records or customer information, and there’s things like encryption and other tools that can be used to help do that.

MF: Where would you recommend that small businesses begin?

AW: Management needs to step up and say: “Hey, we’re going to take cybersecurity seriously.” And come up with a cybersecurity strategy statement that says: “Over the next three years or three to five years, we plan on becoming the most secure widget producer in the Northern American hemisphere.”

Strategy statements are intentionally sort of vague. Within that strategy you build a cybersecurity program that contains the policies and procedures that will drive what can and can’t be done.

Once that’s set, the actual implementation sequence can vary. It depends on what might be a high priority. Doing the assessment will tell you where you have gaps that need to be filled. What I would do is then prioritize those gaps: Which is the one that’s most critical or would do the most damage to the organization if something happened – and fix that. It’s basically damage control from the worst to the least.

MF: With small businesses, we’re talking about limited budgets. What do you think are some of the more cost-effective cybersecurity measures that these folks can put in place?

AW: One other area that I didn’t really mention is that for training employees, it is not just about following policies and procedures, but how can they recognize when there might be a potential cyber attack occurring? What’s going on with their computer, what’s going on with files, how to recognize an attack?

There are several forms of social engineering. Phishing emails try and trap you into providing information or clicking on a link that you shouldn’t click on, and the link downloads malware. “See something, say something” is what it boils down to. And even if it’s not something that’s really bad, at least they’re trying and hopefully, depending on who they’re reporting it to, someone will follow up with them and say, “Thanks for that report. Turns out that it was an off-cycle update of some software that we forgot to notify the employees that we were going to do. So, it glitched a system or something.”

Or the alternative, “Thanks for letting us know, that same attack has been occurring across the country in different businesses and we stopped it in time. Kudos. The CEO is going to give you an award of some sort for saving the company.” Actually, that brings up incentives. Some companies incentivize employees to make reports. If it turns out to be a report that leads to a definite attack that can be thwarted, then potentially there’s an incentive reward for that.

MF: In the past we’ve interviewed folks who have done physical penetration testing and their assessment is like, “Yes, you should have antivirus and yes, have your firewall set up and malware protection. But if you aren’t training the person who is running the reception desk to not let me into the building, it doesn’t matter what you do. As soon as I get physical access to that machine, it’s game over.”

AW: Right.

MF: So it’s fascinating to hear you double down on that same message that there are some inexpensive things you can do that will significantly up your cybersecurity game.

AW: Social engineering is probably one of the main mechanisms for cyber criminals to get a foothold in a company. And it’s been around for eons. Maybe you’ve heard of dumpster diving? Cyber crooks will go into the trash cans of big corporations looking for bits and pieces of information. They go into personal trash cans too, to look for your bank records, gas and electric, telephone, utility bills, trying to get information about you and your accounts.

They put a profile together of their victim so that when they go and talk to that person, they can talk intelligently about, “Oh, I’m calling from the gas company and your account that ends in the last four digits,” which are the last four digits of their account. Because guess what? They went in their trash and they found a statement.

Another physical attack method is piggybacking. If you’re in a building that has card key access or restricted access and you’re an employee walking in, there may be someone waiting by the door with their arms full of papers and a briefcase or whatever. They say: “Oh, I can’t get to my card key right now, can you just let me in?” Of course, most people say, “Oh sure, I’ll let you in.”

We have people that steal utility uniforms or other uniforms for service companies and they’ll put the uniform on, they’ll make a fake ID badge, and they’ll go into the company and say: “We got a service call to check on X, Y, Z.” It could be air conditioning, it could be computer related – almost any maintenance task. And their whole thing is to get them inside the locked doors so they can find the computer room and get the stuff.

MF: For small business owners or for people who work for a small business, do you have any advice or words of encouragement when it comes to creating a robust cybersecurity program?

AW: You don’t have to buy my book, but you should probably get some sort of resource that talks about how to set up basic cybersecurity measures. Because it truly is a matter of “when and not if” every business will be attacked.

The book that I have is in basic business terms, so of course I would recommend it. It has templates that come with it, such as for setting policies and for doing a strategy.

A common question that businesses ask is “how long does it take?” It depends on how complex of a program you want to implement. I would say a minimum of six to eight months and a maximum of a year to really get into and through everything. Because some of it you don’t want to rush, and even for policy-related things, you need to have sufficient time to get them incorporated and assimilated into the business culture.

MF: If folks want to learn more about you, your new book, or CIS Controls, where should they go?

AW: I have a LinkedIn profile. You can get my book at cisodrg.com or on Amazon. And go to CIS to get information on the CIS Controls.
