We’ve all heard of the high-profile cybersecurity breaches that make the headlines. But what about the cyber attacks that happen to small businesses? Should you be concerned as a small business leader, or are cyber attacks exclusively a “big company” issue? Do you have to spend a lot of money to protect your business? Is this just a risk you have to accept?
Marcin Kleczynski, CEO of Malwarebytes, spoke about all of these topics and more at Elevate 2021, a virtual event that brought together powerful changemakers to elevate the way we work. An expert in the cybersecurity space, he has been helping small businesses prevent breaches and attacks for over a decade.
Marcin was interviewed by Jim Lippie, CEO of SaaS Alerts. A fellow provider of cybersecurity software, Jim also has experience as a Managed Service Provider (MSP) for businesses in need of cyber protection. Together, they set out to demystify cybersecurity for small businesses.
The Evolution of Cybersecurity Breaches
Marcin traces the mission behind Malwarebytes back to his own early experiences on the internet, and says the level of risk faced by small businesses has evolved significantly in this relatively short time frame.
“Let’s go back to 2003. I’m a pretty young guy at the time, we have a shared family computer, and all of a sudden I get it infected. This was back when threats were primitive, we’re not talking about ransomware taking down hospitals, we’re talking about a purple gorilla jumping around my screen trying to sell me advertising.”
Despite paying for antivirus software at the time, Marcin’s computer was rendered unusable. He turned to Google, and found a forum of volunteers who helped him bring his machine back to health through a series of scripts and reboots. “I realized how ridiculous it was to be paying for a piece of software that couldn’t remove the problem, or even prevent it in the first place.”
In 2008, he launched Malwarebytes, and it quickly took off. “We were there to clean up after the traditional antivirus failed,” he says. At the time, the company’s vision was for a world without malware. Since then, they have broadened this mission to encompass the increasing sophistication of today’s cyber attacks and breaches.
“Now, it’s not just malware that’s affecting people and businesses. The vision for Malwarebytes today is ‘cyber protection for everyone’. The idea of democratizing access to security, and making it effective, intuitive, and inclusive is really how we’ve transitioned. And it’s frankly because the world has gotten more dangerous and the techniques that these criminals use have evolved.”
What is the Impact of Cybersecurity Breaches on Small Businesses?
The impacts of modern cyber attacks are far more severe than in the early days of the internet, and not just for high-profile targets. “Now, we have real-world attacks. We have people dying as a result of a ransomware attack on a hospital, we have pipelines being shut down for days. These are the attacks that end up in the media because they are impactful on the world. At the same time, attacks are happening every day to SMBs that go completely unnoticed,” says Marcin.
“These small businesses have less support, knowledge, and access to people who can help with the situation. Let’s take an example of a gardener that employs 5-10 people. They get hit by ransomware. They have no backups, they have no security solution, maybe they’re using a local version of an invoicing system, and now their entire business is offline. We’re talking about a major business impact. It’s not going to make national news that this gardener was offline for a week or two, but their livelihood could be destroyed.”
How Much Should Small Businesses Budget to Avoid Cybersecurity Breaches?
As it’s difficult to determine a one-size-fits-all formula for cybersecurity budgets, Marcin encourages SMBs to reach out to their managed service providers for advice.
“Nobody cares about insurance until they absolutely need it. Especially if you’re a small business trying to get off the ground and turn a profit. I do think MSPs and MSSPs are some of the unsung heroes here, and I do think that the onus is on the MSP or MSSP to take their customers on a journey around what could happen and how to prevent it. The best MSPs educate their end users as to why they’re spending the dollars they are, because the alternative is potential complete business destruction. It’s tough to say but it’s a reality.”
For SMBs not yet using an MSP, Marcin urges them to consider the efficiencies that come with the upfront cost.
“Frankly, I feel an SMB that’s looking to buy all of the solutions they may need, negotiate the contracts with vendors, and pay for an IT or security practitioner to implement those solutions, would actually spend more money than if they contracted out to an MSP. A good service provider has great deals on all this technology, has a unified stack, and knows how to manage it.”
What Are the Biggest Cybersecurity Challenges for SMBs?
The potential for human error has always been, and likely always will be, the greatest risk factor in cybersecurity for small businesses, says Marcin.
“Malwarebytes has 1,000 employees. On March 13 last year, all 1,000 employees went home. Some were working on their home devices that they share with their kids. We had to very quickly mobilize a ton of hardware. The perimeter was gone, no more firewall, people weren’t on VPN, the user became – well, continued to be – the weakest link in the chain.”
“Malwarebytes is a security-heavy company, we have people that have worked in the industry for 25-30 years. But, we also have people who have never worked a day in a security company, people who have just joined us. The risk is real and we have to educate those users. If people aren’t asking the right questions and are just clicking various links and installing various software, that is the biggest challenge.”
“It’s about educating your users and then putting in the failsafes should they click on something noteworthy. I always say, I could make the best security software in the world, but then nothing will ever run on your device. It will be so locked down that you can’t even log in. There has to be a balance to that.”
“Security that’s difficult to use or that creates friction for a user in the course of doing their job will ultimately result in an attempt to bypass it. Don’t make your own user an enemy by implementing security software that doesn’t work well or that brings up more alerts than necessary.”
No Business is Too Small to Fall Victim to a Cybersecurity Breach
What does Marcin say to small business owners who believe they are too small or insignificant to attract the interest of cyber attackers?
“It’s simply not true. While you may not be a target for people who try to physically break into your network, there are plenty of cyber criminal gangs out there that prey on mass attacks. They basically cast a wide net, see who they catch, and move from there. They blast out emails, one of your users clicks one of those emails, and now they have ransomed your entire network. You’ll hear from them very shortly for a nominal fee. Certainly not millions of dollars, which they know you can’t afford, but $1,000, $2,000, or $10,000. We’ve seen this time and time again.”
“I’m not here to fearmonger. Ultimately, this is preventable with the right user training. But don’t think you’re immune because you’re a startup. We’ve seen supply chain attacks that ultimately serve small customers, so if they’re not attacking you directly, they’re attacking you indirectly on top of that.”
Cybersecurity Breaches for Small Business are Preventable
“Reflecting on many of the cyber attacks that have happened over the last few years, many of them were preventable,” says Marcin. But small businesses need to be realistic about their level of risk. “These events aren’t going to stop. Over the next few weeks, I’m sure there will be yet another one in the news. I think it’s important to note that it’s not hopeless…becoming intimate with these technologies, picking the winners, and deploying them across your user base is super critical.”
To learn more about protecting and growing your business in today’s distributed environment, check out the speaker sessions from Elevate, now available to watch on demand.