Beyond the Firewall. Powered by HUB Tech

Small Business, Big Risks: Cybersecurity Best Practices That Actually Work

HUB Tech


A lot of small businesses still assume hackers only chase big brands. The truth we see every day is simpler and scarier: attackers use automation and AI to hunt for the easiest door, and SMBs often have the fewest locks.

We sit down with Mark Hammer (Director of Partner Enablement and Evangelism at Acronis) to unpack what “cybersecurity for small businesses” really looks like when budgets, time, and staffing are limited. We dig into the threats hitting companies right now, from ransomware and business email compromise to browser-based credential harvesting, plus the growing wave of smishing and vishing scams that start on your phone. Just as important, we talk about why security fails in practice even when the right controls exist on paper.

From there, we get concrete: why identity protection and multi-factor authentication (MFA) must be enforced across every user, how to build layered defense with EDR and XDR, and why backups only matter if you test recovery on a schedule. We also explain how cyber insurance changes both your required security controls and your first moves during an incident, including a critical tip many people get wrong when ransomware hits.

We wrap with what we’d do first if we ran an SMB today, and how to treat security as a living operational discipline, not a one-time project. If this was helpful, subscribe, share it with a business owner, and leave a review so more SMB leaders can find it. What’s the one control you want to tighten up first: MFA, backups, or endpoint monitoring?

---

For more information about Acronis, please visit https://www.acronis.com/en/

The Beyond the Firewall podcast features discussions with technology leaders and practitioners who provide valuable insights into today’s IT and business challenges. 

Follow the podcast to stay updated on new episodes, and watch full episodes and video highlights on YouTube. 

To learn more about HUB Tech and the services that support IT modernization, visit the HUB Tech website at https://hubtech.com/.

Announcement

It's really driving the future of IT. Our leaders stay secure, efficient, and innovation. Welcome to the Beyond the Firewall Podcast. Powered by HubTech, where we go past the headlines to talk with technology leaders, industry experts, and IT practitioners shaping how we work, live, and live. Let's get into today's episode.

Adam Shaffer - Host

Hello, I'm Adam Shaffer, and welcome to Beyond the Firewall, powered by HubTech. Today, we're diving into a topic that impacts millions of organizations, but doesn't always get the attention it deserves. Cybersecurity for small businesses. There's a common misconception that cyber criminals only target large enterprises. The reality is, small and mid-sized businesses are often the most vulnerable and increasingly the most targeted with the challenge. How do you protect your business, your data, and your customers without the resources of a large enterprise IT team? Joining me today are two great guests who work on this challenge every day. Mark Hammer, Director of Partner Enablement and Evangelism at Acronis. Mark brings over 20 years of experience in leadership, training, and strategic business planning, and has helped transform how organizations approach cybersecurity and cyber protection. Chris Daggett, director of managed services and security at HubTech, who works directly with small and mid-sized organizations to secure their environments, manage risk, and turn cybersecurity into business advantage. Together, we're going to break down practical real-world strategies that small businesses can use today to strengthen their cybersecurity posture without overcomplicating things or overspending. Let's get started.

A Ransomware Hit That Closed Doors

Adam Shaffer - Host

Well, hello guys. Good to see you. Thanks for joining me today. Hello, thanks for having me. So, Mark, I've seen you on the circuit. You've been around for a while. I don't know if I did you justice. Uh, everybody knows Chris by now, but tell us a little bit more about yourself and how you got into this crazy world of cybersecurity.

Mark Hammer

Sure. So um obviously I'm presently uh with Acronis, love it, been here for almost coming up on nine years. Uh, but prior to that, I was an MSP. I owned a small business. Uh, and I did that for 13 years. And uh the impetus of me exiting the business was we were hit by a cyber attack. We, as the MSP, our data center, our co-location, we got hit by uh the server three variant of uh of ransomware. And it didn't put us out of business immediately, but six months after we were hit, we were we were closing, closing the doors and shutting down the shop.

Adam Shaffer - Host

So wait a second. You were you were you were a cybersecurity MSP and you got hit by cybersecurity attack?

Mark Hammer

Yes.

Adam Shaffer - Host

Oh my god. Okay, that's an awesome story. I would tell it at the ball.

Mark Hammer

So I can talk about it now, you know. You know, statutes of limitation. No, I'm kidding. Uh, it was pretty emotional because I identified myself as an expert, as a technical person, as the smartest guy in the room, as the person you would go to to solve your problems, and we were hit. We got uh absolutely ran, you know, what ransacked. Uh 51 servers got encrypted. We had to rebuild our co-location from scratch, you know, Saturday night, 10 p.m. I'm down at the data center, uh, you know, doing all that fun stuff. And so my background is as a small business owner, as an MSP in particular. Uh, and uh, and then I've migrated over into Acronis, which obviously is strong in cyber protection and cybersecurity. Uh, we want to help, you know, protect, manage, and automate all of your IT and small business workloads. Uh, and I'm happy to help have conversations about things I've learned. Some of them have been hard lessons. Uh, you know, had my teeth knocked out. That's that's the hardest way to learn. Uh, but those are lessons you don't forget, and I'm happy to share.

Adam Shaffer - Host

Yeah, well, um, I mean, uh Acronis is um uh is in good shape having you on their team. So I'm glad you're here and thanks for joining us. Chris, everybody knows you, but maybe just a quick uh intro on you, but I I haven't um asked you that much lately. So um tell us about the real Chris Daggett.

Chris Daggett

So I've been in uh I've been in IT for almost 30 years now. Uh spent quite a bit of time in the enterprise space, held various roles from solution architect to technology risk manager. Um a lot of those experiences uh in the past have enabled me to kind of uh put everything together and uh contribute to the current role that I have at HubTech. And you know, we're continuing to grow our managed services program out um, you know, year after year. But it's it's been a lot of fun. I really enjoy helping customers um, you know, be successful and uh help them with their business outcomes.

Adam Shaffer - Host

That's great. Well, you guys are impressive. Let's get into the fun stuff. And

Why Small Businesses Get Targeted

Adam Shaffer - Host

Mark, I'm gonna start with you, and you know, I'm gonna hit you guys with some questions, but let's turn them into awesome conversations. So just Mark, with the big picture, why are small businesses such a prime target for cyber cybersecurity attacks today or cyber attacks?

Mark Hammer

Yeah, so uh I would say it's it's kind of a multi-threaded conversation. I don't think it's just one thing. Obviously, we have the advent of modern AI, which makes the automation and the speed at which these attacks can happen and who has access to them. It's just, you know, it's it's kind of silly of how easy it is to go out on the internet and and and find uh a ransomware as a service. Uh and so, you know, just the availability of the bad guys is has increased. And then you have uh, you know, just this sense like you highlighted in when you uh you know led the show in, there's a lot of small businesses, and I talk to these people on a regular basis, they don't think that they're going to be targeted. They're, you know, I'm only doing six million dollars a year in revenue. I'm not gonna be targeted, I'm not a school district, I'm not a you know, a large enterprise, I'm not even a medium-sized manufacturing firm, I'm too small to be hit. And so there's a little bit of uh, I'm gonna say a little bit, there's a lot of ignorance uh and a lot of hope and a lot of faith out there that you know we're just gonna be fine. Uh the other thing that I see is uh talking to business owners, particularly on the in the C-suite CFOs and CEOs, they think, well, I'm spending money. I have either internal IT or I'm paying a managed service provider, or you know, we have cyber insurance, I've been audited. And because I'm spending the money and I have the people or I have the relationships and the service contracts, they think it's, you know, uh everything's safe, everything's good. They're spending the money. Uh, and the reality is, is that's only part of the challenge. You need to make sure that you're having constant communications and you're planning for these things. And when stuff happens, what are you doing? Are you remediating? Are you planning? Are you overcoming? You know, we have this concept of layered defense and incident response plans. 
And this isn't something that you just do once. It's not a service that you pay for and you check a green box and you're good. Uh, it is a living, breathing uh document and process. And whether you have internal IT or you're working with a managed service provider, have some kind of a hybrid approach, uh, these are things that you need to have, you know, at least quarterly conversations at the executive level uh and plan things out and discuss what's happening and have real conversations because nobody is 100% safe, nobody is a hundred percent secure. There's always little things. Human beings are the biggest problem in this equation. We don't always maliciously make errors or make the life more difficult, but sometimes we delete files or we accidentally unplug servers or you know, we put a backhoe through a fiber optic cable. Uh, these are all things that could be called cyber attacks. It isn't just ransomware, it isn't just phishing emails. It's a real it's a it's a real conversation to have at a business level. It isn't just technically.

Adam Shaffer - Host

I was I was actually gonna ask that, but um but but basically what you're saying is that small businesses A, we're too small, who wants to attack us? What what would they want from us? And and then it's I don't really want to spend a lot of money on this thing. Like you know, like I can I can't uh I can't afford all this extra protection. I'm not some monster enterprise and I don't want to hire people, I don't want to do this. So so I think I I kind of get it, they're an easy target, but but you know, Chris, like what are the attacks that you're seeing? Because I

The Attacks SMBs Face Today

Adam Shaffer - Host

don't think it's just ransomware. I think it's some of the things Mark just brought up.

Chris Daggett

Yeah, I mean, you see a lot of, you know, whether it's ransomware, business email compromise, you know, things of that nature, you know, uh there are some easy entry points. Um, and they will prey on the you know on the weak or the the uneducated, right? You know, there are some certain best practices that you know small businesses can implement and you know really lessen the um you know the blast radius. So um, you know, it's whether it's you know the malware, the ransomware, um, you know, that that's that's the big thing. And you know, the the web browser attacks are getting really popular right now. You know, um, you know, people are taking over your web browser and you know, gathering uh credentials, doing some credential harvesting. You know, we're seeing quite a bit of that these days. So in addition to you know, the the spam emails and the phishing and and things like that, you know, it's it's really, you know, they're just with the introduction of AI, they're they're able to, you know, spread this, cast this wide net. And you know, it they're not really necessarily, you know, focused on the size of the business at that point. You know, they're just looking for easy entry points.

Adam Shaffer - Host

Yeah. So Chris, so so Chris, where where are most small businesses falling short then when it comes to cybersecurity?

Chris Daggett

So it it what it is, the challenge is isn't intent, it's it's execution. So, you know, controls often exist and you know, but aren't enforced consistently. So they're not monitored, um, they're not validated regularly, and without operational ownership, you know, security stays theoretical. So, you know, if you think about it, right? An SMB may have multi-factor authentication, but only for the admins. And you know, if you don't have that for every single user and not for every app, on paper it sounds great. Um, but in practice, you know, one unprotected account can really um you know become that entry point. That's gonna, you know, become a major problem.

Adam Shaffer - Host

So so what they'll they'll protect everything, but they won't, they they might not protect one of their PCs or one of their servers.

Chris Daggett

Right, right. So uh, you know, with the multi-factor authentication in particular, um, I you know protecting your your administrative group um is is important, obviously. You know, you want to protect those accounts that have the elevated rights. Um however, if they compromise a somebody that does not have elevated rights, they're still able to get into emails and and things of that nature and navigate around and kind of do some recon without you know alerting anything. You know, it'll be you know normal user activity at that point.

Adam Shaffer - Host

That's interesting. You know, I used to sneak into this before all this crazy stuff, like back in the day. I used to sneak in this guy's office I didn't like, and he had his computer on and never was off, and I would send emails to the CEO from them that were nasty, and then I'd run out of the room and their CEO was like, What the heck? So, anyway, I was I was I was a bad child, but um I've I've matured as you can tell. Um, but but that's um interesting stuff. So staying with the SMBs and not my um lunacy.

What Criminals Want Beyond Ransom

Adam Shaffer - Host

Um when when somebody hacks an SMB, what are they trying to take? Are they trying to ransomware them or are they trying to just take their data? Like, what is it? Just it's out to both you guys. I don't care.

Mark Hammer

So what what I'm saying, it's it's kind of twofold. Uh is there is a ransomware component. If they can get uh $600 worth of bitcoins, they'll take it. Uh, but oftentimes what they're also trying to do is they'll then it'll like multi-tiered ransomware, well, they'll hold the information hostage and say, if you don't pay it, or if you don't pay again, I'm gonna make it public. Uh, or if you don't pay it again, I have access to your book of accounts. I'm gonna contact them and tell them that you that their data was, you know, reputational attacks, basically, is what we're talking about here. Uh, and like you said, they it's they don't scrutinize anymore. It's just they spray and pray and they'll go after little scripts and they'll scan you know the internet trying to find open ports or email uh lists and they'll just randomly send out text messages. There's a lot of different entry vectors, most of them human being related. Uh, and they they want to get in and and yes, the main goal is is the ransom. That's how they get paid, that's how they make their money. However, if they can't get paid, they can still do destruction and and make your life miserable and damage your reputation.

Adam Shaffer - Host

But they can get in through your phone.

Mark Hammer

Yeah, you know these these text messages that you're getting that you know, like I live in the state of Arizona, and there's a pretty big phishing campaign going on right now where people are falsifying voter registration or falsifying a ticket from the local sheriffs or uh PD police department, and there's a link there. You just tap on this and enter your this or the United States Postal Service. We couldn't deliver your package. Could you please update your information? It's a way to get your name, address, phone number, email, sometimes social security and other sensitive information, and it can just escalate from there depending on what kind of uh you know rootkit they have on the websites, or you know, click down the attachment to run this installer. It's it's nasty, it's not very fun.

Chris Daggett

And in Massachusetts, we're actively dealing with um, you know, one of those campaigns around E-ZPass. So that's you know, your highway payment system. And I get texts all the time, and I'm not the only one. Um, but you know, in those in those situations, right? Similar to a phishing campaign that comes in through your email, always validate, you know, go online and research, you know, is there a phishing campaign around this text? You know, they they call it vishing, actually, with a V. And you know, you will find information out there to to validate whether it's a you know a good text or not.

Adam Shaffer - Host

You know, what is the what does the vishing mean? What's the V?

Chris Daggett

Uh well it's actually so there's vishing, smishing, so SMS, there's phishing, uh, for email. Um, so the the vishing actually I misspoke. The vishing is for voice. So that would be uh fraud coming in through your phone. Um but the SMS, the smishing is is coming in through your text.

Mark Hammer

Um my favorite vishing is when they call me and tell me I have a Windows virus and I'm on a MacBook Pro. That's fun. Right.

Chris Daggett

You know, there was a movie out called uh The Beekeeper uh that came out recently with Jason Statham. And um, you know, the premise of it was you know, there was a lady that um you know had a nonprofit she was the head of and she fell victim to a phishing scam.

Adam Shaffer - Host

Okay, and they took her money, and I think I saw that.

Chris Daggett

But these these folks are happening. You know, people are getting creative, and you know, they're gonna prey on the people that aren't necessarily educated. You know, it's you know, I'm 52 years old right now, so I kind of have gone through all the different iterations of technology uh in my lifetime, but you know, with the uh the older generation that's out there, they really aren't educated or brought up to speed on the do's and don'ts. You know, they're a very vulnerable group, and you know, they don't have that experience to to second guess or question what's happening, you know, they're just gonna react.

Adam Shaffer - Host

Yeah, my my wife isn't that old, and I could tell her a thousand times, don't click that thing, and she still clicks it. So I I don't know what it is. I hope she doesn't watch this. So now uh going back to SMBs. You

The True Cost Is Reputation

Adam Shaffer - Host

know, so what's the actual impact? I mean, I'm a small business. Let the let let the people know like what's gonna happen to their business if they if they have an attack? Like, like do they get shut down? It sounds like your story, Mark.

Mark Hammer

So I I can add a little bit of color to that. Uh, and so a lot of people tend to focus on the technical or the financial damage that that can happen. And don't get me wrong, there are real financial costs, and it's very possible that you might have to rebuild a server or you know, reconfigure your mailbox or your identity management system or something of that nature. Or if you've got a firewall, change the ports. I mean, that was one of my problems that I had is I had the default RDP port open on one of my servers, and that's how they got in. Uh, and so you know, there's lessons learned and technical things that need to be adjusted. But the real damage at my business was the reputation. And not just reputation with my customers and with my vendors, but with my employees. You know, if you think about it, I'm a small business. I think I had 12 or 13 employees at the time. Uh, and they, these employees start thinking to themselves, is this a safe place to work? Do I have long-term success here? Is my future bright or is it somewhat dimmed because of what just happened? Uh, and you know, nobody wants to have to send out that email to your customer saying, your data may have been compromised. We're investigating and we'll let you know. And oh, by the way, here's a coupon for a free year's worth of credit monitoring just in case. Uh, you know, you lose, you do lose customers because of that. Uh, and so the reputation damage is is where I would say where it really hurts. And the latest reporting that I've seen, I think the report was from 2024. I haven't seen anything from 2025 yet, is when you get hit by ransomware, yes, there's a certain percentage of people that do go out of business immediately. I think it's like, you know, 15% or something like that, which is still pretty high. But if you fast forward six months later, it's double that. 
It's more like 30 or 40 percent of the businesses that get hit by ransomware, they're done, they're out because they couldn't survive the reputational hit, uh, whether that's because of supply chain issues or with their employees, or just people get so frustrated, they throw their hands in the air and they said, I don't want to do this anymore.

Adam Shaffer - Host

So the the so the the worst case is you're gonna go out of business. And that's that and they have to understand that I don't care how big you are, how small you are, you can that to me that's pretty pretty bad. So let's talk about another thing.

Remote Work And BYOD Raise Risk

Adam Shaffer - Host

So, you know, obviously during COVID, the world changed. A lot of people went to remote. We haven't come off 100% remote. Like we're still plenty of us are remote. Maybe all of us today are remote. So how has that changed the whole landscape of all these employees working all over the place? Has that made it much more complicated? I imagine so.

Chris Daggett

Yeah, I mean, I I we're we need to protect our identities more than ever. You know, if you think about it, the edge or you know, traditionally a firewall on a on a network would be your your perimeter, right? Um that perimeter has essentially moved outward. And you know, now we have to protect, you know, all of these different uh cloud applications, you know, and how our identities tie into that. Um so you know, the game has changed. You know, you you hear about the term of zero trust networking. Um, you know, that's a big, big thing uh nowadays. And if you're not protecting your identity, you know, that's gonna be problematic. You know, people will access your data. You know, it's not a matter of uh when, I mean, it's not a matter of if it's a matter of when, right? Um, you know, we really, you know, when your identity fails, uh, your identity protection strategy fails, everything downstream from from that is gonna be wide open.

Mark Hammer

Yeah, to build off what Chris said, you know, we talk about in cybersecurity world, we talk about attack surfaces. And and so if you were behind a firewall, that's a single attack surface, that's a single point. You can guard that with, you know, physical security, hardware, software. Well, COVID, as you said, is it expanded it. You just extended the surface and it gave a new surface for all these attackers for every single person that is now outside of your network that needs to go back inside your network from outside. And so you have to have the the humans have to be trained, the hardware has to be patched and firmware updated, the software has to be patched and updated. You just you it is more complicated and more difficult just because the attack surface is not getting smaller, it got bigger. And yes, even if you have all these things in place, you you still need to have the layered defense and things like backup, because it's not a matter of if it's when it's gonna happen something eventually.

Adam Shaffer - Host

So it got more complicated with people um being remote. Are are people the biggest vulnerability? Is it the employees?

Chris Daggett

Yes, absolutely, yeah. And not to mention, Adam, you know, many companies like the larger companies, they have uh standards for devices and things like that, right? Sure. Um nowadays, especially in the SMB space, you're dealing with BYOD. So people are using their own personal devices, you know, who's who's to say if they're patched, you know, and and all the necessary security protocols are in place. Um, you know, they're they're connecting to your network from a local Starbucks, you know, or something like that. You know, that's an unsecure network. So, you know, do they have VPN enabled on on their device? Do they, you know, there are just there are so many things to consider um that really will minimize the risk of you you or your network being compromised.

Adam Shaffer - Host

So people. It's it's there were no employees, should be in the cybersecurity. No, that that's horrible. So m then then there's always like the myths about cybersecurity.

Backups Training And Incident Planning

Adam Shaffer - Host

So like for both both you guys, like what's like the biggest myth you hear about uh SMB cybersecurity that you just wish wouldn't come up anymore? Am I making it up?

Mark Hammer

One I would hear the most is it's too expensive. Like I can't afford it. And the reality is, is with the advent of managed services and and the democratization of cloud, there's a lot that you can do with a managed service provider that is reasonably priced, that is definitely cheaper than you going out of business, uh, for you to go out and spend. And it's it's easy, it's acceptable, and it's and your MSPs, they are the experts. They do this for a living, and there's a very good chance you have a good one local to your geography. You're not going to be dealing with somebody in a in a developing country or on another side of a different ocean. Uh, and so I still hear to this day when I talk to friends just outside of work that oh, I have a small business, but you know, we we don't have enough money to spend on cybersecurity. And I'm just like, I mean, really? How can you afford not to, is what I argue.

Chris Daggett

Right. It should be a common practice at this point to have the appropriate budget in place for cybersecurity. It's not a one and done thing, it's a constant evolution. And you continually have to test, validate, report um, on your security controls uh to ensure that they all work. You know, a a big, a big um, you know, myth that I wish would go away would be, you know, having backups means uh you're prepared for a cyber incident, you know, which is you know, great, you you think you have a backup, but you know, are you backing up the right systems? And you know, what are the what's the priority, right? Um, in addition to that, do you test your backups and validate that you know you can recover the data cleanly? And during that exercise, right, your incident response plan comes into play. You know, who's you know, the the the whole chaos of of this whole, you know, oh, I've been breached and I have ransomware, you know, scenario, you know, who's reaching out to legal, who's you know, who's doing all these different steps? Because there's a lot to it uh to really minimize the anxiety of the whole situation. But you know, having backups that you know will work uh in the event of an emergency is super important. They need to be tested, they need to be validated um quarterly if possible.

Adam Shaffer - Host

I'm a little biased towards MSPs, the managed service providers, but um, does the managed service provider make sure that you're backing up and making sure that all this is happening? So that's on them.

Mark Hammer

The good ones do, uh, but you should be asking them when was the last time you tested my you know ABC server, whatever the high priority is, and do we know how long it takes? Uh and like, you know, because data should be encrypted. Do we have the right decryption key to make sure that we can get this back up? Do we have an appropriate standby server, whether that's in the cloud or locally or a spare hard drive or whatever? You know, every business has different needs, but as part of your incident response plan, this is all documented. And this is all, you know, there should be a table in there. Okay, we did the Q1 2026 test. Here's the results, here's what we learned, here's what we need to change or budget for or plan for next quarter or the second half of the year to make sure that we're uh adjusting or we're we're growing. You know, this plan was created two years ago. We've added four employees and have a now a satellite office. How is that modified it? It like you know, Chris said, it's not a one and done set and forget. It's a living, breathing document. It needs to be at minimum at a business level quarterly uh reviewed. And are we still up to speed? And your insurance company may have some questions about this as well that you need to be aware of.

Cyber Insurance Sets The Rules

Adam Shaffer - Host

Well, and I was gonna ask about cyber cyber insurance has become a requirement when you're working with you know vendor-to-vendor, uh, many of them are requiring it these days. And so whether you're an insurance company or an accounting company, but just even marketing companies as you're passing data, you you gotta have it. And so does having the cyber security platform or MSP help you with getting insurance or lower your rates? Like, is it like when you have an alarm in your house, just you get a lower rate?

Mark Hammer

Yeah. So in order to attain cyber insurance, we used to call this errors and omissions, and then over the years has kind of morphed into this separate category for cyber insurance. Your company that provides the insurance or underwrites you is gonna send you a form, like a survey. Do you have you know controls in place, whether that's training your employees, your backups, your do you have EDR, NDR, XDR? I'm not gonna go over the alphabet soup that you need to have, but it's an actual well-documented process. It's fairly industry standard, regardless of where you are in the United States, anyway. Uh, and if you don't have uh all these check boxes, your rates will either go up, your premiums will be higher, or you might be denied coverage. And so table stakes these days is you have to have security awareness training, you have to have email security, you have to have backup, you have to have uh, you know, EDR and XDR, which are you know more advanced uh antivirus that kind of corbate and and talk with each other and help each other out and help prevent further damage if somebody does get through. Multi-factor authentication, like Chris mentioned earlier, that used to be a nice to have. Now it's you can't even get a policy if you don't have that stuff. Uh and it's also not just you, it's for your vendors and your supply chain. Because oftentimes when you see the news, that's where the problems are coming from. It's not from inside your four walls, it's some other app or some other vendor or some other supply chain person is where the attack or the the challenge came from.

EDR XDR And Layered Defense

Adam Shaffer - Host

And and you talked about the you know, we talk about the endpoints a lot and how that's like uh almost where you catch a lot of these viruses or these issues because there's people using computers all over the place. So so Chris, what's like what's what what's the right approach to endpoint security?

Chris Daggett

I mean, you absolutely need to have in uh on the endpoint a good EDR product that will, you know, with responsiveness built into it, meaning, you know, it's tied to a SOC or it's gonna, you know, AI and machine learning are integrated within the platform, it's gonna actually, you know, self-repair, you know, whatever the case may be. Um what is EDR? You need to have a reputable product as well. You know, what's EDR mean?

Adam Shaffer - Host

What's EDR mean? Sorry.

Chris Daggett

Endpoint detect and respond.

Adam Shaffer - Host

Okay. So it's like software that you buy.

Chris Daggett

Correct. So um a lot of the the better platforms or any modern platform these days is gonna have an EDR component built in. That's gonna leverage artificial intelligence and machine learning um to help identify um and respond to and potentially remediate whatever threats have been found on your machine. So typically, you know, you have folks that are out looking at you know social media, whatever the case may be, they're clicking on things, whatever, and they're downloading malware that they're not aware of. So these systems will actually, or these platforms will help you identify, okay, we found an infection, it's trying to do this, that, and the other. And it's either going to quarantine it, clean it, or roll it back to uh where you were previously.

Mark Hammer

Okay. And it's the more modern version of antivirus software. So back in the day, we all had, you know, McAfee, Norton, or whatever was installed by Dell, Lenovo, or HP. That was a signature database that tracked the name of the file, the size of the file, the name of the executable, and things of that nature. And that was a there was a database that listed all the names, all the file sizes. And if that file were to show up on your computer, your antivirus software could zap it, quarantine it, and you're good. That's how it used to work. But like Chris mentioned, we talked about machine learning or machine intelligence or artificial intelligence. Some people you might hear the word heuristics. Basically, it's behavior-based. Because names change, file names change, we can't necessarily still have signatures, that's still part of it. But we also look at behaviors and how is your machine behaving? How is this app interacting? Is it encrypting files? That's not a normal thing. We can stop the behavior without necessarily knowing the name of the file or the size of the download or different characteristics that would maybe fit inside of a database like it used to.

Chris Daggett

Yeah, so it's actually going to learn how the end user operates on a day-to-day basis and detect anomalies. Posture management. It's uh it's pretty interesting stuff. You know, it's it's amazing, you know, and you could have a fantastic uh EDR platform, but you know, as mentioned earlier, your security posture and strategy needs to be based on layers. You know, the more layers you have in place, um, so as far as the layers are concerned, right, you could have an attacker compromise a security control that you have in place. So it's it's the name of the game is having different layers in place. If one control is compromised, then another will potentially pick it up. So the more things that you put in front of a hacker, um, you know, the more difficult it's gonna be for them to get to. So for example, um many financial institutions will put you know up to 75 to 100 different layers in place to get to their core network.

Adam Shaffer - Host

Really?

Chris Daggett

Yeah. Yep.

Adam Shaffer - Host

And is a layer another piece of software, or is it part of the same software?

Chris Daggett

Yeah, it could be hardware, it could be software, could be, you know, that there's a lot of different ways to implement uh security controls. Some controls are predictive, some multi-factor authentication is kind of a combination of the two. So right. So the more difficult you make it for the hacker, you know, they're just gonna move on and go to the easy target.

Adam Shaffer - Host

Okay, so it it it gets it gets painful for the hacker so they'll go to somebody else. Yep. Okay, my door's locked. Um, it's got a steel door, it's got five locks.

Chris Daggett

I heard a dog barking. Yeah, yeah. Because what they're doing, Adam, is they're going out and they're knocking on everybody's door. So, you know, every company has, oh, you know, brute force attack attempt, or you know, they're trying everything that they can do in the book, you know, to kind of get in that front door. But if you lock the hallway doors, the bedroom doors, the bathroom door, you know, all that stuff, you know, they're they're not gonna get to your basement, you know, kind of deal.

Who Must Own The Risk

Adam Shaffer - Host

Um so so with SMBs, like you look at you look at the companies and you know, in every industry, who who's the person that you got to shake and wake up and say, hey, listen, man, if you don't do this, uh you're risking your business. Like, who is it the CEO or the president, the founder?

Chris Daggett

Yeah, you typically have to get in front of the a decision maker, you know, whether that's the owner or somebody in the executive leadership team. And you you really need to articulate, you know, that your security strategy is going to support your business outcomes. And it's gonna help you have less disruption and less risk in your environment from something happening, which all ties into business continuity. So it's kind of the base layer of okay, we're looking to achieve X, Y, and Z from a business outcome perspective. How do we insulate and protect from that being disrupted?

Mark Hammer

Yeah. When I when I was selling services, I would have most success talking to controllers or CFOs. So the finance guys. The finance guys, because they're the ones in charge of making sure there's enough money in the bank, whether it's for payroll or you know, taxes, things of that nature, uh, and explaining to them how their cash flow can be affected, how their operational expenses can be affected by not doing this. Because it's usually, you know, I I don't like selling with fear, uncertainty, and doubt. Right. But with this particular topic, you have to paint the picture of if you don't do this, this is what will happen. And what is your acceptable level of risk? Most of the time, the finance guys are the ones that are like, wait a minute, you're telling me that my email server can be down for a week if I and I don't have a backup. What will that do? And he or she can quickly quantify what that means to the business.

Adam Shaffer - Host

And also that's an important decision maker. I know I didn't think I always thought it was like the the owner, but they were scared. But it's the fine, it's the finance guy.

Mark Hammer

Uh don't get me wrong, because they almost take the owner the decision maker, but the finance, yeah. And oftentimes, and if it's an owner, I always ask the spouse if I can give you access to the spouse.

Adam Shaffer - Host

That's a good strategy. And and do you ever go? I mean, do you ever meet any of these guys and they they say these owners or these finance people, and they say, uh, we don't need this. We're too small. Is that true?

Mark Hammer

It's not as true as it used to be. I mean, 10 years ago, I would say that was the default answer, probably by 85% of the people. I would say it's switched to me more about 50-50 right now, at least of the people I talk to.

Adam Shaffer - Host

It's funny, it's like it's like these contractors. I don't want I don't I don't want to call them contractors, they're not IT contractors, they're like construction contractors, pool people. I I I don't they're blue-collar kind of businesses, and they don't they're out in the fields, like they're they're doing their work all day, and they don't understand that somebody could be hitting them up. And like, but they're the first people to say, oh, I can't afford that, I don't want to do that. But but they actually need it because they're never watching the they're never watching the store.

Chris Daggett

Yeah, yeah. I mean, what I find is in and I've seen this recently firsthand, you know, you have customers out, well clients out there, right, that have been in business for 50 years, and say the dad's running the business, and he's like, Oh, I've been running the business for 50 years without an issue. Why do I need to invest in all this security stuff now? I've been fine until now. And then, you know, sure enough, you know, a breach happens and they're like, What the heck? You know, um, but you know, as an MSP, we need to continue to educate and advocate for good cyber hygiene. So the conversations are happening, it's whether it gets through or not is is the other piece of it. And being able to, you know, as Mark had mentioned, you know, being able to quantify, you know, that um is super important. So getting in front of those finance people to influence, you know, those older school owners um is very important because they necessarily don't have a pulse on you know the technology trends that are happening day to day.

Adam Shaffer - Host

So

Three Controls That Cut Risk Fast

Adam Shaffer - Host

so if you had to tell a small business whether they're cheap, afraid to spend the money, don't think they need to spend the money, but it or they do want to spend the money. If you had to tell them if you could just do these three things, what would what would you tell them? These are the three most important things you got to do, whether you want to work with me or not.

Chris Daggett

First, first and foremost, MFA across the board. Without what's MFA? Multi-factor authentication. So that's gonna not only help you internally with you know your internal network, um, it's gonna help you with all of your cloud instances as well.

Adam Shaffer - Host

Um and MFA, just so I make sure people understand it, because that's uh and probably everybody doesn't. I'm the only one that doesn't. That's like when you go you put in your your your uh email address and it says we we just sent you a code. Oh yeah, yeah.

Chris Daggett

Yeah, it's a second it's a second challenge essentially to uh validate you are who you are. Okay. Um you know the next one is you know maintain protected tested backups. You know, that's a that's a no-brainer.

Adam Shaffer - Host

You know, in the how often?

Chris Daggett

How often? Uh typically, you know, it's I I recommend quarterly. Um, you know, a lot of platforms can do it without any disruption to your production. Um so it's not daily, it's quarterly.

Mark Hammer

So the testing is what he's saying.

Adam Shaffer - Host

Oh, okay, okay, okay, okay, got it.

Mark Hammer

Make your backups daily or weekly, depending upon the workload, but test it at least once a quarter to make sure that it's actually making sure it's getting okay.

Adam Shaffer - Host

Right.

Chris Daggett

Because you don't want to be in that position where you know you do have a problem and the backups are either corrupt or you're not backing up the right things, or you know, whatever the case may be, you know, oh geez, I forgot that finance database. Yeah, that's what you're file.

Adam Shaffer - Host

So it's MFA, it's backup, make sure the backup is is not corrupt. And what's the thing?

Chris Daggett

And then uh, you know, monitored endpoint protection um that has a response capability. So we had talked about you know EDR earlier, you know, that that's super important. Um, but you also, you know, the newer flavors of uh EDR are coupled with a technology called XDR, and you know, that's gonna help all of your cloud instances and things like that. So that's where the industry is moving right now.

Adam Shaffer - Host

What does X mean? Extension.

Mark Hammer

Basically it means it integrates more technology. It isn't just antivirus, I can take a look at my identity management. So mentioned earlier how I can monitor a user's behavior. Uh, we can say, so if Mark is logging in at seven o'clock in the morning and he's online for eight hours and he typically accesses 100 megabytes worth of data, I can create like a uh it's called posture management. It knows what my normal posture is. And so if all of a sudden Mark logs in at two o'clock in the morning and starts exporting two gigabytes of data, red flag, stop that user, shut the account down, reset, force a password reset, and you might be able to save some future damage. This is a simple example of what XDR could do.

Chris Daggett

Yeah, I mean, if you think about it, right? This is, you know, think about when you buy a car, right? Would you buy a car without a seatbelt, without airbags, and without brakes? You know, those are those are you know, those three things are gonna reduce, you know, it's not gonna eliminate the risk, but it's gonna reduce the risk and protect you, you know, to a to a good point. Um you know, it's nobody would be driving down the road without those three things. So, you know, any business owner really should be focusing on those basics.

Adam Shaffer - Host

And so those are the top three. What's the biggest quick win? MFA. MFA. Okay, so that's at the top of the list. Yep. That'll prevent a lot. I I still don't get like I still I still don't get like so it it it texts your phone, but what if the bad guys got your phone or something? I don't know. My kids always take my phone, so they're always doing Roblox and stuff like that.

Mark Hammer

Yeah, but your kids probably aren't trying to log into your corporate email account uh at the same time as they're what they want to play a game or buy something on Amazon.

Adam Shaffer - Host

Yeah, no, that's true. Absolutely true.

Chris Daggett

But others may argue that you know the backups are the most important. You know, it's it comes down to um, you know, they're all I feel as though they're kind of equally important um because they all serve a very distinct uh function. Um, but those coupled together really reduce uh your risk footprint.

Adam Shaffer - Host

And and you talked about the layering, like so. If you go into an SMB, you talked about a bank, right? They got 75 layers or something, but like what's pretty standard? How many layers do you need to have?

Chris Daggett

Well, it it's not a matter of layers. It's you know, the the name of the the name of the game is changing. You know, it's important to have network segmentation, you know, separate your um your IT from your OT, so your information technology from your operational technology. Um, that's an important piece. You know, if somebody gets into your network, they can simply breach one of your um, you know, your OT devices or your IoT devices. Um, those typically aren't patched uh on a regular basis, so that's an easy entry point. Um but you know it's it's a matter of you know, just uh risk assessments are super important, and that's gonna actually um help you understand one, where your gaps are, two, where you can bolster uh different layers. And you know, we we have a program that you know we have you know several dozen layers in place right out of the gate, you know, turnkey. So, you know, it's it's a matter of you know understanding what the threat landscape looks like, understanding your your customer, and you know, it it's all about protecting data and identity at the end of the day.

Adam Shaffer - Host

It's like going out in the cold, wear a lot of layers. I get it, man. So so so okay. So

What To Do During Ransomware

Adam Shaffer - Host

now the customer or a non-customer calls you up and they say, guys, we need your help. We have a ransomware attack, we we we can't get into any of our computers. Like what what do you what's the first thing you tell these guys either to do or not to do?

Chris Daggett

First question I always ask, do you have cyber insurance? Okay, seriously, because that's gonna dictate your next steps. And then so, for example, if you have cyber insurance, they're gonna dictate what protocols you need to follow.

Mark Hammer

Yeah, so if you don't break the if you don't follow those protocols, they're not gonna pay your claims.

Adam Shaffer - Host

I got it, got it. Okay.

Mark Hammer

So the person is no no, I got it.

Adam Shaffer - Host

Like, are you insured for this? But okay, so if they have cyber insurance, you gotta go take a look at what the protocols are that they are requiring. I don't have anything, I'm just some guy, and I don't I don't think your next question.

Chris Daggett

Yeah, I mean, I would recommend uh unplugging the physically unplugging the devices from the network. Do not turn them off, but physically unplug them from the network. Um, what happens if you turn a machine off? Off in fear, you potentially may uh erase forensic data.

Adam Shaffer - Host

Yeah, so a lot of things are resident in memory, and there's like a paper trail or a breadcrumb to um, you know, what so if you power if you power off, you it stays there.

Chris Daggett

No, if you power it off, it's gonna wipe it.

Mark Hammer

Oh, it dumps the memory. So okay. So bad guys, your computer is keeping track of what apps have open, what services were accessed, what websites you went to, so when you say unplug it, you're saying unplug it from the server, don't unplug it from the wall. No, no, you can't turn off the Wi-Fi or any of the network, not the button. Turn the machine off. Okay. So there's it's called a forensic backup. So if your cyber insurance company may tell you we need to, you need to make a forensic backup, which includes the memory state. Uh, and so you need, you know, all this all the major program are, you know, like Acronis, we have a forensic backup if that's what you need. And then you can submit that for forensic analysis. Well, they'll try to figure out at what date, at what time. They do like a kill chain analysis where they they walk you through what happened, when did it happen, what services were accessed, what username, what credentials, what password, what this, what port, all of that stuff is logged, and it can help you figure out where the damage came from and what they did while they were in there. And did they exfiltrate any data? Uh, and if you what Chris is trying to say is if you turn the machine off, you can erase or remove some of that information from our I hate to say it.

Adam Shaffer - Host

I bet you people do what I do, and they just reboot because they're scared. Probably, I I mean I've got to do it. I always I always reboot. And maybe it'll be better when it comes back on. Okay, don't write right here.

Chris Daggett

I was that was a good learning today. Thank you. Yeah, because so uh the modern strains of ransomware, they actually will, you know, they do it in such a way where things are only in memory, they're not leaving the paper trail like they used to, and that's all by design. So you know, they're they're expecting users to be to not you know follow that technique and just to reboot, um, you know, because they're experiencing whether it's performance degradation or you know, say for example, they have a ransom note and their machine's encrypted, you know. Oh, a reboot might fix this, you know, because they don't know what they don't know. And that's where you know folks like Mark and I come into play, and you know, we're able to kind of guide them through the process.

Adam Shaffer - Host

That's that's great. So a lot of good advice for SMBs today.

AI Governance And Shared Responsibility

Adam Shaffer - Host

Let's talk about like kind of the future. So there's because this is changing, I would imagine, by the minute. What excites you most about the future of cybersecurity? Both of you guys.

Mark Hammer

Um I like the fact that things are it's more transparent than it used to be. Yeah, I mean, it used I at least in my personal experience, it used to be that was the security guy or the security department. It wasn't you know somebody else's responsibility. I'm excited that the now the attitude is now it's it's a shared responsibility. Everybody has a part to play. This is how we uh keep each other safe, how we keep the business safe. It's I like the fact that that is the the mind shift has shifted towards a shared responsibility instead of just the IT guy or the MSP or the security department or the NOC or the SOC. Uh I think that mind shift is huge.

Chris Daggett

Yeah, I I would agree with you, Mark. Um, you know, typically in the past, it's been, you know, oh, this is an IT problem. And if you think about it, security and risk, everybody plays a role. It's a culture thing, and we continually have to reinforce, you know, good behavior, the do's and don'ts, the threats change at such a rapid rate that you know people really need to stay educated. Um, and I think in addition to that, right, with uh AI becoming such a huge thing, you know, what excites me about that is we're able to automate a lot of these low-end kind of problems. And really, you know, it's only when the big issues bubble up where, you know, we're engaged or we need to, you know, solve something for a customer. Um, but we've gotten to the point where we're able to automate, you know, a lot of these security response efforts and you know make it a better experience for the end user at the end of the day.

Adam Shaffer - Host

And I guess the thing that scares, well, scares me is just like when I read about or hear about Anthropic Mythos, which could hack you, but actually it helps you find faults in your software that you have today. I mean, you guys have heard about this, right? That sounds pretty scary. Um, that I mean it sounds good, but it also sounds like in the wrong hands, it could be evil. Right. So I imagine that's the future, right? Like you got to figure out how to use that.

Chris Daggett

I mean, there's with AI, AI is a very powerful in the wrong hands, it can be extremely dangerous. You know, it's it's you know, and this could be a whole nother, you know, episode, but you know, it's a matter of, you know, there's that human oversight piece, the governance, that's gonna be a major, major piece moving forward and ensuring that you know your data is gonna stay uh secure. Guardrails need to be put in place, you know, there's gonna be an additional learning curve, you know, everybody's gonna be creating, you know, bots and agents and things like that. And how how is that data? How do they how can they ensure that data's secure?

Mark Hammer

Yeah, you know, or is it backed up because AI hallucinates and it gets worse the longer it's available? So, how do you restore it back to the good state? Those are all new problems and new solutions have to be created.

Chris Daggett

Right, right.

Adam Shaffer - Host

Okay, well, that Anthropic thing really it blew me away on that they've used it uh on most on all all the operating systems. I don't know, most of the operating systems, and they found issues with every one they've tried. They looked at bank software and they found issues that were there for 20 years. And like I don't know what's marketing and what's uh real, but it sounds like that's where it's going um for sure, like it's gonna go in that direction. So I don't know if you're following it, but I've it's I'm a kind of a news junkie, so I hear about this stuff all the time. And and so to to start trying to wrap up a little bit, I mean, if you guys could maybe just give your your your final thoughts or a last piece of advice to SMBs in general, you know, what what what do you got to say?

Chris Daggett

I mean, I would say treat cybersecurity as an operating discipline. You know, it's not a one-time initiative. Um, that's kind of a fallacy that people have in their head. You know, security isn't a project that you finish, it's a set of routines you can maintain, you know, patching, monitoring, training, testing, recovery, and improvement, uh, continual improvement. You know, these are it's it's something, it's a journey that we're all on, and you know, it's real, and we need to make sure that we're on top of it.

Mark Hammer

Yeah, I'd uh echo what Chris says. Uh, security IT is is not uh a capital expenditure. It should be an operational expenditure. It needs to become part of your day-to-day, week to week, month to month, quarter to quarter. Uh, and that's a mind shift uh change for a lot of people that grew up or that used to be IT was a separate department, or it was something that we called the IT department or guy or gal, whenever there was a problem. And you know, I agree with Chris that it needs to be more of a fluid motion that's constantly being tweaked and modified and revised instead of uh you know, point in time, it is a it is a continual flow.

Adam Shaffer - Host

Cool. Well, that's awesome advice. You guys have been great today. And um, Mark, you know, I know you're always on the road, man, and you're always somewhere. But if somebody wants to contact you, uh what's the best way to reach out?

Mark Hammer

Sure. I mean, I don't mind sharing my email address here. It's mark.hammer at acronis.com. You can also find me at LinkedIn. I'm LinkedIn, you know, forward slash in forward slash Markhammer. I managed to snag that uh uh unique identifier when uh the literally the day LinkedIn launched those uh, you know, where you could modify your own URL. I was did it the very first day. So pretty easy to get a hold of, pretty easy to talk to, happy to help wherever I can.

Adam Shaffer - Host

Great. And Chris, how do people get in touch with you?

Chris Daggett

Same thing. Um, I can be reached at cdaget at hubtech.com. Um, I can also be uh found on LinkedIn as well.

Adam Shaffer - Host

Super. Well, that's great. And I also wanted to um, it's just a coincidence that Mark is on the show and he's from Acronis, but Acronis is a really good partner of HubTech's, and I wanted to do a shout out to them and thank them. They helped uh sponsor uh some of our podcasts. So thank you, Acronis, you're a great partner. And with that, um, we'll see you next episode. Thank you very much.

Announcement

Thank you. Thanks for tuning in to the Beyond the Firewall podcast powered by HubTech. If you found this conversation useful, follow or subscribe wherever you listen to stay updated on new episodes. For more information about HubTech's IT solutions and services, please visit hubtech.com.