Is Affordable Cybersecurity A Myth?


Who am I?

Hello everyone, my name is Ismael Amado, I go by Izzy for short. I’m here to talk about affordable cybersecurity.

I spent 15 years of my IT career working in Silicon Valley with major enterprises like Facebook, Apple, Stanford University, Gilead Sciences, and Genentech before founding my company, IT Ninjas, here in Jacksonville. I’ve seen first-hand what several million dollars spent annually on cybersecurity tools and audits looks like. Do you know what I learned?

These companies still have data breaches that cripple their operations.

Startling, I know.

That tells me cybersecurity isn’t something you can just throw money at. And honestly? That’s a good thing. Small and mid-sized businesses are becoming an ever-increasing target for cybercrime. We also don’t have the same technology budgets to spend on cybersecurity as large enterprises.

So what actually works? And Is Affordable Cybersecurity A Myth? Let’s dive in and find out.

The Lay of The Land

Imagine, for a moment, that there was a group of people standing behind you at all times, constantly trying to see what you’re typing or the PIN you use for your debit card at the grocery store. Everything they see is logged on their handy notepad, and they frequently compare notes.

Not only is this kind of creepy, but it’s also a great example of what we call social engineering. In a nutshell, people lurking on the internet follow you on social media and try to determine what other sites you visit.

Their goal is to eventually extort you. This is all a long play; they don’t need all of your information right away, they just need a little more than they had before. They’re either creating or updating their dossier on you.

If that wasn’t alarming enough, now imagine there were organized foreign mobs of criminals roaming the streets of your city and attacking businesses in broad daylight, extorting business owners for their hard-earned cash. They’ll destroy your property and livelihood if you, their victim, refuse to comply. In some cases, even compliance results in extortion.

Can you imagine the outrage? There would be a massive reaction from our citizens and our government.

These guys are NOT friendly neighbors.

Yet that’s exactly what’s happening. The only difference is that since this is happening in cyberspace it’s far less visible. And because of this, the reaction is almost non-existent. This is becoming an ever-increasing concern on the state and federal levels, but the situation is well out of their ability to fix at this point.

And if you think foreign powers are going to intervene on our behalf, think again. There are several countries like North Korea, China, and Russia that have state-sanctioned programs for conducting these attacks.

Alarmed yet? Politics aside, none of the countries I listed are terribly fond of American businesses.

The Cyber Threat is Real. This Means Affordable Cybersecurity is a Necessity

Don’t believe me? Here’s a real-world example.

State-sanctioned North Korean threat actors are actively making attempts at hacking just about every nuclear think tank on the planet using an Advanced Persistent Threat (APT) called Babyshark.

An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time. An APT attack is carefully planned and designed to infiltrate a specific organization, evade existing security measures and fly under the radar.

Crowdstrike 2022

These attacks are incredibly targeted, even going so far as to stay completely dormant if the wrong person’s computer was infected. You can find the details on these attacks here.

Russia in particular has an entire segment of its private sector dedicated to developing ransomware and other software for cybercrime. Think about that. These are registered businesses, just like the LLCs many of us run. They don’t conduct the attacks, they just develop software and sell it to people that do. And as far as the Russian government is concerned, they’re a legitimate business. Let that sink in for a second.

These businesses also sell said software to threat actors in the state-sanctioned programs I mentioned.

“It’s not that the Russian government is conducting these ransomware attacks, but they have an arrangement in which the Russian-based cyber-mobs can do their activities outside Russia, and the country turns a blind eye to it. The tacit agreement is, if you hack a Russian system, you’re in trouble.”

Dr. Herb Lin; Cybersecurity Expert at Hoover and Stanford Universities

How Does This Impact Small Business?

According to NIST (National Institute of Standards and Technology), small businesses comprise 99.9 percent of all firms, 97.6 percent of exporting firms, and 47.8 percent of private-sector employees. Small businesses accounted for 61.8 percent of net new jobs from 1993 until 2016.

Though dated, these numbers show how large of a role businesses with under 250 employees play in the US economy. We are the majority, not the minority.

With these numbers in mind, it makes sense that cybercriminals have been shifting their focus to targeting small businesses. There are plenty of targets, and most small businesses don’t have anywhere near the budget for cybersecurity that a large enterprise does.

I would venture to guess very few of the small business owners and operators reading this have a dedicated budget for IT improvements or cybersecurity this year.

But there is a silver lining, and all hope is not lost. While many small businesses have limited resources, personnel, and understanding of cybersecurity risks, small businesses are not necessarily less secure.

Small but mighty!

Because of our size, we are able to be more innovative and agile in our response to risks and attacks than larger organizations. We can quickly pivot and adapt to new policies, requirements, and risks.

Now that we’ve framed the problem, let’s talk about how to approach things effectively.

The Bad News

Alright! So I’ve got good news and bad news. Let’s get the bad news out of the way first.

There is no such thing as a company that is impervious to cybercrime. However, you can become resilient to cyber-attacks. This can lead to becoming antifragile, a term coined by the Lebanese-American writer, statistician, and former options trader Nassim Nicholas Taleb.

I don’t mean to go off on a tangent, but to summarize the definition of antifragile, you gain from disorder and chaos. What others may perceive as an event with negative impacts actually makes you stronger.

I highly recommend this book.

The Good News

Now for the good news: people and training matter far more to cybersecurity than expensive systems. Again, people and training matter far more to cybersecurity than expensive systems. Furthermore, your staff doesn’t have to be highly proficient, IT-savvy keyboard warriors to protect your business.

I worked as in-house IT for over 5 years in a national facilities service company. Generally speaking, the average employee’s highest level of education was a high school diploma. They were far from tech-savvy. To further complicate the situation, my team had a shoestring budget and our department was tiny.

Still, during my 5-year tenure, we had only a single cybersecurity breach that was identified immediately and recovered from in under an hour.

With that in mind, in this series of blog posts, we’re going to dispel the idea that “Affordable Cybersecurity Is A Myth”. We’re also going to highlight the practical application of good cybersecurity habits that you can apply in your personal life, your business, and use for developing your business team. Stay tuned, and in the meantime, if you are looking to speak to someone about how IT Ninjas can help secure your business from the growing cybersecurity threat landscape, give us a call today.
