Security Chipmunks

Small Businesses Are Prime Targets, But There Are Ways to Fight Back

Edna Season 4 Episode 22


"We're too small to be hacked" might be the most dangerous myth in small business cybersecurity today. As James Baierle, founder of SecurePoint Solutions, asks with a touch of irony – how exactly do you let the bad guys know to leave you alone? The hard truth is you can't, and that's why specialized security services for small businesses are more critical than ever.

The cybersecurity landscape presents unique challenges for the 13 million American businesses with fewer than 10 employees. These organizations – from your favorite coffee shop to your child's daycare center – face the same sophisticated threats targeting Fortune 500 companies but lack the resources for enterprise-level protection. SecurePoint Solutions was born specifically to bridge this gap, providing scaled security solutions that make protection accessible to businesses of all sizes.

For aspiring cybersecurity professionals, Baierle offers refreshingly practical career advice gained from his journey from Navy operations to founding his own security company. "Writing is what gets us paid," he emphasizes, noting that technical skills alone won't advance your career if you can't effectively communicate findings and impacts to non-technical stakeholders. He recommends starting a blog to showcase communication abilities and advises newcomers to manage expectations – you probably won't start as an elite penetration tester, but numerous opportunities exist in areas like Security Operations Centers where demand for talent is high.

Beyond cybersecurity, Baierle shares his passionate advocacy for foster care, having adopted three siblings after years of fostering children. With approximately 200,000 foster beds needed nationwide, he suggests respite care as an accessible entry point for those interested in helping but uncertain about full-time commitment. This personal mission reflects the protective instinct that drives many security professionals to make a difference both within and beyond their technical expertise.

Whether you're a small business owner concerned about cybersecurity, an aspiring professional looking to break into the field, or someone interested in making a broader social impact, this conversation offers valuable insights into protecting what matters most. Ready to chip away at building better security for your business or career? This episode is your starting point.


Speaker 1:

is from a cooperative project for acquiring skills essential to learning. Welcome to the Security Chipmunks, the podcast where we keep chipping away at it. I'm your host, Edna Johnson, and today we have a special guest, James Baierle from SecurePoint Solutions. Introduce yourself, James.

Speaker 2:

Hey, thank you, Edna. Appreciate being on the podcast. So yes, I'm James. I am the founder of SecurePoint Solutions. We are a small-business-focused managed security service provider, and when I say small business, I mean like your kid's daycare center with their two computers, or your favorite barista. We help companies as small as one employee all the way up, just trying to give them as good a security as a bigger enterprise environment would have.

Speaker 1:

Yeah, that is so important. We have so many small businesses in the United States, and a lot of them, they can't afford, like, the enterprise-level cybersecurity tools that larger companies have access to. So what do you think is the biggest challenge that small and medium businesses are facing right now?

Speaker 2:

Yeah. So one thing that we see still a lot of is that there's still a lack of awareness that they indeed are targets. I get a lot of people to say, well, we're too small to be hacked. And then I ask, how do you go about letting the bad guys know? Because I could maybe do that for all my customers. Just say, hey, they're too small, leave them alone. It doesn't work like that.

Speaker 2:

So having to educate, um, small businesses that, yes, those things, uh, do exist, they do apply to them as well as the big companies. Um, and then also, you know, kind of just talking about just making that budget stretch, where, you know, their idea of a security budget was five licenses of Norton or something like that. Helping them understand that that's not going to 100% help you. You do need a little bit more things in this day and age, but we can help you with that. And, you know, small businesses are likely, or seem to be, most targeted, especially with social engineering, phishing, things like that. So really trying to keep bad emails at arm's length is super critical.

Speaker 1:

Yeah, absolutely. You know, social engineering, that is like one of the most targeted things now, with so many new ways that people can be targeted. There's, you know, like the ClickFix, or Cloudflare has like the social engine, well, not Cloudflare itself, but threat actors pretending to be Cloudflare, or there's like deepfakes now, yeah. So what do you think? Businesses that don't have the budget to have these awareness campaigns, what are some of the things they could do to try to protect themselves from these novel social engineering attacks?

Speaker 2:

So I think one thing is that if you don't have an IT representative or company or anything that can help you, go out and look at some of the information that, like, the FBI puts out about preventing scams. I think even FEMA now has some of that. You know, social engineering prevention, or, you know, phishing prevention. And then print out a few things, have a lunch. You know, you're gonna probably host a lunch for your employees, so do it as a lunch and learn where you just all kind of talk about that, talk about your concerns. Don't make it feel like it's really training and make it feel more like it's everyone collaborating on thinking ahead, thinking how they could prevent further issues. It's a little bit of what we do with our own clients. We don't just hand them training and tell them good luck. We try to have more open conversations about it. It seems to work.

Speaker 1:

Yeah, that's great. I like the lunch idea, because who doesn't love going out for lunch? Free lunch is always a good way to get people to participate.

Speaker 2:

Absolutely.

Speaker 1:

Yeah, or like coffee. I love coffee. Yay.

Speaker 2:

Third cup for the day.

Speaker 1:

Nice. I can't drink that much anymore because it will keep me up all night. Yeah, so when you were starting your company, what was the motivation for starting the company and for getting into this area of cybersecurity?

Speaker 2:

Yeah, so I was already kind of on a security journey when I had started it, probably for a couple years. I'd worked for another company previously and overall the security culture, just everything it was starting to wear on me. I became a little bit vocal about it and they felt that my talents should maybe go elsewhere and it was sort of a blessing in disguise. So I started SecurePoint because I felt that maybe my way isn't necessarily better than other ways, but I feel that it's going in a direction of how we provide security and how we look at it. It's going in the direction that it needs to, and we continue to bring in clients. We continue to have customers that are very thankful for the services that we're able to provide, and it's just something that we're going to continue.

Speaker 1:

Excellent. So, looking forward, I know that you've been expanding SecurePoint Solutions. Do you have any big goals for the future? What does the next five years look like for you?

Speaker 2:

So the next five years, um, first off is, I mean, just continue to grow. There's 13 million businesses in the United States that have nine employees or less, and a vast majority of those are like one- and two-person companies. Now, as much as I'd love to be able to support all of them, we definitely want to support as many as we can, as many that we can reach out to and help out and help them before things get out of hand. We all know that proactive is better than reactive. Other goals: we want to increase our work-study cohort program, our internships, our scholarships, branch those out into other areas of the US. Right now we're kind of focused on the places where our employees live, work and play. So I have an employee in Florida. We're helping them out. But as we grow, try to continue to pay back into this community and help grow the next crop of security professionals.

Speaker 1:

Very nice. So that kind of leads me to the next questions that I wanted to ask you about, was, you know, breaking into the field, and I know that you run a work-study program, and do you think, in the current cybersecurity environment, like, what should people be doing and working on trying to break into the field?

Speaker 2:

So the two big pieces of advice I give to everybody that comes to me is, first off, you are not going to be the super elite red team pen tester for some company right out the gate. You know, a company that does both SOC services and pen testing, the SOC service team, probably, you know, it's 10 to one the number of people, just because you need so many people to run a SOC. But you really only need one pen tester if you're only doing one pen test at a time. So have an idea that you're going to fall into those junior-level roles and just expect that. Now there are places where you can break out into areas that are maybe considered a little more involved than what a, you know, entry-level person should be. But just understand that what you want to be and where you're going to start are going to be vastly different.

Speaker 2:

The second piece of advice: learn to communicate. Writing is what gets us paid. If you're a pen tester and you created some really cool exploit and you popped the box and you got in and all that, that's awesome. You'll get high fives all around. But if your report is terrible, they're not going to pay you or they're not going to pay you the next time, or something like that.

Speaker 2:

If you can't communicate impact, if you can't communicate to people that are outside of our industry, you need to work on that. If you don't have a blog, start one. If you're doing things like TryHackMe, or if you're on some sort of a journey, just start a blog. It doesn't have to all be like TryHackMe walkthroughs, it could be just other cool things, and that's the one requirement we have for our cohort members, is that you have to blog, because that's how I can at least look at it, um, look at how you're doing on things. So those are the two real big things. And then there's so much free training out there. Just, you know, find the free training that works for you and, uh, run with it. That's really good advice.

Speaker 1:

So I love that you said, you know, writing is a good skill to have, because I know that a lot of the stuff that I do, when I write about it, it gets sent up the chain so my superiors can see what I've been doing, and it reflects back on me, like what activities I've been doing and what they need to be caring about. And if things don't get written down, they don't know about it and then they don't see the value that you're creating. So that is such good advice. And blogs, they do help you stand out professionally as well, and they can get you jobs.

Speaker 2:

So when I talk to people that are interested in applying or anything, those are my questions. You know, do you have a blog? Do you, you know, send me a link for it? I want to look it over. You know, do you have any sort of a home lab? Or have you, you know, thought about it, or how would you design it? Because I also know that, no matter what you do, a home lab is going to cost you more money than you currently expected, so it's never a $0 thing, whether it's licenses or hardware. So I understand that not everybody can do a home lab, which is part of the reason why we have one for our work-study program. But I also want you to be able to tell me what kind of stuff, if you had the dream home lab, what would you want to build out and do? And it's useful information for us to determine, really, you know, your interest and where it lies.

Speaker 1:

Absolutely. That's definitely good advice, and I like that you're giving suggestions on how to start for free, because when you're trying to find a job, you often don't have the money for all of the things that help you get the job and help you get the experience that you get on the job, so that is a good idea. When you were breaking into cybersecurity, what was it that made you passionate about the field?

Speaker 2:

And how was your experience breaking in? So I think where the passion kicked in was, I was previously in the Navy, so there was always the going-after-bad-guys kind of concept. In the work that I did, I did operations, threat intelligence, that kind of stuff. So seeing how security is more of a, you know, blue versus red, good versus bad, it really kind of made me realize that I don't need to learn how to, you know, reload firmware for this printer, or I don't need to worry so much about creating high availability for VMware. I was on a, you know, system engineer, sysadmin track with my career, and then I got into a little bit of risk assessment work and finally I'm like, no, security. Security speaks to me. And my path of getting into it in general was not the most usual. I ended up having to go overseas and working to get any sort of marketable skills in the IT realm and was lucky enough that I could actually use them and get to stay on.

Speaker 1:

Wonderful. So you and I, we first met in person at a conference. I believe we had interacted online before then. But do you think conferences are helpful to people breaking into cybersecurity?

Speaker 2:

Yes, they are, and really the ones that I'll throw out there, you know, like, find your local BSides or find a BSides that you're willing to drive for. Typically they're one day only, so, depending on driving, you don't have to stay over. The tickets are relatively inexpensive, and they're just, they're that grassroots kind of way to get into a conference. You can go and then, with the price and with everything, if you feel that, okay, there's too many people, I'm out, you don't have to feel bad about walking away after, you know, spending $20 to go to a conference. Um, and also, the people that you're going to meet are really, uh, you know, they are your local peers for the most part, especially the organizers. Um, and it's also a great way to meet, um, uh, meet people from outside your region.

Speaker 2:

One person that really got me started on this path, uh, spoke at a BSides, and he works for, uh, CyberArk and lives in Texas. He flew up and actually talked about the history of ransomware, and that talk alone, I was sucked in. I was like, yes, taking notes just all the way down. Um, so, yeah, do a conference. Um, another good thing, too, is volunteer for a conference. If you're not as people-y, um, or you feel intimidated by sitting in on talks or something, volunteer, help out, help out to set things up and, you know, it'll give you an opportunity to start giving back into the community. Uh, but yes, the smaller conferences are amazing. Don't ever feel pressured to have to go to like DEF CON. Yeah, there'll be people to say, well, if you haven't made your pilgrimage to DEF CON, you're not really a professional. Now, I'm okay with somebody who just absolutely doesn't want to go to DEF CON, because I get the reasons why somebody wouldn't, and so stick to the local stuff, make it fun.

Speaker 1:

I can tell you that going to DEF CON, it's so hot. It's Las Vegas in August. It's an oven. It's like you're in a dry oven. So, yeah, I get people not wanting to go there and, uh, there's also a lot of people.

Speaker 2:

I still love going, but, um, I can definitely see the drawbacks from it. Yeah, well, I think too, like for you, you went to actually do things for DEF CON, not just walk around and observe. So I think if, uh, you know, if you maybe weren't doing, uh, doing the social engineering stuff or the other things, you might kind of look at it like, okay, this is like the fifth line I've been in all day and, um, and I now have to do this. And, um, and I'm sure you experienced some of it, because it's not like you were participating in your thing the entire conference. But I'd have to imagine that there were definitely some times where you're like, can we just skip ahead to the part where I'm presenting or doing whatever?

Speaker 2:

Yeah, well, I tend to do a lot at DEF CON, and sometimes it's just a little too much. We have to know ourselves and, you know, especially when you're volunteering and things like that. I've definitely burned myself out from conferences and I've learned that the hard way.

Speaker 1:

Yeah, call that volunteer-itis. You got the bug, you got the volunteer-itis. Don't worry, I have that too. I volunteer everywhere.

Speaker 2:

Absolutely.

Speaker 1:

Yeah, so yeah, and BSides, you mentioned that. I love BSides. You know that because I'm the volunteer coordinator for my local BSides, and that is a great way to get exposure and meet people in your community and network to get a job. If your goal is to get a job in your community, that is a wonderful way to do it.

Speaker 2:

Because people will notice the helpers and they appreciate it.

Speaker 1:

Yeah, yeah, um, all right. So you have a passion outside of cybersecurity and I really wanted to make sure that you get a chance to, uh, share that with our listeners, because I think it's a good mission that you have.

Speaker 2:

Um, yeah, yeah, so let's jump in, talk about that. Sure. So, um, my wife and I, we made the decision about 10 years ago now that we were going to get into foster care. We'd seen other people around us, in our neighborhood, in our church, that were doing it, and they were open about the good things, the bad things, the things they wish they knew. And so we went through the process, and going through the process, you realize a few things about yourself, you realize a few things about society, and it is an amazing way to help people. Um, so I'm just going off of statistics that I remember. Um, there's about a shortage of 200,000, um, foster beds in the United States. So, across the U.S., there's about 200,000 kids that are either in shelters or they are in not the most suitable situations. Maybe they're still living with their biological parents, but they're old enough to maybe take care of themselves to a point. They may be staying with elderly grandparents who, it's not that suitable for them. So there's a massive need. And I always tell people the first rule that they teach you is know your family, know what you're capable of handling. So, as we went through the process, we realized what areas were going to be difficult for us to do, whether it was because of our, uh, our work-life balance that was already there. Uh, at the time my wife and I both worked in offices, so we couldn't really take care of a, uh, a kid that was medically needy, um, or something we'd have to, you know, we'd have to find a different path for.

Speaker 2:

But the other thing you can do is that a lot of, um, a lot of states, they have what they call respite care. Respite care is an awesome way to kind of get your toes into foster care. You go through the process, but then respite care is typically you watch a foster kiddo, or two or five. You watch them for, say, like a long weekend, because the foster parents that have had them, they need to go out of state for a vacation and the kids can't travel, or they have to go because there's like a death in the family. So it's a break away from the assigned foster care family and they go to another one that's licensed. The cool thing is that you don't have to necessarily worry about getting attached, because you know that those kiddos are showing up Thursday night and they're going to go home Sunday night. It's almost like hosting a slumber party for new kids. You know, you can kind of spoil them a little bit. Love on them, you know, get them their favorite snacks, those kind of things.

Speaker 2:

The other cool thing about doing respite care is that you are getting unfiltered information about these kiddos from the people that have been caring for them 24/7. When we have spoken to caseworkers, they don't always know the story. So they might say, well, this kid has this condition, but, you know, nobody has seen it for like the last 24 months. And then the day after, um, the kid has a seizure because of his condition and you're completely like, what the heck? Like, you know, why did it have to happen today? So, and that was actually something that did happen to us. Um, so, uh, usually the licensing process, um, the things they look at is they look at your,

Speaker 2:

you know, how are you raised as a kid, how were, uh, you know, what were like family traditions? Um, you go through a variety of case studies understanding different, uh, different groups. So, um, LGBTQ, uh, um, foster kids are, often they've had trouble with placements over the years, so that's been a focus of where they talk about that. There's also just the whole thing of the kids that are going to go home to their parents. So you have to understand that there's not always the option to adopt.

Speaker 2:

We fostered a handful of kids over the years, and then we had a set of siblings that came to us, three of them, and we really didn't know, like, what was going to happen. And probably about 10 months in was when we realized that they would be eligible for us to adopt. And, um, so we adopted them. Um, and although we don't do foster care, uh, anymore, obviously, we're advocating for it. Uh, we still give our time, talent and treasure into foster care programs around here. Um, but absolutely, and it doesn't matter, um, you know, married, unmarried, uh, you know, you have an apartment, you have a house. Um, I know here in Iowa the things they were worried about is, is your septic tank too close to your well? Uh, do you have lead-based paint, and do you have an actual bedroom for a kid? They can't just crash on your couch. So that was it. Anyone can foster if you have the heart for it. And I will step off my soapbox now.

Speaker 1:

Thank you. I just love hearing about that, um, helping foster kids and going through the adoption process you did. That's very heartwarming. I appreciate what you and your wife are doing.

Speaker 2:

They're great kids. You actually will get to meet them, as long as they don't act up. I've warned a couple of them that I'm not afraid to cancel their tickets. Yeah, I mean, all kids can be, you know, a pain sometimes, but yeah, if you see less of us, you'll know why.

Speaker 1:

Gotcha. Yeah, it'll be great to get to meet the whole family.

Speaker 2:

Absolutely.

Speaker 1:

All right, and with that, that's our episode. Thank you so much, james, for being on the show. I appreciate you coming on and taking the time to be here with us.

Speaker 2:

Thanks for inviting me.

Speaker 1:

Yeah, absolutely, and for our listeners at home, please make sure to like, comment, subscribe, click all the buttons. Helps us out with the show and we'll catch you next time. Keep chipping away at it.