Mastering Cybersecurity for Small Businesses with Paul Tracey

Show Notes

In this episode, Paul Tracey, founder and CEO of Innovative Technologies, discusses the cybersecurity challenges faced by small and medium-sized businesses. He highlights the misconceptions about SME vulnerabilities, the importance of proactive security measures, and the impact of regulations like the NYS SHIELD Act. Paul also offers practical advice on protecting data while traveling and the evolving threats posed by IoT devices and AI.

Takeaways

• 43% of cyber attacks target SMEs. 
• Phishing is the top entry point for attacks. 
• No client has paid a ransom under Paul's watch. 
• Early detection is crucial for cybersecurity. 
• Training is key to reducing human error. 
• Regular penetration tests are essential. 
• IoT devices need better security measures. 
• AI is both a threat and a defense tool. 
• Compliance laws protect businesses. 
• Proactive security measures are vital.

Transcript

Francis Gorman (00:01.762)
Hi everyone, welcome to the Entropy Podcast. I'm your host, Francis Gorman. If you're enjoying our content, please take a moment to like and follow the show wherever you get your podcasts from. Today I'm joined by Paul Tracy, the founder and CEO of Innovative Technologies, a leading cybersecurity firm based in upstate New York since 2012. He helps small and mid-sized businesses strengthen their security, compliance, and IT resilience. Paul is also known for two Amazon bestselling books, Cyberstorm and Compliance Made Easy.

He's also a recognised thought leader and it's fantastic to have him here with me today. Paul, how are you keeping?

Paul Tracey (00:36.449)
I'm doing well, thanks so much for having me. I appreciate it.

Francis Gorman (00:39.992)
Great to have you on Paul. And I think I want to talk about a couple of areas today, but I want to start off on the space that you're in around the kind of SME marketplace. There's a perception and it's maybe because we only see the headlines when a big company gets caught in terms of a cybersecurity breach, but small businesses are just as susceptible. In your experience, can you bring that to light for me? Can you talk a bit about the SME market and the risk factors that they also face in this space?

Paul Tracey (01:10.669)
Absolutely. And that's a great point because it's a giant misconception, right? In the business world. And so just for a little bit of background, I worked in enterprise IT originally. And it was that disparity that kind of moved me to start my own business in that they had the funding, the knowledge, et cetera, and just didn't do anything with it. And very quickly I realized, well, if this is the case in enterprise, what do small businesses look like?

And what I found was was rather shocking. And so that's kind of where my business started from. You know, one of the things that we know is 43 % of cyber attacks now are going to small and medium sized businesses. But 100 % of the business owners in that market that I talked to don't think they're a target. Right. And so that creates a big problem.

And if you're a small business that, you know, the impact of an attack or an incident like that is much greater in that your resources probably aren't as robust to be able to handle not only the incident, but then the outcomes that that follow that. And so it's really a big issue, right? If you don't understand the risks, then how can you possibly protect yourself against them?

Francis Gorman (02:41.901)
And Paul, what type of attacks are you seeing against SMEs? So is it invoice redirection fraud? Is it ransomware? Is it phishing attacks leading to compromise and exfiltration of data? Is it all of the above? What do you see mostly occurring in these spaces?

Paul Tracey (02:58.193)
Well, kind of, you know, I hate to use the term low hanging fruit, but that's really kind of what we have in small to medium sized business. So we're seeing all of the attacks. Generally what we know is small businesses don't necessarily have the security infrastructure. So fishing becomes the number one point of entry that may not be the scope of the attack or how they get in.

to the network, but it is how they gather information that then gets them into the network if it doesn't directly. And so then we end up at the, you what security do we have on our email? Do we have multifactor authentication enforced? But then the big part of that is, are we training the staff against the phishing email if that's the number one entry point, right? For small and medium businesses, 95 %

of their incidents started out as a phishing attack in an email or potentially a fake website link, that type of thing.

Francis Gorman (04:07.105)
That is interesting. Yeah. So the initial vector has been still the phishing email in the SMEs. I suppose you can fire and forget with them and they don't necessarily have to be targeted attacks in that case. In terms of ransomware, I'm interested. So if a big corporation gets hit, they have the ability to bring in negotiators to maybe pay to restore from backups, et cetera. But when an SME gets hit, likelihood is they don't have any of those pieces of resilience built in to

their enterprise. I read that no one has ever paid a ransom under your watch, Paul. I'm not sure if that's fake news or if it's fact, but I'd like you to talk a bit about that if it's true. I suppose the methodology or the guidance that you provide when an incident like that occurs.

Paul Tracey (04:57.947)
So it is true. It shocking is that that may sound none of our clients have ever paid a ransom. And I think that comes from a couple of different strategies. First is prevention, right? But if anybody's been in cybersecurity or even watch the news, we understand that regardless of the security, there can be gaps and people can get in. And so if they get in and you have a ransomware attack, what does that mitigation look like?

What is your plan for dealing with it? Right? I think all throughout life, we have examples where things have happened to us, right? And we did or did not have a plan for that potentiality. And the outcomes when you have a plan are much greater in your favor than when you don't. And so immediate detection, right? How fast can we identify the threat and shut it down? If there is...

We, you know, someone gets into the network and is able to lock down equipment. The next step there is to make sure that they're not able to get to the backups, right? Because that's the really the key when you see people paying the ransomware is because they weren't able to restore from backup, meaning the hackers got in encrypted the backups as well. And now once that occurs, you're really in a situation where

you're almost forced to pay. I mean, you cannot pay, but most businesses can't handle losing all their data and continue to do business, right? That's a nearly impossible feat. So we want to make sure we're doing all the prevention that we possibly can, but there also needs to be mitigation. If something does happen, how far can it get? And the very last wall of that is making sure that you have backups.

that are secure, that are not accessible if someone does get into the network so you can restore that data. Does it still suck to have an incident like that? Yes. There's no way around that. It's not a fun time. You've got insurance companies involved. You got all kinds of moving things and regulations. But paying that ransom certainly doesn't make it better.

Paul Tracey (07:24.003)
So we want to make sure that we're doing everything we can to that to defend against that. The other thing is if you pay the ransom, unfortunately, what you've done is told criminals that when this happens, you are willing then to pay a ransom. So your immediate remediation better be yesterday or this is just going to happen to you again in the very near future because they know you're going to pay.

And so that's what we focus on is making sure that we have every prevention that we can have in place within reason, and then making sure that there's plans in place. If an event does happen, that we're not put in a position where we need to pay a ransom.

Francis Gorman (08:11.397)
You talked there Paul about the kind of the fast response and I've heard you talk about the 35 second rule before. How important is that early detection piece and have you a couple of things that you look for across the companies that you have under your remit to identify as well as anomalies that may indicate a breach scenario?

Paul Tracey (08:30.545)
So obviously there's a lot of tools in the market. Every day there's a new tool that comes out that says it's the best tool. I believe in a lot of testing in that. And so things like managed detection and response using AI and tools like XDR so that we're scanning for user behaviors and anomalies can then be noticed right away.

Obviously, if anything malicious tries to run, we want that to be, you know, that execution to be stopped immediately. And then behind that, there needs to be a team of security folks to then go through. As soon as those alerts come up, identify if it's an issue and take action. And so industry wide, we have what I consider a complete failure in that point in that the average time to detect

An incident and contain it is a hundred days and a hundred days compared to 35 seconds is a big variable in a lot of time for someone to do bad things. so one, want to use zero trust. We want to make sure that applications aren't talking to applications that they, don't need to. Right. So stealing.

cookies from a Chrome browser can get you around multi-factor authentication now. We want to make sure that Chrome can't talk to PowerShell. It can't talk to command prompt. It can't talk to any application that it doesn't need to. And so those things are then restricted at that level. And then we need to have constant scanning and analysis of all the other data flows.

And that can become a cumbersome project if you don't really sit down and work out a strategy into how to form that stack, make sure everything's running, and then test against it to make sure it's doing what it's supposed to do, which is probably the most important part of the whole thing.

Francis Gorman (10:53.713)
aware of the complexities of trying to, know, needle in a haystack. I've become a strong believer in exposure based detection. And what I mean by that is architecturally driven security events identified, pen test results formulated into gaps in your event, in your event logging and detection capabilities. And then, know,

different blends of red and purple and other teaming to fill the gaps there along with an extrapolation of threat intelligence over the top where appropriate. But I'm very conscious that an SME doesn't have that level of either personnel or capability to put that together. I suppose a lot of the tools in the market have to be relied on in this space. it's, yeah, think logging is one of those things that, you

you can take every login and you'll always miss something because they're finding new ways around them or it's an exploit that hasn't been seen before in terms of a zero day or something. So yeah, it's definitely an interesting field. And then as you say, if somebody gets fished up front and just give the credentials away and they don't have MFA or a conditional access or whatever, the bad guy's in anyway. it's definitely one of those areas that is cumbersome to say the least to get right.

Paul, you talked a little bit about regulation there a minute ago, and as I was doing a little bit of reading on yourself, came across the NYS SHIELD Act 2019, I think it was envisaged. Can you break down what that means for business owners? I'm always intrigued to hear about different pieces of regulation, and I'm fascinated that in the States, each state has a different nuanced regulation from the next one. So it's different to Europe where we have kind of set regulation that applies to all.

But I like to learn from different regulatory spaces and see if it's something that we may have missed ourselves. So if you don't mind, if you're from in here, can you just give me bit of an overview of what that act is, please?

Paul Tracey (12:57.519)
Yeah. So, you know, I think GDPR is really where, where all this started. Right. and in the U S now we have several states, California was first, New York was second. We now have several other states that are, that are coming out with state regulations. One of the interesting nuances about, New York state shield act is it does, it's not contained to New York state.

Right, so basically what that law says is if you do business with any business or person that is in New York State, you are now covered under New York State Shield Act. So if you have a business in California or elsewhere and you have customers that are in New York, you have to adhere to those rules or you can face, obviously the government action is fines.

And those fines aren't, know, they're $5,000 a piece, right? And so, you know, that doesn't seem like maybe a whole lot. If you have 50 employees and none of them have MFA and you're not protecting that, so each one of those incidences now becomes that $5,000 fine. And yes, there's upper limits on that, but I think...

we miss a lot of times when we look at fines for regulations is the number. Okay, well you didn't have multi-factor. That's not a fine for the entire thing. That's a fine for each incident or each instance of that. And so I think we have...

a growing compliance market. Like at some point each state, you know, we do this all the time in the U S where each state comes out with a law, enough states start to have that law and then we get a federal law. Not that we don't have them already, but incorporates those new pieces that are coming out from each state. And I think that, you know, the big takeaway from from shield act is that you don't have to be in the state. That's the,

Paul Tracey (15:15.567)
law reaches outside of the state as it pertains to business owners.

Francis Gorman (15:25.805)
is interesting. The compound effect of each violation, I think, would scare the bejesus out of some companies in Europe if you brought that one in. We're used to a penalty for non-compliance, but not a penalty for non-compliance per user. That would be a game changer, I suspect.

Paul Tracey (15:48.145)
Well, you know, it comes down to like we had a, there's a local government recently that, that just had a breach. and it comes to come to find out a few weeks later that that's because they had employees that had left, those accounts were left active. They didn't have MFA on them. Right. And so as much as those fines are steep, the compliance is actually there to help you. Right. To protect your business.

And so it's unfortunate that we need to have fines in my mind. I've been trying to put out as much content and education around these issues as I possibly can. but we need to understand just like the rules on the road. don't want drunk drivers driving on the road because that puts everyone else at risk. And so these compliance laws really to me are the basics, that you should be having to drive your, your business.

in that market.

Francis Gorman (16:50.615)
It's also human nature, know, if there's no carrot and no stick, know, it's people just keep the carrot. That's money I don't need to spend. But when there's a bit of a stick there and some implications for, I suppose, poor posture, that does help in securing down environments and getting things a little bit better for all of us. Thanks for those insights Paul, that was great.

I want to swap tack now and I want to talk about something I think you're quite familiar with, is travelling with technology and protecting yourself on the road. I think it's an area that you're interested in around hotel, Wi-Fi, airports, know, ports for charging your phone and public spaces. Can you talk to me a little bit about that space and what advice would you give to people who are travelling with technology?

Paul Tracey (17:41.531)
So, you know, this is a conversation that I've had both publicly and with friends and so forth. And people usually think I'm a little bit crazy. So we'll start with that. sound a little bit out there. You shouldn't do any of those things, not the public charging station, not the public wifi, none of those things without serious thought and consideration, right? If we have a cell phone, generally we have

Cell phone connection, right? If we don't then maybe we're switching to public Wi-Fi if you do not have a VPN and you're connecting to public Wi-Fi You are potentially giving away all your data. So like There's just no easy way to say that right? For those of us in the business world, we go to conferences a lot Last year, I went to a conference showed up at the hotel

And it's a tech conference that we're full of cybersecurity folks and the hotel had been hacked. No one could check in because the hotel had been hacked. Right. And this happened just prior to a cybersecurity conference. Right. And so it's those kinds of incidences where had those folks already been checked in and conference going on and using that wifi unprotected.

What were those hackers gonna get? Potentially the keys to their accounts and all of their client accounts. And so we don't necessarily view that. We want the instant gratification. I need to be on the wifi. I have to check my Facebook. I have to check my email. I promise you it's not that important. I promise you that losing your identity, having your information stolen.

is definitely not the outcome that you wanted by I needed to check my email real quick. There likely wasn't anything important enough in your email to lose all your information and get your identity stolen and all the negatives that come after that. In terms of the airport, you know, and using those little chargers, what I tell people all the time is,

Paul Tracey (20:09.179)
Bring your own charging block, always. You can actually buy them now where they don't transfer data. They just don't have that capability because it's very easy. So we look at things like the gas stations. They replace the keypad and then they're stealing your PIN number and so forth in the card skimmers.

It's just as easy as easy to be in an airport where no one's watching those chargers and pop that out and pop in your own charger that's designed has a script in there that just pulls the data from whatever it's plugged into. And it sucks that we're in that world, but that is unfortunately the world that we live in. So if you don't have a VPN, no public wifi, you know, I tell people when you leave the house,

Turn your, never have your WiFi set to automatically connect. And that's something that a lot of folks do, but if there's a WiFi out there without a password and you automatically connect to it, it was likely there for a reason.

Francis Gorman (21:20.449)
great for finding out who's hanging around your house though.

Paul Tracey (21:26.737)
There's, there's just so many tools now, you know, that are available. used to be, you know, back in the, the day you had to have knowledge on, on how to create scripts and how to exploit things. And unfortunately, there's a lot of tools now that you can just purchase that do that for you, which expands to criminal element that did not have that capability.

Right. They can just go on the dark web, buy what they need, or in some cases, you know, buy a flipper zero and, and do a little bit of coding there and create their own.

Francis Gorman (22:06.349)
I do have to say though Flipper Zero is one of my favourite tools in the whole world. I like it.

Paul Tracey (22:11.309)
It is such a fun tool. I don't disagree with that. But like anything else, the tool is the tool. What you do with it depends on how we look at that usage, right? So Fliffer Zero is a great tool. There's people that are gonna misuse it just like any other tool. So, you know, we just have to be aware.

Francis Gorman (22:34.721)
No, we sure do Paul and it kind of brings me then what are your thoughts on the dangers of IoT devices? I have some particular dislikes to IoT and their lack of software updates and their poor security but I'd like to get your perspective on the IoT market and the smart home devices that everybody seems to be ramming in from either connected doorbells to lights to change color in their houses. Have you got any perspectives on the IoT world?

Paul Tracey (23:04.891)
I think IOT devices can be secured. I don't think they currently are right. And especially in home use, you can lock down your home network. Don't believe that your ISP does it for you, regardless of what their marketing says, it's connected, it's secured. No, it's not. That's absolutely false. You know, we saw with Ring camera years ago that these things could be exploited.

I definitely do not think there's been enough move in that industry to get those devices secured. So I was in an office the other day meeting with a client and in the office next door, they have like five printers, all the wifi is on for the printers and open. Right. And even the client said to me, you know, I thought about messing with them and connecting and just printing out something that says you've been hacked.

And it's, yeah, that's because you're the nice neighbor. The hacker doesn't think that way. And what we don't realize a lot of times with the IoT devices is they have network cards in them. They're not these simple devices anymore. You can run scripts from them. You can get a layout of the entire network and find out what's there. So in terms of cameras, sometimes people are just looking to look at a camera, right? They want to

get into your cameras to see what's going on. That's dangerous in that if you're on vacation, somebody's been checking your cameras for three days. They know nobody's home, right? That potentially leads to theft at your home. The bigger issue that I see is once they get into those IOT devices, the next step is getting into your computers and your phones and other devices from that launching point.

and even if you detect on your computer, Hey, you had a virus, this happened and you stop it. If they have persistence on those IOT devices, they're not going away. Right. And so we don't really have software solutions on those IOT devices, at least not to the degree that I think manufacturers should be installing them. And so that point of entry becomes the network.

Paul Tracey (25:28.113)
We've got to make sure that our home networks are locked down and we have some rules in place. Obviously as soon as you get an IoT device, first thing you're going to do is change that default password. There's nothing easier for a criminal or a hacker to get in and say, we're just going to run the default password that we know goes to these cameras. If you haven't changed that, now they're in, have admin.

The farm away.

Francis Gorman (26:00.789)
And I can't tell you how many times I've run a pen test in an organization. I've gone onto something silly like a printer or a camera device. And then I've been able to pivot from there, use Nmap, map it out, start to relay the brand names. And with a simple Google of what's the default login credentials, boom, in.

straight at full access, know, especially especially a router or a switch or a camera system, you know, I can count on more times than I would. I would like how many times that default credential has has remained in situ. You know, it hasn't hasn't been switched off and it does give you demarcation point on the network. And Paul, I'm interested. And just because of the absolute wave of conversation at the moment around.

artificial intelligence and generative AI, are you seeing shadow AI in small medium businesses that you're looking after at the moment? Are you seeing that becoming a problem the same as the corporations are? Are SMBs using generative AI or is the hype cycle just not there for them at the moment?

Paul Tracey (27:14.129)
So I think small businesses are definitely using AI. That might be with or without the management or ownership knowledge, right? And that to me is kind of the big danger there is that if we're using AI, we need to make sure that we're securing those platforms, right? That we're not giving our business data out to a large learning model, right? First of all.

That's not good for your business that has potentially very bad outcomes depending on what data is there. And then, know, do we have our our employees using AI and we're not aware of it. Right, which is a bigger issue because that means they're generally going to be using free services, right? And I think after, you know.

this many years, we understand that free services aren't free, that there's data collection happening. There's other things happening, right? And so if we're going to use AI in the business, let's make sure that it's on a secure platform and our information isn't getting out there. But in the same time, we need to be using AI in our defense because we're going to get attacked with AI. Right. And this is generally the difference that

that criminal organizations have is speed to market. A lot of small and medium businesses are talking about how do we use AI? How do we use AI maybe in our security?

but there are already being attacked by AI. The reason why phishing emails have not only been good, the human error problem, but they're getting exponentially better because we don't have a lot of the same identifiers we used to have. You could look at a logo, you could look at the language in a phishing email and say something doesn't seem right.

Paul Tracey (29:23.057)
Now that folks are using AI, they can literally go in and say, I am in New York. I want to use this vernacular from this area. That email, the logo is going to be AI generated to look like Microsoft or whoever else. That email is going to be exponentially more difficult for end users that already had trouble identifying phishing emails.

So if we're not using AI to look at those things, we have a big security gap here now where it's being used against us. We're not using it to defend. And I know there's, you know, people have a lot of opinions on AI. It's terrible. It's great. What we know about technology is it's here. And regardless of your opinion on it, it's not going anywhere. And criminals are going to use it.

You need to have a plan on how you're going to use it and how you're going to defend against it.

Francis Gorman (30:26.647)
That's very true and I think there's been a paradigm in terms of the shift in the phishing space as well around security culture. I remember the psychology behind the misspellings in a phishing email used to be not to draw awareness that they were phishing email but to weed out the vigilance so that the person that clicked on them was an easier target because they weren't paying attention. Whereas now with AI it's been crafted to the individual. It's specific to the information that pertains to you and therefore

It's the psychology has changed. It's actually it's familiar. It's targeted. It's trying to draw you in a far different way. It's not trying to weed you out in terms of vigilance. So it's it's far more dangerous because you get a a higher click rate in when you go out of that way, when you can, you know, I can I can take information that's either been made available through a breach or to to something else. And then I can target. And I had I had Michael Freeman on a couple of months back.

And he was talking about attacks where they were seeing company Slack accounts being hijacked, all of the data pulled out and then extortion attempts made based on that information to executives saying, well, you were told about all of these problems and you covered it up, et cetera. So if you don't transfer this much money, et cetera, you know, and that's only available through large language models being able to contextualize and to drive through huge amounts of data. that's, you know, that's...

That's quite a frightening change in the attack surface, especially from a data driven attack perspective, not just, know, which are the vulnerability and broken. So it is a watch item. I think we're gonna see lots of interesting breaches over the next year or so as, you know, bad actors come up with more creative ways to use this technology, this capability for gains that are not exactly to be.

to admired but you know sometimes the bad guys have great ideas and you know they just apply them to the wrong causes. Paul before we wrap up if you were to give small medium businesses a couple of pieces of advice to protect themselves today for tomorrow what would those be?

Paul Tracey (32:42.539)
two really huge ones. One human error has always been an issue. It's always going to be an issue and it stems from lack of training. You not only have to do your compliance thing and do the annual security training depending on your industry, but that should be followed up. You should be doing it weekly and monthly in the form of, of small tech tips or, know,

company meeting, however you wanna facilitate that, but training for a culture of security and people understanding their role in that culture is paramount. Second would be, well maybe not second, these are probably equal. I can tell you whether you have vulnerabilities based on one question always. When was the last time you had a penetration test? If your answer,

isn't within the last 90 days, and even sometimes if it is, but if it wasn't within the last 90 days, there's something. And I say that from a place of doing tons of penetration tests for people and finding that exploit. And a lot of times the answer is we did one last year. Well, as you alluded to earlier,

In the security space, we wake up every morning to a giant list of alerts and zero days and all this new stuff that that came out. If you're not testing quarterly to make sure that your security is working the way it should work. I can. With 100 % certainty, tell you that there's vulnerabilities you don't know exist. And the unfortunate thing is. I always look at.

at cybersecurity folks when hiring and so forth. And does this person think like a hacker? Because that's probably why I'm as good as I am at this industry is that I look for the threats first. Right. And the problem is that some of us have a moral compass and we play on the right side of the team trying to protect businesses, but don't underestimate the folks on the other side just because they took an easier route. Right.

Paul Tracey (35:03.941)
There are folks out there that are highly skilled at getting into your systems. And if you're not testing to make sure they can't, they will.

Francis Gorman (35:16.051)
Paul that's great advice to take away. I really appreciate you coming on today and I'm hopeful that know the listeners get some value out of that conversation especially in the SMB space which is an area that I'm very aware doesn't get a lot of attention when it comes to security but needs it just as much as everyone else so I really do appreciate you coming on to talk to that space.

Paul Tracey (35:38.117)
I appreciate you having me on so much. think, you know, I really respect what you're doing. think it's vital that we're having these conversations because there's an education gap that needs to be filled. So thank you for doing this and having me on.

Francis Gorman (35:54.977)
Thanks a Paul, and have a good day.

Paul Tracey (35:57.199)
You too.