How Small Businesses Get Hacked – Interview with Mike Storm

Did you know 60% of small businesses are forced to close within months of being hacked? Meraki Go speaks with Mike Storm, Cybersecurity Distinguished Engineer at Cisco and 15-year CCIE Security, about how businesses get hacked and the best ways to protect your network.

Kimberly Truhler: Hi everyone! I’m Kimberly Truhler, Integrated Marketing Manager for Meraki Go, and I am so excited to be speaking with our guest today – Mike Storm. 

Mike has spent over 30 years in the networking and cybersecurity industry. He’s the Cybersecurity Distinguished Engineer at Cisco and 15-year CCIE Security. He is also the host of the online reality series Cisco IT Security Makeover along with the popular podcast Unhackable.

Welcome Mike Storm!

Mike Storm: Great to be here. Thanks for having me, Kimberly. 

KT: I’m so excited for this conversation. We have so much to talk about with security. But first, I need to know – how did you get started in this field? Why cybersecurity?

MS: You know, I think it was a natural evolution for me. I actually got into networking really early when networking and security were kind of somewhat the same set of nomenclature. I don’t think there was a distinct cybersecurity element back then, it was just trying to secure networks and so forth. And that’s always been my passion.

But when security became, you know, a kind of a thing, it was very, very interesting. And one of the things that I found is that cybersecurity is an amazing career because there are always new challenges. We’re always battling the bad guys. [laughing] And regardless of who we are – if we’re just a consumer or we’re an industry professional – there’s just so much to do and so much to learn and it’s always changing. And I think that’s what keeps me interested. Because, as you can tell from my background, I’m not very satisfied just doing one thing.

KT: Right. Well, even the things I listed in your bio, it’s like, you just do not take time off!

MS: I really enjoy this stuff and I appreciate being able to talk with you and your audience today.

Evolution of cyberattacks

KT: You have actually led us into one of the questions I have for you. You’ve seen it all over the past 30 years. How have you seen cyberattacks evolve, and then from a more positive standpoint, cybersecurity evolve? 

MS: You know, it’s, it’s interesting because when you look at the evolution of cyberattacks, it started way back in the day of just kind of messing around. I mean, hacking was not really a bad thing. It was more of, you know, how do I get more out of a system. You’ve heard of life hacks? How do I get more out of a soda machine or a TV or whatever it is I’m using.

But when the time really came where they realized that monetization could happen, that people could actually make a living from attacks, that’s when everything really started to change. And it took some time. But, you know, inevitably just the general sense the way our world works for someone to be able to sit in complete anonymity in their basement and be able to make millions of dollars off of people who are either too trusting or simply just don’t know they’re at risk just became too easy.

And unfortunately for us as professionals, the cyberattacker, the bad actors, they have the entire industry – all the technology, all the connectivity, all of the brains of the entire industry that they can innovate with. We are limited by our knowledge of what they’re going to do. We are limited by our investments.

And if you’re a small business, if you’re a consumer, typically, those investments are not very great. They’re typically not a lot because it’s not something that you think about every day. In most cases, with a small business or a consumer, it’s not your core competency. So you’re not supposed to think about it.

And so I believe that’s the big difference in what’s taken place – the ability to monetize an attack against somebody who doesn’t know that they’re at risk, or they’re exposed, or that they’re going to be attacked.

Fortunately, for all of us, it has become critical thinking these days to do everything we can to protect the consumer. You know, it’s evident through everything you do every day. With more and more sites, as you probably have noticed, that you go to online and they’re wanting to send a code to your email, or wanting to send you a code to your cell phone, and you didn’t ask for that. And that’s good because that means the industry is doing its best to keep up. Because one of the best ways to protect your identity and your credentials is through multi-factor authentication.

Misconceptions about security

KT: Right and we will talk more about multi-factor authentication a little bit later in our conversation. Once upon a time, I grew up on a Commodore 64 doing basic programming…

MS: So did I!

KT: …But now, especially since the pandemic, all of our world has shifted online and shifted to the cloud. That’s true for small businesses, of course. And there’s a lot of good in that. But then we need to have this all-important conversation with you to protect ourselves. So what’s one thing you think people have a big misconception about as far as security?

MS: Well, I think there’s probably 2 or 3 things that I can immediately identify. And unfortunately, like you said, the pandemic has changed the severity of those.

So here’s the first. Many small businesses that are micro-sized businesses [with 1-50 employees] think “I’m too small to have anything that anyone cares about” or “I’m too small to be hacked.” And that’s absolutely not the truth. The reality is that the attacker realizes the quality of the data that’s typically stored at these organizations – be it financial data, medical data, or whatever – is just as valuable. Even though not in the same quantity, it’s just as valuable as that which would be associated with some of the largest businesses in the industry. 

The second thing they know is that typically these smaller micro-sized organizations are not going to have the same level of IT expertise or budget to protect their network. Maybe they’re using what their service provider gave them to make an internet connection to their office. Hackers realized that they’re low hanging fruit, so small businesses have been the subject of attack for years and years. You know we have a stat right now that 60% of small businesses actually go out of business in the ensuing 6 months following an attack.

KT: 60?! 6-0? 

MS: Yeah, 60%. That’s a big number. 

KT: That’s a big number. 

Cloud storage

MS: Now, I will say this. I think that one of the things that the pandemic accelerated – because I think it was already in process a little bit – when you think of attackers and what they can attack, the assets that they attack the least are often cloud storage. Cloud storage is a little bit harder for them. Not that they can’t, it’s not impossible, but it’s not as prevalent for them to be able to gain access to a cloud-based system.

And so, prior to the pandemic, there was a lot with medical records and financial records where a lot of the stuff was being moved to the cloud. And that was actually a good thing because the micro-businesses were not storing it on-site (where, if there’s an attack, the attacker gets in, they get to their local database). Micro-businesses started taking all their financial records, or whatever, and started to move them to the cloud, which is actually a good thing. And I think the pandemic accelerated that.

KT: I love you saying that. I just did a few articles on the cloud – being “cloud first” and cloud security, for example. And I think a lot of small businesses think – and this is probably the biggest misconception – that being on the cloud, storing on the cloud, running your business on the cloud, that it is more dangerous. And you’re saying it’s actually less, that it’s more secure to be on the cloud than it is to have your own storage on site. You’re smiling.

MS: Well, I, I think you kind of have to weigh both sides. You know, it’s not impossible and I’m not going to say in the future that the cloud is going to be impervious to attack. I guess more my point was if you’re a small business and you know that you have very little security capabilities protecting you, and you have a local database on a server, my ability to get in there and take that data is very, very easy. That’s a known factor. 

In contrast, as soon as I go to the cloud, all of a sudden I have to deal with the cloud’s capabilities. That isn’t to say that all clouds are secure or that everything I have implemented in the cloud has been done in a secure fashion. So that’s kind of why I was smiling.

You know, the cloud is only as secure as you make it. But one of the benefits is that if the cloud provider has the security mechanisms, they’re automatically applied when you opt in. So if they update, you get the updates. If they change, you get the changes. You don’t have to worry about being the one that actually adapts to that, which can help to keep you safer in a more rapid fashion based upon how things are changing.

Cyberattacks and human error

KT: That’s fantastic. So, on the negative side, I just read an article (and I think it was in Inc. magazine) that said 85% of cyber attacks are due to – surprise! – human error. Would you say that that’s coming from phishing largely or some other source? 

MS: Yeah, there are actually quite a few sources. I would say anything that requires interaction hackers can use as an attack vector. Emails are big – email is still the #1 attack vector because it’s very easy to craft emails that look very legitimate. 

KT: Absolutely. 

How hackers attack

MS: The thing that’s challenging – and I talk about this on Unhackable a lot – is that multi-factor authentication, when done correctly, is the best course of action that you have because attackers want credentials. Attackers know that we are humans and humans are easier to attack than machines because we have human nature. They understand that part of human nature means that I’ve only got so much memory. And if I have a lot of places that I go online, I’m probably going to reuse those credentials in more than one place.

So they’ve been after our credentials for years, and they’ve done a really good job with literally billions and billions of accounts. They will then turn around and attack en masse. When they do that, what they’re trying to do is reuse the credentials that they’ve taken. They also have prediction algorithms, which allow them to figure out – based upon your history of all these breaches that have happened over the past 10, 15 years – the likelihood of what your password is going to look like for the next 2 to 5 iterations. And they can guess them. So without multi-factor authentication, you’re pretty much open to attack if you’ve reused your credentials. This is pattern #1 that you have to be aware of. 

Why is that important to your question? Well, as soon as I have credentials, I can begin to learn about you and I can begin to craft things that look legitimate towards something that we could expect you to click on and could expect you to open, which is where I can get more information. It’s not just credentials that they’re after, obviously. Sometimes they want to install malicious software of some kind that can give them further access. 

Even multi-factor authentication these days is being compromised through what we call MFA fatigue – where people are getting constant notifications when they’re trying to log in. They finally get sick of it and just say, “Yes, leave me alone.” And that’s all the attacker needed. They’re suddenly in whatever that was, but again it all comes back to the human response. 

And so without education, without technology, it’s created what we call the “security poverty line.” It’s a delineation between those who have the budget and the IT expertise versus those who do not, such as non-profits and smaller companies that do not have this core competency. We have to make sure that they’re able to be secured as well through education.

Education and training

KT: Well, perfect segue to the next question. What kind of training do you recommend? Because at Cisco and other corporations I used to work at, cybersecurity was one of the things we were regularly trained on, sometimes multiple times a year. So for small businesses that don’t have the infrastructure to have this kind of formalized training, what should training look like for, say, a small business of 1 to 50 employees?

MS: Anything that you can do. Whether it’s on your own, or in partnership with one of the MSPs you might work with, pick an industry professional that you like to listen to and listen to some of their basic stuff. At Cisco, one of the things that we do pretty regularly is the IT Security Operations group sends out emails that look like they come from within Cisco, or they send out text messages that look like they come from within Cisco. They are spam. They are designed to teach. And the goal there is to show people “Wow – I had no idea that an attack-based email or an SMS message would look this legitimate.” The key is awareness and understanding that you really just have to fix your click reaction time, and understand the email or text you received may actually require some additional investigation.

I’ll give you a simple story that everyone can use. I had my bank call me one day. It literally was my bank, but I’m paid to be paranoid. I’m not going to believe that. 

KT: That’s right. [laughing] 

MS: So this guy calls out of the blue. I had no request in. He called up and he said, “Yeah, we’re just calling some of our tier one customers just to find out what else we can do to make your experience better.” And he started asking me those questions, you know which ones I’m talking about, to verify my identity. And I’m like, “Ok, hold on. Hold on. Where did you say you’re from?” And he told me the bank and I said, “Is this a local branch?” He said, “Yes, I’m here.” I said, “Ok, good. Well, I’m going to hang up and I’ll call you back.” So I hung up. I called that branch and I asked for the gentleman that had called me. The branch manager there had said “Oh yes, he’s here. No problem.” He got on the phone. The guy thanked me. He said, “I really appreciate the steps that you took. I was not offended at all because I completely understand.” 

Him calling me out of the blue? That was red flag #1. Red flag #2 – it was financial. Red flag #3 – the questions that he started to ask. Everybody should have that caution. You’re not going to offend anybody if you just say, “Stop. I’m not going to click on that text message or that email message. But I am interested. Let me go through my own channel.” A channel that I control to that entity, whatever it may be, and verify. Believe me, if they want to notify you and you call them or email them directly, they will know that they wanted to notify you. And that will legitimize the entire path. I mean, it’s as simple as that. We just have to be smarter about the way we interact.

Multi-factor authentication (MFA) and other security

KT: So on the subject of multi-factor authentication – would you say that that’s the biggest way that small businesses can enhance their security? Are there other ones you would recommend?

MS: I would say that MFA should be universal for everyone right now. But it has to be done correctly. There are some not-so-good ways to do multi-factor. And probably the #1 not-so-good way is just to get a simple text message. Only because it’s just way too easy to be able to intercept those messages or become that phone. 

We’ve seen it with crypto currencies now for years. People’s entire identities, all their money, everything locked out with literally just one bad authentication attempt. They lose everything. So email is always safest, a phone call is the best. An authenticator application – we have DUO that we use at Cisco. And DUO has just been recently upgraded to include a code, which is locally generated. They ask for it and you actually have to put the two in to make sure that it is a sync. So that way it eliminates MFA fatigue.

But MFA – multi-factor authentication, 2-factor authentication, whatever you want to call it – that’s probably the very first thing you can do human-wide, not just business-wide, but use it in your daily life with your banking, shopping, and everything else you do. That’s #1. 

The second thing is behavior. I would say, start your behavior with text messages and email – learn how to look at it. You know, one of the biggest giveaways in emails is the email address that it came from. It’s not always obvious, but most of the time it will come from some really strange email address that doesn’t look right. Immediately that should stop you, right?

So I think [being careful about] email and using MFA are the top 2 ways businesses can protect their security. 

DNS protection

MS: The next thing that I would say for small businesses – protecting the connection at the lowest layer. The best way you can do that is through DNS protection. DNS protection covers everything. So if you’re a clinician, if you have a small business, maybe you’ve got kids coming in to get dental work or something. They use a system in their facility. Their connection on WiFi is protected and it’s also protecting you.

So those are probably the three simplest things. There’s much more. Meraki Go has some amazing capabilities as well that cover this.

Meraki Go

KT: So let’s talk about Meraki Go. We’ll talk about VPN in a minute, but what do the Router Firewall, Router Firewall Plus (which has VPN), and the access points offer as far as security?

MS: Well, I like to think of Meraki Go as a means of having enterprise-level protection without having to have either the financial or human investment in that. And that’s really the key. So when I first started doing the Cisco IT Security Makeover series in 2017, we were talking to really small micro-companies. They maybe had 2 or 3 employees. And one of the first things we learned from them was that they were constantly under attack. Because, as I have said, their data was just as important as data from bigger companies. 

But secondarily to that, they just didn’t have access to technology. They didn’t even know who to call. Cisco was this big behemoth that was too big and too complex to work with. They had no idea that we actually had providers that were designed to help these really small organizations. Meraki was a big part of it back then as well.

But, you know, one of the things that was really interesting about it was because it wasn’t a core competency for the micro-business, there was such a distinct separation between – What is my risk? How much should I invest mentally in this? How much should I invest financially? And it just wasn’t feasible for them to think about it and continue to do their business.

And so, I think the niche that Meraki Go really fills is if you need to have this enterprise-level security but you just don’t have the IT expertise. Meraki Go literally takes anybody only minutes to set up. And the way we’ve set it up to the point where all the defaults that you have, and the way that we put it together, it’s going to protect you just like an enterprise-class security solution would. And it’s designed for those folks that just don’t have the finances for a subscription or the contacts to be able to get someone in to manage their environment. And that’s what’s most important. Your WiFi needs to have baseline protections. Your firewall/router ISP connection should have baseline protections. And all those are built into Meraki Go. You don’t have to think about it. You just click and go, and that’s what’s really nice about it.

Virtual Private Networks

KT: Thank you for that. So let’s talk about virtual private networks. We have recently brought VPN into Meraki Go Router Firewall Plus – we started with client VPN and now it has site-to-site VPN as well. Can you speak to the value of that? 

MS: Absolutely. So VPNs. The first thing I’ll say about them – just generalizing here – a virtual private network would be like you and I having our communications for this conversation encrypted. So no one could understand us if they were not watching through the approved channel. They would have no idea what we were saying. But I am on my end point and you’re on your end point, and those two things are wide open. Meaning VPN does not protect you and it does not protect me, it protects what we’re saying. So that’s one thing to consider – you have to have security at both ends. 

So there’s definitely a difference between the line encryption versus the entire session encryption. When you establish VPN between two secured entities, all of a sudden VPN becomes very powerful because now both ends of the conversation are secure as well as the channel that’s being used to send the data is secure. And that’s really what we’re after. 

So client VPN, as long as the client is not compromised, that VPN is good to go. From the site-to-site VPN perspective, because the Meraki Go devices are inherently secured, that channel should be safe as well. So the reason I’m saying this is I just want to make sure people realize that just because you have something that says “VPN,” it doesn’t mean 100% trust. Never trust anything 100%. If my phone is compromised and I’m using a VPN to talk to Cisco, guess what? That compromise can go all the way to Cisco. 

KT: That’s not good. There’s an ongoing discussion with IT pros about whether they should advise their employees to VPN in, especially small businesses that may or may not have it yet. So where do you weigh in on that issue?

MS: The biggest concern from that statement would be – how much control do you have of the device that’s making the connection? Because again, if you’re just letting anyone on their home machine use software that you’ve given them to do VPN but you don’t know what the status of that system is, that system could actually be imposing a larger threat to your business than if you didn’t use VPN at all. The one thing about VPN that’s bad about it being good is that it’s an encrypted channel, which means you’re not going to be able to see what’s being sent. So it’s really hard sometimes to understand the level of risk or the level of threat that’s actually being carried out.

So I would say, as long as the end point itself has its own protections, and you can verify that the end point is not compromised, then VPNs are a good idea.

Mobile Device Management

KT: Okay, great. So let’s talk about another thing that the pandemic kind of changed, which is that employees started using their own devices. This was happening at businesses of all sizes because they needed their employees to get back to work straight away. And then now with remote and hybrid work, we still haven’t really solidified protocol for it. And then, of course, small businesses – most of them are not supplying devices to employees like a big corporation like Cisco does. So what are your thoughts on Mobile Device Management?

MS: You could probably look at it from a few perspectives. I think that some of the things we’ve already talked about… First, if my applications are in the cloud, then I don’t need a VPN. I’m going to have secured connectivity to that cloud. And because of the way that cloud is arranged, all the activities are happening inside of that cloud interacting with my business. So that’s actually a very safe way of doing business. And that’s why we actually saw the acceleration during the pandemic of many more organizations moving their users to using cloud front end apps, because it afforded that level of security that you just don’t have when you’re the one that has to manage all the devices.

Now, on the flip side, you know at Cisco we are one of the most open companies on the planet from the standpoint of allowing employees to bring their own device. I use my own device. But we also have very, very tight security restrictions on those devices. And rightly so. If they can’t control the device, you’re simply not allowed on.

Things like SharePoint, as an example, which is a cloud app. It is much easier for me to get onto SharePoint from my phone than it is for me to get onto an internal Cisco site because that device just doesn’t have the same level of protections that would be necessary if I was actually on-site. So that’s really what the distinction is.

You know, you’ve got to be able to determine how much control you have of the end point device. Otherwise, you want to find other mechanisms. ZTNA – Zero Trust Network Access – is a concept out there right now, which is kind of a VPN-less type of access control that allows you to do individual authentication and posture from the human point-of-view on the end point. And then only allow access to the application where the trust exists. So different from a VPN where a VPN could potentially give you access to all of the local assets on your network. ZTNA may only give you access to one application, which is a much easier element to control individually than it would be to open it up to everything.

KT: Indeed. So for small businesses, you’re not saying this is my strong recommendation – every small business needs MDM. You’re saying that there is other security in place that can protect the devices in a business network. 

MS: Yeah. And it really depends upon the use of the device. So when we think about a user interface to an app, that’s relatively straightforward to protect. If, on the other hand, if I’m storing data on this device, now MDM is an imperative. Because if the device is ever lost or stolen, that’s intellectual property that could now be in the hands of anyone and I have to be really careful about how that device is handled.

Of course Mobile Device Management’s job is to do things like petri dishes or containers where that data is stored, and then be able to do remote wipe or various things. And I will tell you that Cisco does, in fact, have MDM policies for any device that joins their network. If it’s ever stolen, not only is the device encrypted, but they have the ability to wipe out everything on that device just to make sure that the intellectual property does not end up in the wrong hands.

Benefits of enterprise-grade security

KT: Right. So in closing, what would you say are the top 3 benefits for small businesses to invest in enterprise-grade security?

MS: Well, top 3 benefits for a small business. It’s almost too easy!

KT: Right. [laughing] 

MS: To have the access to enterprise-level security at such a small price point with so much simplicity from the standpoint of how to get it deployed. I mean, honestly, I’ve never seen anything like Meraki Go. Meraki Go should be available to everyone, including consumers. You have that enterprise-class capability and this is not something that people expect. They really don’t even have to understand what they’re getting at the enterprise level because it’s not their job to investigate that. But I think it’s really important that they realize: “This is so easy.” You don’t need to have an advanced skill set. You don’t need to go hire someone to do it. It could be done very easily and very inexpensively. 

And all of a sudden, it’s now just up to the human factor. As long as you can keep yourself in check, you’ve got the technology, which is one half of the battle. I mean, it’s all about humans and technology working together. So, I mean, I don’t even know if there’s 3 benefits. I think it’s just one big one. [laughing]

KT: One big one. [laughing] My takeaway from this conversation is keep yourself in check.

MS: Knowledge is power, yes.

KT: Yes, that’s right. Well, on that note, thank you so much for joining me today. I know how busy you are, and all this conversation was so invaluable – to me personally, I’ll tell you that, as well as the small businesses that are in our community. So thank you very much. 

MS: My pleasure. Anytime. Thank you!

Final thoughts

  • No business is too small to be hacked – your data is just as valuable as data from large corporations
  • Your business could be more vulnerable to hackers if you’re only using the equipment from your ISP
  • Never trust anything 100%, even VPNs
  • Business data is safer stored in the cloud rather than on-site due to its layers of security and automatic updates
  • Multi-factor authentication (MFA) is one of the best ways to protect yourself
  • Phishing can be avoided by slowing down your click reaction time and investigating the source before sharing any information
  • Vary your passwords and make them complicated – hackers have prediction algorithms that figure out what your password is going to be for the next 2 to 5 iterations
  • Mobile Device Management (MDM) is imperative if any business data is stored on a personal mobile device
  • IT security training and education for small businesses can include learning from an expert online, such as Mike Storm in his Unhackable podcast or Cisco IT Security Makeover series
  • Meraki Go’s enterprise-grade security is as valuable for consumers as it is for small businesses – it is also affordable, requires no IT knowledge or experience, and can be set up in under 10 minutes