How B2B Companies Can Improve their Cybersecurity
This week’s conversation takes us into the ever-changing world of cybersecurity with Dominic Vogel (Founder & Chief Strategies, Cyber.sc). In our interview, Dominic elaborates on the importance of having cybersecurity measures in place that go beyond software and plugins, the most common misconceptions that businesses have, his top trends and predictions, and how “cyber resilience” is imperative to prevent company websites, data and information from getting compromised.
Topics discussed in this episode:
- The cybersecurity components: External threats and competitive advantages. [7:47]
- Debunking the common cybersecurity myths:
  - Cybersecurity is a business risk, not an IT risk – Strategic governance, oversight and due diligence is the responsibility of the executives and the board. [14:26 / 23:15]
  - Cyber insurance is not the solution – you need to address the inherent risk first. [20:43]
  - You cannot rely solely on antivirus. [25:49]
- Dominic on the most common cyber threats, ransomware and business email compromise. [16:14 / 18:37]
- SMEs should start doing the basics and do them well, prioritize their cyber risk, invest appropriately, and stop the false sense of security. [42:40]
Christian Klepp, Dominic Vogel
Christian Klepp 00:08
Hi, and welcome to the B2B Marketers on a Mission podcast. I’m your host Christian Klepp, and one of the founders of EINBLICK Consulting. Our goal is to share inspirational stories, tips and insights from b2b marketers, digital entrepreneurs, and industry experts that will help you to think differently, succeed and scale your business.
Alright, ladies and gentlemen, welcome to this episode of the B2B Marketers on a Mission podcast. I’m your host, Christian Klepp. And today I’d like to welcome a guest into the show who has an established track record as a cybersecurity leader in Canada. He’s also a regular guest on Global BC, CK&W, News 1130, the Vancouver Sun as well as the BBC News. And on top of this, he’s also a comedian, mentor, and most important of all, an amazing father to two kids. So Dominic Vogel, welcome to the show.
Dominic Vogel 00:59
Christian, that was a heck of an intro. Thank you very much. Pleasure to be here.
Christian Klepp 01:03
It was a mouthful, man, but you know, your reputation precedes you.
Dominic Vogel 01:08
Very honored to be here, my friend.
Christian Klepp 01:10
Thank you. So let’s, let’s get this party started. And you know, I’ve done a little bit of an introduction, but you know, give us a bit more background about yourself, you know,
Dominic Vogel 01:18
Sure. Yeah. I mean, gosh, where to get started. I mean, career wise, I’ve been in cybersecurity my entire professional career. You know, it’s the only career field I’ve ever really known and loved. Yeah, so the first 10 years of my career were mainly in the financial services sector here in Vancouver, BC, where I reside. And I worked my way up the corporate ladder during my 10 year corporate career and eventually was in charge of cybersecurity for a fairly large credit union. And then one day I realized how much I hated the 9-5, and went out on my own and I went on an entrepreneurial journey. And past five years have been building Cyber.sc, which is my advisory firm. And we write just on the SMB market, small midsize businesses. That’s where the good people are. And I love working with those types of organizations. And God bless you. And it’s been a ton of fun, you know, it’s allowed me to do a lot of speaking opportunities. Being on podcasts like this one and I very much now that’s how I spend a lot of my time is relationship building and brand building. And it’s been a hell of a lot of time on LinkedIn as well. So that’s me, professionally. Personally, I have an amazing wife and two young kids, 10 year old daughter and 3 year old son, James, who’s often a, I get a lot of good stories and lessons learned I get from him that I always share on LinkedIn as well. So for those who aren’t following, please feel free to follow along.
Christian Klepp 02:46
Yeah, no, I mean, thanks so much for sharing that, Dominic. And yes, I dare presume that I think James is becoming even more of a LinkedIn celebrity than you are these days.
Dominic Vogel 02:57
I think he is. I mean, he’s got the cuteness factor down pat. So that’s I struggle with but what’s really neat I think and a lot of people they truly miss the boat on and don’t understand is that at the end of the day, we’re all humans, and you know, people talk about b2b, b2c, all those other crappy acronyms. And I remember there was a friend of mine, told me and she said, you know, that really the only acronym that matters is H2H. And I said, well, what’s that she said, human to human. At the end of the day, it doesn’t matter what someone sells. If they, if they know you, they like you, and they trust you. That’s a strong human bond there and you don’t get that bond by just being an expert. I mean, obviously, yes, it’s important to be an expert. You need to have that pedigree. But you can’t just be hopping that out, day in and day out. You need to be human to truly start building something.
Christian Klepp 03:55
Yeah, no, absolutely. And you know, that that’s such a great point. I mean, you know, in fact, I was on a, I was on a podcast interview the other day. And, you know, the host asks me about, like, you know, some of the things that are going on in the world of b2b and you know, where it’s going and how we can improve and I think one of the things and I’m sure you’ll agree with me… let me just say for the record, not everybody, okay, but more often than not B2B tends to be the repeat offender of like, let’s not make our marketing too exciting. And let’s not focus too much on the human aspect of it. But you know, fortunately, the tide is beginning to turn in that regard. So that’s why I had to throw in that caveat and say, not everybody is guilty of this, right. But at the end of the day, it really is about, you know, people interacting with people. I mean, certainly like what you’re what you’ve just rightfully alluded to, certainly they’re also after technology. They’re also after expertise and solutions and so forth. But at the end of the day, they also want to know, who’s the person behind all of that. Right?
Dominic Vogel 05:04
Yes, yes, exactly. And that’s where you, especially when you talk with a lot of you can tell sort of when people are more of a traditional marketing mindset and those that are a bit more modernized for lack of a better term. And those who just say no, you know, what, work is for work, you know, we separate work from personal life and that type of… Sure, you may have been able to make that argument prior to COVID. Now, during COVID, if you think that’s true, then you’re an idiot. You know, it’s those lines aren’t just blurred, there are no lines, you know, they’re one and the same, you know. And at the end of the day, I’m a firm believer that humans have that longing to be for connection, for community. And, you know, I’m looking at 2 or 3 different experts, let’s say for a marketing function or arms function, how even for if I need like a CFO as a service type function? To me, it’s like, Okay, well, if they’re all obviously experts in their own right, and I’m able to call it they are experts, then that those all negate themselves. To me, that’s it. Well, the next level of differentiation is, Do I like you? Are you someone that is able to let their guard down so that I can get to know. You know, it to me, I truly believe that leading with that type of…, to me is almost a level of emotional intelligence and empathy, that modern leaders need to embrace. Leaders that are still stuck in that mindset of the 1950s of You know, we’re not friends outside of work. That’s by the wayside. And we don’t have to be chummy buddies. You know, going out for beer after every meeting, but because the fact of things like LinkedIn, and because of video conferencing platforms, we can have friends globally, you know, it’s not just restricted to your backyard. So I truly believe that that human factor is going to be more and more of a competitive advantage for people who embrace that.
Christian Klepp 07:10
Amen. Amen. Absolutely. Absolutely. Dominic, let’s talk about the key focus of our discussion today, which is something that clearly has affected a lot of people, not just during this pandemic, but even you know, prior to that, and it’s clearly a topic that, you know, you’ve built your career and expertise upon and that’s on cybersecurity. Okay. So, for the benefit of the listeners, just walk us through what you believe constitutes a cyber threat, which in turn requires cybersecurity in order to protect the assets of a business organization.
Dominic Vogel 07:47
Yes, great, great question, Christian. I’ll sort of lay out the narrative like this. So especially during COVID, we’ve seen even more organizations move online, maybe even just through the context of SME, small midsize businesses and organizations, because of the need to be increasingly more digital, because of the need to be increasingly more virtualized. Coming with that, and moving deeper and deeper into a digital economy comes cyber risk. It’s like there’s a physical risk in the world, to physical stores, there is a cyber risk for the digital organizations of which you know, pretty much every organization now has a digital footprint. And again, further, sort of scraping that down and breaking it down to different components.
One component is the external threats. So external threats are, especially for small midsize organizations are cyber criminals that are going to try and digitally break into your organization, steal data, they’re going to try and hold that data for ransom, they’re going to try and maybe hold your systems for ransom. So you’re unable to access any of your digital systems. If you any SMB right now, if you were to say, Okay, if we were to lock out your IT systems for a day, would you be able to proceed as a company? The vast majority of organizations would just not be able to work. How you just take away email, people lose their damn mind. You know, so these are the types of things when the external point of view that many SMBs haven’t really thought of, you know, they’re thinking, well, we’re too small to target, or you know, the bad people are only gonna go after the large companies that type of thing.
The other component, though is… we referred to as a business competitive advantage. And this is especially true for organizations that I know I just trashed the acronym earlier, but I’ll still use it the b2b organizations, so companies that sell to other businesses. What we’re seeing, especially to large organizations, what we’re seeing there is that the larger enterprises are clamping down on downstream risk or third party risk through vendor risk management capabilities. And really, if they’re engaging with a small vendor, they don’t want to take on that vendors’ cyber risk. So as a result, these larger companies are now doing incredibly in detail due diligence to find out the cybersecurity capabilities or the cyber risks of potential vendors. So let’s say your small company A, and you know, your competitors, small company B. Let’s say you both sell the same Software as a Service platform, to large enterprises. If small company B is able to quickly demonstrate their cybersecurity capabilities, and company A is not, company B will get that contract. And that’s right now is a huge, huge swing, which we’re seeing, rather than just focusing on the external bad, and the threat actors and all that is bad. But now you can equate cybersecurity with actually losing revenue and losing out on big contracts. Now, there’s a very clear business case as to why you need to invest in cybersecurity. If you don’t, well, you’re truly you’re putting yourself at a competitive disadvantage.
Christian Klepp 11:06
Well, that’s incredible. And you know, there was a couple of things on that you brought up, which I think were really spot on. So are you saying pretty much like that, larger organizations, for example, I’m sure they have vetting processes and especially if they’re looking at getting services from like, you know, external providers and such. Are you saying that if these external providers are more, I guess the word is “cyber compliant”? Then the probability of them securing the business is actually higher?
Dominic Vogel 11:38
Absolutely. Absolutely. You know, and we’re seeing that more and more, even in organizations that aren’t in regulated sectors. You know, it used to just be… You know, the banking sector was paranoid and healthcare sectors. Now, it’s everyone.
Christian Klepp 11:53
Yeah, no, exactly. And I know, we’re going to talk about this later on. But you know, this is definitely interesting. And I think this probably hits close to home for a lot of small businesses, Dominic. And maybe break it down a little bit for us. Because, you know, certainly when you’re talking about things like cybersecurity, for those that are not familiar with that territory, the first thing as a small business that’s probably coming to mind is like, it’s going to be expensive. Right? And that’s probably one, certainly one impediment, which is preventing them from actually exploring that path and actually taking those necessary precautions. So can you talk a little bit about that?
Dominic Vogel 12:28
Yeah, for sure. You know, and I think it’s important for especially SMB owners and executives to keep in mind that cybersecurity doesn’t need to be expensive, it doesn’t mean that you need to drop, you know, 10s of 1000s, or hundreds or 1000s of dollars, on the latest and greatest technology or gear. That couldn’t be further from the truth. I’m a firm believer that even just a matter of taking the time to invest in things like security culture, having a more aware employee base and staff based in terms of what the online threats are, and how they should act online. Developing secure data handling practices, making sure that you’re leveraging security technologies, like multi-factor authentication for email access, remote access, these are all things that they already have, the ability to do. It is just a matter of going ahead and doing it and allocating time and resources to it. It doesn’t require any additional capital expenditures, or hits to the budget. Just doing some of those that I refer to as cyber hygiene, basically, the equivalent of brushing your teeth going, having a shower, that type of thing. That can go a long, long way. And so many SMBs just even fail to do the basic cyber hygiene steps.
Christian Klepp 13:50
Right. Cyber hygiene. I like it! So, yeah, I mean, you know, and it’s really interesting, but I’m like, um, you know some of these things that you’ve talked about the past couple of minutes, I mean, what I’m hearing you’re saying is, you know, taking those necessary steps to ensure you know, that your cybersecurity in your business is up to par, doesn’t necessarily just require the installation of a certain software. It’s also systems and processes. And also like, it needs to be somehow infused into the culture because it’s about cyber resilience, too. Right?
Dominic Vogel 14:26
Absolutely. And it’s such a great term that you bring up there, Christian, cyber resilience. And again, really trying to break this myth that cybersecurity is the domain of IT. You know, so many small and midsize business leaders and executives still say, Oh, well, you know, our IT guy deals with it. Our you know, it’s the responsibility of our IT service provider. The operational aspects of cybersecurity, you can outsource. You cannot outsource the strategic governance and oversight and due diligence that is owned by the executives that’s owned by the board. Let’s say there was a data breach and you say, Oh, well, we trusted our IT service provider. And if this went to court, and your shareholders were suing you, that argument, you’d be laughed out of court, the judge would throw the book at you figuratively, literally. You know, pleading ignorance is no longer a valid legal argument in the digital age. So, yeah, that’s what’s so important to understand is, at the end of the day, this isn’t an IT risk. This is a business risk.
Christian Klepp 15:32
Wow, that advice itself, my friend is worth its weight in gold. People listening to this, should rewind this part of the interview and take notes. I mean that man, I mean it. Speaking of which, and you’ve been in this business for quite a long time. So why don’t you talk to us about some of the most common cyber threats that you’ve seen in your line of work? And if you can provide some examples of how you dealt with them.
Dominic Vogel 16:01
Yeah, for sure. For sure, Christian, you know, right now what we’re seeing in the small midsize business scene, there’s two main threats, which are just running amok and causing so much damage.
And the first one is ransomware. So for your listeners who don’t know what ransomware is, is basically sort of the equivalent of kidnapping for the 21st century basically is kidnapping access to your data and access to your systems. And it’s basically focusing on the availability of your data. If you’re an organization that you say, Oh, we don’t have any sensitive data, okay, well, maybe the confidentiality of your data isn’t important. But I’m pretty damn sure that the availability of your data is. And that’s what ransomware is really preying on right now. The ability to take away those systems. And there’s so many, so many small midsize businesses are just not…. And I’ll use the term that you mentioned earlier, resilient, or have enough cyber resilience to recover in the face of ransomware. Right now, the stats are very hard to come by. But the guesstimates are that upwards of three quarters of at least Canadian small midsize businesses are being forced to basically pay a ransom, they do not have the abilities to recover that data. What’s even more startling, though, is that there is a sizable minority, I’m gonna say probably anywhere between 15 to 25% of at least, let’s say just small midsize businesses probably in North America. Typical numbers would be similar in the US that not only do they get hit once and pay, but they get hit a second and third and fourth time, and they choose to keep paying, I have had conversations with prospects who have said they would rather keep paying a ransom than to invest proactively in cybersecurity. That’s the type of mindset that, as a practitioner, makes me want to smash my head through a wall or smash their head to the wall, obviously less painful for me, but it’s shocking, you know. And it speaks to just how dangerously out of touch many small midsize business leaders are, you know, there’s still so much awareness that needs to happen in that space.
And this is why cybercriminals are just keeping the pedal down when it comes to ransomware. This is so so lucrative for them. Hell, if I was in their shoes, I would keep doing what they’re doing, because there’s so much ignorance on the SMB side right now.
The other threat, sort of a 1b to the ransomware 1a, is what it’s basically an extension of phishing is referred to as business email compromise. And these generally take the form of fraudulent wire transfer requests. And the funny thing here is that these aren’t exploiting a technical vulnerability, per se. What they are exploiting is a procedural immaturity. And I’ll explain what I mean by that in a sec. But generally, it’s an email that looks like it’s coming from a CEO, CFO, VP of Finance someone high enough up in the food chain, that they are asking someone in an Accounts Payable or someone who has the authority to initiate a wire transfer, to send a wire transfer of 10s of 1000s, hundreds of 1000s of dollars, maybe to a new vendor or someone who’s owed money by the company. And there’s often a great sense of urgency. These tend to be sent as well when the CEO or the executive is out of office. So basically, these email accounts are being compromised, and it basically looking like it’s coming from the CEO or CFO who have you. And the procedural immaturity, which is being exploited is that for most small midsize businesses, there isn’t an additional form of validation when it comes to initiating wire transfers. With larger organizations, there’s a bit more rigor in terms of initiating a wire transfer over a certain threshold. Again, depending on the organization’s threshold, it could be 5000, 10000, 15000, 50000, what have you. But with many small midsize businesses, there isn’t that extra form of validation. And this is where, back to what I was mentioning earlier about, you know, investing in cybersecurity can just be, you know, showing up from a policy and process perspective. This is a great example, all you have to do here is add an additional form of validation, you know, rather than just blindly taking that email as validation, whoever receives that email needs to validate that through another communication mechanism.
So by texting the person or, or calling them or sending the message on the company instant messaging platform, what have you… or send a carrier pigeon, but you are validating it through another form, not just that same communication mechanism. Just doing that pretty much eliminates that threat. So it’s a good example of how, you know, just a little bit of awareness can go a long, long way.
Christian Klepp 21:07
Yeah, well, that’s, those are really great points. And, you know, it’s, it’s interesting that you bring that up, I mean, like, I don’t know, if I should call that a hack, but it kind of is. But you see that kind of like, resilience, if you will, transcend across to other companies as well. For example, Wealthsimple, pretty big company here in Canada, they’ve recently added this second layer of security onto their platform. So it’s not just you log in with your username and password, you actually need to enter in a security code, which they will send either to your email or to your mobile device, you know, to a mobile phone or something like that. And then you can, you know, you can enter the platform that way, you know, whereas previously, you just needed, you know, they just had that one layer, and then that was it.
Dominic Vogel 21:58
Absolutely. And, you know, I think that’s a great example of organizations are trying to take that level of security seriously. What’s funny is that, at least, you know, given maybe more of a Canadian spin as well here, that many Europeans when they come and live here in Canada, and then they use the banking services here, they’re blown away by the fact that most of the online banking services here do not require an additional form of authentication. It is still human password. Europe is lightyears ahead of European privacy in that regard, and there have been multiple calls for action for the banks to take that more seriously. And I’m sure that these coming soon, but I mean, that’s a good example, especially something like Wealthsimple, that, you know, that’s just basic table stakes now.
Christian Klepp 22:55
Yeah, exactly. Exactly. You spoke about this a little bit earlier, but I’d like to jam on this a little bit further. Let’s try to separate fact from fiction here. So talk to us about some of the major or the top misconceptions that businesses have about cybersecurity, and you already mentioned one of them.
Dominic Vogel 23:15
Yeah. When it comes to sort of those prevailing myths and, you know, there’s a couple in which I’ll hit on. So one is, again, to just revisit that one, which cyber risk is the domain of our your IT team, your IT service provider. Dangerous mindset, you know, again, you outsource operational aspects of security, but you cannot outsource that ownership. At the end of the day, any type of risk has to be owned by the board and the C suite. Doesn’t matter if it’s financial risk, operational risk, personnel risk, cyber risk is part of that Enterprise Risk portfolio. You own that. Otherwise you are asking for trouble. So that’s myth number one.
Another common myth is that, oh, we have cyber insurance. You know, we’re not worried. And it’s like, well, you know what, and the reason why that’s a myth, and I love busting that one is that I like to tell people hey, you know, what, if we’re playing Monopoly, sure, then yeah, that can be your get out of jail card. But this is real friggin life. The cyber insurance is not a get out of jail card when it comes to cyber-attacks. That’s like me saying, Hey, you know what, I have fire insurance. I’m going to rip out all my smoke alarms. I’m going to throw a bunch of dry wood around the place, and I’m just gonna walk around lighting matches, I’m gonna toss my fire extinguisher. That’s what people are basically doing in digital sense. They just say, oh, we’re just going to take our cyber insurance. Cyber insurance and insurance in general is a very good risk management tool. You know, don’t get me wrong. But it’s meant for addressing residual risk. It does not address inherent risk. And I cannot tell you how many organizations have reached out to us basically crying, saying, we’ve spent money on cyber insurance, we didn’t realize we actually had to do something about it. Now, we’ve been hitting our insurance provider saying, we did nothing to address the inherent risk. Now we can’t get the payout. And what should we do? Well, you know, the first thing you should do is invent a friggin Time Machine. But other than that, there’s not much you can do you know. So it just again, that is a myth, it just blows me away that people still think that is a get out of jail card. Again, that’s a false sense of security mindset. So for your listeners there cyber insurance. Again, fantastic risk management tool, an instrument, I’m not saying not to get it. But it is not the only tool, it is not a get out of jail card. You have to address the inherent risk first. So that’s another common myth.
And so the third myth, which I hear quite a bit is, oh, we have antivirus. And we know not to click on a Nigerian prince scams, and we’re good. You don’t need to worry about cybersecurity. Too much, I always, you know, mockingly clap back and say, Hey, you know what, this was 1995, there’ll be nothing more for me to do. But this is 2020. So you can keep living in the past like a child, or you can modernize and realize that the threat landscape of 2020 is far far far different than what you were dealing with in 1995. And again, that goes back again to that level of awareness, and especially in the SMB arena, there’s that false sense of security. All three of those myths tie back to a false sense of security. Organizations really need to understand that cyber risk, especially for small and mid-sized organizations, it’s an existential risk. And people always struggle when I say, you know, what type of company has the most to lose when it comes to cyber risk? Is it a large enterprise company? Or is it a small company? And inevitably, most people say, what’s a large company, they have the most money to lose? And they say, no, it’s actually not. You know, the studies have shown over the past 20-25 years or so, all the massive data breaches, which you know, that mainstream media covers, for large organizations, they all recover. Their stock prices all recover, none of them go out of business. What you don’t see is the small businesses. Those small businesses, if they get hit by a cyber-attack or something by ransomware, do they have an extra 100,000, laying around 200,000, a million, especially during COVID, most SMBs are struggling just to make payroll. This if you get hit by something like that, it can be a death blow. It is an existential risk, your very business can go out of business. And that’s the bit that I think is that fundamental disconnect, which is missing so much is that it’s not a… we’re not at that spot where it’s just for big businesses to worry about. 
Those who should be sweating it the most are the small businesses, and they’re not.
Christian Klepp 27:59
Indeed, indeed. I mean, Dominic, if I may, you’ve laid that out so beautifully. And I’m going to use this 90s term, right, you’ve laid out so beautifully, and I hope people you know, listening to this are aware of the clear and present danger. Thank you for getting that. Thank you for getting that.
Dominic Vogel 28:20
Nicely done, my friend.
Christian Klepp 28:22
Yes. But it’s so true, though. I mean, you’ve listed you listed the different types of threats, and then also the misconceptions that people have. And you know, believe me, there’s still plenty of people out there that feel that you know, they’ve gotten that cyber insurance, and then they’re good to go. And they’ve got that antivirus. And then that’s it. All right, and they don’t have to worry about anything else.
Dominic Vogel 28:41
Christian Klepp 28:42
So hopefully, when they listen to people like you, they’ll think twice and go back and have a look. Right.
Dominic Vogel 28:48
So that’s the hope.
Christian Klepp 28:51
Right, one can hope. Yeah. I mean, you spoke about it earlier. And I mean, you know, this is probably the massive understatement of the year. But these have undoubtedly been very challenging times. And you’ve had to work with clients that have either had their budgets reduced, or taken away from them. Right. And you and I both have probably spoken to people that are one of those two categories. So tell us about how you’ve helped clients deal with these adversities. So in your particular case, I would say how do you deal with clients that go to you or come up to you and say, Hey, listen, Dominic, you know, we’ve got some issues, we need your help, um, you know, in terms of cybersecurity and whatnot, but listen, you know, it’s been hard. Budgets been cut, or you know, what can we do?
Dominic Vogel 29:39
Yes, yes, you know, and especially during this time, really, what it’s focusing on is just trying to prioritize your cyber risk, wherever areas where you can get the biggest bang for your buck, in which if you’re only able to invest a little bit of money, which one’s going to give you that biggest bang. And it’s where in following something like the 80/20 principle, can go a long, long way. You know, I’m a firm believer that you don’t need to try and tackle everything, especially during a pandemic. But you need to at least take a risk based prioritization approach. So if something like as I mentioned earlier, investing in the security awareness capabilities of your team, or shoring up the security data handling practices, that’s the type of stuff in which that can have a very high ROI and doesn’t require too much of an investment other than a time investment. So I think it’s really important to even just get those outsider eyes. And hopefully, this doesn’t sound too self-fulfilling here. But you might be able to engage with an advisor to be able to help you identify what areas, what gaps should you address, and which gaps will give you again, that biggest bang for your buck. And that’s what we’ve been able to help our clients and, both our existing clients and our new clients that we have on board and during the pandemic is, again to just be able to take whatever security dollars they have, and stretch them as far as we possibly can.
Christian Klepp 31:06
Exactly. Because, you know, like, for lack of a better description, it’s kind of about like, you know, helping them to survive and just get over that hill somehow, right? in one piece.
Dominic Vogel 31:20
Exactly. You know, and that’s so much the mindset, you know, is, you’re all in survival mode right now. Let’s just make sure that we’re able to at least address the most critical needs when it comes to cyber risk during this time.
Christian Klepp 31:37
Yeah, that’s right. That’s right.
Alright Dominic, let me drop some statistics on you before I ask you my next question. But I’m going to be very honest and say that, you know, when I first saw these statistics, I was a little bit taken aback. But we’re going to talk about that in a second. All right. So those are reports that came up by the Canadian Internet Registration Authority (CIRA) right. So, four points, and this is probably, you know, this is clearly talking about 2020. And some of it is talking about like next year.
So first point is fewer companies expect to increase resources dedicated to cybersecurity in the next 12 months. And that’s down from 45% in 2019. I mean, that in itself, for me was a shocker.
Point number two, 3 in 10 organizations have seen a spike in the volume of attacks during the pandemic, as you’ve said, in the past couple of minutes, right.
Point number three, slightly more than half of organizations implemented new cybersecurity protections directly in response to COVID-19. Slightly more than half. And the last point, one quarter of organizations experienced the breach of customer and/or employee data last year, and another 38% don’t know if they did or did not. Another 38%. Right.
So here’s the question based on the report. So why do you think that there’s so many organizations out there at least in Canada, that are not giving cybersecurity, you know, the time of day or the attention that it deserves?
Dominic Vogel 33:36
Well, you know, we’re still very much in the, what I’ll refer to as the reactive stage, when it comes to investing in cybersecurity. You know, and then again, enterprises, large organizations went through this same trajectory as well, 15-20 years ago, and you know, small midsize businesses are going to be going through that same trajectory as well. So it’s not surprising that we are in this reactive state. It’s just the evolution of how cybersecurity will eventually be adopted by organizations. And that’s true with a lot of just law of change or technologies. It does take time, you know, and what I’m expecting to see as well is, normally the analogy I’ll give is sort of what we saw, what happened with the automobile industry. So cars were inherently unsafe, I mean, they were death traps, right until the 1980s. And it wasn’t until there was greater consumer advocacy, mainly led by Ralph Nader in the US, that led to significant safety changes. And now when you flash forward to today, when you watch an average car commercial, you just pick a random car commercial, where you’re competing on: safety, they’re talking about the safety features, safety crash ratings, the safety awards they’ve won. It has gone from being no thought to, you know, an afterthought, to then being a source of competitive differentiation, and then that’s sort of the evolution that we will see. Right now, we’re sort of straddling that – no companies, small midsize businesses don’t give it any thought, or an afterthought. But over the next, I’m gonna say, 5-15 years, it will become more and more of a competitive advantage for every organization. Big or small.
Christian Klepp 35:18
Yeah, yeah. No, that’s a great insight. And I love that you use the automobile comparison, because that’s probably the most straightforward way to explain it. Right?
Dominic Vogel 35:27
Yes, yes, for sure. It’s a real world example.
Christian Klepp 35:32
Yeah, no, exactly. Real world example. That’s absolutely it. You know, we talked about cyber resilience a little bit earlier. Right. Let’s just, let’s just circle back to that. And like, you know, talk to us about… what are some of the steps that b2b businesses or small medium businesses can take, and why cyber resilience should be in the interest of… you know, well why should it be everyone’s business?
Dominic Vogel 36:03
Yeah. Good open-ended question. Yeah, I mean, the reason why I would say it should be everyone’s business is that… To me, it’s something which is fundamentally tied down to the fact that organizations are increasingly more reliant on digital technologies. And whether your organization falls under regulatory requirements, whether there’s contractual requirements, and as I alluded to just a few minutes ago, there’ll soon be competitive requirements as well, you know, so to me that we are at a point in time where organizations can either embrace it, or to me, it’s almost a form of innovation. In the old adage, innovate or die, we saw what happened, Blockbuster, Kodak, you can either be part of the past, or you can be part of the future. And for organizations that want to be part of the future, invest in cybersecurity. Otherwise, you know, pull out your VHS and enjoy your time at Blockbuster.
Christian Klepp 37:21
And have a Kodak moment.
Dominic Vogel 37:22
Yeah. Do share my friend.
Christian Klepp 37:26
Yeah, sorry, had to jump on the bandwagon there.
Dominic Vogel 37:31
Christian Klepp 37:32
Yeah. What are your top 3 future predictions for cybersecurity? And let’s face it, it’s not going anywhere. It’s just going to continuously evolve.
Dominic Vogel 37:44
Yeah, for sure. For sure, you know, and to me, I’m looking at my crystal ball or magic eight ball… To me, and one of them already mentioned, we’re going to see more of a focus on security being a competitive advantage, rather than just dwelling on it as being, you know, stopping or protecting against the bad guys, has been the main narrative. So I think that the narrative of business advantages is gonna become more of the forefront. My opinion there.
The second one, I’d say is that we’re going to see a lot of organizations that mostly disappear but become less relevant to somebody somewhat of an offshoot or corollary to the first point is that those that embrace security are going to be part of that, you know, digital economy 2.0. Those that ignore it and choose not to, their shelf life is… their time to expire is rapidly coming in over the next 5-15 years, we will clearly see who has invested and who hasn’t in cybersecurity.
The third one is that we’re gonna, especially in the short term, we’re gonna keep experiencing a lot of pain, especially the SMB community. Ransomware is going to continue to be just running rampant. Over the next, I’m gonna say at least the next 3-5 years, it’s going to be very, very present and be a lot of growing pains, a lot of organizations are going to suffer and either they’ll go out of business or they’ll be able to recover and learn a valuable lesson. So is this whole lot of short-term pain coming over the horizon.
Christian Klepp 39:36
Yeah, well, some of it is good. Some of them are grim predictions, but you know, like, you got to paint it for what it is, right? Like, you know, and this is going back to the whole, you know, concept of cyber resilience. This is the reason why you’re continuously driving that point home about, you know, companies have to take those necessary precautions. They shouldn’t be complacent when it comes to cybersecurity.
Dominic Vogel 40:00
Exactly, you know, complacency. Complacency and a false sense of security is the greatest risk right now, you know, I often get asked by many prospects, you know, and they’ll say, well, what’s our greatest, you know, risk right now? You know, is it ransomware? Is it this? Is that? Or should we be worrying about the Russians? I’d say, you know what your greatest risk right now is yourself, you know, if you, if you’re not taking this risk seriously, you know, it doesn’t matter what the hell the Russians are doing, you are your greatest enemy. So that’s why I would say to a lot of organizations is fix the mindset first, the rest will follow.
Christian Klepp 40:40
Yeah, that’s absolutely right. That’s absolutely right. We come to one of my, you know, one of my favorite parts of the interview – it’s discussing commonly held beliefs, right. But this one has a bit of a twist to it. So talk to us about a commonly held belief in the field of cybersecurity that you strongly disagree with and why.
Dominic Vogel 41:05
Oh, good question. One of the things that often bothers me about cybersecurity professionals, and this isn’t all of them, but there’s still many who do believe this and many professionals as well, where they’ll blame the user. You know, they always say, Well, you know, things would be so much better if people weren’t stupid, and users are a bunch of idiots. That is such a crappy mindset. You know, and that further wedges that divide, us vs. them, further enforces the stereotype of why, you know, there’s the business side of things and the IT side of things. And neither side seems to understand one another. There’s a complete lack of empathy and understanding there. And wanting to help. You know, it’s come a long way, it’s a lot better than from when I first entered industry, and even just referring to people as users, you know, the name is just so cold, you know, especially for an internal security person, or you work for a company and you’re an internal IT person, they’re not users, they’re your colleagues or your fellow employees, you know, they’re not users. You know, so that, to me, is one of those long held beliefs, which has always pissed me off. (laugh)
Christian Klepp 42:22
You know, for lack of a better word. (laugh)
Dominic Vogel 42:23
Christian Klepp 42:26
Yeah, no, but no, but that’s absolutely true, though. Um, so, name one thing that you think people should start and one thing people should stop doing when it comes to cybersecurity?
Dominic Vogel 42:40
Good question. When it comes to, I would say, from a start perspective, start doing the basics and start doing them well. You know, assess what those basics are. Assess the foundation. So many organizations will, especially people who are really caught up on technology will say, Oh, I just bought… drop 200,000 in the state-of-the-art security technology as well. Okay, but you’re not using multi-factor authentication on your, on your email or your remote access. That’s sort of like saying, Wow, look at this really great satellite system I put in my house, but I leave my front door open so someone can come and steal it. No, start doing the basics and do them well.
From a stop perspective, I almost probably beat the same drum, the drumbeat I’ve been hitting quite a bit, is stop the false sense of security. Stop saying that we are a small business. No one’s gonna come after us. Stop saying that we don’t have any valuable data. Stop saying that you were secure but you have no way of proving it. Stop that false sense of security. That is the most dangerous thing facing small businesses right now – is that false sense of security.
Christian Klepp 43:54
Yeah, yeah. Those are definitely some like, you know, fantastic insights. I mean, like, you know, all of the advice that you’ve given on this interview, man, that was worth $10,000 already. Well, I mean, you know, Dominic, this has been so incredibly insightful, engaging and extremely informative. I mean, I certainly hope that, you know, people that are listening to this interview, that not only do they get a lot of value out of this, but most importantly, they’ll start to take cybersecurity seriously, especially when it comes to their, you know, their businesses and organizations. So, thank you so much for coming on and sharing. What’s the best way for people out there to connect with you?
Dominic Vogel 44:05
Great question. People can reach out to me on LinkedIn. Just find me Dominic Vogel, I’m the only one out there. I love it when people reach out and connect to me on LinkedIn. People can just even just go to our website cyber.sc. Drop an email there that will eventually make its way to me or you can just email me directly firstname.lastname@example.org but your listeners, please. There’s an open invitation for them to reach out anytime.
Christian Klepp 45:08
Fantastic. Dominic, this session has been nothing short of incredible. Thank you again so much for your time and, you know, take care, be safe and I’ll talk to you soon.
Dominic Vogel 45:17
Christian, it was an absolute blast, my friend, truly humble. Thank you again.
Christian Klepp 45:21
Thanks, bye for now.
Thank you for joining us on this episode of the B2B Marketers on a Mission podcast. To learn more about what we do here at EINBLICK, please visit our website at www.einblick.co and be sure to subscribe to the show on iTunes or your favorite podcast player.