Just because you run a small business doesn’t mean you’re beyond being targeted for a cyber attack. Small businesses often hold the same sensitive customer information as larger enterprises. That, combined with fewer resources to devote to cyber security knowledge and mitigation, makes them an attractive target to hackers.
RBC’s Chief Information Security Officer Adam Evans sat with Michael Argast, CEO of Kobalt.io, to discuss the small and medium-sized business landscape and the importance of cyber security.
Adam Evans 0:00
Hi everyone, this is Adam Evans, Chief Information Security Officer at RBC. Today is our Cyber Awareness Month podcast and I’d like to welcome a special guest, Michael Argast from Kobalt.io
Michael Argast 0:12
Great to be here, I’m really looking forward to this conversation.
Adam Evans 0:15
RBC has sought to extend its value to its client community by collaborating and working with third party companies to help our client communities with their security posture. Kobalt.io has worked with a few hundred small and medium sized organizations across North America to protect and grow their businesses by maturing their cybersecurity programs. Michael has over 20 years of cybersecurity experience across organizations large and small, and is working to bring the capabilities of enterprise security to organizations and make them more accessible to smaller firms. In 2021, we did a survey across small and medium sized organizations in Canada, and let me give you some insights. 44% of small and medium sized businesses think their businesses might be a victim of cybercrime in the next 12 months. One in four small businesses have an in-house technology team also taking care of their security needs. One in five hire an outsourced IT consultant or a cloud service provider to provide technology services to them. Cybersecurity measures taken consist mostly of having updated antivirus software installed as well as having firewalls for their internet connections. Limiting authority to install software, introducing multifactor authentication and mandatory employee training are less common in small and medium sized businesses. One in three business owners or operators admit they are not prepared for potential cyber attacks. And cybersecurity and data protection is regarded as the most important parameter or need when they’re choosing a financial institution: protecting the privacy of their information. And this is why working with companies like Kobalt.io is one of many ways to go above and beyond traditional banking to help entrepreneurs and small and medium sized businesses manage, protect, and grow their businesses more efficiently. So very excited to have Michael on the show today.
And Michael, I’d like to start, sorry, to dig into the survey results a little bit and get your thoughts on some of the things that obviously we pulled out of small and medium sized business owners and operators with regards to their knowledge first about cybersecurity, and the things that they’re concerned about operating their business.
Michael Argast 2:23
Thank you very much. And I’m really excited to speak to this small business audience today. We definitely see a lot of correlation with our experiences and the survey data that you shared. You mentioned 44% believe they can be a victim of attack, and pretty much every small business we talk to is experiencing attacks; whether or not they actually cause damage is another question. But we help our clients really understand what cyberattacks are likely to impact your business, and what they can do that are meaningful steps to reduce that risk. And that’s not always about spending money. You mentioned earlier this idea of limiting authority to install software, multi factor authentication, and employee training. Those are all measures that can be taken that don’t need to cost a lot and have a really big impact on their cybersecurity risk. Losing that we find when we talk to small and midsize businesses, protecting their client data, addressing those privacy risks, and educating employees not only is important to protecting day-to-day operations, but helps them achieve compliance and accelerate the growth of their business. It doesn’t matter if you’re an RBC or any other large enterprise or government organization, you’re looking for the small businesses that you work with and your suppliers to have security of the data they exchange with you. And so security for small businesses can be a key element to driving growth.
Adam Evans 3:44
I totally agree. And I think what’s really interesting is when you think about that in the context of the business landscape; this new digital business landscape that we’re all operating our organizations in, and we’ve got the cyber threat landscape that’s evolving right alongside this digital business landscape transformation that’s been going on for the last 10 or 15 years. In the small and medium sized business community that you service, how have you seen the cyber threat landscape evolve for those businesses?
Michael Argast 4:15
Yeah, there’s a couple of key evolutions, right? There’s just a huge volume of attacks, especially since the start of the COVID pandemic. I’d say a doubling of the overall volume of attacks. Phishing, vishing, business email fraud especially, any sort of financial fraud has really gone through the roof. And you don’t hear about financial fraud nearly as much in the press, in the news, as you hear about something like ransomware, but it’s actually a hugely prolific attack. The other thing that we see a lot of is that they’re leveraging a lot of public data sources, even when they’re targeting small businesses, right. So a good example of this is LinkedIn had a breach about two or three years ago, and they scraped everybody’s email addresses and contact information. And they’re able to use that information to target people who work inside of companies where they use personal email addresses, where they can perform email impersonation at scale, right. So even if you’re a 10 person company, you can receive what appears to be a very targeted message against your staff. The other thing that we’re seeing is, like in the past, we often see small businesses try to deal with cyber risk by buying insurance. Cybersecurity insurance has been a hot seller for insurance companies the last four or five years. Last year, insurers actually paid out more than they took in in premiums, and that’s made insurance increasingly expensive and more difficult to get. And so that ability to kind of defer or share the risk with insurers is starting to dwindle.
Adam Evans 5:39
Yes, certainly. You mentioned it earlier, it’s a numbers game. They’re trying to hit as many targets as they possibly can, and opportunistically either steal funds or harvest information that can then be taken back into this underground economy and sold as secondary and tertiary revenue for cyber criminals. So we are certainly seeing this, you know, with small, medium, large organizations, individuals: that commoditization or democratization of crime has become very prolific, and it’s continuing to grow because of the amount of revenue that is being generated by cyber criminals across the globe. And if I can shift gears for a second, Michael, I want to talk about sort of mid size companies, and the kinds of things that midsize companies are seeing, and how does it differ from the smaller organizations? Is there an attack profile or a set of attack profiles that would be more geared to medium sized businesses; and certainly, what have you seen in the customers that you service?
Michael Argast 6:44
We’ve definitely seen a willingness for attackers to be more long term and persistent. And going back to the kind of financial fraud or transaction fraud, in small instances you might see a whole bunch of spam type emails that will say “hey, buy some gift cards, the CEO needs them” for some event or something like that, right. So kind of high volume, not incredibly sophisticated attacks. I’ll just walk through really quickly an example of a long term persistent attack pattern that we see in mid-sized organizations more commonly. So start with an account compromise: they’ll get into the email system, they’ll move laterally throughout the accounts or the email system until they have administrative privileges. And then they’ll persist long term, they’ll register fake domain names, they’ll read the emails that go back and forth. And they’ll wait for a very large transaction, typically $100,000 or more, to be in discussion. And then they will insert an email redirect during that transaction to their own kind of bank accounts and stuff like this. And the willingness for an attacker to be persistent long term and target an organization in a really sophisticated way, you know, in the past you would see that against military organizations or large enterprise, but now you’re seeing that against organizations that have 50 or 100 employees.
Adam Evans 8:05
Yeah, it’s a great point. A lot of organizations wait for the event to happen, and that funds the development of a cybersecurity program. And trying to justify the need before the event happens to a lot of business leaders is a hard hurdle to get over. So when we’re thinking about building out a security program inside of an organization, the fact that you haven’t had an event yet doesn’t necessarily mean that you shouldn’t be investing in your cybersecurity journey and your posture. So can you talk a little bit about the experience that you’ve got with the clients that you serve? And how they start their journey? And how do you sort of talk about some of the things that they need to integrate into their security programs?
Michael Argast 8:47
Yeah, that’s a great question, Adam. One of the things that we believe fundamentally at Kobalt.io is that cybersecurity is an area that needs to be focused on risks to business, right. And every organization is different: you collect different types of data, you interact with clients differently, your internal resources are different. And so being able to understand which cybersecurity threats are actually likely to impact you, and what are the steps that you can take against each of those different threats, is really important. One of the reasons that we take that approach is ultimately, long term, the resilience of your organization is going to depend on building a culture of cybersecurity. So a culture that isn’t just some person in a closet in IT working on the problem, but actually starts with a Board in tax leadership and management, all the way down to the frontline employees who interact with customers and deal with all the day to day work for the company. And by taking risk and working it all the way through a roadmap and implementation, you’re able to draw that connective tissue between what the leadership cares about, the strategy of the business, down to the day to day operations at the frontline. And so that approach we have found has worked really well for our customers. One of the things that personally as an operator I’m most proud of is the fact that our customers do experience a significantly lower rate of incidents and significant incidents. But I do want to come back to that kind of whole thing that we see as a pattern that occurs again and again within security, which is: organizations often under invest until they experience that kind of black swan event, that is, an unexpected, large incident. And the reality is, we’re dealing with incidents all the time in life, right. I like to think of it as like a traffic analysis.
Alright, so you might be thinking about something that’s a really big incident in traffic, which would be like, I don’t know, a bridge collapse or something like that, that’s going to cause a complete catastrophe. But the reality is these fender benders and car crashes and things like this happen all the time. And the same thing happens in cybersecurity, and building culture and resilience and visibility and awareness enables you to build the organizational muscles so that when the big thing happens, you have the capability of dealing with that rather than kind of running around and having what was originally a medium sized issue become bigger because of an inability to properly respond.
Adam Evans 11:16
Yeah, the culture is such an important point. When I think about companies that I’ve gone in and looked at in my career, or working within RBC with our supplier community and some of our business clients, the culture is really, really important. And I think there’s a couple of reasons that have really crystallized the idea for me, and obviously the first one you sort of touched upon: when you get the support at the top of your organization, that security is a priority to the viability of your organization and to maintaining the trust and the relationship that you have with your client, it now gets embedded into the DNA of the organization. The second part of it is really about aligning security priorities with your business priorities, and they don’t have to be mutually exclusive. And the way that we’re thinking about it is we believe that the security priorities can align and evolve and actually make the business priorities that we’ve set in the institution more successful, because they’re highly available, they’re more resilient to this digital threat landscape that we’re operating our business services in. So that really starts with a cultural shift inside of an organization and making sure that everybody in that organization understands the priority that cyber has in the delivery of business services and the overall success of the business. I’m going to shift gears on you for a second. And we’re going to flip into another question that, you know, talks about the growth of business and how effective cybersecurity practices can have a positive impact on the growth of your business.
And when you think about your client community, Michael, can you talk a little bit about, when you’ve referred to it, as people get more resilient to the digital threat landscape that they’re operating their business in, obviously their services are up for longer, they’re uninterrupted, they can continue to deliver business to their clients. Can you talk a little bit more about the growth of business services and the success of business based on sound security practices?
Michael Argast 13:21
There are two kinds of areas that I’ll talk about here. So one is operational growth. And you talked about cybersecurity, and I’m going to paraphrase, as a business enabler, right, so supporting all these different business initiatives. And a kind of classic example of that in recent years is, many organizations shifted to remote work. Alright, many have widely adopted cloud services. And those two things fundamentally have cybersecurity underpinning them. If you don’t have the strong remote work capabilities and support that can enable people to access data and work with that data in a remote fashion, then you’re forced back into offices. And that just has not worked well for a lot of organizations in the last few years. So this is operations being supported by cybersecurity, which is critical. But one of the things that we’re seeing a lot of within our customer base is, small businesses are suppliers to larger businesses, this is just kind of the way the world operates today. And if you think about an organization like RBC, you probably have thousands of suppliers that provide the software and services and all the things, and as you work with those suppliers, you want to make sure that your client data and the data that you have sent to those suppliers is secure. And so businesses that invest in that security and are able to prove to their clientele that they’re doing the right things find that their sales cycles are faster, that they’re able to win larger and more complex deals with more mature clients. And in the past, you’d see organizations the size of RBC caring about this. But frankly, you can be talking to an organization with 50 or 100 employees today, and they’re also now doing third party risk management and looking at their suppliers and making sure that those suppliers are robust and resilient. And so it doesn’t really matter how small your business is anymore.
You’re going to be speaking to customers that are going to be caring about cybersecurity in a way that just was not on their radar a few years ago. So obviously addressing that effectively, being able to communicate what you’re doing around your security program, being able to demonstrate that you’re partnering with a company like Kobalt.io, really can make a huge difference in terms of your ability to quickly acquire customers and achieve your growth objectives.
Adam Evans 15:27
Yeah, it’s a great point. I think the supplier ecosystem that all businesses are building for themselves to deliver services, to your point, may be delivered by a company of five people or a company of 5000 people. And it’s the integrity of the services that really matters. And when that supply chain starts to break down, because there’s a lack of resiliency in that supply chain to the cyber threat landscape, it becomes problematic for a financial institution like RBC, or a small and medium sized business, to maintain the integrity and the trust of their clients. Now, I’m going to move into some closing remarks here. The first thing I want to talk about or reiterate is the support for small and medium sized businesses looking to improve their security posture, and Michael and I have talked about this: it doesn’t have to be a massive undertaking, it doesn’t have to be a very expensive undertaking for small and medium sized businesses to get involved and take the first steps into improving their security posture and their security hygiene. Whether it’s through risk assessments, or talking to a company like Kobalt.io about what are the things that I need to be concerned about? What are the things and the assets that I want to protect? And how do I want to monitor those crown jewels of my organization for any sort of behavior that we would consider threat actor behavior or bad behavior? That piece is a very important first step for small and medium sized businesses: risk assessments, and figuring out what you want to monitor for. At the bottom of the recording, we’re going to include some links and instructions on how people can leverage MFA, how they can utilize MFA that’s available to them, whether it’s free applications online, and you can implement these things on your cell phones, and you can start to leverage multifactor authentication. Mike and I both talked about it, and it’s an incredibly important step to take to protecting yourself online.
And it will help you not just protect your bank accounts with RBC, but as you’re operating online with your Gmail accounts or your Amazon accounts, the multifactor authentication just makes it much harder for cyber criminals to gain unauthorized access to your information or your accounts. And, Michael, I would like to thank you for taking the time today and joining us on this podcast for Cyber Awareness Month; great conversation. It’s always interesting to hear perspectives from people that are involved in different segments of the client population that we serve; certainly you, working with small and medium sized businesses and large organizations throughout your career, gave us some great insight into how we improve our cybersecurity posture as individuals as well as the companies that we work in. And maybe with that, I will leave the last word to you.
Michael Argast 18:22
Thank you so much, Adam. We are so excited to be collaborating with RBC in protecting the security of your small and midsize businesses. I’m personally a huge believer that small and midsize organizations are the engine of growth and innovation inside the Canadian economy, and pleased and proud to be serving them. We will mention that we’re providing a 10% discount to RBC clients for our risk assessment, security monitoring and program services, but more importantly, all of our prices are really targeted towards the needs of small and mid-sized businesses and our services are designed with that in mind. And so, if you have any needs in security, we’d love to hear from you. And Adam, again, thank you so much for the opportunity to talk to you and to your audience, and everyone out there… stay secure!
Surprisingly, many small businesses still don’t take steps to protect themselves. A recent RBC survey revealed that only one in four small businesses have an in-house IT team, and one in five hire an outsourced IT consultant and/or cloud service provider. But effective cyber security practices set small and medium businesses on the path to business growth.
Adam explains that it’s “about aligning security priorities with your business priorities … the security priorities can align, and evolve and make the business priorities that you’ve set in the institution more successful because they’re more resilient to this digital threat landscape that you’re operating your business services in.”
Learn more about Kobalt.io’s offers and programs for small or medium-sized businesses.
How to improve your personal cyber security
Small businesses are made up of individuals with personal cyber security concerns — protecting yourself from cyber crime or helping educate your children on the safe ways of interacting online. Michael points out a few things to keep in mind.
The first is to turn on 2-Step or multi-factor authentication (MFA) anywhere you can. As he explains, “It doesn’t cost a lot of money, and it might be a little bit of an inconvenience when you first set it up, but it gets easier. And it dramatically reduces the probability that one of your accounts — and all of the data behind it — is likely to be compromised.”
For example, RBC offers MFA at no cost to retail accounts.
The second is ensuring your passwords are properly protected, and that you’re running updates and anti-malware software from a reputable vendor.
For more information, visit RBC Cyber Security for Business.
For more news, resources and cyber tips, visit rbc.com/cyber.
- Verification codes with Google Authenticator
- Verification codes with Microsoft Authenticator
- Two-factor authentication for Mac devices
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.