As Cyberattacks Escalate, It’s Time to Change the Conversation and Focus on Real Change

The volume and complexity of cyber threats continues to escalate, but some businesses still don’t recognize any perceived value or ROI from security solutions. So, it’s time to change the way we develop and sell those solutions, according to Theresa Payton, president and CEO of Fortalice Solutions and co-founder of Dark3.

“My focus is on human-centered design. Think about how hard SMBs are working and taking care of customers and clients. That decision to spend a dollar on cybersecurity products and solutions is a dollar not spent on R&D or improving customer service. So, you should always think ‘how do I design for the human,’” said Payton in a keynote session during ChannelCon Online 2021.

Too often, technologists try to explain complex security processes and solutions to those without technical backgrounds. That’s a failing proposition, Payton said, and we need to change the way we explain what’s going on, how we aim to fix it, and why the customer should care.

To start, Payton shared some startling statistics that can be used as conversation starters with customers, eye-opening figures and statements intended to get their attention, such as:

• A business is hit by ransomware every 11 seconds (Cybercrime Magazine)

• 94% of all forms of malware still comes from email (CSO)
• There are easy and free tools available to know if hackers have your password
• There are simple ways to tell If your organization is under cyber surveillance right now
• Hacking tools and kits to launch cyberattacks, identify theft, ransomware and more can be purchased for as little as $1 (Cisco/Cybersecurity Ventures 2019 Cybersecurity Almanac)
• The cost of global ransomware damage is expected to reach $20 billion this year, 57 times more than 2015. (Cybercrime Magazine)

In addition, tell customers that paying ransomware is no guarantee that you’ll get the keys to unlock or decrypt your data, she said.

“I’ve seen firsthand where businesses paid and the criminal syndicates are so large, they may provide the wrong key, or not provide all the keys, or it’s corrupting your data as it’s decrypted because the attack was poorly designed,” she said.

What to Watch for in 2022

During a Q&A portion of the presentation with CompTIA CEO Todd Thibodeaux, Payton said cybercriminal behavior is as bad now as it’s ever been, in part due to the pandemic and other economic and governmental crises.

“But I have optimism that we’ll figure out what’s going on and batten down the hatches. There’s a lot of information sharing and collaboration going on right now between businesses and between businesses and the FBI and DHS,” she said. “Information sharing is happening for the greater good and it’s going to help us accelerate the offensive and defensive controls that we need to implement.”

But Payton also warned that cyberattacks could shift again toward new targets. For example, that extended-reality (XR) applications will be hacked, that a financial institution could fall victim to a run or mini black swan event caused by a cyber incident, and that artificial intelligence could drive even more misinformation campaigns without human intervention.

“Augmented reality platforms can collect your heart rate change, your breathing, all of which comes together to create a digital footprint of you. If that could be hacked, someone could digitally, biometrically [get through locked doors],” she said. “Meanwhile, cyber criminals will set up chatbots on social media and start to play up [that a bank is failing]. This will create a sense of concern and lead to longer wait times for customer service, which will then get into our psyche and cause a mini run on a bank. Banks are already thinking about how to combat misinformation campaigns.”

Prescriptive Advice for Tech Companies

So, what can MSPs do to best help their small-business customers? For one, assume clients will be a victim at some point—and get them to assume that too. Knowing that it’s a question of if, not when, have a set of situation playbooks in place to ensure that proper procedures are followed to minimize damage and further risk.

“If you’re a victim of a misinformation campaign, someone says your product is horrible, what does that playbook look like? If you’ve been in a cyber incident, what does that playbook look like? Those playbooks can be developed in business meetings with customers,” she said.

Second, start implementing micro-segmentation strategies with customer data. The more you can segment information, the lower the risk that all of it can be compromised.

“Think about it from human center design perspective. We can’t prevent cyber criminals from attacking a platform, but we can make it hard to run off with that information. from the ground up to ensure when an attack occurs, all information can’t be accessed,” Payton said. “Identify and access controls are the least sexy side of cybersecurity, but they are the biggest weakness. Make sure that user access controls and identity controls are tight.”

Opportunity Ahead for Tech Companies

Finally, the frequency and severity of attacks is causing business leaders to worry more, creating opportunities for solution providers to add their own value and become trusted business partners, Payton said.

“When I talked to CEOs in the SMB space, they’re scared that their company will be next and be in the headlines. But they’re not sure what to do. They don’t have the resources to hire best and brightest and biggest team. It’s a real challenge for CEOs,” Payton said. “Most of them want to do the right thing, but they’re not sure where to get started. Instead of getting focused on all the complexities, figure out what are the real tangible things that make a difference without needing big checks. If you can start there with a CEO, then you can set aside some budget for cybersecurity.”

Gone are the days when business leaders thought “this can’t happen to me,” said Payton. Now they’re starting to pay attention, or they’re scared.

“Crisis got us to this point, but at least attention is being paid there now,” she said. “Remember, this is a starting conversation, not an endpoint. You don’t start talking about a security framework and you’re done. A framework needs to evolve as cybercriminal tactics evolve. Your roadmap has to evolve with it.”