Kelly Sabo [00:00:00]:
In reality, 43% of cyber attacks are actually aimed at small and medium businesses. So hackers say that SMBs are easier to breach as they often have, you know, less resources, lower security measures sometimes, and they actually still have access to a lot of valuable data, which could be used for compromised credentials, which is obviously still one of the largest attack vectors.
Karissa Breen [00:00:38]:
Joining me now is Kelly Sabo, Head of SMB and Mid Market ANZ from Cisco. And today, we’re discussing cybersecurity essentials for SMBs, protecting the backbone of ANZ’s economy. So, Kelly, thanks for joining and welcome.
Kelly Sabo [00:00:53]:
Thank you, KB. Awesome to be here.
Karissa Breen [00:00:56]:
Okay. So, Kelly, let’s just get straight into it. Now, would you say with your experience of working SMBs that SMBs believe that cyber incidents won’t happen to them? Now I know that’s sort of a common sort of talk track. There’s always this thing in the industry of like, oh, it won’t happen to me. But however, because you’re at the forefront of the coal face, a lot of these businesses are really keen to genuinely understand what the sense is from businesses that you’re sort of working
Kelly Sabo [00:01:25]:
with. Absolutely. So I think a lot of small and medium business owners still assume that they aren’t targets for a cyber attack. And a lot of that misconception often stems from the fact that they believe attackers are going after bigger businesses with perceived more valuable data, and there’s probably still a bit of a lack of understanding about the frequency and impact of cyber attacks and just how vulnerable they actually are. So in reality, 43% of cyber attacks are actually aimed at small and medium businesses. So hackers see that SMBs are easier to breach, as they often have, you know, less resources, lower security measures sometimes, and they actually still have access to a lot of valuable data, which could be used for compromised credentials, which is obviously still one of the largest attack vectors. I think also SMBs are a gateway into larger networks and supply chains, and so cyber criminals know that SMBs supply larger companies. So breaching a small business can lead to sensitive data access in larger organisations a lot of the time as well.
Karissa Breen [00:02:22]:
So when you’re setting up with a company or client and they’re like, oh, yeah, but Kelly, it won’t happen to me. What is sort of your response? Do you think that again, it’s I get where they’re coming from because we often do hear in the media around, you know, big companies that are having these issues. Very rarely do we hear about the small ones. We can get into that a little bit later. But what is sort of your first response to that?
Kelly Sabo [00:02:46]:
I think for people, it’s understanding the real cost of what a cyber breach could do to your business. Right? And there’s a lot of statistics around the fact that up to 60% of small businesses that suffer a cyber attack actually go out of business within 6 months. Right? So it’s a big gamble to play to say that, oh, it won’t happen to me and depends on your risk appetite. Right? But there’s a lot more cyber, depends on your risk appetite. Right? But there’s a lot more cyber criminals going after small businesses just due to the fact that it is an easier way in. So if you’re at the point where you’re saying, okay, well, it won’t happen to me, and I think I’m willing to take the gamble, there needs to be a better understanding across the industry in general about just what can happen when you are a breach, and the fact that it is much more commonplace. And I think there’s, you know, the data breach notification, that now is actually you have to actually notify a lot of the time, and a lot of small businesses actually are under that, framework as well, and they might not even know that. So I think having that understanding is super critical in terms of knowing how to protect your business and that it actually, the pendulum is swinging from if you get hacked to when you get hacked.
Karissa Breen [00:03:51]:
And when you say the when you get hacked, what do you think people should say then? What do you think their responses to you? Well, what do we do to prevent that?
Kelly Sabo [00:03:59]:
Well, I think there’s there’s a lot of gaps when it comes to SMBs. Right? So SMB owners, they often lack time, they lack resources, they lack cash flow, and that doesn’t lend well to dealing with the complexity aligned to cyber security. Right? So there’s this perceived notion still that, you know, cyber security is an IT problem rather than an everyone problem, or there’s the, you know, the idea that I have a firewall security, so I’m actually protective, so I don’t need to worry. So I think there needs to be the understanding again that what do you do if you are have you got an incident response plan, and putting the right steps in place, because there’s still so many gaps in terms of what people actually an understanding of where do we even start. And that’s the thing. It’s such a complex industry. And I know when I started, it was about, okay, where’s the one framework or place that I go to understand as a small business what I need to do to protect myself? And it’s not easy.
Karissa Breen [00:04:52]:
Okay. I’ve got a couple of things going on in there, but I wanted to zoom out for a second. And this sounds like a counterintuitive question I’m about to ask you around the media always talking about the larger breaches considering I’m, you know, running this interview. We’re sort of a little bit different because obviously we’re a trade publication. But in saying that, why do you think there is being such a focus then on the larger companies? Is it because if it’s not a large organization, it’s kinda like the outside public maybe doesn’t care as much? So they’re like, oh, well, you’ve never heard of the business. Like, who cares? You think there’s a little bit of that? And then so what that then generates is perhaps SMBs believing that, oh, what never really happens to companies of our size because we don’t really hear about it?
Kelly Sabo [00:05:33]:
Yeah. Absolutely. And I mean, obviously, the the big businesses, get headlines. MedBank and all those carpet things where you realize, okay, I can actually have my data breached for my medical records. Right? Which is, incredibly terrifying for people. But then, if you go that one step down, what about your GP? Right? And that’s one of the big ones we looked at. You know, there was the GP grants recently where, you know, GPs were getting $50,000 to digitise them. What did that mean? Right? And you would hope that a lot of them said, okay, we are actually protecting frontline medical records.
Kelly Sabo [00:06:04]:
We need to have had an incredibly stringent cybersecurity posture. So I think there is that idea of, you know, big businesses get big headlines. But at the same time, it is still really tough. So there’s a lot of government frameworks around what you should do for small for big businesses. So Essential 8 is a great example, but that still requires a bit of security knowledge to actually implement that. So I think there is a lot of content out there focused on enterprise businesses, and it’s easy because there’s there’s so much knowledge and everything else. But for small businesses, the one thing that I’m taking at the moment, and we do a lot of work with, you know, Council of Small Business Association Australia. We work with a lot of the big service providers.
Kelly Sabo [00:06:45]:
We work with a lot of industry bodies, and there’s a lot more of these businesses coming together. And we’re in multiple workshops at the moment where we’re all sitting down and saying, how do we actually uplift the overall knowledge for SMBs on cyber? So we have our networking academy at Cisco and skills for all free courses. And then we’re partnering to look at, okay, 1st and foremost, people need to educate themselves. SMBs also need to understand their regulatory environment surrounding cybersecurity as well. Right? So making that easy. But first and foremost, how do you make that content consumable for SMBs? So is it smaller training courses, you know, a couple of hours that you could get across the the main, hacks that might be aimed at small businesses? Can you get download a checklist so you can actually just make it really easy to tick off the things that you need to do to protect yourself? And therefore, if you were hacked, what do you actually do next as well? So I think creating content and making consumable, but really great to see that the industry is actually pitching together in a sort of corporate social responsibility way to say we actually need to uplift the general education. More SMBs are digitising, which is great, but it means that there’s more potential for them to be hacked. So how do we actually work together to protect them and uplift the general knowledge of the population? Because let’s face it, if if big businesses are reliant on small businesses.
Kelly Sabo [00:08:05]:
Right? So if they’re getting hacked, they’re often the vector into big business, and it’s actually their industry and the sorry, the country as a whole that needs to be involved in this.
Karissa Breen [00:08:16]:
Okay. So some great points. I wanna get back a moment. You touched on something which was interesting. I’ve been thinking about this, considering my background working in a large enterprise, large corporate in security myself. They’ve got big budgets. So Yeah. What I’ve often seen, especially in my position and working in the industry historically would be a lot of these companies out there that are selling these services primarily is they’re for enterprises.
Karissa Breen [00:08:40]:
They’re expensive. A small business can’t fork out, like, 1,000,000 and 1,000,000,000 or 1,000,000,000 of dollars for all of this stuff. And historically, you just sit back and wonder, how come no one or no one no one, but a lot of people aren’t super focused on, hey, we’re just gonna create a service and x company who’s an SMB doesn’t have the time like you, you know, you mentioned before. And it’s just like it’s going to wrap it up as a service and, you know, we’ve got all the things covered. I haven’t seen a lot of that in the market, as opposed to the big enterprise stuff. Again, why do you think that is? You think these people sort of just get relegated a little bit?
Kelly Sabo [00:09:18]:
I mean, in our space, we have a lot of managed service provider partners that are trying to do exactly that. Right? So that whole if SMVs don’t have, huge budgets to, fork out initially, and a lot of them are growing. So you don’t wanna set up the infrastructure yourself and then not have it be able to scale with your business. So we have a lot of managed service provider partners that are looking to play that trusted partner and advisor as well. Right? Knowing that sometimes SMBs don’t have the knowledge. We strongly recommend working with, you know, a partner that can either talk out initially to set up your infrastructure or alternatively provide a managed service into your business. So it’s more of that, you are paying a monthly subscription to actually build out your cyber practice and especially around software as a service and things like that, which will scale as you grow. So we we do have a lot of great partners in this space, that are trying to make it bespoke and differentiate and say, okay, what do you actually need? Because I think if you look at the strengthening the posture for SMBs, right, it first of all, it has to be Siebel.
Kelly Sabo [00:10:21]:
And at its most basic, you need to take accountability potentially for updating your own software, backing up your information regularly, and running a risk assessment to understand what the gaps or, you know, vulnerabilities are in your business. But then if you’re partnering with someone and you’re building out your cyber practice, working with that, team to understand what are the most prevalent threats to SMBs and start there to protect yourself. You know, looking at budgets, right? You need a layered defense strategy, but where are the actual risks for you? Because I know there’s a lot of talk about XDR and SIEMs, and we get, you know, customers coming to us and saying, oh, I think I need a SIEM. And we’re like, well, do you? Or is that an industry term that you’ve heard? Right? So I think if I look at what I would tell people at its most basic so start with email, right? Most phishing attacks are via emails, so they look at an email security solution. Next is web. If an email does get through, how do you actually block people clicking malicious links, for example? And finally, prioritise multi factor authentication to stop compromised credentials, right? So implementing NFA adds an extra layer of security, which makes it harder for attackers to gain unauthorised access. And for us, Cisco Duo and Umbrella, which are our, web blocking and NFA solutions, are 2 of the most popular products we actually see in market in the SMB space.
Karissa Breen [00:11:37]:
So Okay. So going back to the partner side of things, now how would a client or an SMB determine who’s a good partner? And what I mean by that question is when you don’t know what you don’t know, it’s sort of hard to discern if this is a good partner or not. Like, if someone is renovating a house, like, how do you know who’s a good painter unless she’s done it before or you’ve got people that are in there? Like, How do you sort of know? Is there any sort of advice that you could share on that front?
Kelly Sabo [00:12:03]:
Yeah. I mean, for us, we are absolutely be but we’re in the market of making sure that our partners have got the necessary information, that they’ve got the necessary skills to actually help our customers. Right? So I would suggest coming to us first and foremost, and we will actually sit down, understand what it is that you’re looking for. As we said, we will actually then work with you on a risk assessment, so you actually understand the gaps and the vulnerabilities for your business specifically. And then we can actually recommend a trusted partner or advisor to work with you, right? So is it a managed service? Do you want to hand it off and you don’t actually have to want to have to worry about it? Do you want a partner that can help provide, infrastructure to you so you could actually build out your own infrastructure and manage it yourself? So there’s so many different partners that have different skills in market. And I think for us, that’s our job, right? To bet that they are the right partners in market that can actually help you go on that cybersecurity journey. So you’re not going out of the way. So I think if we speak to SMBs, just the concept is, it’s all too hard, 1st and foremost, because it’s so complicated.
Kelly Sabo [00:13:04]:
And secondly, I’m so time poor as it is, and I don’t have that many resources and cash flow is not something that is, you know, incredibly abundant. So when you mix all that together, you need a partner that can actually come in and go, okay, well, let’s work on a monthly billing. Let’s work on us taking off some of that resource load. Let’s work on, you know, implementing some of the AI strategies that you can actually reduce your workload on your staff and do that low level, doesn’t have to be done by you anymore. So I think that is something that we are incredibly across and making sure that we have the right partners in market to support our brand as well.
Karissa Breen [00:13:39]:
In terms of knowledge gap, what is the common sort of thread that you’re seeing with SMBs around? Is it like to your point before, oh, we need to see him. It’s like, well, I don’t know if you do. So do you think it’s more so they hear these terms that are thrown around, they’re thrown out there in the market and they just assume, oh, I need the thing? Or is it just to your point around there’s so much going on and I’m being bombarded with things all the time. I don’t even know where to start. I don’t even know what’s good, what’s not good. Do I have anything at all going on for me, like, in terms of security? What’s sort of the common sort of, you know, talk track there?
Kelly Sabo [00:14:14]:
I think yeah. As I said, it’s often around that cybersecurity, it’s an IT problem, not an everyone problem. Right? And I think the the number one thing that gets people is it’s actually your employees that are the ones that are probably most likely to trip up by clicking on a phishing link or something like that. Right? So, yes, there is all these, you know, big vectors for being attacked, and do you need a full seam or XCR to look at your entire network? But a lot of the time, you’re not even at the point of having those products to need that, solution in the first place. Right? So looking at it that, okay, what at its most basic, am I employees educated? Am I making sure that I don’t have outdated software or insufficient patching? So because that’s another thing. People think they’re protected when they’re actually not right. And so I think for us, it’s about ensuring that people are aware of what they have in the 1st place to know how to protect themselves, because that’s the biggest thing, right? You need to actually understand. And that’s why we say, do a risk assessment so you actually know it.
Kelly Sabo [00:15:12]:
With a distributed workforce where employees are working from anywhere on any device, there’s more vulnerabilities than ever before. But don’t get bogged down with the complexities of the overall market. Actually make it specific to what you have and how you could best respond for your business.
Karissa Breen [00:15:29]:
So I’ll turn it over now to the content side of things, which you sort of touched on. And again, I thought about this as well. And as we probably both would agree that there is a lot of content out there in the market that’s focused on enterprises, government, etcetera, isn’t super applicable to a lot of SMBs. And you said something before, like, making it like, digestible so people can consume the content that makes sense to them.
Voice Over [00:15:54]:
Where
Karissa Breen [00:15:54]:
do you think in terms of we should be going then as an industry to perhaps target content that is more digestible to to SMBs as opposed to a government or an enterprise? Because you are right on that front. And I think the industry is trying to change that. But again, I mean, I’ve been in this space for about a decade and I’ve seen people say we need to do the thing, but I haven’t seen the needle moved substantially over the last decade.
Kelly Sabo [00:16:24]:
Yeah. I think that’s the thing. Putting it back into the hands of the organisations that are at the call fund of working with SMBs is kind of critical. So we’re, as I said, members of Council of, Small Business Association Australia, and they’ve got cyber wardens as a program. Right? So distilling a lot of that content down to make it, a forum that SMBs can actually understand in a language that they use. Because realistically, if you look at essential 8, some of those frameworks, you you already have to have a fairly decent baseline understanding of security to actually even implement what they’re telling you to do. Right? So I think more and more, we are now partnering with organizations that are saying, okay, some of the service providers now are saying, well, we wanna create content. Bespoke for SMBs and getting them all to, you know, a couple of hours workshop knowing that they don’t have all day or weeks to kind of sign up to courses and things like that, and making it really consumable with a checklist of what do you actually need to do to tick off.
Kelly Sabo [00:17:20]:
Okay. So I need an MFA solution. Well, what is an MFA solution? Right? Even that is, you know, it’s not accessible language for a lot of people. So understanding that, okay, if my employees are on the go, and they are clicking on a link, do I have more than one point of accountability for credentials to ensure that they’re not going to be hacked out on the road? Or they’re not signing up to their public Wi Fi at the airport, which we’ve all been guilty of. Right? And there’s an immediate threat there. So I think there is more and more that the industry bodies are doing, that the service provider partners and again, a lot of them are still at the point of building it, and they don’t know what they don’t know. Right? Because a lot of the time, they’re not the expert. But for me, it’s really refreshing to see that, you know, people would come into us and say, how do we sit down and build this to make it, consumable and something that SMBs can understand and actually execute on as well.
Kelly Sabo [00:18:11]:
Right? So it’s not information for information’s sake. It’s really practical and tangible about what they can do to protect themselves for their size of business.
Karissa Breen [00:18:21]:
Yeah, that’s a good point around information for information sake because, I mean, I’ve spoken to a lot of people in the industry, as you know, and then the people saying, oh, but, you know, you could just look up the NIST framework. I’m like that. Have you read that frame? It is so long and convoluted. Like, there’s no way on Earth someone who doesn’t understand cybersecurity is going to go and read that and then try to comprehend what that means and then implement it. Like, feel like sometimes people have this really, wild view on how outside, you know, people as cybersecurity are really gonna implement this stuff. I’ve I’ve heard this a lot. I was a little bit taken aback by that. Like, are you kidding me? Like, no one’s actually gonna do that.
Kelly Sabo [00:19:00]:
Oh, absolutely. And and small business owners are are everything. Like, they’re the ones running the business. They’re the ones trying to do, you know, the the financing. They’re trying to make sure that they’ve got enough resources. A lot of the time, it’s just, you know, you can see why they put it on the back burner because it’s out of sight, out of mind. And it’s okay. Well, I just hope I don’t get hacked because I then might have to deal with it.
Kelly Sabo [00:19:20]:
But at the moment, it’s it’s too complex for people. If you don’t even, have the baseline understanding of cybersecurity, and that’s why I think it’s overwhelming. Because when I first took on this job, I sort of put it into Google. Okay, where’s the one place naively thinking that there’s one place that you could go? And that’s almost the hardest part is that that information overload makes it do you just sort of shut your laptop and just go, okay, well, it’s just it might be easy to be hacked? So I think making it really tangible in terms of a checklist of, okay, I just need to tick off these three things and put a reminder in my diary every 3 months to make sure that I update my software or I and backing up my information. So if I was had, those are kind of tangible steps for people rather than going, okay, you’ve got a statement, you’ve got, you know, extended threat response, and, you know, they’re they’re terms that aren’t everyday language, and I can see why people get overwhelmed.
Karissa Breen [00:20:13]:
Yeah. And a lot of these things are a little bit over the top for what people need. So in terms of a checklist, what are maybe 3 to 5 things for people listening that can do straight away? But then also you mentioned baseline. What are just some fundamental things from your experience with working at SMBs that people just absolutely need to have?
Kelly Sabo [00:20:32]:
Yeah. I I think I’ve probably touched on it, but I mean, going back to, at its most basic, so updating your software and backing up your information, running a risk assessment to understand what are the gaps or vulnerabilities in your business. So if you don’t understand what you have in the first place, it’s hard to understand how to manage it, right? So getting rid of this idea of like, I’ve got a firewall, therefore I’m okay. Well, is that actually the number one vector where you’re most likely to be attacked? Or do you need to look at something else, right? Have you got employees that are remote working from anywhere? Because as I said before, right, you need a layered defence strategy, but looking at the threats that are most realistic for your business. So start with an email, security solution so that, you know, most phishing attacks are via email. Ensure that if an email does get through, you need to be able to block people clicking malicious links. And as I said before, prioritizing multi factor authentication is one of the it’s part of the essential ache, but for SMBs, that is probably the one the place I would start. So compromised credentials are still one of the biggest attack vectors that we see.
Kelly Sabo [00:21:39]:
So if you’ve got a security solution in place that gives an extra layer of security, when people are logging onto systems, that is absolutely where I would start. So as I said, Cisco Duo, for us, hugely popular in terms of the SMB space, and that is where I would start, and also having an Internet response plan. So if you are hacked, what can you do to actually minimise the, minimise that attack and get your business back up and running as soon as possible?
Karissa Breen [00:22:10]:
You mentioned before as well around leveraging AI, which can, as a result, sort of reduce, like, cost around things. So I was talking to someone the other day, and one of the they’ve gone to a new role, like, probably at SMB, actually. And they were asking me around, like, you know, the podcast and stuff like that. But then say, oh, like, one of the things that’s coming up a lot internally is how do we leverage AI for security? So is there anything like that you can sort of talk on that, you know because again, everyone has this different version of what AI looks like in their mind. I’m really keen to hear yours.
Kelly Sabo [00:22:42]:
Yeah. And I think that is one of the biggest things. So attending some of the National Small Business Summits, and Small Business Week, and we we attend a lot of those conferences to hear firsthand what’s happening in market. And it was interesting because AI was super prevalent at these conferences. But we need to actually move AI from a buzzword in market to especially in an SMB level. What does it mean for me and how can I leverage it to the best of my advantage? So I think there’s at its foremost, I think leveraging AI to automate some of the tasks associated with managing security is a great place to start. So you can actually reduce the workload on existing teams and you’re actually improving security at the same time. Right? So So from a Cisco lens, that is looking at a platform approach, which is actually supplemented by Talos, right? So Talos is our threat research organisation, and it can actually provide significant benefits to small business by enhancing cybersecurity posture.
Kelly Sabo [00:23:40]:
So 80% of network traffic flows through a Cisco device. So we’re actually taking, able to take the learnings at an enterprise level and apply them to SMB. So our AI solutions, at its most basic, you can help monitor unusual activity, manage endpoint security, and provide threat intelligence that’s often only accessible to larger companies. Right? So SMB can leverage Cisco’s tools to automate threat detection and response. So reducing the need for dedicated security staff, and then you’ve got around the clock protection, right? To some of these solutions, it’s just about being able to use those to automate what you were doing and sort of remove low level tasks from some of your existing staff. And I think we’ve now got AI integrated into a lot of our platforms. So there’s, you know, things like, AI assistant as part of WebEx or at it’s most basic as well for some companies. How do you actually leverage their machine learnings as part of AI to come up with a better marketing strategy, for example? Or how do you use some of these things rather than just the really large end of AI, which is what a lot of people talk about, the data centers and everything else? So understanding the tangible benefits of what AI can provide for your company, is really critical.
Karissa Breen [00:24:53]:
You said before, come up with a better marketing strategy. Talk me through that. What does that look like? If can you provide an example?
Kelly Sabo [00:24:59]:
Well, I think for a lot of companies and SMBs, right, they’re looking at how do they digitise. So SMBs are incredible in terms of their innovation in market. So I think it’s something that 25% more R and D is actually coming from, small media businesses compared to larger companies, right? So a lot more of them are looking at how they compete in market, and a lot of that is included in digitising and getting online. So providing more competition in markets, and that can include things like, okay, I’ve got an online business now and I’m getting inundated with queries. So how do I actually look at what are the top queries that are coming into my business? So you can run AI over the top of that to sort of say, okay, these are the the main queries that are coming up. Can I therefore create a chatbot that can respond to some of these, queries that we’re seeing time and time again, right? Can we actually look at what are the most popular products and run sort of, AI workloads over that to say, okay, we’re seeing this is really popular, so I now need to create a marketing strategy that looks at what are the most popular products and how am I actually leveraging, what I’m doing and driving more output through that by looking at, more AI work sort of force of transport there. But I’m sure we could just cut that bit out, but I think you’ve got the idea there.
Karissa Breen [00:26:17]:
Yeah. That’s absolutely fine. Okay. So now I wanna move towards you mentioned we thought automation. Now, in my sort of job asking people around automation, depends on who you ask, to get different responses, etcetera. Just for what you’re saying, Kelly, and what sort of coming from my mind is that perhaps SMBs, probably more for the automation because they don’t have the bandwidth. They don’t have the extra people that a large corporate or enterprise has to do the extra thing. So would you say the adoption towards automation, etc, is there potentially over enterprises just due to the nature of what you said? They are very innovative.
Karissa Breen [00:26:57]:
You know, they don’t have big budgets. Are you seeing that as well?
Kelly Sabo [00:27:02]:
Absolutely. I think it it automation is really interesting in terms of it’s actually baked into a lot of our tools and platforms, and it’s sort of a integration into what we drive. The big thing for small and medium businesses is if you don’t have a huge team of people and you’ve got these repeatable tasks that you actually need to, like, automate and outsource, that is critical. So what we are seeing is more and more yeah. Small businesses are saying, okay, I want to be able to leverage what AI capabilities there are to automate low level tasks. So therefore, I can free up my team to actually work on higher value projects, higher value, outputs, so I can continue to grow my business. And the good thing is a lot of what we see in marketing in terms of even the cybersecurity posture is that, as a service is is huge in terms of F and Bs. Right? Because it means that you can actually continue to try our products, run it across your business, and then scale it out as you grow.
Kelly Sabo [00:27:59]:
So you’re actually focusing on growing your business rather than having to respond to, yeah, low level tasks that are taking up time and attention. So absolutely, yeah, we’re seeing more and more the automation side of AI being of increased interest to SMBs, so they could actually free up. Because a lot of the time, if you’re a small business owner and you’re trying to do everything right, you’re trying to do your marketing strategy, you don’t have to then do payroll at its, you know, across everything. Right? So how can you look at a payroll solution that hooks free up your time?
Karissa Breen [00:28:33]:
Okay. Another area that I want to get your thoughts on is security awareness, training, etcetera, for SMBs. Now I’ve spoken to a lot of people on the show about street awareness training. I’ve had very differences of opinions. Some people saying they don’t believe in training at all. They think it’s banal. They think that it’s repetitive. It’s boring.
Karissa Breen [00:28:53]:
What are your then thoughts specific to SMBs on security awareness training, for example?
Kelly Sabo [00:28:59]:
Yeah. I think if you don’t know, you can’t respond. So again, it’s an idea of, okay, well, cyber security is someone else’s problem, but if you are not actually educating yourselves on the risks. So, continuous cyber security training programs, I personally think are crucial to educate employees about the latest threats, what are safe practices, even things like phishing simulations, right? So you can actually just, make it really tangible for people to send that out and see how many people actually click on the link and go, okay, well, are you aware that, you know, this is something that opens up the entire business now to being hacked. There’s a lot more of the emails being sent out from, you know, malicious attack vectors and people kind of not understanding what the risks are to the business. So I think if you don’t know, then you can’t react. So but it has to be, again, simplified training that makes it real for people to understand, okay, well, what are the risks? What can I do to help? And and how can I actually respond better if I am in a situation where I think something’s not quite right? Where do I actually go? What do I actually need to do in that situation as well? Because that’s the next thing is, this email looks a little bit dodgy, but I need to actually find this information. So what should I be doing in that situation? Who should I speak to to ensure that I am protecting the business, I am protecting myself? So if you don’t know, it’s hard to respond, in my opinion, but I also completely empathise that small and medium business owners are time poor.
Kelly Sabo [00:30:28]:
So if you can’t make it consumable in a format of sort of like small bites of trading, right, so an hour of training that really gives you what you need to know and a checklist at the end of it to sort of tick off what you need to do as an outcome, rather than week long training courses or, you know, a 6 month training course that gets really into the weeds of things that may or may not be relevant to you.
Karissa Breen [00:30:51]:
Okay. So a couple of other things that we’re gonna move towards now is, as we know, evolution of cyber threats have evolved, especially for SMBs. So I wanna hear your thoughts around that. And the reason why I asked that, because that’s a prelude maybe to get towards the budget side of things. So obviously now things are more intense than they’ve ever been as historically, say even like 10 years ago, for example, or even a couple of years ago. So I want to hear your thoughts on that. And then I want to sort of move into, well, things are getting worse. People’s budgets haven’t necessarily grown with the threats.
Kelly Sabo [00:31:25]:
Yeah. Yeah. Absolutely. So I think there’s as you just mentioned, there’s a lot of evolving threats. Right? So there’s more and more that we don’t even know about. And so there’s obviously ransomware attacks or increase in frequency, so they might, you know, target SMBs that don’t have as robust security defenses. Phishing campaigns, as we’ve mentioned, so there’s a lot more of targeted email because that’s an easy way in to get employees to click on a link, and you’ve got, you know, ability to get into someone’s network, stay there, and then build out over time. Another one is actually supply chain attacks.
Kelly Sabo [00:31:58]:
So they’re often increasingly targeting SMBs through their supply chain. So you’re actually exploiting vulnerabilities in third party services and software. And then obviously, as we said, employees, unfortunately, a lot of the time, number 1 in terms of not having that understanding, being out on the road, not having, their, you know, systems updated or compromised passwords and things like that. So I think, to your point, there’s more and more attack vectors, so it feels like it’s coming from everywhere and people are going, well, how do I where do I even start to ensure that I am protected at its most basic level? Because the budget may or may not be increasing to actually,
Karissa Breen [00:32:37]:
you
Kelly Sabo [00:32:38]:
know, take on what the market is telling you you need to have. And again, it comes back to that idea of getting a trusted partner to actually look at your business and understand where are the gaps and where do you need to go to protect yourself, because it’s not one size fits all. And the complexity around it, you don’t need everything, but you do need to have a basic security posture to ensure that you’re protected. And again, looking at those as a service type offerings so you can scale up as you grow, so you don’t need to go all in at the beginning on everything. Ensure that you’ve got something that continues to scale out. So if you’re looking at as a service to fit your budget for opex modeling, so you’re paying, you know, price of a cup of coffee per day. Right? That’s not much in order to protect yourself in terms of what you actually need. So those are some of the things that I think.
Kelly Sabo [00:33:23]:
And then as we mentioned, leveraging some of the AI capabilities around automation, so you’re actually getting better protection for a lower price overall.
Karissa Breen [00:33:34]:
Do you think as well, one of the things come a budget. So again, go at your earlier point around like what you don’t know, you don’t know. For example, if someone was again, example, renovating a house and I don’t know, you get some fancy marble in from some fancy part of the world and it was like more than what you sort of thought in your mind. Are you seeing as well because a lot of people out there haven’t really had a lot of exposure to, like, biode security services and solutions and things like that.
Voice Over [00:33:59]:
Are you seeing that there’s a people blindsided perhaps? But then to your point around, hey, a
Karissa Breen [00:34:03]:
cup of coffee every day, like, that’s a little bit more that people can relate to in terms of, oh, well, I can. That’s a bit more feasible, but also they can relate to, well, how much is a cup of coffee cost? Have we just historically in the industry just been so focused then
Voice Over [00:34:18]:
on these enterprise customers that again and I’m seeing this shift now from everything
Karissa Breen [00:34:23]:
that you just explained here today, that there is that change for SMBs on how we approach their budget and how we approach their security, for example.
Kelly Sabo [00:34:32]:
Yeah. And that’s the the hard part in market is that if you were to look at everything in terms of the framework that you would need, you’d be up for 100 of 1,000 of dollars upfront, right, to be able to run that if you were looking at enterprise security solutions that would fit a big business. Right? And that’s, I think, where people stop and go, well, I can’t afford that. That’s that’s not for me. I don’t need that level of security. And they’re probably right a lot of the time that there is much more sort of smaller measures that you can take in order to protect yourself, some of which are free, right? So education, there’s a lot of education out there that is free that people want to actually help people understand and therefore take some of the security measures. So what are you doing at its most basic level? Because if you go out there and start looking at these these huge costs for the business, absolutely, it’s not relevant, it’s not tangible, and business owners go, okay, that that’s not me. I can’t afford that.
Kelly Sabo [00:35:23]:
And that’s why I think there’s a lot more of that sort of marketing idea of if you look at, okay, at its most basic, you’re trying to protect less than 10 users for a price per product, per point, product per month, whatever else. And it makes it a lot more consumable for businesses to actually go, okay, I can afford that. And it’s, bespoke for me as I’ve got a trusted partner who’s actually come and looked at my business and got, okay, these are the the biggest areas of where you could potentially be attacked, and this is where you need to protect yourself. So that’s why, for us, as I said, sort of Duo and MFA, they’re the big selling products for us because it’s, much more consumable. People can actually understand what that is. And they go, okay, actually, yeah, I understand why I need that because I’ve got 5 employees. They’re all travelling. They work remote.
Kelly Sabo [00:36:09]:
And now I understand that if they’re on an unprotected Wi Fi network, that there’s much more risk for that person not being in the office where they’re not protected on the corporate network. Right? So understanding that shift in employee behaviour, and SMBs getting online as well. So understanding that, okay, as an SMB now, in order to compete in market with big business, I need to digitise, but digitisation means that I’m actually online, and that’s where a lot of attack vectors are also coming in. So how do I protect myself getting online? And it’s not just that all in in the top end of town that we hear about, obviously, in the media as well.
Karissa Breen [00:36:46]:
And would you say from your experience, primarily SMBs are, hey, here’s a managed service. You guys manage it in terms of your partners because people just don’t have the time. Are you seeing more of that in terms of, like, a trend, would you say? Or would you say it’s like, oh, you guys can manage some of that and we’ll manage some of it in house? I was just sort of curious to know.
Kelly Sabo [00:37:05]:
Look, it’s a it’s a pretty big mixture. Mixture, and for us, right, with SMBs and depending on size, resourcing, everything else, but we do see that, especially in the cybersecurity space, it’s really hard to get resources that understand that there’s a bit of a resource drain in cyber security. So a lot of people, it’s really expensive to get really good cyber security professionals into your business. Right? So there’s a lot more that are saying, actually, I do wanna outsource. I do wanna find someone that already has that knowledge and can do, you know, pen testing, all that kind of stuff. I wanna find someone that’s an expert in that field rather than becoming an expert myself. Because again, it’s that, you know, idea of being time poor, resource poor, and budget constrained. A lot more of them are saying, okay, I actually just want to find a trusted partner adviser that will do that for me, and I just pay, therefore, the per month fee to have peace of mind and know that someone else is actually taking on that for me.
Kelly Sabo [00:38:01]:
Again, though, we have a we do have a lot of customers that are saying, okay, well, I’m building up my business, and I wanna make sure that I understand what’s happening behind the scenes. So I wanna build up my own security posture and, you know, infrastructure and everything else. So there’s there’s a really mixed bag, but I think at its most basic, a lot more are looking to outsource. And even, with the big service providers, for example, I’ve got a bill with my service provider. What can I actually add on as a monthly billing just so I’ve got one bill to pay? I don’t even have to worry. It it just comes into that. So I think even at its most basic, being able to look at that as an option is actually great because you’re actually taking a count of a bill in, but it’s still less time that you have to spend thinking about it yourself.
Karissa Breen [00:38:43]:
So, Kelly, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?
Kelly Sabo [00:38:50]:
I think we, as Cisco, understand that it’s incredibly complex. There’s more than ever that people need to understand and act on. But I think knowing that you’re not alone, that there are other experts out there and there are places to go, you know, come to us and have a conversation and we can actually build out from there what you need to do as a business to protect your business, not protect the entire market. And don’t get confused with what other people are doing, make it tangible and make it easy for you. And that starts with having conversation to actually acknowledge, okay, I know I need to do something. I don’t know what it is yet. It’s an incredibly complex space, but even just having that conversation and starting to put forward some of those really basic checkpoints, that’s a great place to start, in my opinion.
