December 04, 2024

00:40:28

Episode 284 Deep Dive: Kelly Sabo | Cybersecurity Essentials for SMBs

KBKAST

Show Notes

In this episode, we sit down with Kelly Sabo, Head of SMB and Mid Market ANZ at Cisco, as she discusses cybersecurity essentials for small and medium businesses (SMBs). Kelly delves into the misconceptions SMB owners have about their vulnerability to cyber attacks, the alarming statistic that up to 60% of SMBs risk going out of business within 6 months post-attack, and the critical need for a comprehensive approach that goes beyond IT. We also explore how SMBs can tackle these challenges with limited resources, the benefits of outsourcing cybersecurity to experts, and the role of AI in automating security tasks to enhance protection. Additionally, Kelly emphasizes practical steps SMBs can take, like implementing multi-factor authentication and conducting risk assessments, to bolster their security without incurring enterprise-level costs.

Kelly Sabo, Leader – Small & Medium Business and Commercial Mid-Market, Cisco Australia & New Zealand

With over a decade of experience in the technology sector, Kelly is dedicated to empowering small and medium businesses (SMBs) and commercial mid-market enterprises to thrive in today’s digital backdrop. As the leader for SMB and mid-market sized customers at Cisco ANZ, Kelly is deeply committed to leveraging Cisco’s cutting-edge technologies to drive growth, efficiency, and competitiveness for businesses of all sizes.

Kelly’s expertise lies in understanding the unique challenges and opportunities faced by SMBs and mid-market enterprises, particularly in an environment where the adoption of cloud and software-as-a-service solutions has reshaped the industry landscape. She is passionate about helping organisations harness the power of cloud managed networking, security, and collaboration to meet the demands of the modern business world.

Kelly’s experience covers multiple technology companies including Oracle, NetApp and now Cisco, from sales leadership, managing partners, distributors, account management and sales operations.

Since joining Cisco in 2015, Kelly has held various leadership, channel, and sales roles, gaining valuable insights into the dynamic nature of the technology ecosystem. Her extensive knowledge of the channel space provides her with a unique perspective in helping partners adapt and evolve in a rapidly changing environment.

As a leader in the industry who can distil complexity and boil it down to clear actions, Kelly is frequently sought after to share her insights and expertise at industry events and conferences. 

Episode Transcript

[00:00:00] Speaker A: In reality, 43% of cyber attacks are actually aimed at small and medium businesses. So hackers see that SMBs are easier to breach, as they often have, you know, less resources, lower security measures sometimes, and they actually still have access to a lot of valuable data which can be used for compromised credentials, which is obviously still one of the largest attack vectors.

[00:00:23] Speaker B: This is KBKAST.

[00:00:25] Speaker A: Are they completely sized as a primary.

[00:00:27] Speaker B: Target for ransomware campaigns, security and testing.

[00:00:30] Speaker A: And performance and scalability, risk and compliance? We can actually automatically take that data and use it.

[00:00:38] Speaker B: Joining me now is Kelly Sabo, head of SMB and mid market ANZ from Cisco. And today we're discussing cybersecurity essentials for SMBs, protecting the backbone of ANZ's economy. So, Kelly, thanks for joining and welcome.

[00:00:53] Speaker A: Thank you, KB. Awesome to be here.

[00:00:55] Speaker B: Okay, so Kelly, let's just get straight into it now. Would you say with your experience of working SMBs, that SMBs believe that cyber incidents won't happen to them? Now, I know that's sort of like common sort of talk track. There's always this thing in the industry of like, oh, it won't happen to me. But however, because you're at the forefront the coal face, a lot of these businesses are really keen to genuinely understand what the sense is from businesses that you're sort of working with.

[00:01:25] Speaker A: Absolutely. So I think a lot of small and medium business owners still assume that they aren't targets for a cyber attack. And a lot of that misconception often stems from the fact they believe attackers are going after bigger businesses with perceived more valuable data. And there's probably still a bit of a lack of understanding about the frequency and impact of cyber attacks and just how vulnerable they actually are.
So in reality, 43% of cyber attacks are actually aimed at small and medium businesses. So hackers see that SMBs are easier to breach, as they often have, you know, less resources, lower security measures sometimes, and they actually still have access to a lot of valuable data which can be used for compromised credentials, which is obviously still one of the largest attack vectors, I think. Also SMBs are a gateway into larger networks and supply chains. And so cybercriminals know that SMBs supply larger companies. So breaching a small business can lead to sensitive data access in larger organizations a lot of the time as well.

[00:02:22] Speaker B: So when you're sitting opposite a company or client and they're like, oh, yeah, but Kelly, it won't happen to me, what is sort of your response? Do you think that again, it's, I get where they're coming from. Because we often do hear in the media around, you know, big companies that are having these issues, very rarely do we hear about the small ones. We can get into that a little bit later. But what is sort of your first response to that?

[00:02:46] Speaker A: I think for people, it's understanding the real cost of what a cyber breach could do to your business. Right. And there's a lot of statistics around the fact that up to 60% of small businesses that suffer a cyber attack actually go out of business within six months. Right. So it's a big gamble to play to say that, oh, it won't happen to me, and depends on your risk appetite. Right. But there's a lot more cyber criminals going after small businesses just due to the fact that it is an easier way in. So if you're at the point where you're saying, okay, well, it won't happen to me, and I think I'm willing to take the gamble. There needs to be a better understanding across the industry in general about just what can happen when you are breached and the fact that it is much more commonplace.
And I think there's, you know, the data breach notification that now is actually, you have to actually notify a lot of the time, and a lot of small businesses actually are under that framework as well, and they might not even know that. So I think having that understanding is super critical in terms of knowing how to protect your business and that it actually, the pendulum is swinging from if you get hacked to when you get hacked.

[00:03:50] Speaker B: And when you say the, when you get hacked, what do you think people should say then? What do you think their response is to you? Well, what do we do to prevent that?

[00:03:59] Speaker A: Well, I think there's a lot of gaps when it comes to SMBs. Right. So SMB owners, they often lack time. They lack resources, they lack cash flow. And that doesn't lend well to dealing with the complexity aligned to cybersecurity. Right. So there's this perceived notion still that, you know, cybersecurity is an IT problem rather than an everyone problem. Or there's the, I don't know, the idea that I have a firewall for security, so I'm actually protected, so I don't need to worry. So I think there needs to be the understanding, again, that what do you do if you are hacked, have you got an incident response plan and putting the right steps in place? Because there's still so many gaps in terms of what people actually an understanding of where to even start. And that's the thing. It's such a complex industry. And I know when I started it was about, okay, well, where's the one framework or place that I go to understand as a small business what I need to do to protect myself? And it's not easy.

[00:04:52] Speaker B: Okay, I've got a couple of things going on in there, but I wanted to zoom out for a second, and this sounds like a counterintuitive question I'm about to ask you around the media, always talking about the larger breaches, considering I'm, you know, running this interview.
We're sort of different because obviously we're a trade publication. But in saying that, why do you think there is being such a focus then on the larger companies? Is it because if it's not a large organization, it's kind of like the outside public maybe doesn't care as much, so they're like, oh, well, you've never heard of the business, like, who cares? You think there's a little bit of that?

[00:05:25] Speaker A: And then.

[00:05:25] Speaker B: So what that then generates is perhaps SMBs believing that, oh, well, it never really happens to companies of our size because we don't really hear about it.

[00:05:33] Speaker A: Yeah, absolutely. And I mean, obviously the big businesses get headlines, Medibank and all those type of things where you realize, okay, I can actually have my data breached for my medical records. Right. Which is incredibly terrifying for people. But then if you go that one step down, what about your GP? Right. And that's one of the big ones we looked at. You know, there was the GP grants recently where, you know, GPs were given $50,000 to digitize. And what did that mean? Right. And you would hope that a lot of them said, okay, we are actually protecting frontline medical records. We need to have an incredibly stringent cybersecurity posture. So I think there is that idea of, you know, big businesses get big headlines, but at the same time, it is still really tough. So there's a lot of government frameworks around what you should do for small. For big businesses. So Essential Eight is a great example, but that still requires a bit of security knowledge to actually implement that. So I think there is a lot of content out there focused on enterprise businesses. And it's easy because there's so much knowledge and everything else.
But for small businesses, the one thing that I'm taking at the moment, and we do a lot of work with, you know, Council of Small Business Association Australia, we work with a lot of the big service providers, we work with a lot of industry bodies, and there's a lot more of these businesses coming together. And we're in multiple workshops at the moment where we're all sitting down and saying, how do we actually uplift the overall knowledge for SMBs on cyber? So we have our Networking Academy at Cisco and Skills for All free courses and then we're partnering to look at became first and foremost, people need to educate themselves. SMBs also need to understand their regulatory environment surrounding cybersecurity as well. Right. So making that easy, but first and foremost, how do you make that content consumable for SMBs? So is it smaller training courses, you know, a couple of hours that you can get across the main hacks that might be aimed at small businesses? Can you get download a checklist so you can actually just make it really easy to tick off the things that you need to do to protect yourself and therefore if you were hacked, what do you actually do next as well? So I think creating content and making consumable, but really great to see that the industry is actually pitching together in a sort of corporate social responsibility way to say we actually need to uplift the general education. More SMBs are digitizing, which is great, but it means that there's more potential for them to be hacked. So how do we actually work together to protect them and uplift the general knowledge of the population? Because let's face it, if big businesses are relying on small businesses, right? So if they're getting hacked, they're often a vector into big business and it's actually their industry and the company, sorry, the country as a whole, that needs to be involved in this.

[00:08:16] Speaker B: Okay, so some great points. I want to go back a moment.
You touched on something which was interesting and I've been thinking about this considering my background working in a large enterprise, large corporate, in security myself, they got big budgets. So what I've often seen, especially in my position and working in the industry historically would be a lot of these companies out there that are selling these services primarily is they're for enterprises, they're expensive. A small business can't fork out like millions and millions and millions or billions of dollars for all of this stuff. And so to sit back and wonder how come no one or no one, but a lot of people aren't super focused on, hey, we're just going to create a service and X company who's an SMB doesn't have the time like you, you know, you mentioned before, and it's just like it's going to wrap it up as a service and you know, we've got all the things covered. I haven't seen a lot of that in the market as opposed to the big enterprise stuff. Again, why do you think that is? You think these people sort of just get relegated a little bit?

[00:09:18] Speaker A: I mean, in our space we have a lot of managed service provider partners that are trying to do exactly that, right? So that whole if SMBs don't have huge budgets to fork out initially and a lot of them are growing, right? So you don't want to set up the infrastructure yourself and then not have it be able to scale with your business. So we have a lot of managed service provider partners that are looking to play that trusted partner and advisor as well, right? Knowing that sometimes SMBs don't have the knowledge, we strongly recommend working with, you know, a partner that can either fork out initially to set up your infrastructure or alternatively provide a managed service into your business. So it's more of that you are paying a monthly subscription to actually build out your cyber practice, and especially around software as a service and things like that, which will scale up as you grow.
So we do have a lot of great partners in this space that are trying to make it bespoke and differentiate and say, okay, what do you actually need? Because I think if you look at the strengthening the posture for SMBs, right, first of all, it has to be simple. And at its most basic, you need to take accountability potentially for updating your own software, backing up your information regularly and running a risk assessment to understand what the gaps or vulnerabilities are in your business. But then if you're partnering with someone and you're building out your cyber practice, working with that team to understand what are the most prevalent threats to SMBs, and start there to protect yourself. Looking at budgets, right, you need a layered defence strategy, but where are the actual risks for you? Because I know there's a lot of talk about, you know, XDR and SIEMs, and we get, you know, customers coming to us and saying, oh, I think I need a SIEM. And we're like, well, do you? Or is that an industry term that you've heard, right? So I think if I look at what I would tell people at its most basic. So start with email, right? Most phishing attacks are via email, so look at an email security solution. Next is web. If an email does get through, how do you actually block people? Clicking malicious links, for example, and finally prioritize multi factor authentication to stop compromised credentials, right? So implementing MFA as an extra layer of security which makes it harder for attackers to gain unauthorized access. And for us, Cisco Duo and Umbrella, which are our web blocking and MFA solutions, are two of the most popular products we actually see in market in the SMB space.

[00:11:37] Speaker B: Okay. So going back to the partner side of things now, how would a client or an SMB determine who's a good partner? And what I mean by that question is when you don't know what you don't know, it's sort of hard to discern if this is a good partner or not.
Like if someone is renovating a house, like, how do you know who's a good painter unless she's done it before or you've got people that are in there, like, how do you sort of know? Is there any sort of advice that you could share on that front?

[00:12:03] Speaker A: Yeah, I mean, for us, we are, absolutely. But we're in the market of making sure that our partners have got the necessary information, that they've got the necessary skills to actually help our customers. Right. So I would suggest coming to us first and foremost and we will actually sit down, understand what it is that you're looking for. As we said, we will actually then work with you on a risk assessment so you actually understand the gaps and the vulnerabilities for your business specifically. And then we can actually recommend a trusted partner or advisor to work with you. Right. So is it a managed service? Do you want to hand it off? And you don't actually have to want to have to worry about it. Do you want a partner that can help provide infrastructure to you so you could actually build out your own infrastructure and manage it yourself? So there's so many different partners that have different skills in market. And I think for us that's our job, right, to vet that they are the right partners in market that can actually help you go on that cybersecurity journey. So you're not going it alone. Because I think if we speak to SMBs, just the concept of it's all too hard, first and foremost, because it's so complicated. And secondly, I'm so time poor as it is and I don't have that many resources and cash flow is not something that is, you know, incredibly abundant. So when you mix all that together, you need a partner that can actually come in and go, okay, well, let's work on a monthly billing. Let's work on us taking off some of that resource load.
Let's work on, you know, implementing some of the AI strategies that you can actually reduce your workload on your staff and do that low level doesn't have to be done by you anymore. So I think that is something that we are incredibly across and making sure that we have the right partners in market to support our brand as well.

[00:13:39] Speaker B: In terms of knowledge gap, what is the common sort of thread that you're seeing with SMBs around? Is it like to your point before, oh, we need a SIEM. And it's like, well, I don't know if you do. So do you think it's more. So they hear these terms that are thrown out there in the market and they just assume, oh, I need the thing, or is it just to your point around, there's so much going on and I'm being bombarded with things all of the time, I don't even know where to start. I don't even know what's good, what's not good. Do I have anything at all going on for me, like in terms of security, what's sort of the common sort of, you know, talk track there?

[00:14:14] Speaker A: I think, yeah, as I said, it's often around that cybersecurity, it's an IT problem, not an everyone problem. Right. And I think the number one thing that gets people is it's actually your employees that are the ones that are probably most likely to trip up by clicking on a phishing link or something like that. Right. So, yes, there is all these, you know, big vectors for being attacked and do you need a full SIEM or XDR to look at your entire network? But a lot of the time you're not even at the point of having those products to need that solution in the first place. Right. So looking at it, that, okay, what at its most basic, are my employees educated? Am I making sure that I don't have outdated software or insufficient patching? So, because that's another thing, people think they're protected when they're actually not. Right.
And so I think for us, it's about ensuring that people are aware of what they have in the first place to know how to protect themselves. Because that's the biggest thing, right? You need to actually understand. And that's why we say do a risk assessment. So you actually know with a distributed workforce where employees are working from anywhere, on any device, there's more vulnerabilities than ever before. But don't get bogged down with the complexities of the overall market. Actually make it specific to what you have and how you could best respond for your business.

[00:15:28] Speaker B: So I flip over now to the content side of things, which you sort of touched on. And again, I thought about this as well, and as we probably both would agree that there is a lot of content out there in the market, that's focused on enterprises, government, et cetera, which isn't super applicable to a lot of SMBs. And you said something before, we're like making it like digestible so people can consume the content that makes sense to them. Where do you think in terms of we should be going then as an industry to perhaps target content that is more digestible to SMBs as opposed to a government or an enterprise? Because you are right on that front. And I think the industry is trying to change that. But again, I mean, I've been in this space for about a decade and I've seen people say we need to do the thing, but haven't seen the needle moved substantially over the last decade.

[00:16:24] Speaker A: Yeah, I think that's the thing. Putting it back into the hands of the organizations that are at the coal front of working with SMBs is kind of critical. So we're, as I said, members of Council of Small Business Association Australia and they've got Cyber Wardens as a program. Right. So distilling a lot of that content down to make it a forum that SMBs can actually understand in a language that they use.
Because realistically, if you look at Essential Eight, some of those frameworks, you already have to have a fairly decent baseline understanding of security to actually even implement what they're telling you to do. Right. So I think more and more we are now partnering with organizations that are saying, okay, some of the service providers now are saying, well, we want to create content bespoke for SMBs and get them along to, you know, a couple of hours workshop, knowing that they don't have all day or weeks to kind of sign up to courses and things like that, and making it really consumable with a checklist of what do you actually need to do to tick off. Okay, so I need an MFA solution, but what is an MFA solution? Right. Even that is, you know, it's not accessible language for a lot of people. So understanding that, okay, if my employees are on the go and they are clicking on the link, do I have more than one point of accountability for credentials to ensure that they're not going to be hacked out on the road or they're not signing up to their public wifi at the airport, which we've all been guilty of. Right. And there's an immediate threat there. So I think there is more and more that the industry bodies are doing that. The service provider partners, and again, a lot of them are still at the point of building it and they don't know what they don't know. Right. Because a lot of the time they're not the expert, but for me, it's really refreshing to see that, you know, people are coming to us and say, how do we sit down and build this to make it consumable and something that SMBs can understand and actually execute on as well. Right. So it's not information for information's sake. It's really practical and tangible about what they can do to protect themselves for their size of business.

[00:18:21] Speaker B: Yeah, that's a good point around information for information's sake.
Because, I mean, I've spoken to a lot of people in the industry, as you know, and then there are people saying, oh, but, you know, you could just look up the NIST framework. I'm like, that. Have you read that framework? It is so long and convoluted, like, there's no way on earth someone who doesn't understand cybersecurity is going to go and read that and then try to comprehend what that means and then implement it. Like, I feel like sometimes people have this really wild view on how outside, you know, people, cyber security are really going to implement this stuff. I've heard this a lot. I was a little bit taken aback by that. Like, are you kidding me? Like, no one's actually going to do that.

[00:19:00] Speaker A: Oh, absolutely. And small business owners are everything. They're the ones running the business, they're the ones trying to do, you know, the financing, they're trying to make sure that they've got enough resources. A lot of the time it's just, you know, you can see why they put it on the back burner, because it's out of sight, out of mind, and it's okay. Well, I just hope I don't get hacked because I then might have to deal with it. But at the moment, it's too complex for people if you don't even have the baseline understanding of cybersecurity. And that's what I think. It's overwhelming because when I first took on this job, I sort of put it into Google. Okay, where's the one place naively thinking that there's one place that you go? And that's almost the hardest part, is that that information overload makes it. Do you just want to shut your laptop and just go, okay? Well, it's just. It might be easy to be hacked. So I think making it really tangible in terms of a checklist of, okay, I just need to tick off these three things and put a reminder in my diary every three months to make sure that I update my software or I am backing up my information.
So if I was hacked, those are kind of tangible steps for people rather than going, okay, you've got a SIEM and have you got, you know, extended threat response? And, you know, they're terms that aren't everyday language. And I can see why people get overwhelmed. Yeah.

[00:20:13] Speaker B: And a lot of these things are a little bit over the top for what people need. So in terms of checklist, what are maybe three to five things for people listening that can do straight away. But then also you mentioned baseline. What are just some fundamental things from your experience with working at SMBs that people just absolutely need to have.

[00:20:31] Speaker A: Yeah, I think I probably touched on it. But I mean, going back to at its most basic, so updating your software and backing up your information, running a risk assessment to understand what are the gaps or vulnerabilities in your business. So if you don't understand what you have in the first place, it's hard to understand how to manage it. Right. So getting rid of this idea of like, I've got a firewall, therefore I'm okay, well, is that actually the number one vector of where you're most likely to be attacked or do you need to look at something else? Right, have you got employees that are remote working from anywhere? Because as I said before, right, you need a layered defence strategy, but looking at the threats that are most realistic for your business. So start with an email security solution so that, you know, most phishing attacks are by email. Ensure that if an email does get through, you need to be able to block people clicking malicious links. And as I said before, prioritizing multifactor authentication is one of the. It's part of the Essential Eight. But for SMBs, that is probably the one place I would start. So compromised credentials are still one of the biggest attack vectors that we see.
So if you've got a security solution in place that gives an extra layer of security when people are logging onto systems, that is absolutely where I would start. So as I said, Cisco Duo for us, hugely popular in terms of the SMB space and that is where I would start. And also having an incident response plan. So if you are hacked, what can you do to actually minimize that attack and get your business back up and running as soon as possible.

[00:22:10] Speaker B: Mentioned before, as well around leveraging AI, which can as a result sort of reduce like cost around things. So I was talking to someone the other day and one of the qu, they've gone to a new role, like probably at SMB actually, and they were asking me around like, you know, the podcast and stuff like that, but then saying, oh, like one of the things that's coming up a lot internally is how do we leverage AI for security? So is there anything like that? You can sort of talk on that, you know, because again, everyone has this different version of what AI looks like in their mind. I'm really keen to hear yours.

[00:22:42] Speaker A: Yeah. And I think that is one of the biggest things. So attending some of the national Small Business Summits and Small Business Week and we attend a lot of those conferences to hear firsthand what's happening in market. And it was interesting because AI was super prevalent at these conferences. But we need to actually move AI from a buzzword in market to especially in an SMB level. What does it mean for me and how can I leverage it to the best of my advantage? So I think there's at its foremost, I think leveraging AI to automate some of the tasks associated with managing security is a great place to start. So you can actually reduce the workload on existing teams and you're actually improving security at the same time. Right. So from a Cisco lens that is looking at a platform approach which is actually supplemented by Talos. Right.
So Talos is our threat research organization and it can actually provide significant benefits to small business by enhancing cybersecurity posture. So 80% of network traffic flows through a Cisco device. So we're actually able to take the learnings at an enterprise level and apply them to SMB. So our AI solutions, at its most basic, you can help monitor unusual activity, manage endpoint security and provide threat intelligence that's often only accessible to larger companies. Right. So SMBs can leverage Cisco's tools to automate threat detection and response, so reducing the need for dedicated security staff. And then you've got around the clock protection. Right. So some of these solutions, it's just about being able to use those to automate what you're doing and sort of remove low level tasks from some of your existing staff. And I think we've now got AI integrated into a lot of our platforms. So there's, you know, things like AI Assistant as part of Webex or at its most basic as well. For some companies, how do you actually leverage their machine learnings as part of AI to come up with a better marketing strategy, for example, or how do you use some of these things rather than just the really large end of AI, which is what a lot of people talk about, the data centers and everything else. So understanding the tangible benefits of what AI can provide for your company is really critical.

[00:24:53] Speaker B: You said before, come up with a better marketing strategy. Talk me through that. What does that look like? Can you provide an example?

[00:24:59] Speaker A: Well, I think for a lot of companies in SMBs, right, they're looking at how do they digitize. So SMBs are incredible in terms of their innovation in market. So I think it's something that 25% more R&D is actually coming from small medium businesses compared to larger companies. Right.
So a lot more of them are looking at how they compete in market, and a lot of that is included in digitizing and getting online. So providing more competition in markets and that can include things like, okay, I've got an online business now and I'm getting inundated with queries. So how do I actually look at what are the top queries that are coming into my business? So you can run AI over the top of that to sort of see, okay, these are the main queries that are coming up. Can I therefore create a chatbot that can respond to some of these queries that we're seeing time and time again? Right. Can we actually look at what are the most popular products and run sort of AI workloads over that to say, okay, we're seeing this is really popular. So I now need to create a marketing strategy that looks at what are the most popular products and how am I actually leveraging what I'm doing and driving more output through that by looking at more AI work. What I sort of want to try and thought there, but I'm sure we could just cut that bit out. But I think you've got the idea there.

[00:26:17] Speaker B: Yeah, that's absolutely fine. Okay, so now I want to move towards you mentioned before, automation. Now, in my sort of job, asking people around automation depends on who you ask, they get different responses, et cetera. Just from what you're saying, Kelly, and what's sort of coming from my mind is that perhaps SMBs are probably more for the automation because they don't have the bandwidth, they don't have the extra people that a large corporate or enterprise has to do the extra things. Would you say the adoption towards automation, et cetera, is there potentially over enterprises just due to the nature of what you said? They are very innovative, you know, they don't have big budgets. Are you seeing that as well?

[00:27:02] Speaker A: Absolutely.
And I think automation is really interesting in terms of it's actually baked into a lot of just tools and platforms and it's sort of an integration into what we drive. The big thing for small medium businesses is if you don't have a huge team of people and you've got these repeatable tasks that you actually need to like automate and outsource. That is critical. So what we are seeing is more and more, yeah, small businesses are saying, okay, I want to be able to leverage what AI capabilities there are to automate low level tasks. So therefore I can free up my team to actually work on higher value projects, higher value outputs, so I can continue to grow my business. And the good thing is, a lot of what we see in marketing in terms of even the cybersecurity posture is that as a service is huge in terms of SMBs, right, because it means that you can actually continue to try out products, run it across your business and then scale it out as you grow. So you're actually focusing on growing your business rather than having to respond to low level tasks that are taking up time and attention. So absolutely, yeah, we're seeing more and more the automation side of AI being of increased interest to SMBs. So they can actually free up. Because a lot of the time if you're a small business owner and you're trying to do everything, right, you're trying to do your marketing strategy, you don't have to then do payroll at its, you know, across everything. Right. So how can you look at a payroll solution that helps free up your time?

[00:28:33] Speaker B: Okay, another area that I want to get your thoughts on is security awareness training, et cetera, for SMBs. Now I've spoken to a lot of people on the show about security awareness training. I've had very differences of opinions. Some people saying they don't believe in training at all. They think it's banal, they think that it's repetitive, it's boring.
What are your then thoughts specific to SMBs on security awareness training, for example?

[00:28:59] Speaker A: Yeah, I think if you don't know, you can't respond. So again, it's an idea of, okay, well, cybersecurity is someone else's problem. But if you are not actually educating yourselves on the risks. So continuous cybersecurity training programs I personally think are crucial to educate employees about the latest threats, what are safe practices, even things like phishing simulations. Right. So you can actually just make it really tangible for people to send that out and see how many people actually click on the link and go, okay, well are you aware that, you know, this is something that opens up the entire business now to being hacked? There's a lot more of the emails being sent out from, you know, malicious attack vectors and people kind of not understanding what the risks are to the business. So I think if you don't know, then you can't react. So but it has to be again, simplified training that makes it real for people to understand. Okay, well, what are the risks? What can I do to help and how can I actually respond better if I am in a situation where I think something's not quite right, where do I actually go? What do I actually need to do in that situation as well? Because that's the next thing is this email looks a little bit dodgy, but I need to actually find this information. So what should I be doing in that situation? Who should I speak to to ensure that I am protecting the business, I am protecting myself? So if you don't know, it's hard to respond in my opinion. But I also completely empathize that small and medium business owners are time poor. So if you can't make it consumable in a format of sort of like small bites of training. Right.
So an hour training that really gives you what you need to know and a checklist at the end of it to sort of tick off what you need to do as an outcome rather than week long training courses or you know, a six month training course that gets really into the weeds of things that may or may not be relevant to you.

[00:30:51] Speaker B: Okay, so a couple of other things I want to move towards now is as we know, evolution of cyber threats have evolved especially for SMB. So I want to hear your thoughts around that and the reason why I asked that because that's a prelude maybe to get towards the budget side of things. So obviously now things are more intense than they've ever been as historically, say even like 10 years ago, for example, even a couple of years ago. So I want to hear your thoughts on that. And then I want to sort of move into, well, things are getting worse. People's budgets haven't necessarily grown with the threats.

[00:31:25] Speaker A: Yeah, yeah, absolutely. So I think there's, as you just mentioned, there's a lot of evolving threats. Right. So there's more and more that we don't even know about. And so there's obviously ransomware attacks or increase in frequency. So they might, you know, target SMBs that don't have as robust security defenses. Phishing campaigns as we've mentioned. So there's a lot more of targeted email because that's an easy way in to get employees to click on a link. And you've got, you know, ability to get into someone's network, stay there and then build out over time. Another one is actually supply chain attacks. So they're often increasingly targeting SMBs through their supply chain. So you're actually exploiting vulnerabilities in third party services and software. And then obviously, as we said, employees, unfortunately a lot of the time, number one, in terms of not having that understanding, being out on the road, not having their systems updated or compromised, passwords and things like that.
So I think to your point, there's more and more attack vectors. So it feels like it's coming from everywhere and people are going, well, how do I, where do I even start to ensure that I am protected at its most basic level, because the budget may or may not be increasing to actually, you know, take on what the market is telling you you need to have. And again, it comes back to that idea of getting a trusted partner to actually look at your business and understand where are the gaps and where do you need to go to protect yourself? Because it's not one size fits all and the complexity around it. You don't need everything. But you do need to have a basic security posture to ensure that you're protected. And again, looking at those as a service type offerings, so you can scale up as you grow. So you don't need to go all in at the beginning on everything, ensure that you've got something that continues to scale out. So if you're looking at as a service to suit your budget for OPEX modeling, so you're paying, you know, price of a cup of coffee per day, right. That's not much in order to protect yourself in terms of what you actually need. So those are some of the things that I think and then as we mentioned, leveraging some of the AI capabilities around automation so you're actually getting better protection for a lower price overall.

[00:33:34] Speaker B: Do you think as well one of the things from a budget. So again, go back to your earlier point around like what you don't know, what you don't know, for example, if someone was again, example renovating a house and I don't know, you get some fancy marble in from some fancy part of the world and it was like more than what you sort of thought in your mind, are you seeing as well? Because a lot of people out there haven't really had a lot of exposure to like buying security services and solutions and things like that. So are you seeing that there's. Are people blindsided? Perhaps.
But then to your point around, hey, a cup of coffee every day, like that's a little bit more that people can relate to in terms of, oh well I can, that's a bit more feasible. But also they can relate to, well, how much does a cup of coffee cost? Have we just, historically in the industry just been so focused that on these enterprise customers that again, and I'm seeing this shift now from everything that you've just explained here today, that there is that change for SMBs on how we approach their budget and how we approach their security, for example.

[00:34:32] Speaker A: Yeah. And that's the hard part in market is that if you were to look at everything in terms of the framework that you would need, you'd be up for hundreds of thousands of dollars upfront. Right. To be able to run that. If you were looking at enterprise security solutions, that would fit a big business. Right. And that's, I think, where people stop and go, well, I can't afford that. That's, that's not for me. I don't need that level of security. And they're probably right a lot of the time that there is much more sort of smaller measures that you can take in order to protect yourself, some of which are free. Right. So education, there's a lot of education out there that is free that people want to actually help people understand and therefore take some of the security measures. So what are you doing at its most basic level? Because if you go out there and start looking at these, these huge costs for the business. Absolutely. It's not relevant, it's not tangible. And business owners go, okay, that's not me. I can't afford that. And that's why I think there's a lot more of that sort of marketing idea of if you look at okay, at its most basic, you're trying to protect less than 10 users for a price per product, per point, product per month, whatever else. And it makes it a lot more consumable for businesses to actually go, okay, I can afford that.
And it's bespoke for me, I've got a trusted partner who's actually come and looked at my business and gone, okay. These are the biggest areas of where you could potentially be attacked and this is where you need to protect yourself. So that's why for us, as I said, sort of Duo and MFA, they're the big selling products for us because it's much more consumable. People can actually understand what that is. And they go, okay, actually, yeah, I understand why I need that because I've got five employees, they're all traveling, they work remote. And now I understand that if they're on an unprotected WiFi network, that there's much more risk for that person not being in the office where they're not protected on the corporate network. Right. So understanding that shift in employee behavior and SMBs getting online as well. So understanding that, okay, as an SMB now in order to compete in market with big business, I need to digitize. But digitization means that I'm actually online and that's where a lot of attack vectors are also coming in. So how do I protect myself getting online? And it's not just that all in, in the top end of town that we hear about obviously in the media as well.

[00:36:46] Speaker B: And would you say from your experience primarily SMBs are, hey, here's a managed service, you guys manage it in terms of your partners because people just don't have the time. Are you seeing more of that in terms of like a trend, would you say? Or would you say it's like, oh, you guys can manage some of that and we'll manage some of it in house. I was just sort of curious to know.

[00:37:04] Speaker A: Look, it's a pretty big mixture and for us, right, with SMBs and depending on size, resourcing everything else. But we do see that especially in the cybersecurity space, it's really hard to get resources. But understand that there's a bit of a resource drain in cybersecurity.
So a lot of people, it's really expensive to get really good cybersecurity professionals into your business. Right? So there's a lot more that are saying, actually I do want to outsource. I do want to find someone that already has that knowledge and can do, you know, pen testing, all that kind of stuff. I want to find someone that's an expert in that field rather than becoming an expert myself. Because again, it's that, you know, idea of being time poor, resource poor and budget constrained. A lot more of them are saying, okay, I actually just want to find a trusted partner advisor that will do that for me and I just pay therefore the per month fee to have peace of mind and know that someone else is actually taking on that for me. Again though, we have a, we do have a lot of customers that are saying, okay, well I'm building up my business and I want to make sure that I understand what's happening behind the scenes. So I want to build up my own security posture and you know, infrastructure and everything else. So there's, there's a really mixed bag. But I think at its most basic, a lot more are looking to outsource. And even with the big service providers, for example, I've got a bill with my service provider, what can I actually add on as a monthly billing, just so I've got one bill to pay, I don't even have to worry. It just comes into that. So I think even at its most basic, being able to look at that as an option is actually great because you're actually taking accountability. But it's still less time that you have to spend thinking about it yourself.

[00:38:43] Speaker B: So, Kelly, do you have any sort of closing comments or final thoughts you'd like to leave our audience with today?

[00:38:50] Speaker A: I think we as Cisco understand that it's incredibly complex. There's more than ever that people need to understand and act on.
But I think knowing that you're not alone, that there are other experts out there and there are places to go, you know, come to us and have a conversation and we can actually build out from there what you need to do as a business to protect your business, not protect the entire market. And don't get confused with what other people are doing. Make it tangible and make it easy for you. And that starts with having a conversation to actually acknowledge, okay, I know I need to do something, I don't know what it is yet. It's an incredibly complex space. But even just having that conversation and starting to put forward some of those really basic checkpoints, that's a great place to start in my opinion. This is KBKast, the voice of Cyber.

[00:39:51] Speaker B: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.

[00:39:59] Speaker A: This episode is brought to you by MercSec. Your smarter route to security talent. MercSec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out [email protected] today.
