Karen Scarfone is a recognized cybersecurity expert who develops publications for federal agencies, media companies, and other organizations. She was formerly a Senior Computer Scientist at the National Institute of Standards and Technology (NIST).
Karen has co-authored over 100 NIST Special Publications and Interagency Reports on a wide variety of cybersecurity topics. In addition, she has co-authored or contributed to 18 books and published approximately 200 articles on cybersecurity topics.
Karen recently published a report on Cybersecurity Guide entitled Latest attack surface: Small business and cybersecurity.
Learn more about Karen at Scarfone Cybersecurity.
Summary of the episode
- Challenges for small businesses: Small businesses face significant cybersecurity challenges due to limited IT and cybersecurity resources. Understanding risks, vulnerabilities, and threats is a major hurdle for them. Most cybersecurity guidance is tailored for professionals, making it complex for small businesses.
- NIST cybersecurity framework: This framework, around for about 10 years, focuses on desired cybersecurity outcomes without specifying methods. It’s outcome-focused and adaptable for all businesses, but it doesn’t delve into legal or compliance specifics.
- Importance of cybersecurity planning: Small businesses should engage with cybersecurity experts for planning. Formal documentation is ideal, but at a minimum, businesses should be prepared for potential cybersecurity incidents.
- Training employees: Interactive challenge courses are recommended for training, as they engage employees more effectively than passive methods. Training should include awareness of common scams like CEO scams and phishing.
- Common cyber threats: Ransomware, phishing, and password credential theft are significant threats. The use of multifactor authentication is encouraged to mitigate these risks.
- Staying informed: Small business owners should stay updated on cybersecurity trends and threats by following resources from government agencies like NIST, the Small Business Administration, and CISA.
Here is a full transcript of the episode:
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening. On today’s show our guest is Karen Scarfone. She’s the principal consultant for Scarfone Cybersecurity in Clinton, Virginia. We’re going to be talking about small businesses and cybersecurity.
So a little bit about our guest, Karen is a recognized cybersecurity expert. She develops publications for federal agencies, media companies, and other organizations. She was formerly a senior computer scientist at the National Institute of Standards and Technology, NIST. Karen has co-authored over 100 NIST special publications and inter-agency reports on a wide variety of cybersecurity topics.
In addition, she has co-authored or contributed to 18 books and published approximately 200 articles on cybersecurity topics. Karen recently published an article entitled Latest Attack Surface: Small Business in Cybersecurity here at Cybersecurity Guide. Welcome, Karen. Thank you for joining me today.
Karen Scarfone:
Oh, thanks, Steve. It’s great to be here.
Steve Bowcut:
All right, thank you. This is going to be fun. I’m really looking forward to this. I’ve been thinking about this all week and looking forward to this conversation. So let’s start by helping our audience understand your journey, if you will, to and through cybersecurity. So how did you first become interested in cybersecurity, and then how has that affected your career since then?
Karen Scarfone:
So I was already a computer science… I had a computer science degree. I was working in IT, I was sort of like a jack of all trades. This was back in the mid-90s when companies largely weren’t on the internet yet. I was actually working for a small business, about 50 employees, and I did tech support training, software development, hardware repair, networking, like anything you can think of, I was the whole IT department, and that was a little unusual at the time.
Computer science majors were typically software developers. I was really the only one out of my graduating class that went into more of a support role. Anyway, so years went by and I ended up working for a large electric utility, and Y2K was coming.
And because of all the concerns about Y2K, the electric company started up a security team and it sounded pretty interesting to me. But I was actually cautioned by people not to go into security because they said it was just resetting passwords and “Why would I want to throw my career away to go work in cybersecurity?” And I didn’t listen. Yeah, I made the jump.
At the same time, I was working on a master’s degree at University of Idaho, and I have to be truthful, but I ended up choosing the cybersecurity concentration in their program because I didn’t have to take math classes and I didn’t have to do programming because I’d been away from programming for years.
They used Java, which I did not know at all. I’d been away from math for years. It’s not that security was the easy way out. It was certainly very challenging to study, but for me, it was the best fit. So it was just sort of the convergence of those two things that got me into cybersecurity and I was hooked, and I’ve been hooked ever since.
Steve Bowcut:
Very good. Well, thank you for that. I appreciate that. So let’s kind of dig into the topic a little bit. So as I said earlier, we really want to focus on small businesses and cybersecurity, some of the challenges for small businesses and things that they can do to protect themselves. And that’s kind of a hot topic right now, and I think we’ll probably get into that. But what are some of the unique challenges small businesses face when it comes to implementing cybersecurity measures as compared to larger organizations?
Karen Scarfone:
Unfortunately, there’s really a lot of challenges that small businesses face. Very few small businesses have a lot of dedicated IT resources, let alone cybersecurity resources. A small business with 20, 30, 50 employees isn’t going to have a full-time cybersecurity expert on staff.
So just understanding what the risks are, what are the vulnerabilities, what are the threats, how do you handle these things? Just understanding what needs to be done could be a major challenge. And nearly all of the guidance and books and all the information out there tends to be geared to cybersecurity professionals, which makes sense.
Cybersecurity is very complex and a huge domain at this time. It used to be that you could have a fairly small amount of knowledge about cybersecurity, and it was enough to kind of get by. But now the field is just so huge and there’s so many laws and regulations and you need to have an understanding of cybersecurity from a technical perspective, but also from a legal perspective, a compliance perspective.
A small company might be… There’s so many things to think about, all the different types of data that a small business might process, and securing all that data and being prepared for a million different things that could go wrong. And small businesses don’t have the tools they need, they don’t have guidance that’s understandable. It’s really a nearly impossible situation, I would say. The challenges can be overwhelming, and there are a lot of small businesses that are going out of business because they can’t meet those challenges.
Steve Bowcut:
And that’s really unfortunate. And I agree. I think that small businesses, and I think we’re seeing the numbers are starting to bear this out, that small businesses are seen by threat actors maybe as low hanging fruit because they don’t have sophisticated protection in place and they really can’t afford to do that. So small businesses, I believe, are much more dependent on their vendors, whoever provides their cybersecurity tools and consultants to help guide them through some of these challenges. So it’s a fascinating thing to think about.
So from your bio, it indicates that you spent some time working with NIST, and so let’s talk about the NIST Cybersecurity Framework, and could you briefly explain what this framework is and how it is particularly useful for small businesses or how small businesses could apply this framework to their protection?
Karen Scarfone:
Sure. So the NIST Cybersecurity Framework has been around for about 10 years, and what it does is it defines a set of desired cybersecurity outcomes. And so what I mean by outcome is it talks about the results that you’d like to achieve through your cybersecurity, but it doesn’t specify how to do it.
A lot of times that really puts people off if you tell them that, “Oh, well, it doesn’t tell you how to do things.” People would like to be told how to do things in many cases. You’re looking for someone to tell you, “How do I achieve cybersecurity?” And the guidance back is, “Oh, well, here’s a bunch of things. You have to figure it out yourself.” But-
Steve Bowcut:
Yeah. Here’s the outcome you’re looking for. Good luck. Right?
Karen Scarfone:
Yeah, yeah. And that’s again, a huge challenge for small businesses. A large business has the staff that can figure that out, can figure out what the best implementation is whereas a small business doesn’t. But the problem is the cybersecurity controls that I would recommend that say a small medical office implements, versus a freelance photographer versus a small retail shop. They have fundamentally different challenges. They have different types of data that they’re dealing with — I would have fundamentally different recommendations for each of them.
And it depends what software they’re using or what hardware they’re using. And there’s so many factors that it’s just impossible to have one recommendation out there that just magically says “Okay everybody do this thing and you’re going to be secure.” Unfortunately, it’s a lot more complicated than that. So the cybersecurity framework is this outcome focused so that it does work for everybody.
Even a small business can look at the outcomes or have a consultant say, who’s helping them look through outcomes and understand, “Oh, okay, I have to protect my data. I have to patch my systems.” It covers throughout the whole security life cycle, all the things that any organization really needs to do. And part of the reason for the cybersecurity framework is to improve communications so that cybersecurity professionals and other people who are highly technical, people in management, people in the business side can all talk to each other.
And a lot of… Oh, I’m sorry, go ahead.
Steve Bowcut:
No, that’s interesting. It just made me think, one of the things that I worry about is probably not the right word, but I think about is compliance. So small businesses have data and then they have to comply with government regulations to protect that data.
Does the NIST Cybersecurity Framework help them understand the regulations they need to comply with? Or does it just help them protect their data generally, but they need another source to tell them “This kind of data is PII, so you can do this with it, but you can’t do that with it. If you’re doing business overseas and there are these kinds of restrictions.” Does the framework get into that or is it basically just how to protect data and then you have to figure out what data you have to protect?
Karen Scarfone:
No, it just focuses on the outcomes and protecting your data and your systems. It does not get into the specifics of laws, regulations, and the like, because it would be, I keep saying the word impossible, but it would pretty much be impossible to keep track of all the security privacy laws all around the globe. And they change all the time.
It depends on something like GDPR, which is the big privacy regulation in Europe, it’s not whether you do business in Europe. It’s whether you have people from Europe that are doing business with you. There’s a lot of laws out there like that, and keeping track of them all is daunting. There are great websites out there with information about cybersecurity laws. There are places like that to go that keep up with that. The framework gets updated about every five years.
Steve Bowcut:
Oh okay, so you need to stay on top of that as well if you’re a small business owner?
Karen Scarfone:
Unfortunately, yes.
Steve Bowcut:
So let’s see if we can offer some tips. So let’s talk about the importance of having a cybersecurity plan in place for small businesses and maybe some tips or things that they can do to manage this.
Karen Scarfone:
Yeah. There are some guidance documents and articles, white papers and such out there that can help you to do cybersecurity planning for small businesses. But a lot of it, I think is best done by engaging with a cybersecurity expert and a consultant, let’s say, and meeting with them and talking about what your business needs.
I’m a small business owner, I’m self-employed and I’ll get requests for copies of my disaster recovery plans and all sorts of things, and I just don’t have those things. And it’s not that I haven’t thought about them, it’s just that I don’t have everything formally documented. And I think that would be my top recommendation.
It’s not so much that you have a formal plan in place, although that would be wonderful, it’s that you’ve thought about it. You’ve thought about what could happen, and you’ve made some preparations for those things, you have backups of things. You have… I had an issue some years ago where I lost access to my email account, my business email account. That was a huge problem because the response that you get back from the vendor is, “Oh, well talk to your tech support.” I’m like, “No, no, no. I am the tech support. I’m-”
Steve Bowcut:
“I am the tech support and that’s why I’m calling you.”
Karen Scarfone:
Yeah, exactly, “That’s why I’m calling you.” And we just went around and around and around and you take these things for granted. I’ve worked in big companies and hey, anytime you have an IT problem, there’s always somebody you can call. But small business, it can be very different. And you may make assumptions about data being automatically backed up and preserved, things like that, that turn out not to be true. So you really-
Steve Bowcut:
And it’s just-
Karen Scarfone:
… need to educate yourself.
Steve Bowcut:
I suspect that there are, and more and more, instances where small businesses need to provide some kind of documentation. So I’m envisioning in my mind a small business who does business with a large business, and that large business now looks at them as a third party vendor and they want to know that this small business is protecting the data that they’re going to be exchanging one with another to do business.
And so more and more I suspect small businesses, if they haven’t already, they’re going to be faced with those kinds of challenges where they need to show their customers, the large business, that they are protecting the data and that their software is secure and all those kinds of things. Have you seen that kind of thing to be true?
Karen Scarfone:
Absolutely. I’ve noticed a sharp uptick in requests I’m getting maybe in the last three to six months from small businesses who are being asked to state that they comply with sets of requirements and they just do not know where to start. And I’ve taken that and it’s really concerning to hear that.
I never thought about it that much before, even though I have my own business. I never really thought about what a burden that is. But I’ve had some people approach me who work for small companies who are subcontractors or vendors for large companies who themselves are government contractors.
Steve Bowcut:
Yeah, there you go.
Karen Scarfone:
Then they’re passing down those government requirements to these small businesses and they have no idea what to do.
Steve Bowcut:
Yeah. Anybody who’s tried to understand a government requirement, reading it out of a document it’s… Can relate to that. It’s almost impossible to understand what the government even wants.
Karen Scarfone:
But this is the livelihood of these businesses. These are huge customers that they want to sell to. And you can’t just say, “Nope, I’m not going to sell it to you anymore.” You have to find a solution to the problem, but yet-
Steve Bowcut:
Yeah, exactly.
Karen Scarfone:
… they’re being asked to attest that they comply with requirements that they don’t even understand what the requirements are.
Steve Bowcut:
Exactly. So I think we’ve talked about some of the misconceptions that small business owners might have, but are there any other misconceptions about cybersecurity needs or risks that you’ve run across with small businesses?
Karen Scarfone:
Definitely one is that the mentality that, “Oh, no one’s going to target me. I’m a small business.” That’s really common, but I think that’s just human nature. You think, “Oh, well why would anybody-”
Steve Bowcut:
That’s true we always-
Karen Scarfone:
Yeah.
Steve Bowcut:
Why would anybody? But I think we have to realize that data is now the currency that the threat actors are after. And you don’t have to be a large business to have access to or be responsible for, I guess is a better way of saying it, large amounts of data. A few guys with a website, if you’re collecting personal data from people then, and of course that’s how businesses do business with one another is they exchange data. And so having the data has value. So it doesn’t really matter the size of the business, it’s more the data that you have and are responsible for. That’s interesting.
Karen Scarfone:
Yes, yes. And things like ransomware attacks have become a real problem for small business.
Steve Bowcut:
Oh, man.
Karen Scarfone:
It’s a case where an attacker may purposely target small businesses because they know that they may lack the cybersecurity resources and blocking access to their data and systems may effectively put them out of business completely.
Steve Bowcut:
Exactly.
Karen Scarfone:
So these are people who are maybe more likely to pay ransoms and go along, not involve law enforcement or others and just say, “Hey, I’ll just pay you, give me back access.”
Steve Bowcut:
Yeah, that’s interesting-
Karen Scarfone:
It’s a terrible situation to be in.
Steve Bowcut:
Yeah. And I often wonder, and I don’t expect you to have these statistics at your fingertips, but I often wonder how often that happens that we never hear about it, right? How many small businesses are being affected by this? And as you indicated, they just look, “All right, I’ll just pay it and take the hit because if I don’t, I’m out of business and I don’t have the time to fight it. I’ve got to open back up.” So it’s a scary and unfortunate situation. All right, so training. So let’s talk about maybe some examples of how small businesses can effectively train their employees. We always hear that, and I don’t like this expression at all, but that the employees are the weakest link. I think the employees are as good as the training that they get.
And so how do you train your employees to be more aware and cyber-hygiene, those kinds of things?
Karen Scarfone:
So there’s certainly lots of training providers out there that have courses available that you can take online. And I would recommend, my personal preference, what they call challenge courses. So a standard training class is very passive. You’re sitting there and you’re looking at slides and listening to someone talk for an hour, and then you’re done.
A challenge course is more interactive where you’re given scenarios, someone’s talking, maybe you hear a simulated conversation between two people who one of them is an attacker trying to trick somebody on the phone, let’s say, to fish information out of them. And then you’re asked how you would respond in given choices. So it’s a more interactive, engaging and as much as training can be entertaining way to get the messages across and to get people actually more engaged in thinking about the situations and answering the questions.
So I definitely favor challenge courses as a more effective way to do training. I also strongly encourage, especially small businesses to make sure that their training includes things like all the CEO scams that have been going around.
These are things where you’re trying to trick someone into doing a wire transfer, a bank transfer, other things like that. That would definitely be a common target in a small business because it would be relatively easy to know who to contact. And all it takes is one mistake for a lot of money to be gone and be unrecoverable.
Steve Bowcut:
Yeah.
Karen Scarfone:
So-
Steve Bowcut:
And it seems like a lot of that is probably just making people aware. If you’re aware that those kinds of scams are happening, then you’re more apt to stop and think, “Now wait a minute, how do I know that this is real?” It may seem real and it may seem urgent, the thing that you feel like you may want to do to make business run smoothly. But if you know that there’s a scam out there that is operating on that kind of a basis, then I can see how that would be helpful.
And also, I know there are some training courses that use, for example, they’ll send emails and try and phish and then they see if you fall for it, right? Then they report that back to your employer and then… Have you seen those kinds of tools be effective?
Karen Scarfone:
I’ve had clients who do phishing tests, I personally find them useful. There are people who actually don’t really like them. One thing that it sort of encourages you to do is if you know that your organization is going to do testing, maybe you start really looking at every phishing email and really scrutinizing it to try to find out if it’s real or not, versus just ignoring things that go in your spam folder. And so in a way, it can get you to actually spend more time interacting with suspicious emails than you would otherwise.
Steve Bowcut:
That’s interesting. And I know I’ve also heard people say that sometimes it could be a negative experience for the employee depending on what happens with that information. If you fail the phishing test and now you have a demerit at work, or it goes in your permanent report or your file, that kind of thing. That can be very discouraging for employees.
Karen Scarfone:
Yes. One thing that’s critical for small businesses is to not make it a punishment culture. Mistakes are going to happen, incidents are going to happen, you’re going to have problems, whether it’s caused by human error or other reasons, bad things are going to happen. And so you need to be adopting a mindset and a culture of being prepared for the bad things that are going to happen.
Steve Bowcut:
Yeah. So we’ve talked about business email compromise. We’ve talked about phishing emails. What are some of the other cyber threats that small businesses face and how can they mitigate these risks?
Karen Scarfone:
Ransomware, phishing are definitely way up there on the list. Certainly password credential theft is still a big one. Everyone continues to be encouraged to use multifactor authentication, things like that that make it less likely that someone’s going to reuse a password and get into your accounts. So that’s certainly still out there.
Steve Bowcut:
Yeah. And that’s an interesting one for me as well. Just from my personal experience, I have literally hundreds, and I think most people have different passwords, and I wish I could say that they’re all unique, but they’re not. But most of them are because I’m in the business, and so I try to keep them as unique as I can. So do you favor password managers or-
Karen Scarfone:
I do.
Steve Bowcut:
Do you. Okay. Because not-
Karen Scarfone:
I do.
Steve Bowcut:
… everybody does, and then things happen like the LastPass breach, and then everybody’s like, “Oh, see, I told you, you shouldn’t have used that.” Personally, I use LastPass. I love it. It seems to work for me as I don’t know how else I could manage the hundreds of user credentials that I have to manage without it.
Karen Scarfone:
Yeah.
Steve Bowcut:
All right. So I think we’ve probably talked about most of the ways that owners can stay up to date with trends and threats, but is there anything else that you can think of along those lines? If I’m a small business owner, how do I even just stay on top of this stuff? Do I have to subscribe to some different websites? What do I do to even know what the threats are?
Karen Scarfone:
There are several government agencies including NIST, the Small Business Administration, and CISA, which is the Cybersecurity Infrastructure Security Agency. I have a feeling I didn’t say that quite right.
Steve Bowcut:
Cyber Infrastructure Security Agency, right?
Karen Scarfone:
Yes. But there are government agencies out there who are actually here to help you. And for example, NIST has their small business corner, and it’s a website with resources all dedicated to small business cybersecurity. And certainly the Small Business Administration has many articles and other things online that are specifically intended to educate small business owners and provide them with guidance on the most important things that they’re facing today in terms of cybersecurity.
Steve Bowcut:
Yeah. And I know that CISA will do that as well. You can subscribe to their alerts. And so if you don’t… Obviously if you’re a big enough company to have a security team, they’re going to be doing that, right? But if you’re not, if you don’t have a security team, if you’re a small business owner who’s trying to do this himself, I would recommend that you subscribe to these alerts and then at least you’ll get the emails and you’ll be able to say, “Well, does that apply to me or not?” And they’re usually pretty easy to understand.
Karen Scarfone:
That’s right. NIST is also just standing up a community of interest for small business cybersecurity.
Steve Bowcut:
Oh, very good.
Karen Scarfone:
And I would expect that, say CISA would probably give you more, “This is the major bad thing that’s happening right now that you need to know about,” more of those sorts of alerts. Whereas NIST is going to be more on best practices and guidance and also announcements of events and things like that. They have events targeted for small businesses to bring together people and learn and as a community discuss these topics.
Steve Bowcut:
Very good. Okay. All right. Let’s see if we can capture some resources that you might recommend for small businesses. Are there tools, vendors that you found that work really well or programs that you found that work very well? Even books or websites, any kind of resource that you would recommend for small businesses?
Karen Scarfone:
I shy away from recommending specific tools-
Steve Bowcut:
Specific tools, yeah.
Karen Scarfone:
… or resources. Unless I’ve used them myself and can vouch for them myself, just not comfortable doing that. But there are definitely companies emerging that are focused on small business cybersecurity. Now I’m more used to saying, Office 365, those sorts of things. Okay, well, we’ll have Microsoft take care of our email and they’ll take care of the cybersecurity concerns for that email.
And that’s a great step. But there are businesses out there that are actually heading more toward a managed security service provider model for small businesses, which is really interesting. But I think that’s an emerging field, and it may take some time for the vendors in that area to mature, but I’m definitely looking into it and trying to find out what the state of the art is.
Steve Bowcut:
Yeah, and it certainly makes sense because I know small businesses have done that in lots of different areas. Maybe not cybersecurity so much, but they’re tending to do that now. If you don’t have a security team, then what you want to do is find someone who will do that for you so you don’t have to bear the entire cost of a security team. You’re sharing that with other small businesses that this particular vendor caters to. So that can be helpful as well. Okay. Well, let’s try and end here. We’re about out of time, but let’s try and end on a high note.
Are there any success stories or case studies with small businesses that have effectively implemented cybersecurity measures that you’re aware of?
Karen Scarfone:
So for whatever reason, I only hear the bad stories.
Steve Bowcut:
Yeah, that’s true. In your role, I can see where that’s true. That is the depressing part of being a cybersecurity consultant. Nobody wants to talk to you when they don’t have a problem. They want to talk to you when they’re circling the drain. I understand.
Karen Scarfone:
But I would take this opportunity to say, I would love to hear from small companies, small businesses that are making cybersecurity work. I’d love to hear what you’re doing and how you’re doing it, and hopefully help share that information with the larger community. So anyone’s free to contact me, my email’s karen@scarfonecybersecurity.com. I would love to hear what’s working for you, but also hear what’s not working for you. I am always fine with hearing complaints and questions and people wanting to know, “Can we do better?” Because I know we can do better.
I think small business cybersecurity has been largely put to the side for a long time for a lot of reasons. And we’re finally at a point now where we really need, as a whole security community, to pitch in and all do our part to help small businesses improve their cybersecurity. We need to all help protect each other.
Steve Bowcut:
Excellent. I love that idea. So thank you very much, and thank you, Karen, for being with us today. This has been a blast. I appreciate it. I’d also like to thank our listeners for being with us. Please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.