"Hackers don't hack Monday through Friday, 8am to 5pm." -─ An interview with Laura Whitt-Winyard, CISO at Malwarebytes

Cybersecurity Risks and Your Small Business

Tips from the experts on what you can do to protect your business.

An interview with Laura Whitt-Winyard, CISO, Malwarebytes

Did you know that one in five small businesses is a victim of cybercrime each year? Whether it’s a hacker breaking into your system and stealing your data, or ransomware locking down all your files until you pay up, cyberattacks can be costly and damaging for small businesses. In this article, we speak with Laura Whitt-Winyard, CISO of Malwarebytes, to dive into this important issue and to hear some tips on what you can do to protect your business.

We hear a lot about security breaches in the news, and it seems to happen to large companies. Does that mean small businesses are at lower risk?

On the contrary. We aren’t hearing about this for multiple reasons: 1. They aren’t as newsworthy, and 2. Many times small businesses have breaches and they don’t even know it. The average time a hacker is on a business network is around nine months. Unless the business owner receives a demand for ransom, they may never know that they have experienced a breach. Bad actors know that small businesses are limited in staff and tools, which puts them at equal risk of a cyberattack as their larger counterparts.

What are the most common cybersecurity risks facing small businesses today?

Phishing is the number one risk facing a small business. These types of attacks are easy for bad actors to execute because a small business won’t typically have a budget for tools and training to identify and protect themselves. Additionally, if they do have a person on staff to manage their Information Technology needs, they may not have specialized training in the areas of managed detection and response solutions. This would be an area that small businesses may want to consider outsourcing to better protect themselves from data breaches. Research partners that focus on small to medium-sized businesses, as they will have a better understanding of your needs and concerns. Malwarebytes offers a whole suite of cybersecurity tooling; check that out as a starting point for your research.

With so many risks, where should small businesses focus their efforts in the beginning, considering they may have limited time and budget to dedicate to this?

I recommend finding a partner that can provide managed detection/response services. The cost of a breach to a small business averages approximately $180 per record. If a business has 3,000 customers, and assuming each customer has only one record, the cost would be $540,000. This includes legal fees, identity protection services and the expense of hiring a forensics company. Additionally, the impact of a data breach to a small business isn’t only monetary; the reputational impact is astronomical. The average small business that suffers a data breach is often out of business within one year. The benefits of working with a partner that can provide security services and understands the needs of a small business are well worth the investment considering the risks and impacts.

Our CEO, Marcin Kleczynski, created Malwarebytes in 2004 after he had accidentally infected his family computer with malware. This experience led him to build a solution for individuals like himself, and he gave it away for free. More than 17 years later, he continues to offer a free version of Malwarebytes to individuals, plus a reasonably priced enterprise-grade version for small and medium-sized businesses.

With the rising cost of hiring a dedicated security professional and the current labor shortage of skilled staff, the benefits of using an outside firm should be a consideration. Even with a full-time staff member, it is important to remember that hackers don’t hack Monday through Friday, 8 am to 5 pm.

With so many businesses operating remotely these days, are they at higher risk, lower risk or about the same?

Higher. Small businesses often have limited team members who wear multiple hats. Doing more with less is the name of the game for growing organizations, but this can open up the door for things to get missed. Cyber criminals are sophisticated in their approach, and phishing attempts can be very believable. As team members are juggling multiple priorities, it is reasonable to think that something may slip through the cracks, resulting in an accidental click on a malicious link. Adding to that, remote organizations may be using remote desktop software, and communications through this method may not be secure.

What recommendations do you have for small business owners that they can implement today to begin to protect their business, employees and customers?

Security professionals are a hot commodity in the market and garner a high price tag in terms of salary. For this reason, you may want to consider outsourcing this function to ensure you are protecting your customers’ data and your business around the clock. As mentioned earlier, hackers don’t hack Monday through Friday.

Additionally, my recommendation is to focus on training. With limited budgets, this would be the most valuable area to focus your time and resources. You can find a lot of free security awareness training modules online, and this would be a beneficial step in ensuring your employees are helping to protect the business. Training modules on phishing should be a primary focus. Educate yourself and your team on what it is, how to spot it, and what to do if a link is inadvertently clicked. Create a culture that encourages people to report those errors early without repercussion. The quicker you can spot a data breach, the more successful you will be in recovering.

I also encourage you to talk to any trade groups you are a part of. As a member of these groups, I encourage you to ask “What are we doing about cybersecurity?” This is something that is important to all businesses in all industries. The more we talk about it the better positioned we are to fight back against it. 

Cybersecurity threats are becoming more sophisticated every day. If you’re a small business, it’s important to take the necessary precautions to protect your data and your customers. Luckily, there is free training available online that can help you get started. In addition, managed detection and response services can help identify potential threats and provide support if an attack occurs. By taking these steps, you can rest assured knowing your business is doing everything it can to stay safe from cyberattacks. 


About Laura Whitt-Winyard

Laura Whitt-Winyard is the Chief Information Security Officer (CISO) at Malwarebytes. In addition to her role at Malwarebytes, Laura is a Fellow at the Institute for Critical Infrastructure Technology (ICIT). As a Fellow, she has contributed to the Cyberspace Solarium Commission’s report on cybersecurity plus The Cybershield Act S.965 of the 117th Congress. She is also an International Advisory Board Member and Women in Technology board member at HMG Strategy. Prior to her time at Malwarebytes, she was Global Chief Information Security Officer for DLL Group, Director of Security for Billtrust, and held senior leadership positions in security at Comcast and Bloomberg, LP.

Laura has been a member of the cybersecurity community for over 20 years and was featured in the book: Women Know Cyber: 100 Fascinating Females Fighting Cyber Crime. She and her teams have been nominated for and the recipients of many awards spanning multiple years such as HMG Strategy’s Global Technology Executives Who Matter Award, ISE® North America & Northeast Project Nominee & Finalist, ISE® North America & Northeast Executive of the Year nominee, CSO 50/40 Awards winner, RSA Archer Innovation Awards & Excellence Awards.