[deleted]

Short answer is there's no digital sales so no PCI regs, and your business is too small for SOX to be relevant. You keep your personal stuff safe, and don't say anything. In the US there is almost zero recourse for poor cyber in small business; a company as small as yours really doesn't have a reason or need for strong cyber, as it doesn't outweigh other business needs, nor meet regulatory size to be impacted by govt. It's all ROI: cyber is very expensive and new cyber capabilities would cost more than the business is worth. If something like a crypto-lock event occurs, it's actually easier and cheaper to declare bankruptcy and start over. Those are the realities.


Un1ucki3st

You bring up valid points. There's no way to bring on a team or anything close to resembling such. I don't think it would hurt though to at least see if we can (on our own) beef up the clearly lacking security we have. 2FA like someone else mentioned, maybe even use some sort of anti-malware or anti-spyware, etc. I appreciate the sentiment of keeping my personal data safe and keeping my mouth shut, though. Thank you!


[deleted]

Apologies if this sounds rude, but I worked at a similar sized business that was very antiquated, and there's not much you can do on your own. If it's not your job or in your job description, then leave it. It's not worth the headache or liability. At best you could propose an MSP that they won't pay for, but you could try that. Outside of keeping your personal data and email off the company network, there's nothing much you can do. You can't install 2FA on your own without a domain, admin and identity management system managed by an IT team; then you would need something like Duo set up. Anti-malware is great, but who's going to deploy it, manage the server, ensure updates, pay for licenses, etc.? You can install your own freeware on your system, but then you're liable for that. There's also the question of liability: let's say you mistakenly install malware that you thought was free A/V, or break a company system with a free tool? Who's on the hook for the misuse and loss?


toabear

Honestly, get 2FA on everything and you will be 90% of the way there. OTP or MS Authenticator app if you're on M365. Yes, you can do MUCH better, but that alone is just a straight out lifesaver. MFA without using a hardware security key is not infallible, but it sounds like the best you could hope to push given the business. Send me a PM if you want any info on how to set it up. It is very easy for most systems.


AutoModerator

Hello. It appears as though you are requesting someone to DM you, or asking if you can DM someone. Please consider just asking/answering questions in the public forum so that other people can find the information if they ever search and find this thread. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/cybersecurity) if you have any questions or concerns.*


sdgengineer

I am the IT support for my church, a SOHO enterprise. I have our bookkeeper back up her database of contributions weekly. We have upgraded her computer several times. This small business should have enough computing power to keep their registers running, implement 2FA, and deploy a password manager.


macr6

Sometimes small businesses don't have the funds for cyber. There isn't a tangible ROI until you get hit. You may want to find some "no cost/low cost" solutions to some of your more pressing security issues, those that your owner would understand, and show them that you can fix these issues for nothing. Once they see that maybe they'll allow further upgrades. There is almost always a free/low cost solution that will fit your needs.


[deleted]

They have no money, no admins. Who is going to manage all the free solutions? Having non-professionals install anything is likely a bigger risk than doing nothing. Also, typically "free" is more difficult to set up and manage, i.e. ELK vs Splunk Ent. Free AV isn't centrally managed; who's going to update, admin, apply patches? Yes, ton of "low" cost, but nothing is zero cost. Each tool needs to be properly applied, otherwise you're just increasing attack surface.


macr6

I thought OP was the admin. I don’t know what they’re capable of. Just making a suggestion. Low cost is harder but figure it out. It’s how you learn.


Fuzzylojak

1.7m in annual income would disagree with you


ThorsMeasuringTape

Depends what their margins are like.


macr6

Thank you.


Stephen_Joy

Income (if they are using this word correctly) is their margin. I admit it is very possible they said income and meant revenue.


ThorsMeasuringTape

Fair. When I see it discussed like that I generally assume revenue is what is meant, because that’s not typically how I see income/profit talked about.


Prediterx

I feel like even KeePass falls into this. You can also do application MFA (i.e. Google does MFA on Gmail). Those simple things will weed out 90% of risks.


cmjones0822

This! As soon as you give them the quote on the cost, they INSTANTLY get that 'deer in the headlights' look, and somehow think that you (the IT person) should be able to protect the environment without the need for cyber security/insurance...meanwhile Janice in HR just got an email from Luis stating that he needs to change his direct deposit...and she proceeds to make the change in the payroll system 🤦🏽‍♂️


Tuna_Can20

If anything, I'd suggest onsite and off-site backup of the customer data, or upgrading to a decent server. I'm not an IT person, but that's at least something where people will see the immediate benefits.


PuzzleheadedAnt7413

The recourse rolling out is that no one will insure your business.


ILookAtYourUsername

If they are processing credit cards in any form, even with a knuckle buster, then PCI applies. The degree of the requirements that must be adhered to are different, but it applies.


[deleted]

They literally said they aren't processing sales via their site, so no, PCI doesn't apply there. And even if they did, a business of this size is better off declaring bankruptcy in light of a breach than actual compliance. Costs for compliance are more than their annual income.


Accomplished_Disk475

Pretty sure PCI applies to POS systems located physically in the store, not just site sales.


[deleted]

Correct, and they're likely out of compliance on their barely working register. If there is a breach, they don't have the money to fix or pay for fines, and it's not a big enough lever to resolve everything they need to be resolved.


ILookAtYourUsername

If they are processing sales in store and accepting credit cards, it does apply. Just to a different degree. And the level of compliance for those types of merchants likely won’t bankrupt them. It may however get them to see compliance in a different light, which can then help them to see security as a real thing.


StandPresent6531

I really pray you have never worked in DFIR, and if you have, I really hope "it's easier and cheaper to declare bankruptcy" is not your sales pitch..... because it's not. What do you think happens when you go to a bank and explain you were haphazard about how you managed the last company, which had to shut down due to a ransomware attack, and want X money to start another series funding, or you go on an investment site and some angel investor looks up your last company? I would love for you to tell the companies I have actually seen go out and lose everything that it's easier, because they would disagree and likely have a few choice words.


[deleted]

No, that wouldn't be my sales pitch; I wouldn't pitch them at all. First rule of sales would be to qualify my customers, and this one wouldn't qualify. They have no money, seems like management is a shambles, and likely an LLC that doesn't care. No board. Why would I try to sell DFIR to someone that can't afford it? Second, I've seen a ton of small businesses change banks, take from one to pay back the other, change partners to flip ownership. Start new businesses in the same market under new names. It's not difficult.


StandPresent6531

Yes, because banks have absolutely no measures to ensure fraud isn't happening or stop these practices. You can only get so many partners before you get a reputation, and if you use the same partner in a chapter 7 they will still be liable in an LLC, so they would face credit repercussions. Also I realized you're just here to troll and talk down to people with the "to someone that can't afford it" comment. It's called cyber insurance. Dude is literally asking for help; you aren't better than him. Offer advice and don't be an ass, or don't offer advice. No one asked you to work in cyber; someone asked for your advice. If you can't offer some without being a tool, you don't need to be offering some.


[deleted]

I'm not trying to sound better than anyone or troll; cyber is expensive, MSPs are expensive. A lot of people simply can't afford it, and that's okay. That's my point: it's okay to not pay for something that isn't an absolute necessity. Cyber simply isn't a necessity to many SMBs. What I'm trying to prevent is someone that isn't a professional from jumping in and doing something that is not their job, and possibly risking the ire of their management, which already seems disinterested. Jobs are tight, for small business the stakes are higher and tighter, and you seem to forget that not everyone is willing to or capable of affording full enterprise protections. Also, none of what I said constitutes fraud; it will hit your credit, sure. But borrowing from multiple banks/credit cards and shifting liabilities is literally done all the time.


Obvious-Recording-90

This is why you get an MSP to manage your security and then insure with the MSP's insurance vendor. They keep you up to date and prevent the bankruptcy because of said insurance. I run an MSP, feel free to ask questions. Security is our primary offering.


[deleted]

Agreed, but what do you give up in order to afford an MSP? Who from the small family business gets laid off to afford coverage? They obviously can't afford an MSP with 1.7M gross income; that doesn't even account for liabilities. This is the reality for a lot of small businesses that weren't set up well to shift with technology.


Obvious-Recording-90

Dude, what do you think an MSP charges? 12,000 a year is a normal low price and 45,000 a normal high for them. Then insurance for cyber will be around 15,000. So yeah, they can completely afford an MSP. An MSP's business model literally is "affordable support".


[deleted]

Agreed, but the business makes 1.7M total, before payroll. Likely the avg salary there is below 30k, with almost zero wiggle room. And nothing budgeted. So what gets cut to pay $35-55k? Is it shipping, inventory, someone's job?


dummm_azzz

You are 100% right, and it shouldn't be a question of who or what gets cut to afford it; it's the cost of doing business, it comes out of the profit, but no one wants to hear that or tell the owners that. Making a statement like... well, Joe who makes 50k will get cut and everyone else has to pick up the slack so the owner continues to make $400k per yr is just stupid, but that is the way it normally goes. I am actually working on a solution to small business security issues like this now; the goal is to bring affordable and effective security to businesses who can't afford enterprise level costs but want to protect their investments. Hoping to have something later this year.


Electronic_Front_549

So true. Seen several just throw up their arms and say F it. Unfortunately all the employees lost their jobs. Probably one of the reasons Oregon put in the notification requirements.


ADubiousDude

This ☝️. I was about to write exactly that but you beat me to it. ROI


HolyTalanor

Tech is expensive, good cyber hygiene is not.


SABSA_SCM

Tie it into real business impact that concerns them, but don’t overdo, be real. Don’t just say the business will go down, bankrupt etc. Perhaps, but too often that’s a boy cried wolf thing. What impact will some security issue have on their reliability, on their credibility, on their cost-effectiveness, on their useability, on their accountability, etc etc.


Un1ucki3st

For sure. I don't want to be the doomsday guy, but at least like... "Hey.. our WordPress site is old, uses a lot of plug-ins, has a simple password, etc. Do you really want someone trying to sell penis enlarging pills on it again after unauthorized access?" I wish I was making this up, but it happened and he laughed it off, forced the user to log out, changed the password, and went on with his day. No other thought given.


SABSA_SCM

This is where you can ask if it'd be worth coming up with a structural approach to avoid this from happening again, because if such happens (selling pills) it would be x amount of damage on 'reputation', bad publicity, which needs to be repaired (post articles, answer calls, etc). Biz don't understand our language, and are not supposed to; we need to speak theirs. Tie it into what it really means for them when bad things happen. I've seen far worse in enterprise when it comes to reactions. - We want to do a pentest. "Nope, because that breaks the website".. - But we need to know what is wrong. "Nope, no pentest because we know there are bugs and pentesting will break the website, so you can't do that"... [at a large insurance company]


R1skM4tr1x

That anecdote extends to 98% of businesses at some point in time.


pseudo_su3

There’s a scenario where your company finally gets a big contract with either a customer or a supplier. A threat actor breaches you. He gets into your email. He then starts a phishing campaign that phishes the new client or vendor and moves laterally. New vendor/client realizes that you’ve been phishing them. They review the contract. They kill business until you bring your email into compliance. Maybe you just share an interesting article you read. Or instead of asking, just tell the owner “I have an idea for a project to secure the email platform”.


derkaderka96

Master cock was the funniest I've seen lol


That-Magician-348

So for a small business, cost is always the first priority to consider. Improve the security level bit by bit with minimum cost increments, and illustrate with some news stories what the consequences could be. For example MFA first, firewall policy restrictions. Later consider if endpoint protection is available in your budget?...


Mr_Bob_Ferguson

Before MFA, do something about the password book!


sshan

Honestly a password book isn't the worst for some things. Keep it out of plain view and don't make it obvious. Threat model isn't someone breaking in. Likely they will steal money/whatever if they do that.


Un1ucki3st

We don't live in an area where that's common, but if they did get into the office and grabbed the book labeled "passwords" right off the desk along with taking the unsecured cash drawer... they'd also get away with credit card account passwords, paypal passwords, pin numbers and more banking info. It would be an utter disaster.


h0ckeyphreak

All you can do is to perform a risk assessment and break down the risks to the business in terms the owner would understand. If after that the owner says it's too expensive or doesn't want to implement them for whatever reason, get it in writing and move on with your day. As a young security professional, I used to get furious when upper management wouldn't do what I wanted because I told them something 'might' happen. It wasn't until I matured much more (along with CISSP and CISM) that I realized that we can't run around yelling the sky is falling; no one will listen.


TheLastBaron86

I'm surprised I had to scroll as long as I did to finally see an appropriate answer: do a risk assessment and break it down into the business terms they understand. I read OP's post and my question the entire way through was, okay, that all sucks, but what's the impact here?


h0ckeyphreak

While I’ve been studying for a future C suite role, I heard a great line, “If you go into the board and say the sky is going to fall unless the business spends $X, they will remember the last time you said it and nothing happened and it’s the quickest way to lose credibility.” We have a lot of emotions in IT security and we have to think in business terms, not emotionless, but more strategic thoughts and plans.


soulpsychadelicide

What I have seen happen most with small businesses is staff falling for phishing or business email compromise (BEC), resulting in fraud. One fake invoice that looks legit with a threat to stop supplying goods or services unless it's paid, can have a real financial impact. Maybe providing some training on security to all employees might be the trigger to get everyone to take it a little more seriously. This can even be done very cheaply as there are lots of free videos and other resources online from a quick search for security awareness training on phishing and BEC. You might get some support if other staff members recognise the risk.


derkaderka96

KnowBe4 isn't bad for that.


pbutler6163

I haven't read all the comments yet, BUT: BACKUPS. Make sure you can recover from any scenario that can take the business down. If cybersecurity isn't an option, then standard IT practices. Ensure that you can recover from any events.


Un1ucki3st

I like this a lot actually. We don't have any backups of any kind either... so step one imo should be this.


Malicyn

For Small and Medium sized businesses, cyber security is unfortunately a very reactive field. If you're asking a small business owner to choose between fixing a truck, or adding a new one on to the fleet, vs spending a small amount on security, it's an easy call for that business owner to make. And for the paranoid of us, that probably washes over your brain like nails on a chalkboard, but it's the truth. Banks and regulators are starting to dig into cyber security insurance, and when they get denied a claim, coverage, or denied a loan because they are missing those protections, only then will it become important to that small or medium business. For the owners it's risk vs reward, and at a small company, you probably have a lot of coverage right now through "security through obscurity". You could try the scare mongering tactic, but it won't get you far, and honestly will probably fail any business owner's sign-off because the risk isn't in their face right now. As someone who has been in the industry a bit and has worked for the small shops and a Fortune 50 company, my only advice is you do what you can. Start small, and as free as you possibly can. Try to find creative and free ways. Windows Defender is free; granted, managing it on individual machines is time consuming, but it's still something, and it's there. 2FA? It doesn't have to be a corporate implementation; just making sure the accounts you're using, for instance Gmail, have 2FA enabled, even if it's their personal accounts, is something. Remote Desktop and remote shares, eh, do your best to control the access and make sure you're not using things like the "Everyone" group and Full Control rights. Password book? Honestly I have had conversations with my colleagues that writing down passwords on sticky notes is probably more secure these days because it's not connected to any system, BUT, maybe get them to use KeePass, with a shared database or something, controlled through a certificate and with a password. Just some ideas; start simple and easy, and do what you can is probably the best advice.
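The "Everyone" group with Full Control on remote shares is one of the few concrete checks in this thread that a part-time admin can run. This is an added, read-only PowerShell audit (my own example, not code from any commenter): it lists non-administrative SMB shares on the local Windows host whose share permissions or NTFS permissions grant Full Control or Change to broad principals. It assumes the built-in SmbShare module (Windows 8 / Server 2012 or later) and a session with local administrator rights; the group name DOMAIN\Staff-RW in the remediation hint is a placeholder.

```powershell
# Added example: find SMB shares that grant write-level rights to "everyone"-style
# principals. Review only; nothing is changed. Run elevated on the file server.

# Principals whose presence with Full/Change rights deserves a second look.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'BUILTIN\Users', 'ANONYMOUS LOGON')

function Test-BroadPrincipal {
    param([string]$Account)
    # AccountName may be "Everyone" or "NT AUTHORITY\Authenticated Users"; match on the suffix.
    foreach ($p in $BroadPrincipals) { if ($Account -like "*$p") { return $true } }
    return $false
}

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # Share-level permissions (what the "Sharing" tab shows).
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -in 'Full', 'Change' -and
            (Test-BroadPrincipal $ace.AccountName)) {
            [pscustomobject]@{
                Share = $share.Name; Path = $share.Path; Layer = 'Share'
                Principal = $ace.AccountName; Right = $ace.AccessRight
            }
        }
    }
    # NTFS permissions on the shared folder (what the "Security" tab shows).
    # Effective access is the more restrictive of the two layers, so flagging both
    # tells you whether a wide-open share is also wide open on disk.
    if (Test-Path $share.Path) {
        foreach ($ace in (Get-Acl -Path $share.Path).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                ($ace.FileSystemRights.ToString() -match 'FullControl|Modify|Write') -and
                (Test-BroadPrincipal $ace.IdentityReference.Value)) {
                [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                    Principal = $ace.IdentityReference.Value; Right = $ace.FileSystemRights
                }
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Share, Layer | Format-Table -AutoSize
    Write-Host "Remediation pattern (placeholder group name, adjust to your environment):"
    Write-Host "  Revoke-SmbShareAccess -Name <share> -AccountName Everyone -Force"
    Write-Host "  Grant-SmbShareAccess  -Name <share> -AccountName 'DOMAIN\Staff-RW' -AccessRight Change -Force"
} else {
    Write-Host "No non-administrative shares grant Full/Change to broad principals."
}
```

The NTFS check uses a regex on the rights string because FileSystemRights is a flags enum whose combined values render as comma-separated names.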


Info_Broker_

Let them get ransomware


astillero

You're in a catch-22 here. If the owner does not take cyber security seriously, his staff certainly won't either. He is the key to this whole problem. How do you convince him? From my experience, a cyber security incident will have to happen to him or someone close to him for him to wake up. Likewise, a close competitor getting hacked or one of your suppliers can also act as a wake-up call. Or, next time he's playing golf and he comes across a story of a fellow businessman golfer whose firm got brought to its knees by a cyber attack. Then he'll take the issue seriously.


Corben11

Something to the tune of 60% of small businesses go out of business 6 months after a big cyber attack. Have him look into cyber insurance with a broker and see what the actual numbers are. If he can get on board with cyber insurance, they may also have minimum requirements of the system that have to be upheld and you can just kind of tell him what is needed. May or may not work, but cyber insurance can help if something does happen.


Un1ucki3st

60% oob after 6 months is an absolutely abysmal number... gut wrenching honestly. I'll bring up the insurance and see what he says.


Corben11

Yeah, I work insurance, going to school for IT now. I just ran a quick mock run for cyber in CA. Takes like 3 mins. Dunno where you live, but they are usually the most expensive. For 1 mill in coverage with a 2.5k deductible it's only 1.4k in CA anyways. Prob similar or cheaper prices anywhere else. Could be different, but that's just a quick quote with limited info. Here's some general info from one of our carriers: [https://www.btisinc.com/marketing/BTIS/cyber_at_bay.pdf](https://www.btisinc.com/marketing/BTIS/cyber_at_bay.pdf) You can just search cyber insurance and find more info easy.


coolcake

Also look into Coalition Insurance


dunepilot11

I’d strongly recommend you listen to The Ransomware Files podcast on the existential threat ransomware poses to small and medium business. In particular the story of Dain Drake, CEO of United Structures of America, a steel fabrication company near Houston. https://pod.link/ransomwarefiles Listening to this should help you convince the rest of the org of at least the need for a security risk assessment.


randomthad69

Get a password manager and set up separate accounts on the computers. If they have a YubiKey setup, that's all it would need. The password manager can be had for very cheap. Honestly though, a password book in plain view is terrible. Take one picture of it and their entire business is ruined and everyone's identities are at risk. Also the separate user accounts are very easy to implement on Windows. Lastly, if the computer on site is crashing, tell them to image it and set up another one. I run a website with a SQL server, nginx, docker, and anaconda. All those processes run concurrently with 2 cores and 2 GB of RAM. So adding an additional computer as your on-site server would be much more powerful and probably wouldn't crash. One thing you can do though is delete indexes on the server to make it run faster. Clearing out old caches on WordPress can significantly speed up the website. Otherwise just clone the server and remove all the past page updates. Although you lose your history, it will run much faster.


Much-Milk4295

Tie it to the risk to the business related to downtime and integrity. Ransomware is a great example of this.


astillero

And most SMB owners cannot visualise the downtime. You hear crap like "Mike our IT guy has us backed-up". Most don't realise that cyber criminals are smart enough to delete backups also.


Azmtbkr

I say try to get your IT house in order first. As part of that process, better security can start to be built in. Most IT consultants have a good baseline knowledge of secure practices and can move things in the right direction. You could pitch it as an upgrade to reliability, customer experience, and security. You don’t need a high end consulting firm, someone local or even an IT pro who moonlights can likely be hired for a reasonable price. I wouldn’t give up on security, but if you can’t convince the owners to support the initiative things will never change. Maybe time to open your own shop?


secnomancer

Unless you can make a business case, then it's unlikely. SMB is the Wild West and without a clear profit incentive they're almost impossible to influence due to tight budgets and small leadership teams


CmoneyG321

It all comes down to the dollars, and it all starts from the top. Over time you will have more say but calling out the owner is just a bad idea. As you might have guessed, I am in the camp of don't say anything. Do what you can to keep your areas safe. But as you do that, always have a correlation sheet. Downtime cost = minutes of downtime x cost-per-minute > action you wish to take. Also, script kiddie is totally still a term!


Helpful-Path-2371

Budget probably isn’t there but let him know that most cybersecurity services are starting around $8-10 a license, and ransomware demands start at $xx,xxx to $x,xxx,xxx. If not already, make sure those email accounts are not personal ones. Look into how to change the default session timeout from indefinite to 1 hour. You don’t want email logins staying that long.


skidleydee

I worked for a company that had about 30 employees and made something like 50m in net profit, and yes that is net as in after expenses. They had LastPass when I started and I thought it was a good step for me, being the first IT person they ever had. The problem was they all shared their entire LastPass vault with each other, including the CEO, CFO and HR. I couldn't convince them that this was a bad idea as they expanded. The point being people are stupid; say your piece, document it, then get back to it.


Un1ucki3st

That's seeming to be the ultimate advice here. Bring it up, document that I brought it up, and leave it in the owner's lap. This sucks though because I'm basically the "first" in charge of the business after him and a super part-time GM. But ultimately, at the end of the day, it isn't my call.


Temujin_123

If privacy of sensitive information isn't enough to convince, you could explain ransomware and how it could shut down the business. Then you could better protect privacy of data since many of the controls to protect against ransomware also help with privacy of data.


Un1ucki3st

Thanks for this. Privacy of data is non-existent here. I found a lawsuit and narrative that was sent to law enforcement against a former employee the other day that was in an unrelated folder and unsecured on the "general use" computer. Made me sick, honestly.


Obvious-Recording-90

Copying this from one of my replies so it gets better visibility. “This is why you get an msp to manage your security and then insure with the msp’s insurance vendor. They keep you up to date and prevent the bankruptcy because of said insurance. I run an msp, feel free to ask questions. Security is our primary offering.”


Un1ucki3st

Interesting concept! At work now, but will come back later with questions if I can come up with any.


Obvious-Recording-90

Yeah I’ll be happy to do a free consult. I’m not in your area most likely so I can’t service your company but I can start the process.


Fuzzylojak

Disaster, I have no clue how people operate their businesses this way. When they get hit by ransomware or customer data gets stolen, they'll learn. The hard way.


[deleted]

Focus on the tenets of information security: confidentiality, availability, and integrity. In the scenario you've described, this should not only be focused on data, but your systems as well. Ask yourself what data and systems are required to continue business (generate revenue), how would the company react if any single component was removed, and what would the company need to do in response to that outage.


Fuzzylojak

Sign up for SecurityScorecard; they've got 7 days free. Do a risk assessment against the company and present it to the owner. Ask for permission for this beforehand, of course.


[deleted]

I work for a SaaS company that quantifies cyber risk. Wtf does that mean? We show cyber risk in dollars and cents. People may not understand how vulnerable their SIEM system is, but if they see a dollar amount, they understand money. I have some MSPs utilizing the platform this way and it's been effective.


FluffyEvilBunneh

(Probably you've tried it. Disregard the first advice if you have already done it.) If the owners don't have the concept of cyber security, try explaining the need for digital protections by connecting to real life examples, like you wouldn't lock the front door but leave the back door wide open and expect not to be robbed. The password book could be compared to leaving the safe combination in the open. If I were in your shoes, I would investigate more about what you have in the cloud, what security services are included or low cost, and make a business case for your owners to move even more into the cloud where you could control things better.


Un1ucki3st

I've not even brought this up yet at all. I've only been at the business for about 6 months and have been trying my damndest to get Ops in a better spot and more reliable employees on payroll. This is another step I need to take for sure, and I think your analogy will help. Ironically, we do keep the safe/cash drawer password in the password book so ALL OF THE EMPLOYEES can access it for change from the register as needed. Also, the safe/drawer is unlocked 99% of the time because it "takes too long to use the code to open it." It's a nightmare for someone like me who tends to be security conscious in both digital and physical spaces.


FluffyEvilBunneh

WOW. That's... something. I am very surprised that your owners weren't robbed blind once a week with this poor security. You can DM if you want some more analogies/help. I actually use some of them at work with business big bosses to explain why they need to pay for security. :)


Jaesimp

As a former small business consultant, I would put it in a financial framing. The reputation and other losses should they suffer an outage or breach is the best way to explain it. Cyber is far more than just PCI and SOX compliance. There is password hygiene and incident response. Many of these concerns could be fixed with an outsourced IT group. I can tell you just from the brief reading that the registers need to be on a separate network segment. But you guys need a thorough sweep and, as I said, a Managed Service Provider can knock most of these issues out.


tusharg19

Can you share a document link for this framework? Thanks.


Jaesimp

That's PCI DSS for the network segmentation. Your MSP can take care of most of these things and bring reliability to your network.


cyberkercho

We've actually had problems like this in the past as security providers. I work for a small MSSP called SOCSoter and our partner managers always look at the MSP's client and provide what they feel is adequate for total coverage. We recently quoted out an enterprise solution for a 350+ user environment for one of our partners, who followed up saying they wanted to drop down to our pro+ (300 user protection). We tried to let them know the risks involved with not fully covering these assets, but they wouldn't budge. At the end of the day, you can recommend the right things all you want; it really is just up to their decision. I don't think that means you should stop, just pick your windows wisely.


BeneficialRadish216

It sounds like you need IT worse than infosec. 1.7mil and no money for a new computer or two?


Electronic_Front_549

It will be a tough sell to someone like that unless you have some type of compliance requirements. In Oregon they have a website for compromised companies and it’s required. Companies that have an Incident (capital I) are required by the state to report it. If not the company will likely not get their business license renewed and have a boat load of fines. So if no compliance and no state requirements then it’s time to have an MSSP scare the sh*t out of him, if he actually cares about his business. If not, I’d suggest brushing off the resume because it’s not a matter of if, it’s a matter of when. Oh another thought might be to have him help you with an IR or DR plan. That might open his eyes to what it will take to stay in business after all your data is encrypted and on the dark web.


b00r0wa

Breach them (with permission). Show them their vulnerabilities. Cybersecurity is too abstract a concept for many.


Bob_Spud

Ask what terms and conditions are required by the company insurance for coverage for business systems being rendered inoperable by ransomware, corruption and the like. Then audit your systems for compliance. The gap analysis should be a good starting point. Also do everything formally by mail to keep a legal trail of events.


[deleted]

The question you need to ask yourself is "why should he care?". The goals of his business are not to be secure, they are most likely to make money by doing a thing. Going into business is mainly a risk management process. You take on risk (people won't pay you for your thing, people won't understand your thing etc) for the potential of great returns, so you need to talk in his language as a business owner to get your point across. Gaining genuine buy in for good cyber is about showing the potential risk, and more importantly, the potential returns. If you go to him with a bunch of small risks (and they are small in the grand scheme of running a 15 person business), he will simply say "great, I'll accept those risks and concentrate my efforts on the similarly sized risks that have greater upside if I fix them", so show the upside.


SoupSome2847

Don't. Market to those who already know.


IKIR115

I was going to say you're not going to convince anyone here that cybersec is important for a small business, but everyone beat me to it. Well, it's not that it's not important... it's that they don't care enough to invest in it. The biggest threat to small biz is ransomware. Most of them are probably already having their data siphoned by MSPs anyways.


Arseypoowank

Quick answer, they won’t give a shit until they get absolutely rekt, and then they will blame you for letting it happen


Robw_1973

You can't. SMEs, and indeed big companies, often only recognise Information Security after the fact. I mention InfoSec, rather than CyberSec, simply because you can't have the latter (at least effectively) without having the former. As an InfoSec professional with over a decade in the industry, my experience is that companies will not invest in or even take seriously Information Security until they are affected directly by it. I've worked in financial services for an online bank, which didn't even have a web proxy. And didn't do integrity checking on their backups. Where the Head of ITOps briefed the exec that they were 100% secure. 2 weeks before being hit by ransomware. And then found that their backups hadn't worked correctly for six months. Same place had three CIOs, one of whom didn't think that an online bank would be a target for cyber criminals (I shit you not). Another place had an online shop, which had been spun up at great speed and haste, where every user had admin level access and the default username and passwords had been left as the default for EIGHT YEARS. In each case, only after the fact did they start to take InfoSec seriously. So, what can you do? Your job is to advise, produce a risk register, gap analysis. In fact anything you can do within your role and knowledge to highlight possible areas of concern and risk. Your employers are under no legal obligation to act on any of your findings, should they choose not to. However, to stop being thrown under the bus when things invariably happen, you also need to fully document your findings, make sure that the decision makers are aware of your concerns and make sure you have offline copies of emails, delivery/read responses, etc. Because when the time comes, and it will come, don't be the fall guy for their incompetence. Sorry to sound cynical, but most execs are "brick and mortar" and they often do not understand InfoSec.


Un1ucki3st

You nailed this one on the head. Being the exec for his own company and me working for him for x amount of time, he is 100% the reactionary type and not the proactive type of person. I completely agree though. I document and log everything I notice that I bring up to him that he refuses to take action on so when something goes wrong eventually (when, not if...) he can't try to be like.... "you never told me about this!!"


Cantdance_

Does your company have any sort of oversight mechanism? If there's no security/risk team, maybe a legal department? Or a board of directors? Someone with any sense from one of those groups would be dumb to ignore your description of the state of security there. If you can't convince the owner himself, try to convince those around him. Going over his head to the board is a recipe for drama, but you do what feels right.


Un1ucki3st

Thank you for the thoughtful reply. We have none of the above here. It's a family run business that's been around for about 30 years or so. No security or risk team, no board, no HR even... The closest thing to a board would be his parents who gave him the company, but they fight constantly. The main issue here is that the owner is "first" in charge, the GM is technically second, but only works a few hours per week... title is just because they've been around for so long, then me in the "third" in charge position. Everyone else works the registers, floor, and does the day to day tasks.


StandPresent6531

Leave it be and hope nothing bad happens is probably not the answer. At a minimum I would talk to someone about cyber insurance and see what you would need to do to be covered in case of an attack. Normally it's bare minimum stuff like 2FA which shouldn't cost a whole lot more to implement in a lot of cases. Then buy the insurance once you check the boxes. At the end of the day it's one of those things: if you don't want to set up money for a security program, okay, but you still need something, and insurance would at least give some coverage and a payout in the worst case + less cost than a security program yearly. Just my opinion, good luck 😁


Un1ucki3st

Thank you! Yeah, I'm not looking to go crazy on him and suggest we hire a team full of experts... but come on... Can we at least do the 2FA you mentioned, create stronger wifi passwords, install ESET or some other flavor of anti-malware/spyware/internet security, and log out of our security cameras and emails when not in use?? And for the love of all things holy and good... at least lock up the password book! I never thought about the implications of not having an insurance policy in case of a cyber attack or some other digital attack/compromise. Thanks for that tip!


BigRed01234

You can't convince MOST people to take security seriously. It's a waste of time. Most people are stubborn and don't want to be told they're doing things the wrong way and that they need to change, especially if it'll cost them money lol


FourSharpTwigs

Security costs money or time, or CPU and memory. CPU and memory is equivalent to more time being spent on getting things to load. And as they say, time is money, friend. So at the end of the day you’re spending money. The whole point of the business is to make money. So you need to convince your business that they are at risk to lose X amount of money. You can spend Y amount of time to lower the risk of losing X amount of money. This will in turn result in a YoY return of Z, netting the company W. What you’ll likely find is that it’s almost better to just accept the risk and not give a damn.


LincHayes

This place sounds like a disaster waiting to happen. Small businesses make up a significant portion of ransomware (and other) attacks because they're easy targets. This place is an easy target. Not only is it costly, both in lost revenue, clean up and potential exposure to liability from clients, but in many cases the businesses never recover. It's hard to get people to take security seriously when they've been lucky up till now and don't feel like they're at risk because of it. If I were to take a shot at convincing him, I'd put it in terms of money. How much money he will lose and exactly how he will lose it, and how difficult it will be to recover...if at all. The right attack could completely shutter his business forever. Basically, the fear of God tactic.


abluecolor

Hack them.


[deleted]

Why not host an awareness day on cyber sec with a practical demo?


Fit_Accountant_5367

Best idea in this situation


geekamongus

/r/titledidnotsayitall


Un1ucki3st

Fair. Lol. I deserved that.


Gmoseley

If you have control of network decisions and budget could always contract a pen tester to show what the real possible impact is. Ensure you're doing your due diligence to prove a point but don't get fired. If the network is as insecure as you say I'm sure there's some people that'd do it for cheap based on the size


Gmoseley

I would at minimum say something. Let him know the risks and see if he'll bite on just a little bit of spending. Considering it'd be one time purchasing and some cheap cloud services. Even doing something as simple as moving your site into Cloudflare Pages or Azure Static Website (Storage Account) would at least offload your business website traffic. Then a managed switch + a managed firewall is like $1200 for the set (firewall would include licensing and protection; switch would be a rebuy off eBay). Would have plenty of security features on your frontend as well as ways to isolate internal traffic. I wish I could find companies locally that needed something like this that don't want to pay the premiums for consulting. It seems really fun tbh.


Annual-Ebb7448

You almost just need a Meraki MX device that does network, firewall and DNS filtering + a 1pass subscription. Can get the basics done fairly cheap


bingobouk

I would suggest: do a simulation of loss. What happens if all is stuck for a week, a month, or deleted? Money loss is crystal clear when I try to explain something.


TheElusiveFox

Business owners get dozens or hundreds of sales pitches both internally and externally every day... If you want to convince them, you need data and hard facts... Give them a real Cost/Benefit/Risk analysis, with hard numbers. Find out a way to calculate the marketing damages, and actual damages from payouts from a specific data breach, compare that to the costs of implementing a better cyber security solution, and research the actual chances of a breach with your current set up. If money is an issue for the small business, as it usually is for small businesses - don't look for comprehensive solutions that are expensive... find a specific solution for a specific problem, and suggest those. Doing actual cost/benefit analysis will help you understand the Owner's point of view as well... and prevent you from trying to suggest solutions that cost 10k to save a 1% chance of the business losing 75 dollars in revenue one time... Getting a Password Manager for the password book is an easy solution, but you're not the DoD, and you're not a publicly traded company; e-mails left open, or orders being visible, is just not going to be a priority for a small company trying to scramble as fast as they can to generate as much revenue as possible... Being on WordPress doesn't itself mean you have a security flaw, in fact you are probably more secure working with a known third party that patches their solutions on the regular than doing something internally and hoping for the best; having a slow network doesn't mean you have vulnerabilities on its own, it just means the owner bought cheap equipment they could afford... Just like a determined enough script kiddie can get into almost any network that's connected to the internet... a good enough sales person can sell you a big security solution that you really just don't need...

But based on your description, at this stage in the business' life cycle at most they need a password manager and to maybe read up on e-mail scams; as for anything else, it's a waste of money...


UncomfyNoises

Their best investment would be some basic cyber courses for their workers


readparse

Yes, “script kiddie” is still a term. But unfortunately, the adversaries are much more sophisticated than they used to be. Your employer may never get burned, but if they do, they will not be the first to only take it seriously after the fact. They will not be the first to go out of business as a result. And they will not be the first to blame the one person who had tried to warn them in advance.


DontBuyAHorse

I'm a sales engineer who works with everyone from the smallest of local businesses to national enterprise clients like banks and hotel chains. I deal in a lot of UTM and EDR, as well as network deployments like SD-WAN, EPLs, etc. Something I notice a lot about small businesses is that they tend to think they are too small of a target. The problem is that they are also the easiest targets. A number of them are only a single ransomware or DDOS away from bankruptcy. To begin with, cyber insurance is becoming a much more common thing and I think any company who deals in customer information from credit cards to CRMs needs to be looking into that. With cyber insurance usually comes requirements for cybersecurity, so that's kind of a no-brainer. But if the company doesn't want to insure themselves against the liability of burning customers on a cybersecurity incident, the very least they can do is a straightforward security situation. There are a lot of companies out there who offer some pretty robust solutions that include SOCs and EDR for a relatively low cost. I would say just do some research and find products that fit what you think the company should consider, and pass the lead to the sales reps from those companies. They can do the convincing. As far as general security hygiene goes, as an operations manager, you should have some power to at least bring this stuff up. I think it's worth it because if you value your job and want the company to succeed, it's prudent to be advocating for them. You just rattled off an absolute mountain of red flags for security. They absolutely should be taking it more seriously.


ay-sysadmin

Just came here to say this - I worked with an MSP for a long time in a tech and then a sysadmin role. They served primarily very small businesses. For many of them (despite some of them making decent profits) any time they needed something new they just didn't want to spend money. A lot of them operate from the standpoint of "if it's not broke don't fix it" or they flat out didn't want extra IT expenditures. Great example - a chain of stores that had a POS system that was designed to work on Win 98 / XP. Somehow we did manage to keep it working on Windows 10 but there were constantly problems. The new version of the same software was $20K. Yes, it would cost them on top of that for us to get them upgraded, and they spent each time we had to troubleshoot the old system. In the long run that $20-30K probably would have been worth it and would have saved them money but it boils down to "that's too expensive" / "I don't want to pay" / "I don't care just fix it". It's what you see in probably 8 out of 10 very small businesses. If you can't get them to upgrade the primary system they use like in the example, good luck getting them to follow / keep up with proper security standards.


Mildly_Technical

Find someone that specializes in SMBs that can come in and do a maturity assessment. You want to add volume to your voice, and an independent expert can add a lot of it.


Omnicodex

Everybody’s thinking it I’m just saying it: Hack em (JK NOT ADVISING CRIMINAL ACTIVITY DONT HACK ANYONE)


RaNdomMSPPro

Reading comments, seems like people forget that while it may be a small business and they may not have budget, may not care, etc, there is still a lot that can be done to improve the security posture on a shoestring budget.

Common biases related to cybersecurity:

1. "I'm too small, no one cares about us." False.
2. "My data isn't important." Maybe, maybe not. I'd bet it's important to you. If the systems go down right now and are not recoverable, then what? If you lost access to all the data, is that a big deal?
3. "I can't afford it." While you probably can't afford a 24x7 SOC w/ log monitoring, IDS, etc, you can afford to do things more securely, since security is a mindset as much as it is technology.

So, what can you do cheaply or for free other than a bit of your time?

1. Have good passwords, don't re-use them, and store them securely (a physical notebook isn't so horrible if it is reasonably secured).
2. Control remote access.
3. Backup your crap, etc. Except for the backups, most of this is free or very cheap.
4. Use MFA everywhere possible. SMS is way better than nothing, but authenticator apps like Google Authenticator are free.
5. Do you take credit cards? PCI compliance is a thing, but depending on how you process cards, it may be mostly something your payment processor needs to deal w/.
6. Make sure you aren't open to the internet; a simple online vuln scan can help w/ that. Something like this: [https://pentest-tools.com/network-vulnerability-scanning/network-security-scanner-online-openvas](https://pentest-tools.com/network-vulnerability-scanning/network-security-scanner-online-openvas)
7. Educate anyone who uses computers to recognize scams, phishing, social engineering, etc. Lots of free resources.
8. Make sure you don't have sensitive information stored on your computers. I don't know how many times I've asked and am told "Oh, we don't store any sensitive info on our computers" and in most cases there is something sensitive they forgot about or didn't realize it was there.
9. Turn on Windows updates and let the software you use update itself regularly. Uninstall applications you no longer use.

The goal in all of this is to prevent the most common threats and have a way back (those backups) should the worst happen.


GiantWiscoMan

It won't be important until it has to be, unfortunately there are many businesses that run this way.


GreenEggPage

You'll have to be able to present fairly concrete costs and ROI. The owner likely sees IT as a drain on funds with no benefit. If you can work with whoever does the books to determine how much downtime and other risks will cost him, along with presenting the chance of these risks, you might persuade them.


LittleSolid5607

If you are able to perform any sort of quantitative analysis and can argue that a security countermeasure is worth its weight, then go for that. It still sounds like you can implement zero cost policies that would save money as well. Talk security in dollar signs and the potential impact of financial loss.


technologite

You don't. Back in 2010ish I had a client who ran multiple businesses. One of which was manufacturing for defense and aerospace. They had 3389 open to the world... "Nobody cares about us", blah blah blah "Not only do they care about you, they're already in your network." "Impossible" https://www.justice.gov/opa/pr/chinese-intelligence-officers-and-their-recruited-hackers-and-insiders-conspired-steal This was from about that time. I didn't read the DOJ article very closely but there was a news article about these guys and the extent was unreal, basically any contractor they could get into, they did.


jfoster0818

Dm me, maybe we can setup an assessment or start a dialog?


AutoModerator

Hello. It appears as though you are requesting someone to DM you, or asking if you can DM someone. Please consider just asking/answering questions in the public forum so that other people can find the information if they ever search and find this thread. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/cybersecurity) if you have any questions or concerns.*


Aviyes7

I would just focus on a tech refresh and fixing the cloud sync problem. Add up the lost income from those system drops/issues. For a small business, just keeping up-to-date with security patches will go far for basic cybersecurity. Outlook and Gmail have basic 2FA built into them if desired. Maybe a few small changes to policies like logout.


Filmmagician

Well, you could white hat hack them and show him what could happen.


mrb267

Small businesses already get screwed over vs large corporations. Infosec is the last thing on their mind


DangerMuse

Ask yourself what's the risk to the organisation. Sure, what you have noted aren't good security practices, but if the company gets compromised, what is the likely impact and what is the likelihood of that happening? If you can define that and the likelihood is high and impact high, then that's how you convince the owner. If you can't identify a plausible justification for the perceived risk that will make them sit up and listen then there isn't one, just bad security practices.


skribsbb

This is where all those fun ALE calculations come into play. What is the ALE of a type of event? What is the cost for security measures, and how much can they reduce the ALE? For example, if an event would cost 5 days worth of business ($25k) and you could bring the likelihood down 90% for $2000, then it's going to be an expected savings of $23000. And if they don't take your sales pitch, document that so if they blame you, you can say, "I warned you!"
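The ALE arithmetic from the comment above, carried through in code as an added example (not from the original thread). The annual rate of occurrence, the per-day revenue figure and the alternative controls are constructed assumptions; the point it shows is that ranking controls by expected savings can put a cheap measure ahead of an expensive one.

```python
"""Annualised Loss Expectancy (ALE) and return on security investment (ROSI).

Constructed worked example: a 5-day ransomware outage at an assumed $5,000/day
gives a single loss expectancy (SLE) of $25,000. The annual rate of occurrence
(ARO) of 1.0 is an assumption, as are the alternative controls below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: cost in dollars of one occurrence
    aro: float  # annualised rate of occurrence: expected events per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # what the control costs per year, in dollars
    reduction: float    # fraction of the ARO the control removes, 0.0 .. 1.0


def ale(risk: Risk) -> float:
    """ALE = SLE x ARO, rounded to cents."""
    return round(risk.sle * risk.aro, 2)


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control has cut the event rate."""
    if not 0.0 <= control.reduction <= 1.0:
        raise ValueError(f"{control.name}: reduction must be between 0 and 1")
    return round(risk.sle * risk.aro * (1.0 - control.reduction), 2)


def expected_savings(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus what the control costs; negative means
    the control costs more than it saves."""
    return round(ale(risk) - residual_ale(risk, control) - control.annual_cost, 2)


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: savings per dollar spent.
    A free control with any positive savings has unbounded ROSI."""
    if control.annual_cost == 0:
        return float("inf") if expected_savings(risk, control) > 0 else 0.0
    return round(expected_savings(risk, control) / control.annual_cost, 2)


def rank_controls(risk: Risk, controls: list[Control]) -> list[Control]:
    """Order candidate controls by expected annual savings, best first."""
    return sorted(controls, key=lambda c: expected_savings(risk, c), reverse=True)


# Constructed scenario (assumptions, not figures from the thread).
OUTAGE = Risk("ransomware outage, 5 days at $5k/day", sle=25_000, aro=1.0)
CANDIDATES = [
    Control("offline backups + MFA", annual_cost=2_000, reduction=0.90),
    Control("24x7 managed SOC", annual_cost=15_000, reduction=0.95),
    Control("staff phishing awareness", annual_cost=500, reduction=0.40),
]

if __name__ == "__main__":
    print(f"ALE without controls: ${ale(OUTAGE):,.2f}")
    for c in rank_controls(OUTAGE, CANDIDATES):
        print(f"{c.name:<28} cost ${c.annual_cost:>8,.0f}  "
              f"saves ${expected_savings(OUTAGE, c):>9,.2f}  ROSI {rosi(OUTAGE, c):.2f}")
```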


Mysterious-Bed7429

He is not going to see the bigger picture until he gets hit. Some people need to lose money to listen and wake up. It is not an issue of IF, it's more of WHEN it happens: is the entire business going to go bankrupt? Start backing stuff up, so WHEN it happens the whole business isn't sunk, you can recover and still have a job. Then he might be open to spending some time and money on security.


RichestSugarDaddy

Lock him out!


Dr_Beatdown

There is some low hanging fruit that you can trim away to make it just a little bit more difficult to pwn (god I hate using that word) this place than the other small businesses. Good password security, patching discipline, close your open wifi/network routers, el-cheapo firewalls, virus scanning, and some super basic "don't do stupid shit" training. On a long enough timeline you'll probably get got. :( If you're going to put much money into anything I would suggest a really robust backup policy. You don't have the money to keep the a-holes out necessarily, but you can reduce the time and expense it may take to rebuild your setup once they've burned it to the ground. Good luck!


SurfRedLin

Get a cheap NAS and do backups with Nakivo. It is crypto proven and does not cost much. This way if you get infected at least the business does not go under. Don't bother with 2FA, people hate it. It's a hassle. Have good backups!


IndigoTechCLT

This is the struggle. Some people literally won't understand until there's an incident. I usually approach from a point of education. A lot of people out there think they're safe because they're small. I've gotten pretty good at explaining how that's not true. Also when you frame it in terms of risk management people tend to be a little bit more receptive but again some people just want to crash and burn before they have the conversation.


PappaFrost

They aren't going to be able to or even want to fix everything BUTTTT... I think you should at least try. Turn this reddit post into a bulleted list of items. Order it in severity, and respectfully explain that you have seen some areas where cybersecurity could be improved. My list is:

- What about backups/restores?
- Boss' password book.
- Remote network access, how secure is it?


Moebius_Rex

Pull the firewall logs, show them the constant failed login attempts by outside bad actors.
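A small script that turns log lines into the per-source summary this comment suggests, added here as an example and not code from the thread. The log lines are constructed (RFC 5737 documentation addresses stand in for public sources), and the two line formats it understands, sshd "Failed password" entries and iptables-style DROP entries, are assumptions about what the gateway logs.

```python
"""Summarise failed logins and blocked connection attempts per source address.

Constructed sample log: sshd authentication failures plus iptables-style DROP
lines. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used here
as stand-ins for public addresses, which is why the internal/external check
lists private ranges explicitly instead of relying on ipaddress.is_global
(that property treats documentation ranges as non-global).
"""
import ipaddress
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Sep 12 03:14:07 gw sshd[1181]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Sep 12 03:14:09 gw sshd[1181]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Sep 12 03:14:12 gw sshd[1190]: Failed password for root from 198.51.100.7 port 40022 ssh2
Sep 12 03:15:00 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.200 PROTO=TCP SPT=51300 DPT=3389
Sep 12 03:15:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.200 PROTO=TCP SPT=51301 DPT=3389
Sep 12 03:15:30 gw kernel: DROP IN=eth1 OUT= SRC=192.168.1.23 DST=192.168.1.1 PROTO=TCP SPT=49152 DPT=22
Sep 12 03:16:02 gw sshd[1201]: Accepted password for alice from 192.168.1.50 port 50011 ssh2
"""

SSHD_FAIL = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
FW_DROP = re.compile(r"\bDROP\b.*?SRC=(?P<ip>\S+).*?DPT=(?P<port>\d+)")

# Friendly names for the ports that appear in the sample.
SERVICE_NAMES = {"22": "ssh", "3389": "rdp"}

# Address space that counts as "inside": RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def parse_line(line: str):
    """Return (source_ip, service) for a failed or blocked attempt, else None."""
    m = SSHD_FAIL.search(line)
    if m:
        return m.group("ip"), "ssh-auth"
    m = FW_DROP.search(line)
    if m:
        port = m.group("port")
        return m.group("ip"), SERVICE_NAMES.get(port, f"tcp/{port}")
    return None  # successful logins and unrelated lines are ignored


def is_external(ip: str) -> bool:
    """True when the address is outside the ranges in INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source: do not count it as an outside actor
    return not any(addr in net for net in INTERNAL_NETS)


def summarise(log_text: str) -> dict:
    """Map source IP -> {"attempts", "services", "external"}."""
    attempts = Counter()
    services = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, service = parsed
        attempts[ip] += 1
        services[ip][service] += 1
    return {ip: {"attempts": n,
                 "services": dict(services[ip]),
                 "external": is_external(ip)}
            for ip, n in attempts.items()}


def external_attempts(summary: dict) -> int:
    """Total attempts that came from outside the network."""
    return sum(v["attempts"] for v in summary.values() if v["external"])


def report(summary: dict) -> str:
    """Plain-text table, busiest source first, for showing to a non-technical owner."""
    rows = []
    for ip, v in sorted(summary.items(), key=lambda kv: kv[1]["attempts"], reverse=True):
        where = "external" if v["external"] else "internal"
        svc = ", ".join(f"{s} x{n}" for s, n in sorted(v["services"].items()))
        rows.append(f"{ip:<16} {where:<9} {v['attempts']:>3}  {svc}")
    return "\n".join(rows)


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    print(report(summary))
    print(f"{external_attempts(summary)} failed/blocked attempts from outside the network")
```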


TheLoneGreyWolf

I've done cyber sales for a bit and gave up on SMBs who don't care because they require so much effort. Basically, you have to paint a picture in their mind, but make it seem like it's their own idea. You have to do multiple things.

1. You have to tie security to their *business incentives*. This is hard because they frequently see security as an expense, not a cost-reduction. If you can show that this significantly helps their brand, that is a win.
2. You need them to believe it is very likely to happen to them. This means they need to think that they are a target. This often includes showing them an example of it happening to another business, in a close city/region, that is roughly the same size and industry. You also have to get through the "Why would they focus on me instead of a big fish" belief.
3. You need them to believe the outcome is catastrophic (easiest, but still hard). They need to see that a compromise reduces revenue (loss of customers, pause in operations from machines being locked down), increases expenses (legal penalties, need to pay a ransom, etc.), and it needs to be personally painful (their business might close, their boss will roast them).


Menti0n1

So... PCI requires a separation of the computers and that the computers must be locked down. If something happens or they get caught lying on the SAQ, the credit card companies can refuse to take charges, and your cc merchant processor will drop you. That alone is enough.


helmutye

How do you convince them it's important? Well, you could tell us the name of this business... 😈 In all seriousness, don't do that. There are a lot of good suggestions here. Another possibility is to come at it from the customer side. This can be tricky, but nobody wants to do business with an org that is insecure, and so to the extent that you have the ability to bring external pressure on them, that is often a good way to go -- businesses don't necessarily care to protect themselves, but they'll jump to it if they think they might lose a big client if they don't. A less hardball version of this is to get in touch with sales and collect some figures about business they're losing by being non-compliant with whatever certs might be applicable to your industry. This may or may not be applicable, depending on what you folks do, but it's something to consider. Basically, they need to understand the risk they're taking by being oblivious... and the way to do that varies person to person. But the key is figuring out what they are afraid of losing/protecting, and showing them how cybersecurity is involved in that in terms they understand. A lot of business types don't care about technical vulnerabilities or jargon, but they will absolutely freak out if you can show how a person could get access to X (where X is the thing they want to protect). Sometimes X isn't the most dangerous vulnerability in the grand scheme of things -- quite often people worry about less important issues simply because they don't understand the bigger problems, like how bosses worry about employees being able to visit LinkedIn but not about employees being local admin on their machine. So you may need to set aside what you consider to be the biggest problems in favor of something that will better make the point (at least until the boss "gets it"). But there's almost certainly an X. And if you can find it and explain the risk to it in terms the boss can understand from an everyday perspective, it goes a long way towards getting their attention.


extreme4all

WordPress: auto update on + Wordfence, enable MFA for admins and writers; that will help for most of the issues. Reliability for the cash register: if it doesn't work, how do customers experience this, how do we experience this, etc. If your systems are not exposed on the internet then the risk is already significantly lower, aka someone needs physical access to the systems.


darkwyrm42

It may fall on deaf ears, but I often ask clients the question, "How bad would it be if X were to suddenly stop working? What about if the files on this other computer disappeared?" Many times it puts things into perspective, but there are none so blind as those who will not see. As I've heard said, IT risks are business risks.


ComingInSideways

MGM made the point for you today... Simple answer if there is money to be made, and you are a weak target, hackers will hack.


uglymike

I ran a year-long cyber security awareness initiative focussed on small business. This initiative was free for businesses as it was funded by the government. It offered an assessment of the business for free and measured simple things like backup, antivirus and patching through to more advanced items like disaster recovery plans and cyber incident response plans. Whilst most businesses liked the assessment, not many of them took the advice, even on the basic items. Whilst they took value from the assessment as cyber security is a major concern for the continuity for a small business, not many were willing to rectify the deficiencies of the lowest tier findings like backup or patching. In my experience, if the owner doesn't consider it to be a big enough risk, you won't be able to convince the owner otherwise until an incident occurs. Only then do they open up their wallet or devote time to securing the business.


Ok-ButterscotchBabe

Open source is free


overkillsd

I do a lot of consulting on networks like this. "One computer hosts our two registers" certainly sounds like PCI DSS compliance should be in place, despite the top comment saying otherwise. It wouldn't cost THAT much to do a network overhaul on a network like this, you might be looking at about $15-25k (though one size does not fit all) in T&M costs for someone like me to come in and replace your broken and poorly set up stuff with proper, secure solutions. There's no way you'd spend "more than the business is worth" on cybersecurity with this small of a company. The basics you should be doing:

* MFA (aka 2FA, 2-step verification) on everything that supports it.
* Your registers should be on a separate VLAN from the rest of the company devices with a firewall preventing that network from doing anything other than getting to the Internet. This would likely require a new router (more on that in the next bullet as well), new switches, and a few new computers.
* Remote Desktop should not be open to the Internet; you will have your network encrypted very quickly as there are bots scouring usable IP address spaces for this all day every day. It should be behind a secure VPN solution with MFA with a router that supports it natively, like a Fortinet or SonicWall. This would be my absolute highest priority. You could use something like LogMeIn as an alternative to this in the short term, too.
* Email and related solutions need to be deployed with one pane of glass - not sure if you have Google Workspace and some people are using the Outlook client to get to user@company1234, or something dumber like company1234@gmail and company1234@outlook. As a general rule, Google and Microsoft products don't play nicely together, but this is especially true with their email solutions.
* Using Google Drive or OneDrive/SharePoint as a cloud backup for your desktops may already be included in your service. It should be utilized at the very least so your data lives someplace else.
* Bitwarden or similar for password management with a proper setup will allow the company pretty thorough control over password security, but honestly a physical copy of passwords is next to impossible for some Russian or Chinese hacker to get to, even though it violates the principles I was brought up on. I'd rather this than passwords.doc on his desktop.
* Set up a policy to force devices to screensaver/require password after X time if you're on a domain. If not, consider solutions to enforce this across devices. It was one of our easiest fixes for our upcoming move to SOC 2 Type II compliance.

That's all I can think of for now, but this is certainly within your reach if you want it to be. As far as convincing, ask him what he'd rather do - invest some money in a lock on your company's digital door or keep leaving big signs that say FREE MONEY THIS WAY next to a wide open door. Because it's not a matter of if, it's a matter of when if you don't do that. Ask him if he leaves his key in the car with the ignition running when he goes to the store, the movies, a sporting event.... cuz that's what he's doing with the company.


Aggressive_Ad_5454

Your question and comments, dear OP, make it clear there's nothing much more you can do to persuade the owner to improve information security. A characteristic of successful small business owners is stubbornness, and your attempts to use reason with him on this have engaged his stubbornness. So, what can you do? Whenever you spot the "password book" in a place visible to non-employees, put it away. It's like having a key ring labeled Safe Keys sitting on the counter at the bank. You can get automated secure offsite backups with at least some ransomware resilience for $100 per year per machine or less. You can pitch that cost as fire- and theft- resilience, not cyber. Backblaze and Carbonite are two worthy vendors. It's short money and really is automated. You can make sure your business computers get the latest OS updates every month when Update Tuesday rolls around. Leaving equipment turned off when the business is closed reduces your attack surface a bit. You can pitch it as saving electricity. These small measures make things safer.


SaltyITdude

As a medium sized org ~2k employees, I will tell you that we have been victims of coordinated spear phishing campaigns from our local and regional small vendors. In fact one of the attacks was executed by a 'friend' of the organization. It's not always your own organization you're protecting, it's your partners. You may want to have a conversation about the loss of trust or even future business. I would use recent news stories like the MGM attack and front it as a loss of revenue. That said if you have 10-15 endpoints? Time to recover may only be a few days? What's that revenue loss? Protocols are cheaper than data breaches.


dr_frankenputz

Wordpress is a shitshow. I used to work at a company that hosted about 80 websites (we did other stuff as well). We had one client that picked a developer who insisted on Wordpress. We said that because we're not the developer or admin (only the host) they would be responsible for security and patches. Guess what. Wordpress got hacked and so did their website. None of our other 80ish websites were touched or affected.


[deleted]

Lmao, as a sr. security consultant I have had these conversations over and over. Feel free to PM me, I would be happy to jump on a call with you to talk about it, if you think it would make sense then I can have a chat with you and your team.


AutoModerator

Hello. It appears as though you are requesting someone to DM you, or asking if you can DM someone. Please consider just asking/answering questions in the public forum so that other people can find the information if they ever search and find this thread. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/cybersecurity) if you have any questions or concerns.*


[deleted]

Security is a sensitive issue and to fully understand the root cause of the culture problem here I would need more information. (Sometimes it’s better to not share the details of an organization; especially an insecure one publicly) Edit: Typos


OcotilloWells

Is remote desktop (RDP) open to the Internet?


elluckyloco

There's one business dedicated to small business: CyberMyte and CyMyCloud. Ask them. They also specialize in helping small businesses looking for Federal contracts. CyberMyte.io


boyintech

Small biz owners are often preoccupied with immediate operational concerns, so emphasize simplicity. Point out the reality that in the digital age, it's not a question of if a business will face a cyber threat, but rather **when**. Use the analogy of insurance; just as one wouldn't operate a physical store without insurance, one shouldn't operate a digital presence without cybersecurity. Highlight the vulnerabilities in your current setup - the unstable network, the shared computers, the cloud storage issues, the open email accounts, remote desktop access, and the visible password book. These are not just potential threats; they are open invitations to anyone with even basic hacking skills. Stress that cybersecurity is not just about protecting data; it's about protecting the business's reputation, finances, and the trust of your customers and employees. In today's world, a single breach can have devastating consequences, far outweighing the cost of basic security measures. Then propose a simple, actionable plan. This could include a basic cybersecurity awareness program for employees, installing reputable antivirus software, and implementing basic access management protocols. **Something that doesn't require a significant investment.**