Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to the Growing EBITDA Podcast, where we unlock the doors to management and technology
(00:08):
insights in the middle market.
Join us as we explore innovative strategies to drive revenue and EBITDA growth, interviewing
industry leaders and technology experts.
Whether you're looking to streamline operations, understand the latest tech trends, or lead
your company towards exponential growth, you're in the right place.
Stay tuned and let's grow together.
(00:31):
Cybersecurity word of the day, cybersecurity.
Increasingly, we are finding cybersecurity being one of the top business priorities,
if not the top business priority for middle market companies.
And a couple of reasons why.
A report that came out that was affiliated with the FBI, but published in Cybercrime
(00:53):
magazine very recently reported that cybercrime will cost the world $10.5 trillion annually
by next year 2025.
$10.5 trillion.
Very interestingly, and also from the same report, more than half of all cyber attacks
are committed against small and medium sized companies.
(01:14):
So middle market companies, and 60% of them go out of business within six months of falling
victim to a breach or an attack.
Now 60%, I'm sure those numbers are a little bit skewed by smaller businesses, right?
And obviously our listeners tend to be running kind of more medium sized middle market businesses.
But nonetheless, those are some pretty scary figures.
(01:35):
Lots of dollars, high impact.
Probably one of the most interesting to me is that 60% of all breaches are with smaller
and medium sized organizations.
I have my theory why, may or may not be accurate.
And that is bigger companies have more infrastructure, better systems, bigger IT departments.
I'm sure there's a lot of mid market companies out there, James, you'll probably speak to
(01:55):
this in a minute that don't have big IT teams, don't have sophisticated processes and protocols
in place to protect them from some of these breaches.
But anyway, obviously this is huge impact on companies, on businesses.
Almost every executive that I know, and every investor that I know is starting to think
more seriously about cybersecurity.
And hence, that's why we wanted to kick off our podcast by talking about that today.
(02:18):
So that's about all I know about cybersecurity.
As our guests will come to learn, I can operate my own laptops and my own emails, but that's
largely where my IT competency ends.
So thank goodness we have James here to guide us through today's episode and today's topic.
It's crazy to think that the 10.5 number you provided, that is three times the, or over
(02:39):
three times the value of Apple today.
It's crazy in our lifetime, we saw a business worth a trillion dollars.
I think it's such a huge business to think that something three times the size of Apple
is a total net loss globally.
It's a crazy number.
It's a lot of money.
A lot of money.
If I had that kind of money, I could retire.
Yeah, we'd get a better studio.
Absolutely.
Maybe a better producer.
Maybe.
I think we should introduce everybody to producer Matt.
(03:00):
Producer Matt here.
It was producer Matt's idea to start this podcast, if I'm not mistaken.
Is that?
Yes.
It's an origin story.
Yes.
It's an origin story.
Origin story.
He was talking about it.
It's a 10.5 trillion dollar podcast.
It just so happened to line up with today's number.
Back to business here, James.
Maybe we could talk about why it's a top priority to businesses.
Yes, definitely.
(03:21):
Let's do that.
So when we think about kind of the cybersecurity and the priorities around it, generally think
of it as three different major categories.
One of the things that we really say, and it's kind of the most important thing is cybersecurity
is protecting your organization's digital assets.
Those digital assets could be data, could be files, could be email, could be a lot of
(03:42):
things, but it's protecting those digital assets.
The next thing is we think about the reliance that organizations have, much like our podcast
today and all the technology that surrounds us, to your point.
We have a heavy reliance on systems.
And when those systems fail due to a cyber threat or cyber issue, it really does affect
our businesses and our ability to run our business effectively.
(04:02):
And then the last part, which I think is the reason anybody has a business, is the ability
to generate revenue.
And how does a cyber attack affect revenue?
It allows you to not be able to do the great things you do today.
And no matter what business you are in, cyber attacks find ways to halt revenue, which creates
stress and strain on business owners, especially in the middle market like our listeners.
(04:24):
I understand that it affects revenue, but maybe unpack that for us a little bit.
Tell us how you've seen it impact revenue in businesses either that you've been involved
with or that you've heard about.
Help our listeners understand that a little bit more.
Yeah.
I mean, when you think about the revenue side, when I have these conversations with folks,
a lot of folks immediately go to e-commerce sites.
My website went down and I'm not able to transact.
(04:45):
That's interesting.
That is one of the challenges folks face.
But it could be any sort of business.
If I'm not able to procure goods, if I'm not able to pay my people, if I'm able to collect
cash, if I can't even get to my bank, think about it as everything you do today not functioning.
And the way a lot of times that we talk about it with folks is, you know, we've all had
(05:06):
to unfortunately exit folks from an organization.
When you exit from an organization, we cut off all the access to that organization.
You no longer affiliate with the organization.
You no longer have any of the access.
Just imagine that you are that employee, essentially the business terminating you due to the cybersecurity
locking you out.
So that's the visual.
We all know what that visual is because we've locked folks out in the past.
(05:26):
It affects everything you do.
So when it affects revenue, e-commerce, sure.
Ability to procure, sure.
Pay.
The only thing it affects is the ability to just truly run your day to day, know the state
of your business, report on your business, have an understanding of your business.
It affects your employees.
Yeah.
And it also, when you have a breach, I imagine Murphy's Law kicks in.
(05:46):
It's never going to be a good time.
And it's probably when it happens, it's never going to be the right time.
And that's probably one of the reasons why it's so talked about today, not just that
it's beyond prolific and not just that the impact is huge, but it does, like you described,
it impacts every corner of your business.
They may not all go down at once, but they could.
(06:07):
There's been some recent examples of that, but it just has the potential to really bring
a business to its knees.
So James, stick it in the context of the mid-market, which is where we spend most of our time.
Give me an overview of what cybersecurity today means in the middle market.
This is an interesting topic.
The first thing I always talk about when we have this conversation is everyone has to
(06:30):
participate.
It's not the some participate, I'm a financial business, I'm a Bitcoin business, everyone
has to participate.
And that's a bit of a change.
It's no longer for just large organizations.
Mid-market has to follow the standards of everyone else.
(06:50):
And I think that the most important part of that is your clients and your employees expect
you to follow it because they expect you to safeguard and protect that data.
And so we think about compliance over the years, many years ago, for those who remember,
we went from the swipe credit card readers to the chip and pin where you had to insert.
And that was one of the first cyber changes because people are getting compromised credit
(07:11):
cards and it was a challenge.
No matter what size business you go into, pay attention next time, whether it's a small
business around the corner or a large multinational organization, they all have the same reader.
Why?
Because the industry standardized on the security protocol that was generally agreed to by all
folks and whether it's tapless or insert, there's no more, in extreme cases, maybe a
(07:32):
little bit of swiping, but very rarely is there swiping. We agreed to that standard.
Think about mid-market as that same type of idea.
Those standards are out there, they're generally accepted.
Folks need to adjust to those to be able to align to even the way large businesses are
protecting themselves.
And in your experience, how many businesses, I'm sure for a lot of our listeners, they
can relate to the credit card scanner example in their personal lives, right?
(07:57):
But many, many mid-size businesses are more B2B in nature.
So that example may not draw immediate parallels to their mind.
Do you have any examples that are kind of in a more B2B environment?
So I think an example for B2B folks is the way that you wire transfer and do your wire
transfers today that is an interesting change on the validation side, right?
(08:19):
So I know as a business owner, you're familiar with the wire transfer process and maybe you
could tell me more from the business side, but I'll tell you from the technology side
that the way that you wire today and you have that handshake, which is a communication between
two systems is a large difference on how we do wire transfer today.
So if you remember back in the day, you put in your routing information and it wouldn't
give you any results.
(08:41):
Now you get that confirmation that says, are you from UMB blank, blank, blank, whatever
bank it is?
And you have that little bit of moment like, okay, I know I typed in that number correctly.
That's done because they built a trust with those banks to allow that information to be
sent out and returned so you the user can feel a little more comfortable.
That security to allow for that, there's a ton of work and a ton of protocols that sits
(09:02):
behind that very simple type in a number return a word, but there's a lot done there.
And I think for anybody who runs a business, you're very familiar with this being scared
of a wire transfer because you know when you transfer an erroneous wire transfer, it's
very hard to get back.
So those little nuances that protocols have been put in place to protect you, the consumer
also makes your life easier.
Got it, so I think what you're saying is there's different standards, cybersecurity standards
(09:27):
that are out there, but I'm sure a lot of businesses are less familiar with those standards.
Sticking with the middle market theme here, what percentage of middle market businesses
have cybersecurity, would you call them systems or protocols or how would you describe that
and what percentage of mid market companies have an adequate landscape, so to speak?
(09:49):
Yeah, I would say it is two numbers.
That's an excellent point.
It's how many have cybersecurity protocols in place?
I'm gonna go on a limb and say probably 100.
Everyone has something for cybersecurity because whether your vendors required it, your employees
have activated it, or your technology team has done it, everyone has something.
How many are using it to the degree in which we expect and know is required for the space?
(10:12):
It's a scary number.
It's probably around 25%.
Think about the number you talked about earlier.
You said 50% of the businesses are compromised.
Of those 50, that means that there's 50 that aren't compromised.
That's not to say that those 50 are protected and they got through.
They're probably underprepared as well.
And in my opinion, there's probably another 25% there that is exposed.
And so when you think about it, it's a target market of 75% of business have an opportunity
(10:35):
to be exposed.
Think about that as a bad actor.
It's a great easy way to make some money in a nefarious way by attacking those folks who
aren't prepared.
So I'd say probably about 25% are where they need to be.
Wow, yeah, so if you are a bad actor, all you got to do is pick one company and 75%
chance you're getting in that one.
Pick two, the odds are with the bad actors.
I wish my Vegas odds were that good.
(10:56):
Building on that, what are some of the more common threats?
Because we all hear about, oh, there's this cybersecurity threat out there.
60% of businesses, small and medium sized businesses, $10.5 trillion annually impact
on the global economy.
Let's bring it home a little bit more though.
If I'm a mid market operating executive, I could be the CEO, CFO, head of IT, head of
(11:18):
supply chain.
What are some of the threats that are out there that are going to resonate with some
of these folks?
Bring it home for them a little bit.
Yeah.
So for me, cybersecurity, you can think of it as it's on a continuum, right?
So you can land anywhere in cybersecurity can be as much as you want.
Anybody who's a sports enthusiast or an outdoors enthusiast such as you and I, you know, there's
price points at all levels of outdoorness, right?
(11:41):
There's the REI price point, and then there's a crazy price point above that, and then there's
a Walmart price point below that.
Same type of thing applies to cybersecurity.
There's different levels.
What we really want folks to focus on is selecting the right level for your business.
The cybersecurity you need isn't the same that a bank needs.
So here's some areas to think about for a mid sized business that we're talking about
(12:03):
today.
My applications that run my business today, whether that's my ERP, whether that's QuickBooks,
whether that's my email, whatever that business system is that runs my business that I use
needs to be protected.
Number two, my collaboration tools.
Collaboration tools is a fancy way of saying email and chat.
Lots go through email and chat needs to be protected.
(12:24):
Number three, your clients' and your employees' data.
We all know all the time we hear about leaks every single week about the information getting
out there in those leaks.
Protecting that data should be high on your priority.
So number one, business applications, number two, collaboration and number three, data.
So how do you protect a business application?
(12:44):
Let's just start there.
I think you're describing for the listeners three really nice buckets to think about,
but how do you protect?
How do you prevent somebody from actually getting into one of your business applications?
Yeah.
So there's two types of business applications that are very common in the mid market.
Application number one is what's called a hosted application.
(13:05):
That's where I have a server in my back room that has that application on the server.
Type number two is a cloud based application.
That's the common applications we all know that are like software as a service that sit
in the cloud that I access.
So there's two different ways of protecting those systems.
The first system is what's called an on premises system.
(13:26):
It sits in my local server room.
It's near to me.
The way I protect that is I protect the servers and systems within my four walls.
So that's through firewalls, VPNs and lots of great other tools that are out there to
protect those.
And that's more of the traditional IT that folks have been protecting for years.
You protect those with very strong passwords, multifactor authentication and very good systems
(13:48):
that protect my four walls.
When I think about cloud based systems, we've all been there.
You go to a login page, I put in my email address, I put in my password.
Hopefully I have multifactor authentication or maybe I have a single sign on solution.
That is how I protect that data.
So the login of that data is the way I protect it.
Now we expect those providers to protect their data.
(14:11):
Because somewhere that data is still sitting on a bare metal server.
It's not truly in the cloud and floating around.
It exists somewhere.
So it's important to vet and ensure that those providers you're doing business with protect
your data much like you protect the data within your four walls.
So really for you, there's nothing you can do.
You're not going to be able to go and give them standards that they need to follow.
But you do need to do your due diligence to ensure those providers you're using are strong
(14:34):
providers in securing and protecting your data.
And I'm sure a lot of our listeners, many of them probably have on-prem, on-premise
servers with applications running.
I'm sure many of them, I'm sure almost all of them these days run some element of their
business in the cloud.
If they don't, they should call you.
You have to help them with that.
Not just to save money, but this probably improve a number of things for them.
(14:56):
So it's one thing to hear somebody like yourself say, hey, if you have an on-premise solution,
make sure that you have the right firewalls.
Make sure you have the right other pieces of equipment.
Make sure you have multi-factor authentication.
But it's an ever evolving landscape of new threats, of new bad actors, of new technologies.
(15:17):
And I feel like even companies who have a relatively well-established IT team or department
are constantly trying to catch up to the latest and greatest technologies.
And that's fine because you're protecting your business.
But what about companies without large teams?
I mean, how are they addressing this?
If I'm the CEO of a company and maybe it's my first day on the job and I do prioritize
(15:41):
cybersecurity and I walk into the business that I've just decided that I'm going to
spend the next number of years helping to lead and grow, how do I assess the current
state and how do I possibly keep up to these evolving changes in the threat landscape?
I think this is the challenge a lot of executives have.
And the thing we kind of jokingly say is you can't just walk through the airport because
(16:04):
we've all walked through the airport and we see the Barracuda sign or the kind of high
level of the folks who advertise because they know their captive audience.
They know there's a lot of business folks who travel and see those things.
And unfortunately, that's only a small piece of the puzzle.
And you're correct.
You have to rely on your team.
So there's some things that you can start to think about as you talk to your team
and work through your team.
Number one is having open and honest dialogue with your team to say, where are we?
(16:28):
I'm joining the organization.
Let's go ahead and let the past be the past.
Let's have a real conversation of where we sit, where we're at and what our journey is.
There's a phrase in IT that's called technical debt, those things that you haven't accomplished
or haven't completed.
And we use this phrase a lot by saying paying down technical debt or the inverse of that
improving my IT system.
(16:48):
So having those conversations and open dialogue to your team to say, where are those areas
of technical debt?
And what do I need to do to pay those down?
Now, it could be monetary, it could be hiring, it could be education.
Those are different things.
That's number one.
Another one is being prepared to spend.
Not gonna lie, cybersecurity comes at a cost.
It's not cheap.
There's a lot of tools out there that are really great for the mid market that are affordable,
(17:12):
but they still come at a cost.
If today your team is not doing it and tomorrow you start to do it, the transition is not
gonna be free.
It's gonna be some cost.
And to be completely honest, the cost is not only just a software, it's training your team,
bringing them along for the journey.
Because you have to train your internal team, that's your technology team, or maybe you
outsource it.
You also have to train your employees.
(17:34):
Cybersecurity is everyone at the company's responsibility.
I think that's important to note.
It's not just your team.
It's not just the executive that's coming in.
It's every single person.
So let's talk about cost.
Let's go back to that example I gave a minute or two ago about you're the new CEO or you're
the new...
Maybe you don't have to be the CEO, but you're an executive and you've stepped into an organization.
(17:56):
And cybersecurity is a business priority for you, maybe for the board of directors, the
shareholders.
How much should you be thinking about spending?
Do you have a benchmark number?
Because I'm sure if I was this executive, I could look at the P&L and say, hey, last
year we spent $10,000 or a million dollars, whatever the number is, on our cumulative
cybersecurity spend.
(18:18):
Do you think about it as like a percentage of revenue?
And is that a decent proxy for how much technical debt the business might have?
Or how should a mid-market executive think about this?
Yeah, I think that thinking about it as a percent of revenue is a smart way to do it.
And there's a couple factors that go into that.
Depending on the type of business you're in, it could affect it.
(18:39):
So if I'm a software business, my spend on cyber is going to be much higher than an industrial
business that has that type of data.
And so we do stratify that data by industry.
And I think it's important to think of it by industry.
But let's just take an example of a mid-market, easy example of a manufacturing organization.
We typically look for the total IT spend to be between 3% and 8% of total revenue.
(19:04):
Say that again.
3% and 8% of total revenue.
So the benchmark is for a mid-market industrial manufacturer, 3% to 8% of total revenue on
IT.
Now, that doesn't include just cyber.
Yeah, we don't have that subset out.
And I'll be honest, the reason we haven't been able to break that subset out is the
(19:24):
way folks organize their P&L today is we're lucky if the IT expense is mapped to a single
GL line for us to be able to do that analysis.
I think the industry has not really done a great job of capturing that cyber data.
One example is you can purchase cyber tools through Microsoft, but it comes in on a single
invoice.
So being able to tease that out and having the discipline to tease that information out,
(19:47):
we don't see a lot of times.
I'm sure there's a benchmark.
What you're saying is it's tougher to break out cybersecurity spend from overall IT spend.
But 3% to 8% in the manufacturing space is a good benchmark.
You have benchmarks for other macro industries too that you can share?
Business services, for example.
We see business services spend up to 15% on IT systems because the amount of data they're
(20:10):
trying to secure or what they're doing.
Now when I talk about these benchmarks of spend, that's to run your operations.
If you're a software company, you're going to spend even more because you're not only
saving and securing the information within your four walls.
You also have a product that you're protecting.
And that product you're protecting, you also have spend on that as well.
(20:32):
So those benchmarks can vary and that one is another conversation for another day.
But about 20% on sometimes we see people spending in this space to be able to get the right
tools.
Let's go back to my example.
You're the new executive.
You've walked in.
You pretty quickly realize maybe there's some technical debt in the business.
You can benchmark the legacy investment in IT.
(20:53):
Not a proxy for cyber, but nonetheless the legacy IT spend by looking at the P&L 3% to
8% if you're an industrial manufacturer as a good benchmark.
Where do you go from there?
Especially if you're a non-technical executive.
If I walk into a business, 3% to 8% is a great benchmark to have.
It's broad.
I'll admit it's a broad range, but at least I know that I need to be somewhere in that
(21:14):
range.
Let's say I walk in and I realize as a non-technical person, I can realize we're spending 2%.
So we're below the range or maybe we're spending 3%.
So we're at the bottom of the range.
But I just know intuitively that based on other businesses that I've been involved in, maybe
we've spent more elsewhere.
Where do I go from there?
Where do I start?
If I look at those numbers you can infer I'm probably underspending in cyber because I'm
(21:35):
underspending at the aggregate.
I think it's a fair point.
The first thing for me is engaging an external party to come in and have a second look at
the system.
There's multiple groups that will come in and there's things that are called penetration
tests where they do some very interesting deep dive work on your system to understand
where you're at.
There's cyber assessments, which is more of a desktop exercise asking questions.
(21:58):
I think a lot of times you have the proposal from your team, you understand where you are,
we discussed that earlier.
Then I go out to that outside group and ask them for that opinion of where I am.
I can then put that together.
Personally and folks ask me all the time for this, to create a roadmap for them to get
to good and help them get to good.
So if you feel that your team doesn't have it in them or doesn't have the ability or
(22:20):
needs to be upskilled to be able to get you there, rely on an external party to help get
you there because they can help educate or bridge that gap.
So the first thing is get an assessment.
Second thing is start making incremental impactful changes.
One of those impactful changes we all hear about turning on multifactor authentication
solves so many things within the organization and it's such a simple fix.
(22:41):
Why folks don't do it,
I don't understand, but I encourage our listeners, if you don't have that on your organization,
turn it on tomorrow.
It's the most important.
Let's go back to my example.
Yeah, I'm the new executive, title doesn't matter.
I'm a new executive in business and my perception is that we're underspent on cybersecurity.
(23:02):
It's a business priority for me personally.
Maybe I'm in the CEO role or another senior level role or maybe my board has been asking
us for more information about this topic and you've given us some good guidance about how
to benchmark our spend, which is great.
But we got to recognize that maybe I've been brought in to preserve and improve the profitability
(23:24):
of the business and if you're going to say, hey, you're only at 2% or 3% of revenue on
IT and maybe I've brought in some experts who come and say, we think you should be closer
to 6%.
How do I live with a 4% headwind on the bottom line?
That's a big, maybe the business makes 12, 15% EBITDA.
(23:48):
I'm going to go from a double digit EBITDA business to a single digit EBITDA business.
How should I think about that?
Yeah, and in the context of cybersecurity, right, I think it's protecting what you currently
have today less than increased productivity.
If we were having this conversation with the guise of an ERP and that incremental spend,
I could say I'm digitizing some processes, I'm doing some automation.
(24:12):
All those things are very easy to be able to map those dollars back and be able to show what
it looks like.
But if you think about cybersecurity as an insurance policy and less as a revenue stream
or an improvement of revenue, it's like me asking you what's the value of your homeowner's
insurance if you don't have a problem tomorrow, do you really need it?
Well, you know that having that problem tomorrow would be such a detrimental effect on your
(24:33):
business that the ability to recoup even a 6% net EBITDA loss, how about 100% EBITDA loss?
So what we tell folks is it's carrying an insurance policy is preparing for a rainy
day and I may also say it's important to be thoughtful in cybersecurity.
There's a lot of folks out there that will sell you the world and try to sell you everything.
Make sure you talk to a professional before you sign up for anything.
(24:56):
Make sure you have the right level.
Make sure your cybersecurity insurance isn't some crazy policy that you don't need.
Have those conversations with experts, protect your business in a thoughtful way, but get
that insurance in place.
That's a great way to think about it like a homeowners insurance policy.
So let's talk about different sizes of business.
How do cybersecurity strategies differ from a medium sized kind of mid-market business
(25:17):
to a large size business?
You know, it's interesting, we're having this conversation in 2024.
Had we had this conversation 10 years ago, it would be a very different answer.
I'm going to tell you the answer is the threat vectors and the bad actors are the same.
What's interesting is it's changed now that the attacks are the same.
The way you're attacked is the same.
The people going after you are the same.
(25:39):
It's the amount of effect.
So the biggest thing I think is the difference, and you mentioned this earlier, I think it's
an excellent point.
Large organizations are more prepared because they have more folks and they're focused on
it.
Large organizations have the ability to send eight people to a cyber conference and learn
about it and then go back and do it.
But the challenge for a large organization, it's a larger footprint.
So yes, you're more educated, we have more threat vectors, midsize organizations, smaller
(26:04):
footprint, smaller amount of threat vectors, less spend, but less to protect.
So you have a fighting chance to be successful based on your footprint.
And the last one is, and we're going to keep talking about it, it's the budget allocation.
Large organizations budget millions and millions, and I'm sure there's a statistic that talks
about how many billions of dollars go to it.
(26:26):
Midsize organizations tend to allocate less budget in this space.
And that's a large differentiation between the two is what you spend on is what you focus
on.
If we're thinking about, if I'm a company thinking about starting to spend on cybersecurity,
maybe for the first time, perhaps spend more on cybersecurity, if you've already been investing
in it.
(26:47):
What are the first steps you should take to protect yourself?
Yeah, the big one, multi-factor authentication.
Again, turn that on tomorrow.
Should we do a, we should probably do a whole episode one day on multi-factor?
We should have a whole conversation about that and tell folks the different options.
I would love to have that conversation because there's some really interesting things out
there.
Single sign-on.
For example, the organization you and I work with, I have one username, one password that
(27:10):
gets me in everywhere.
So I reduce those threats, those vectors, remembering where things are, reducing that
risk.
And I think that's a great conversation because we just found that journey over the last couple
of years, making sure we locked down every application.
Yeah, I remember that I got some nasty grams from you about my non-compliance.
Correct.
You're welcome.
And yes, now I do it every time.
Yes.
Begrudgingly.
(27:30):
Feels great.
You know, and that's one of the first steps we took.
I'm told it makes us safer.
Yeah.
From threat vectors.
It's one of the first steps we took.
It's one of the last steps you took.
So it worked out really well.
There you go.
That's why they call me the closer.
That's one of the first steps is get that multifactor on.
Number two, and this is an interesting one.
You may say, James, this isn't really cybersecurity, but I'll tell you what's out there.
It's important.
(27:51):
Understanding the applications your users use.
I'm going to say that again.
Understanding the applications your users use.
Where are those shadow IT applications?
Honest conversations around knowing what applications your users use.
Do you know how I find what applications my users use?
Investments reports and looking at expenses.
I can find out what people have because I go to their accounting team.
(28:13):
I say, what have we spent money on software wise this year?
And then I reach out to those angels because I know who submitted the expense and I ask
them what are you using it for?
Why are you using it?
And we begin to vet it.
It's the easiest way for a midsize business to control this is looking at spend.
Yeah.
I've got a smirk on my face that the listeners can't see, obviously.
And that may or may not have something to do with the fact that I have personally been
(28:38):
emailed by you about the software that I've signed up for and expensed.
You used a really good word, good phrase that I've come to like called shadow IT.
And I don't think we've covered that yet.
So maybe just unpack that for us very quickly.
What is shadow IT?
Shadow IT is we all know those main systems that we use, right?
(28:59):
So we're a ERP and our ERP is this and we all know that shadow IT is and it's quite
different now because you can go click to own a piece of software or at least rent a
piece of software, right?
It's when I as a user say I'm going to go get this piece of software because it serves
my needs.
And it's not part of the organization.
But I'm just going to go get it to get my done.
So what happens a lot of times, we see it, so like Grammarly, Grammarly, Adobe Premiere.
(29:25):
Yeah, countless others.
Grammarly is one of the ones that gets me man because knowing where that data is stored
and you know if you ever want to have a fun time for our listeners and you're stuck on
a flight and you just want to entertain yourself, go read some T's and C's of some of the software
your teams use and understand where your data is going.
Not to be an alarmist or anything like that, but just read where your data is going and
(29:47):
understand it.
So those are great examples of tools that folks can go and buy on their own.
And we see with AI tools every week I approve all the IT expenses for our organization.
And I've counted so far this year six different AI tools people have submitted expenses on
that we've had to have a conversation because people are looking for tools to do better
at their job.
I want to be clear here.
(30:08):
I don't think folks are maliciously signing up for software to have an issue.
They're trying to be better at their organization.
They're taking ownership of selecting that software.
It's just making sure they do it within the right confines.
I want to be mindful of time here.
We've we've been talking for a little bit on this on this topic.
So let's go back to the reason why we sat down to talk today.
(30:28):
Why cybersecurity should be your business's top priority.
And let me tell you a couple of things that I've heard and you want to add a couple closing
comments.
First and foremost, ten point five trillion dollar impact annually across the world.
Sixty percent of breaches, small and medium sized companies, more likely than not, you
(30:50):
are being targeted and whether you're the business owner, maybe the entrepreneur or
the operating executive or a private equity investor, you're worried about this.
And if you haven't been worried about this, I think the key message that you're trying
to impart to the audience is you should be worried about this.
What do we mean when we think about when we talk about cybersecurity?
(31:10):
We're thinking about every digital asset that your business has.
What's the potential impact on your business?
Every part of your business, every corner of your business could be impacted by this
from production to scheduling to your supply chain to payroll to invoicing and how you
get paid and how you pay vendors.
You know, it has enterprise wide impact.
It's probably going to sneak up on you when you least expect it and when you least want
(31:33):
it to happen to you.
But there are things that you can do about it, right?
No company is perfect, but you can put some industry protocols in place and how you get
there.
If you don't have a large team is most likely going to involve bringing in some outside
experts, whether those be, you know, cyber penetration testing companies or an IT consulting
(31:55):
firm.
You need to be thinking about this pretty seriously in 2024 because the threats are
real.
It's likely that if you're a smaller medium sized business that you're you're just probably
more exposed than if you're a big company.
And don't let the fact that you don't have a lot of resources get in your way.
Find out how much you're spending.
Use that as a starting point.
Hire some experts to come in who can help you think strategically and tactically about
(32:19):
what to do about this so you can sleep well.
Yeah, definitely.
Great summary, by the way.
I try that.
That's that's why they that's why they asked me to be on this podcast.
Sure.
Like I said, the closer.
Well, speaking of closing for today, on our two bits trivia, I have two pieces of trivia
if you're ready.
We're doing two bits.
We call it two bits of trivia.
Two bits.
(32:39):
Two questions.
Is there pun intended there?
No, I'm not trying to be punny here, Mike.
Okay.
All right.
So two bits of trivia to round out the show today.
Let's let's give you this one.
So first one, a little bit of a T-ball.
By the way, I'm not good at trivia, so I'm going to probably get both these wrong.
Mike, I'm serving you a T-ball.
I hope you I hope you've been paying attention to your cyber training of all the threats
(32:59):
and threat vectors a business has.
What's the number one threat vector of a business?
People.
Oh, very close.
And people use what to be able to talk to each other?
Email. Email.
Number one threat vector's email.
Got to have people to have email.
You got to have people have emails.
Don't send themselves.
See, the thing is, you're so macro.
I took your micro.
I'm more strategic.
Yeah.
(33:20):
Yeah, that's right.
Bit number two.
Likelihood of this one.
Quite low.
In what year did the first ransom event occur?
Or it's the same which year, excuse me.
What year did the first ransomware event occur?
1997.
Oh, pretty close.
1989. Fun fact: it was distributed on a floppy disk to folks.
(33:46):
So if anybody saw the recent sensational article of San Francisco, the trolleys still run on
floppy disks.
So if you have a time capsule, head on back to 1989 and lock those guys out on those on
floppy disk.
Correct.
That was the that was the big cyber article this week about they still run on floppy disk.
So I hope you enjoyed two bits trivia there.
I did.
That was good.
We're keeping a score.
I'm zero for zero.
(34:06):
You're zero for zero for zero.
Correct.
There's two questions in there.
Thanks for tuning into this episode of Growing EBITDA.
If you like this episode, hit subscribe or follow us on LinkedIn for updates.
Got a topic you'd like us to cover?
Drop us a message.
We'd love to hear from you.