An interview with our Director of Engineering and Security, Elias Stucky, discussing small and medium-sized businesses’ cybersecurity challenges with Lumu.
Julian Brown | August 12, 2021
As Director of Engineering and Security at Upward Technologies, Elias Stucky works to solve small and medium-sized businesses’ technology problems. We spoke to him about some common SMB cybersecurity challenges.
Tell us a bit about your customers and the kinds of services you provide to them.
Upward Technology is what’s traditionally known as a managed service provider—an MSP. We are essentially the end-to-end, bolt-on IT department that does all the functions that a traditional department at a larger business would fulfill: from purchasing hardware and software, help desk support, vendor interaction, technology projects, technology road mapping, risk assessment to being a personal CIO/CTO. We focus on small and medium-sized businesses (SMBs) that don’t have the workload or budget to staff four or five full-time IT service engineers. Many businesses find that there’s great value in outsourcing, considering the wide range of skills they gain access to.
Upward strives towards creating long-lasting partnerships. Our contracts tend to be open-ended and relatively easy to exit. We believe there’s no reason to hold a customer in a long contract if the relationship is not working for either party. We’re not interested in always hawking the newest thing and bleeding our customers dry. We seek to create a healthier relationship with customers that want to form a partnership and use technology to get somewhere, rather than support outdated technology.
The bulk of our clients provide professional services, and some others are in manufacturing. Our clients tend to be SMBs based in the Portland, Oregon area, but the common denominator is their leadership mindset: they see technology as a tool for moving forward and are willing to invest in it.
Changing Cybersecurity Attitudes
Have you seen more interest in cybersecurity from industries that were historically a bit more unconcerned?
Compliance-driven industries have had to update their cybersecurity since their compliance requirements are starting to get serious. Generally, people are realizing that breaches can happen to anybody, but we still run into businesses that have a mentality of thinking that cyber criminals aren’t interested in them. We try to educate those customers without spreading fear, uncertainty, or doubt. Rather, we point out that investing in cybersecurity makes business sense when you look at the losses that can be avoided.
SMB Cybersecurity Status Quo
Are your customers generally completely new to cybersecurity, or are there some cases where they need help to modernize their programs?
When it comes to cybersecurity, we often have to start from scratch. We start by assessing the client’s entire technology stack beyond cybersecurity and then based on industry best practices and standards we create a roadmap. Regarding cybersecurity in particular, the process is similar, but there are many more steps that fall into the “really need to do” and “need to do” categories.
In all cases, we have a conversation with the customer about the when, how, and why of each cybersecurity investment and ensure that the investment makes sense from a business point of view. Aligning technology and cybersecurity roadmaps with the business strategy is a key for success. If you’re not in alignment you may resolve the issue now, but in the long term it will not help the business.
Are cybersecurity vendors overly focused on larger enterprises?
Price is definitely an issue for SMBs because their budgets are smaller. Their ability to invest in multiple tools is restricted. Also, many vendors initially cater to enterprises with large teams, and then the technology ‘trickles down’ to SMBs. Because of that, there tends to be a lot of ‘operational overhead’ that smaller businesses don’t have the skills or headcount to fulfill.
From an MSP standpoint, the issue is how vendors structure their management and pricing. As a technician, I have to be able to monitor multiple clients, and it makes a big difference to be able to do that from one place. Portal fatigue is real.
What role does network visibility play in reassuring your clients?
For us, it is very helpful. As we all understand, everything flows over the network. Especially as everything is more SAAS-driven these days, fewer issues are related to the device itself, and more are related to how information is flowing over the network. Tech-savvy clients appreciate it when they can see a topology map, the network’s performance, and how we can improve and optimize things.
What do you like about how Lumu lets you manage alerts?
I appreciate that Lumu is very focused. Some tools try and fail to do everything. The main idea of “this device tried to go here, this place is known to be malicious, go look into that” is great. In a lot of other cases, you have to get the crazy, full suite of features to get that level of detail. I think how simple and straightforward it is, makes it easy to adopt, especially for an MSP with many moving parts.
SMB Cybersecurity Roadblocks
Are SMBs discouraged when they see multinationals falling victim to cybercrime?
The biggest problem isn’t that SMBs feel like they can’t operate cybersecurity proficiently, it’s that they don’t know how to start. Every single antivirus is marketing itself as an XDR now. Every single technology says that they use AI and machine learning. So, business leaders tend to have no clue where to start—often relying on word of mouth to inform a starting point, rather than taking a strategic approach. There are some really simple things that you can start with that can make a big difference to your security posture.
People underestimate how easy it is to use social engineering, brute force, or simply guess a password to get access to someone’s computer.
Where to Start
If the management of an SMB suddenly realizes that they need to start taking cybersecurity seriously, what would your recommendation be to them?
When the question is that you don’t know where to start, the answer is always “You have to start somewhere.” The biggest mistake is to answer with “I don’t know, therefore I will do nothing.”
Perhaps a product like Lumu is a great place to start because it’s low-overhead and you can start seeing some information. You can see which employees are clicking on malicious links. When the fear is that you are already hacked, visibility is the first thing you want to achieve. Otherwise, it’s like you’re running around in a dark room. You might as well turn on the flashlight.
Understanding your exposure is also important. A simple risk assessment can be really helpful in providing some direction on where to start.
Most importantly, start somewhere.
Link to original article. Reposted with permission from Lumu.