Phin Security

We’re All at Risk of Breach, So What Should We Do?

In the podcast "Gone Phishing," Connor Swalm, CEO of Phin Security, explains that everyone, including small businesses, is vulnerable to cybersecurity breaches not only through direct attacks but also via third-party or supply chain risks, debunking the myth that only large or high-profile targets are at risk and emphasizing the importance of recognizing human vulnerabilities and the widespread nature of cybercrime.

Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security.

Understanding Breaches

A breach can be categorized as unwanted theft of information, access, or money. However, it's not just theft—unwanted access to information, money, or authorization also counts. Often, a breach isn't someone actively stealing from your business, but someone gaining access with the intention to eventually steal money, information, or access. Things like information, access, and money are valuable, and attackers seek to obtain more of them.

The "I'm Not a Target" Myth

Many small business owners, and people in general, believe they blend in and are not at risk. There's a sentiment of, "I'm not a target, I'm not at risk. Someone else is going to be at risk." A quote often repeated is: "You're not too small to get hacked. You're just too small to make the news."

Just because you haven't seen companies like yours in the news doesn't mean breaches aren't happening. The FBI reports that cybercrime, especially for small to medium-sized businesses in the US, is skyrocketing. Many people feel safe because they don't stand out or believe they're too small, but that's not the case.

You might be too small to be individually targeted, but that doesn't mean you won't get swept up in a larger breach. For example, if a well-known password manager is hacked, and you use that tool, your information could be compromised. This is called third-party risk or supply chain risk. Your business may not be the target, but a tool you use could be, and that can put you at risk.

Even if you believe you're not going to be targeted, you probably use large enough tools that are attractive targets for attackers—Google, Microsoft, Cloudflare, etc. Large breaches at these companies can affect you even if your business wasn't the direct target.

The Cascading Effect of Breaches

If you reuse passwords across services, a breach at one (like DoorDash) could compromise your credentials elsewhere. This creates a cascading effect: you might not be large enough to be targeted, but you are still at risk.

It's important to recognize that your risk exposure is not just your business systems, but also the tools you use for email, scheduling, and more.

What Should You Do to Prevent a Breach?

Drawing from presentations given to small business development centers, the advice can be summed up as: Be the second slowest person that the bear is chasing. In cybersecurity, you don't have to be the fastest, just not the easiest target.

For small to medium-sized businesses, breaches are usually crimes of circumstance and ease, not intention. If it's easier to hack you than the next person, you'll be the one targeted.

Large organizations are targeted for their vast amounts of data and access. When a tool with millions of users is breached, the value is in the scale, not in any individual account.

Basic Security Principles

  • Identify phishing attempts.
  • Implement multi-factor authentication (MFA).
  • Understand that the IRS will never call you.

A lot of cybercrime relies on creating emotional responses—panic, anxiety—to get people to act without thinking. For example, if someone calls claiming to be the IRS and threatens you, the goal is to get you to panic and comply.

Advice for Handling Suspicious Contacts

  • Never give out your password. Anyone asking for your password is not legitimate.
  • If you receive a suspicious call, text, or email:
    • Go to the official website of your bank or service provider.
    • Use official contact information to verify the claim.
    • Log into your account through the official portal and check for messages or alerts.
    • If someone on the phone tells you not to do this, hang up and do it anyway.

Most security breaches involving humans are about manipulating emotions to get access or information. Always take a moment to breathe and verify through official channels.

Key Takeaways

  1. 1.Just because you're not big enough to make the news doesn't mean you can't be breached.
  2. 2.Most breaches involving humans rely on creating panic or anxiety.
  3. 3.Never give out your password.
  4. 4.Always verify suspicious requests through official channels.

If you have comments, questions, or feedback, you can reach out to Connor Swalm on LinkedIn. Thanks for tuning in to Gone Phishing.