Video: SMEs and Cybersecurity: Time to Think Smarter, Act Faster | Duration: 1656s | Summary: SMEs and Cybersecurity: Time to Think Smarter, Act Faster | Chapters: Introduction and Background (1.8399999s), Cybersecurity Compliance Challenges (164.275s), Compliance and Improvement (376.93s), SME Security Concerns (611.28503s), Translating Technology Solutions (917.21s), Proactive Network Protection (1173.67s), Challenging Customer Relationships (1266.8049s), Challenging Cybersecurity Norms (1420.565s), Conclusion and Accessibility (1483.8501s)
Transcript for "SMEs and Cybersecurity: Time to Think Smarter, Act Faster": Hello. David Silk is my name. I'm the managing director of Centripetal here in Europe, and I'm joined by Donal Murphy from Intuity. And we're gonna try and have an open conversation around, I think a really meaty and interesting subject, which is some of the challenges that Irish SME companies face when it comes to cybersecurity and and some of those concerns. But, Donal, maybe to kick us off, just a little bit about yourself and, how long you've been with Intuity and, introduce yourself. Yeah. Thanks for having us, David. It's it's it's a real pleasure to have a conversation that that we kinda have every day with our customers. I've been working with Intuity now for twenty one years Wow. And have seen a lot in terms of what SMEs need and what they expect and how to protect their business. Or we talk about our mission in Intuity is just we do our thing on the technology side so that the business can get on with whatever it is their thing is and and grow on their business, thrive and then protecting in in a what can be quite a challenging environment. Yeah. It's interesting. I think a lot of you hear about cybersecurity and PwC just came out with a report, I think, last week or a couple of weeks ago, but it was very enterprise focused. It talked about the 53 concern on AI causing this massive cyber attack. But if you look at the Irish SME marketplace, between three and four hundred thousand SME companies, either one to nine employees or anything up to 250 employees. And I think if I'm right around 40% of the Irish business in terms of revenue is created by the SME sector. Huge part of the business. Which is massive. Right? And and you deal with that every single day of the week. Yeah. 
It's something that we we see everything from the the the the innovative start up that's coming out of a place like Platform 94 right the way through to the larger, almost enterprise level SMEs, so the bigger SMEs that are operating. And in in a lot of ways, they're very different, and in a lot of ways, their challenges are are very similar. And it's something that's from a from a cybersecurity perspective. Like, we see, something like the National Cybersecurity Center, for example, they release a report every year, but they talk about the the nature of the the threats and things that are affecting the Irish business. And something like 54, 55 percent of Irish SMEs have been impacted by cyber in some way or another. And that might have been you, yourself, your own business, or something that's adjacent to you in the supply chain. Yeah. What do you think? So, like, if I am an SME and I'm sitting here and I'm reading all this stuff. Right? But what what are the things that really concern me? What are the things that again, you have a conversation with every single one of your customers every day. What are the things that they're saying to you that that resonates? Yeah. Usually, it's operational stuff. It's how do we how do we keep going? Uptime is massively important, making sure that the systems are available, that the data is available. But from a cyber perspective, it's often, where do I start? Like, how look at the frameworks. Some some organizations are under the umbrella of a framework. That might be something like DORA from a financial services point of view, might be NIS2, which is covering a lot of critical infrastructure and sectors there. Or it might be just that you're a small business supplying into those sectors, so you're now covered and expected to behave and perform and demonstrate that you're doing things to a certain level. And often the question is, like, how how do I even get started with this? 
Like, how do I navigate through all of this regulation and and best practice? And even sometimes it's not that I'm regulated per se, but I want to show you know, our business wants to show that we use cybersecurity as a differentiator for ourselves. Like, we want to use that to set ourselves apart so that when we're providing a service to our customers, they can know that they can trust that we're doing things to a really high standard. So it's it's it's for often for different reasons, but a lot of the time, it's, Jesus, where do I start? If if I'm, like a relatively small company here and providing some widget for a bigger vendor who's part of my like, why why is the supply chain piece so important that again, I'm a I'm a tiny little company or a relatively small company and how extensively do I need to be concerned about the whole supply chain? It it used to be that you kinda have to care just for your own self and be selfish and look, if I look after my own house, then everything will be fine. But now if I'm take to take that example, if I'm a small engineering firm, for example, providing, a piece of kit or a tool that's going into the sector that's covered by NIS2, by extension I I am covered by NIS2 as well or or at least have to demonstrate that I'm at a level that they can select me as a provider or continue to use me as a provider at that's at a certain standard. So you have to, you know, adhere to certain controls and provide evidence that you're doing these things in order to to get to to stay in that market or to get selected as a provider in that market. 
So it's really, like, it's really fundamental to the success of a business now that you have to up the game effectively from a cybersecurity point of view, from an operational technology point of view, but also as we said doing it but then demonstrating that you're doing it as well so that you can show from a compliance perspective that that's you're giving that to your customer so that they can show it for their compliance. So you're kind of falling down that chain, and your first port of call is probably to ask the question, am I under that spyglass? Am I under that magnifying glass for making sure that I've got all my stuff in order so that I can keep and continue to supply that service? Yeah. I think almost that individuals and companies, they look at compliance and regulation whether it's, you know, you mentioned NIS2 and DORA and the the AI Act and the Cybersecurity Act, and there's lots of different things. And I wonder is there a tricky balance between, do I just need to adhere to all of these things, or can I actually use them to implement frameworks so that I have a better understanding? And and maybe those are a couple of the small steps that you can take even to get yourself prepared. Yeah. That's that's a great way of looking at it. Like, we would often talk about aligning yourself to a standard. So even if you're not even if you're not, compelled by legislation or whatever to to adhere to something, like like, we have ISO 27001. That's an international best practice standard for managing and securing data. And we wouldn't and I certainly wouldn't advise everybody to go down that route, but we we would align to that. So you don't necessarily have to go to the nth degree and get certified and all the like, it's a big culture change, it's a big expense, but you can certainly align with with that. 
So if you're not covered or forced to apply a framework, we believe that you should and we would all we would often suggest, like, the people process technology idea, start really small with something like that or adopt NIST, which is really good, or NIS2 or, you you know, there's there's any amount of them. We can we can name plenty of them, but it's just a fine one. But definitely, if you're not compelled to or or have a compliance need, you should be looking at it from a best practice anyway to to secure your business and secure your organization. Well, one of the steps we even Centripetal took as a company and we're, you know, a vendor within cybersecurity was to bring in house a compliance officer. Yeah. And we felt that that was a really important step. So when we work with Intuity, we work with some of our customers, oftentimes, we get asked questions on, you know, compliance on this or we've this framework and we're financial, so it's DORA. And I'll be honest. Like, I I don't have the breadth of expertise, but we'd like to have an open door policy to be able to at least have the conversation with anybody who's struggling with some of those questions because it is a big question. Yeah. It's huge. I think the the starting point there and a lot of our customers would have compliance officers that have risk officers, and they're experts in that field. And and we're not always on but we've you know, over the years, through our own ISO journey, we would have learned a lot a lot, and a lot of the practices are based on the same fundamentals. So I think if you give yourself, and we use the term sometimes, if you sheep dip yourself in some of the some of the frameworks, it it really helps you to apply the next one and the next one because they're all fundamentally the same. They're all about building resilience and building in frameworks that you can actually measure because that's the other thing. 
If if, like, we talk about, say, for example, you're a you're a customer or your company that's looking to take on a new service, it's really important that you you apply a lot of rigor to who you're providing or who you're selecting. But it's not only enough to kinda select that vendor or that partner, you have to then continually measure. So if we're taking on a new contract for a year or three years, we should be looking at that every quarter and seeing, well, how good is the service? Is it measuring up to what we were promised? Are we getting the return for our organization that we'd like? Are we seeing like, we believe heavily in a continual improvement mindset? Are we are we challenging each other Yeah. To say, well, look. We could do this better. You could do that better. But together, if we did that over a period of years, you're seeing that continual improvement over time. And when you look back over after twelve months or after three years or in some cases, customers we have over thirty, nearly forty years, how the service and the relationship and the partnership has changed and evolved over time, that's really and that's a culture thing more than a compliance thing, but it's where the compliance kind of feeds the culture in a really positive way. So we would say embrace the regulations, embrace the framework, take it on as a continual improvement thing, and try to build that partnership and that challenge with your with your vendors, your partners, your customers on on all sides of the supply chain. That that's how you get an improvement and when it comes to cybersecurity, small improvements matter, small details matter, and getting those tiny little things right really really help reduce the risk from from an overall perspective. Yeah. And maybe on the and I I you know, it's it's you love these little stories. Like, every every marathon starts with that first step. 
Like, if you don't take the first step, you're never gonna get to the finish line even though the finish line could be daunting to say the least. Outside of the compliance framework and, again, SMEs are they're worried about cybersecurity. They're worried about security security. They're worried about data. The protection of the data is probably their greatest asset. Talk a little bit about just the some of the fears that you see from SMEs when it comes to either data security or overall cybersecurity that they're they're dealing with. Yeah. I think the the fear goes back to, and this is a challenge that and we talk about a compassionate challenge or a partner challenge, like, we would we would challenge companies like Centripetal who who are providing a phenomenal piece of technology and a service. Sometimes the sector and the industry can be led by fear. You know, the messaging can be a little bit fear, uncertainty, and doubt on this kind of thing. So we always try to encourage people to have that feeling of empowerment, that you actually can take this on, you can embrace the change, and you can do little small steps to make it better. So we would often say start where you are. You know, don't try to boil the ocean and try to do everything all at once. But if you start where you are and have, that old mindset of continued improvement and actually build it into a process, It's not just a talking shop. It's about are we actually making this better? So I think the fear comes down to where to start, knowing what to do, and that the first step that you can probably take is to look at whatever framework it might be, whether it's something you pick yourself or whether it's something you're regulated to do Yeah. And do a gap analysis and just do, like, a really simple assessment of where you are. So and then that's where you start. So it's not about necessarily you you definitely need to know the vision. You need to know where you wanna get to. 
But you're not necessarily gonna get there straight away. So you have to build up that program, that framework, help you do that. Frameworks are like a scaffolding to get you to the top floor. Yeah. It's gonna help you layer these things on as you go. And one of one of the the areas that we would find, back to the people process technology example, like, something so so simple from a people perspective would be to train your people in a in a cyber awareness culture so that you're showing them and keeping them abreast of all of the latest threats that are out there. From a process point of view, then you might take on something again, it's anybody that's talked to the team in Intuity Technologies will be sick of hearing JML, joiner, mover, leaver. That's a process that we do an awful lot of our service by because if you have a new person coming into your organization, so they're a new joiner, you give them the access to the data. So we're talking about what why am I concerned about data access? You only give them access to what they need. You give them access to systems and the data and the services that they need. And then if they move through your organization or eventually leave, you manage and curtail that access in a really timely manner. So that's your people aspect, your process aspect. And then from a technology point of view, and and back to the whole challenge and partner piece, we we spend a lot of time and a lot of energy and a lot of expertise looking at the partners we bring in. And this conversation probably started two years in the making now, and it's something that we're we're really, secure in our thinking now that we can say this is a technology that is very different from a Centripetal point of view. It's but it's also backed by people. So that's where like, we talk about people process technology all the time, and when we first have that conversation, we could see that there was yes. There was a cutting edge technology. 
There was a bit of really clever thinking around the intelligence and how that was being gathered. There was use of AI in a way that isn't buzzwordy, if that's if that's even a word, but it was actually backed by a a people and a reciprocity of the challenge if that's it. Yeah. I got it. You talked the I think that when we first spoke with Intuity, which is two years ago, and you know that Centripetal, what we do is provide a a managed service for cybersecurity. And we can do that for enterprise, but we can also do it for SME depending on various different challenges that people face. But I just wanna go back because I think you the the summarizing of you talked about frameworks in terms of how SMBs need to align themselves potentially with NIS2, DORA type frameworks. But you also clearly articulate from an Intuity point of view, the people process technology slash innovation, and that's a framework that you use as well. You might have gap analysis in as part of that, but every single conversation I've had with Intuity Technologies, those three things come out. The people, the process, the technology. And I don't want to go back all over them, but I do think that's such a fundamental framework to be able to talk to every single one of your customers, and it's it's obviously something that you do all the time. Yeah. So I I use it a lot. I I leave a a trail of the the intersecting circle Venn diagrams behind me, but it's a cheat code for having a conversation about technology. And that can be an an innovation. So somebody wants to add a piece of technology to take advantage of a market opportunity, people process technology works for that because you have to be able to kind of put a bit of a strategy around it rather than just saying, let's go invest heavily in this tech and and leave it to chance. If you use a framework, as I say, it it is like scaffolding and a security to make sure that you do it in a really measured way. 
From a process point of view, that keeps you honest and keeps you looking at the quality and making sure that you're actually making those improvements. But you can apply it to, as I say, an innovation you wanna take advantage of or something to secure for so from a from a cybersecurity point of view, we go back to it time and time again because our job and and the conversations that I have are with experts in whatever field the customer is in. So it might be they're in finance, they're in manufacturing, they're they're making breads, whatever it might be. They're experts in that. They're not necessarily experts in technology, and that's where we can help them. So my job is often translating what I know to be their business strategy because we've looked under the bonnet. We know where they wanna get to. We know the limitations maybe that they have because we've done that. We've a bit of a gap analysis, and we know how to get them there. So it's it's about again, it's back to buzzword bingo, but it's empowering them to to be able to take that bit of steer, a bit of guidance and apply it so that it'll actually help them grow their business or protect it from a from a cyber perspective. But that partnership, like, it's it's it's critical. Like, again, if I'm company x making bread as you said, I'm not worried. I want you to worry about the technology piece, the IT piece because I have enough things that I'm I'm trying to and I want you to enable me. Was there a piece on the technology or the people process side when you first kinda looked at Centripetal and you said, you know, you're a managed service provider, Intuity. You were doing some sorry. Managed service provider. You were looking to add security as an element to that. Why Centripetal or was there something there that you there was a gap? There was something different? Yeah. I'm just I'm interested in that. I'm remembering back to some of the earlier conversations, and I didn't get it at the start. 
It took me a couple of a couple of goes. There was I can picture a couple of conversations that I had with some of the team. And when I when I eventually got it, it was like, ah, that's what it is. So the way and that's probably me being too honest. But the way that we are able to differentiate it is it's a different way of doing things. So Yeah. Everybody's probably familiar with we talk a lot about a multilayered approach to security. So the old way was you had some antivirus, and the new way now used to be multiple layers to make sure you're protecting against the multiple types of threats. So we would have, looked at things like your firewall, your antivirus, your endpoint protection. Now it's into more advanced things like EDR and MDR and all these acronyms that people don't care about. Like, nobody asks me for, can I have an EDR? That's not the type of conversation people have in the real world. They're talking about how do we protect their business. So when we've seen this Centripetal technology, we were able to understand that, say, for example, your antivirus takes a couple of threat feeds, your firewall takes a couple of threat feeds, and your EDR solution takes a couple of threat feeds. This is the bit that I didn't get at the start. Centripetal has taken hundreds of feeds from everywhere. It's using the smarts and the AI and the and the technical people knowledge to disseminate that in, to block it from from even coming into the network in the first place. And when that landed, so when that clicked for me, I was like, okay. This is this is different now. This is a game changer. But I I genuinely find that difficult to have and explain it and translate it into the words that I'm used to using, which is plain English. We talk about Fisher Price English in the office. 
It's really important that we distill this stuff down so that it's understandable by that finance expert or by that engineering expert, whatever they're doing, because it's our job to allow them. And that's back to the empowerment piece again. How do you make a decision on something you don't understand? Yeah. And that's the that's how that has been challenged, and that's something that I look forward to, like, digging in with real curiosity to find out what is what is the nugget here? What is the thing that makes this different? So let me throw that one back to you. Yeah. Yeah. It's a question we get asked a lot. I mean, so Centripetal has been around for fifteen years. And for a lot of the early part of of the company, it was really around how do you look at intelligence and use intelligence to do one really important thing, which is to proactively protect a network. We arrived here three years ago into Galway with a with a single focus which is for any customer of any size, can we look at the threats that are happening in real time in the world today and use that information to proactively protect your network, be part of the overall stack. And I think the one thing that we give, is peace of mind. It's our job to protect you as a customer. It's our job whether you're the CSO or the IT manager to make sure that you're fully protected, and we're gonna give you a really valuable gift which is time. And we're very fortunate that we've got some great people sitting here in in Galway, in addition to the US, that spend their lives proactively protecting, companies not just here in Ireland but all all over the world. And we're very fortunate to be in that position. I've worked in a lot of different companies, and you don't always feel that you're providing something that has a real meaning. And I genuinely believe that. 
And I think that even when we had discussions with Intuity, we felt that you felt the same, which was, can we actually do something that's gonna help people? Can we make a difference in their lives? And by protecting them, we definitely can. One of the things I'd I'd really like to ask you about is, you know, is you use the word challenge a lot, and I know within the ethos of Intuity, that is really part of your your philosophy, but just give me a minute on that. What does what does it mean? Like, it's easy to use the word, oh, yeah. We like to challenge people, but what does it mean? I wouldn't go so far as to say there's there's a lot of old sporting analogies like if there isn't blood on the dressing room floor, there's not enough care. You know? It wouldn't go that far. But we we start a conversation. So give you an example. We have a a customer that has recently joined us, competitive tender. We went through all the process, but we we had a meeting as part of that process. And one of the first things we'll say to a new customer or any partner that we're gonna work with is if you're looking for a a provider to provide you a service and just sit quietly in the corner, that's not us. We're we're we're not good at staying quiet. So if you're looking for somebody to come in and really understand your business and look under the bonnet and then challenge you on your technology, whether that's from a protection point of view. So we as a practical example, we create a risk register. We share that with the business on a quarterly basis, make sure that we're if there's anything that we feel that needs to be addressed, we're we're we're putting that out in front of the business. We're giving them an idea that this needs to be addressed in six months' time or in a year or whatever it might be. 
But we're having a conversation in on a regular basis to make sure that that challenge is there, and that's a two way sometimes three way conversation if there's a if there's another vendor involved. This is generally a two way conversation where we're saying, here's the service as it looked for the last quarter. Is there anything you'd like to challenge us on? Is there any way we can make it better for you because you're the one that's feeling it and receiving it and and taking it? Or is there anything that we feel in order to for you to get more out of us out of Intuity, that we can we can ask you to do better? And it you have to earn the right to have that conversation. I I think you show that you're interested in having a long, long term. So we have customers, as I mentioned, that are near with with the company nearly forty years. You don't get that by not caring and not challenging. You have to be able to challenge each other and grow in that. Like, that to me is it makes it so easy. It makes the conversation if you're able to be open and honest and challenging with each other, the trust is just built up and it's just there over time. So it's, I think it takes a while to get that. You don't walk into that first game like, you know, it takes You have to earn it. You have to earn that because otherwise what right have you to even ask the question? Just a throwaway comment a little bit. Yeah. You do have to be very careful. Like, I I would be I have to tee it up a little bit before I would I would come out and say, look. We're gonna come in. We're not just gonna come in guns a blazing because we're right and you're wrong. That's not the vibe. Like, it can't be that approach. Yeah. It has to be genuine and natural and with a with that improvement in mind for for both parties. It appealed to Centripetal, the challenge piece. Yeah. We firmly believe in challenging. 
We believe that the the current status quo, for example, on cybersecurity, if I look at every single breach that's happened Yeah. I can guarantee you in nearly every instance there's a firewall in place, there's security in place. And the approach we're trying to take is that we firmly believe that the answer to a lot of the challenges is the intelligence. In 99% of breaches, intelligence is there that will show you that that breach is about to happen or has happened. And we're unique and have been able to use that proactively. And having that challenger mindset, I think, is really, really important. To kinda wrap it up and and and bring it back, is is there anything you think we've forgotten? Is there anything you think if an SME is listening or watching today that there are key takeaways or the key things that they need to do today to to be proactive, specifically when it comes to cybersecurity? Yeah. I think something that jumps to mind is we talk about making these things accessible to business, and budget can often be a a challenge. So what we sometimes, we sometimes see this, it's it's a funny kind of reaction. So if we talk about AI led intelligence enterprise grade technology, an SME sometimes just switches off to, alright. That's not for me. It's not in my bracket. It's not in my my sport. And that that would have been the case, like, three, four, five years ago. If we were talking about the type of technology that's Intuity will do, we were definitely looking at something that was inaccessible to most SMEs. So that's where I think the game has changed a wee bit Yeah. In in relation to that. And it you know, there's a lot of talk about this, but it's genuinely accessible. And if you break it down into, you know, a tiered structure as well, there's lots of different ways that you can access this. So I think that's something that I think is important to to acknowledge. 
Like, people probably look at the look at the quality and this and the the technology behind it and some of the language sometimes, like enterprise level. Yeah. But then say, I don't need that. That's not me. I think we need to make that clear. And that's that's our job a lot of the time is to is to try and bring we go out into the cybersecurity space and bring back what we call appropriate solutions for our customers, and we definitely put them through the wringer to to make sure we're selecting the best in class that is accessible from a budget point of view. Sometimes that can still be a challenge, and it might mean that we can't do it today, but let's build a plan for doing it next year or just let's build a plan for doing it in six months' time. And that's the that's the proactive piece as well. Say, look. We we firmly believe you need something like this, so let's see if we can build a plan. If we can't make it work, we can do it. But it's it's a it's an an open and honest conversation that that I think is important to have. Yeah. But it starts with, starts with a conversation. It starts with similar. Well, how do we get there? How do we make this better? Yeah. And I think if I could leave it one comment is that, well, from a Centripetal point of view, we're very proud of the partnership with Intuity. We've only launched it officially over the last couple of weeks. It's a really great way that we have to bring all of the world's global threat intelligence to the SME marketplace, at an affordable, accessible level. We're excited to work with you, the full team, and hopefully for the next forty years because you've done forty years before we have. But we're very proud, and we're we're delighted. And thanks for your time today, Donal. Brilliant. It's been a pleasure. Thank you. Bye. Cheers.