Despite the ongoing news about cyber threats, cyberattacks, and data breaches, many small to midsize businesses (SMBs) still aren’t implementing the necessary security measures to protect their businesses, says cybersecurity expert Michael Caralis, vice president of Verizon business sales. As such, the cybersecurity risk to SMBs is continuing to increase.
A lot of SMBs’ IT staffs are overwhelmed, Caralis says. Not only that, but many SMBs think they are safe.
Consequently, their attitude is that if it’s not broken, they don’t have to fix it, he says.
“But the risk is so real and legitimate at this point in time that every business should take action.”
Techopedia sits down with Caralis to discuss the cybersecurity challenges SMBs face and how they can handle those challenges.
About Michael Caralis
As vice president of Verizon business sales, cybersecurity expert Michael Caralis oversees the company’s advanced solutions, wireless connectivity program, and its V2B (vehicle-to-building) unit. Caralis has also led various organizations across SMBs, including commercial wireline, mass markets (Fios), channel programs, and Internet of Things (IoT) resale.
Prior to this, Caralis served as Verizon’s executive director of solution architect and engineering. In that role, his team was focused on the transformation of the company’s technical teams, providing the best integrated solution designs and managed services, including broadband, security, and collaboration platforms.
SMBs’ Perception of Cyber Threats
Q: What are you hearing from SMBs in terms of how they perceive and how they’re addressing cybersecurity threats?
A: A lot of SMBs’ IT staff are overwhelmed. And their CIOs [Chief Information Officers] may also be their CISOs [Chief Information Security Officers]. I met with a customer about a month ago and — I’ll be candid — their cybersecurity policy is pretty weak. And the CIO was also the CISO, and he completely understood the risk.
However, he couldn’t get the Chiel Financial Officer to buy into minor modifications to remedy and provide some capabilities that they didn’t have from a threat protection perspective.
I said, ‘Let me meet with your CFO and let me walk through some of the risks and some of the costs.’ And I also advised him to reach out to their insurance vendor.
Many companies that are providing business insurance, especially cybersecurity insurance, won’t certify a business any longer unless they have some basic fundamentals, whether it’s device management or threat protection.
We ended up working through some of those details and we were able to move the customer forward to provide that level of security. And this particular customer was in healthcare and had to maintain HIPAA compliance. So they had a high amount of risk in there.
However, as dangerous as it is out there, and despite how much information there is around breaches, I still think many SMBs think it hasn’t happened to them yet, so if it’s not broken, they don’t have to fix it.
But the risk is so real and legitimate at this point in time that every business should take action.
Preventing Cyberattacks
Q: How can SMBs prevent cyberattacks?
A: I think that you look at a few different factors. You look at patch management around vulnerabilities that are being exploited. We’ve seen through our data breach investigation report from 2024 a 180% increase in initial exploitation of a vulnerability.
And it takes a typical small and medium business around 55 days to fully remediate all their vulnerabilities and risks. So, just real dedication to patch management and remediating those is needed.
I think employee training is also important. As the number of pretexting and social engineering attacks continues to increase, employee training on what those attacks are is needed.
And then there is very low-cost security software that you can use on mobile devices and routers to provide base-level protection that many folks don’t currently use. I think you combine all those things.
Q: What do you recommend SMBs do to address cybersecurity threats beyond the basics?
A: First and foremost, I think that you have to have the basics covered. Do you actually have malware protection? Do you have threat protection, endpoint protection on your devices? Many folks forget that their smartphones actually have so much information on them, and they use them for everything.
SMBs should also have network security, and threat protection, as well as a cybersecurity policy. They also need an incident response plan and the ability to detect a breach and react to it.
And they must have compliance standards in place specific to their verticals. [These standards are regulatory frameworks and guidelines that organizations must follow to protect sensitive information and ensure the security of their systems and data.]
Cyber Risk Is Increasing
Q: Is the cybersecurity risk for SMBs increasing? If so, why?
A: It absolutely is increasing every single year. All businesses today are pretty much natively digital. To compete in the United States today, you have to be online.
And you also have post-pandemic hybrid work environments where many folks are working from home and they have to be connected over the internet.
So you look at this rush to enable all these businesses to compete in the marketplace and serve their employees and their customers. And then you look at the money that’s in the United States — we’re a consumer-driven economy.
Consumer spending drives the success of our economic engine in the United States, and much of that transacts digitally.
Therefore, not only do you have bad actors in the United States, but bad actors globally targeting businesses within the United States, because this is where the money is. Never mind foreign bodies that are trying to disrupt things and test the ability to disrupt things.
And these bad actors recognize that SMBs aren’t the most technically fluent folks in the world, which presents an opportunity for them to attack these SMBs and make money through ransomware attacks.
Q: As SMBs invest in digital tools to improve operations, why haven’t they also implemented cybersecurity solutions and protocols equal to their investments in those digital tools?
A: Sometimes it depends on the partners they’re working with, for example, their Internet service provider partners. And those partners may not be providing their SMB customers a holistic solution [that includes security]. They may just be providing connectivity, for example.
Partners have to educate SMBs so they understand what their risks are and explain that they should have some baseline protection from a threat protection perspective.
But since the [SMB] technical knowledge isn’t the greatest, their partners have to speak very simply and to the point with their SMB customers, ask what their risks are, and explain how you’re going to protect them.
How to Protect Their Data
Q: As SMBs typically have limited resources, what are the most important things they can do to better protect their data?
A: It comes down to having something that is protecting your endpoint devices. If you have an endpoint that is touching the Internet, you have to have some type of capability or software that protects it.
You can use VPNs, you can use zero trust access solutions — but you have to have a cybersecurity threat protection platform in your infrastructure.
You have to manage software updates, you have to do employee training, and you have to have some type of option to detect and respond to a threat. If you can’t do those basics, you have to bring someone in that can help you ensure that you can hit those basics.
Q: Can you highlight some of the cybersecurity insights from Verizon’s 2024 Data Breach Investigations Report?
A: Our survey noted that denial-of-service attacks continue to grow; they were responsible for 55% of the incidents in 2023. These attacks compromise the availability of networks and systems by overwhelming them with large amounts of data.
In addition, one-third of all breaches involve ransomware, which was the top threat across 92% of industries.
The number of mobile malware attacks increased 46% and we continue to see increased sophistication from cybercriminals and their attacks becoming more numerous and varied.
Q: You’ve said that investing in cybersecurity isn’t just insurance, it’s a growth strategy. Can you explain what you mean by that?
A: For vendors and customers, there’s a lot of risk even in third parties. In fact, 15% of breaches involve third parties coming in through partner infrastructure application programming interfaces (APIs) and those types of things.
So when customers put out a bid to do business with vendors, they should ask about their cybersecurity policies. If those vendors have access to the SMBs’ customer data and insights that’s a risk to their business.
I would not do business with a vendor that did not have a cybersecurity policy and plan in place.