Episode 32: Threats to small business: natural and cyber



Hosted by Elizabeth Ü and Gene Marks

You can’t put a price on peace of mind — especially with the real threat to small businesses from natural and cyber security. So what precautions can you take to safeguard against a cyber attack or natural disaster?  

In Xero Gravity #32, David Raissipour, SVP of Product & Engineering at Carbonite, and Russ Findlay, Head of Marketing for Hiscox USA, join us to debunk all that’s unsettling about security, data breaches, data backups and disaster insurance.

We’ll share how you can allay your fears and remove the dangers, by taking the proper measures, simply and affordably. You’ll learn how mitigating these risks to your data and business can increase profits and peace of mind. Listen in, and never look back!


Episode transcript

Hosts: Elizabeth Ü [EÜ], Gene Marks [GM]
Guests: David Raissipour [DR], Russ Findlay [RF]


Announcer You’ve just tuned into Xero Gravity. A podcast for small business leaders and entrepreneurs across America. Now to your hosts, Gene Marks and Elizabeth Ü.


GM Hey, everybody! Welcome to this week's episode of Xero Gravity. We have a great show planned for today. Elizabeth, I'm very, very excited. We've got from Hiscox Insurance Company, Russell Findlay. He's the head of marketing at Hiscox.

Hiscox offers all sorts of insurance for small business in the UK and the US and I think other parts of the world as well. Then we've got, and Elizabeth, correct me if I'm mispronouncing. It's David Raissipour, did I get that right?

EÜ I think that's right: Raissipour.

GM Yeah, I think that sounds good. Okay, anyway, David is, I'm going to call him David. He's the senior VP of product and engineering at Carbonite, which offers automated cloud backup of your data. Do you run into any customers at Xero that you hear moved to Xero because they just had security issues, or some disaster, or they lost a lot of data and they're like enough of this, we're just going to put everything in the cloud?

EÜ I mean we definitely hear from a lot of people who are using desktop software and it's a nightmare to figure out just even version control, who’s got the most current version of the file if you're sending it to your accountant, to your bookkeeper; make sure you don't make any changes while they're working on it. Working in the cloud has other advantages in addition to making sure that you've got bank level security in the back end.

GM Right, it makes sense. The other thing to keep in mind is that even though it's a cloud-based world, there’s still stuff that’s stored locally. People still store stuff on their devices, on their laptops, on their MacBooks, on their servers. When the disaster occurs, it can really be crippling to a business.

EÜ I know and it's not just data; we're definitely talking about inventory. We're talking about your brick-and-mortar store. There's all sorts of things that can happen even beyond just the data. When we're talking about disaster preparedness and some of the things you can do to protect yourself, it runs the gamut.

GM Lots of really good stuff coming up. We promise you'll learn a lot. Stay tuned, we'll be back in just a minute.


Pre-recorded guest quote

DR “Most small businesses, if they were down for more than two weeks — something like 80% of those businesses — never recover, and ultimately go out of business within one year.”


GM Welcome back. We are going to be having a great conversation right now, about threats that occur to us as small business owners. Both natural and online, cyber threats that occur.

Let me start, and Elizabeth feel free to jump in and let me know what questions you have. Russell, I got to start with you. I'd like to ask right now as somebody who specializes in insurance, and you're looking at the small business market: What types of big cyber security issues are you seeing your customers facing, that you're hearing from your customers?

RF There's a fair amount of questions regarding cyber security. The attitude in the small business role has been, "I'm too small to be a target. I don't want to invest in this. I'm beneath the radar." Over the past year, there's been a lot more questions on, "Is that true? Am I a target? If I'm not one now, how could I be a target? What would make me look appealing to a hacker? How do I mitigate that?" That sort of cyber breach and mitigation part of the business is getting a lot of questions, and there's a lot of people who are looking to lower their threat profile.

EÜ In addition to threats from people outside the business, what about threats from people inside the business? I'm sure that's a risk as well.

RF The first when people inside their own company we found tend to be less from a cyber-attack perspective. It's really about intellectual property theft and embezzlement to be honest with you. Those two are the biggest ones, but yeah there's issues across the board in terms of making sure that your business is protected from unforeseen disasters.

GM Got it. I'm going to switch over to you David. I mean being involved at Carbonite, you guys back up data. Give me an idea of where you sort of see regulation going related to that? Some idea of what we as small business owners should be considering when it comes time to protecting our data and making sure it gets backed up.

DR Certainly. Anybody that's in the financial sectors, anybody that's in the health care, there are specific regulations that dictate what they need to protect, how long they need to protect it, and what type of security needs to be in place for that data.

There are a lot of other small businesses that don't fall under any sort of regulatory compliance, where it just becomes good business practice for them to really protect themselves, and protect their customer data. I agree that the insider threat is a huge risk, and that the vast majority of cases is not intentional, it's really unintentional. As we mentioned, people say I'm not a target and they forget that people walk into their businesses (or employees) with all kinds of personal devices and assets, and they can become inadvertent targets. They could be going after information about people, their Social Security numbers, their credit card information, and become inadvertent victims of these types of breaches.

GM Do you ever get surprised at how many small businesses don't backup their data? I see this all the time that businesses not only don't backup their data (and sometimes they think they're backing it up), but it's not really happening. Do you run into this situation a lot?

DR We run into it all the time. We got a lot of customers that show up at our front door, unfortunately, after they've lost everything. It becomes "Quick, I need something to back up all my servers, and my PCs” after they lost data. To be honest, that's probably the majority of small businesses out there. They don't really think about it. It's not at the forefront, just like other aspects of security, they don't think about it until they've had a loss, and then show up.

EÜ Then they call Russell, right?

DR Yeah, exactly. We protect them from here on out, but in the meanwhile we have a stat published on our site that says, "Most small businesses if they were down for more than two weeks — something like 80% of those businesses never recover — and ultimately go out of business within one year.” Unfortunately, that's the reality of what happens when there's massive data loss.

EÜ Russ, obviously you've seen all kinds of disasters beyond just data loss. What are some of the other main risks that you see small businesses are facing?

RF Certainly, there's a risk of data. There can be some sort of a natural disaster, there can be a general loss to their supplier community. It's not just them. They themselves may be running the business properly if something else happens to their network of supporting businesses or even their customer base. Sometimes it's about expansion, and the ability to expand their business. Sometimes they take on too much of a bite, sometimes they get regulated into a corner. It's tough being a small business owner. But I think what David was saying, they tend to underestimate the risk of running a small business from a disaster perspective, and come to the table when they want to cure less often than when they want prevention.

EÜ Let's assume that our listeners are all very smart cookies and they do want to protect themselves from the risk of some of the major disasters that you can see. That following everything from making sure that they are backing up their data, to making sure that data is secure (and other things that they can do). Russell, what would you suggest?

RF I think first and foremost — just in terms of risk mitigation in general — have a plan, and really have a realistic plan. Talk about potential scenarios. Whether you're in a geography that has extreme weather, prone to earthquakes, or prone to something else — take that into consideration. Are you in a controversial industry that may have protesters that want to adversely affect your business? Understand the environment in which you work, because maybe somebody from another company is very interested in getting their hands on it.

If you have personal information, not just about your employees, but about your customers, or about end consumers. If you get any kind of PII (personally identifiable information), you could be a potential target. Have a plan that's realistic and get that level as detailed as you’re able to, and understand what would trigger that. That'll get you a long way down the path of being prepared.

GM Sounds good. David, let me go back to you again. You guys at Carbonite, you host data, you backup data into the cloud. I get lots of questions from my clients about the security of the cloud and the data that you are backing up and storing. You must get questions from your customers as well, "How secure is that data? How do I know that's not going to be breached?" What do you say to your prospective customers to respond to that?

DR Sure. We do get that question constantly and we get customers that ask for documentation on it as well. For companies of that size, Carbonite does a few things. First and foremost, we really have third party folks come in and certify and audit, and really provide certification as to the level of security that exists in our data centers. That's number one, we usually don't just say, "No, no, trust us. Take our word for it."

Second, we really, as any responsible business in our position should do, is we really rely on data encryption in order to provide that additional level of security. In our case for example, that data is really encrypted on the person's machine. It’s sent to us over an encrypted communication pipeline and it is stored encrypted on disk. At no point is the data sent to the cloud unencrypted. The general fear of: “if it's in the cloud, I can't control it.”

One of the things that most people don't really take into account is, yes, a Carbonite, or a Google, or an Amazon is a bigger target, but they also have much more sophisticated technology in place to protect things. They also have much better detection capabilities in place to detect things. And they can take data offline a lot faster than smaller businesses. The level of resources and controls that are in place far outweigh the risk of “someone else has my data!”

GM One more question for you, David. It's funny, over the years, so many of us hear about encryption, "No, it's secured because data is encrypted and it's being transmitted, and it's encrypted both in transmittal and also at the end result." For our listeners, I mean, because you're a VP of product and engineering, can you explain to me what is meant by encrypted? When something is encrypted, does that mean that it’s just unhackable?

DR No, it does not mean it's unhackable. It means it's unhackable for the most part, in the amount of time that it makes the information useful. There's different levels of encryption, so you probably heard everything from 128-bit all the way up to 1024-bit encryption. That really refers to the level of complexity of the encryption. In our case, for example, we have 256-bit encryption. And short of somebody having stolen the keys that are used to encrypt the data — and that's not an easy thing to do — it would take super computers a period of time in order to go through all the possible combinations of attempting to decrypt that data.

By then, for the most part, the bad guys are on to something that's an easier target. That's really what encryption is intended to do. There's no such thing as unbreakable, it's simply impractical, unreasonable and simply too expensive to do. What a bad guy will do is move to an easier target that are a lot easier to find.

GM Elizabeth?

EÜ Yeah. I’m still really fascinated by this concept of small business insurance and this question about what is included, and what is standard. Because I know in places like San Francisco — where earthquakes are, maybe not common but at least a risk — a lot of homeowners insurance doesn't cover earthquakes. Is that similar for small business insurance as well, like are there any loopholes that our listeners need to be aware of? Is protestor, you mentioned protesters earlier, is protestor insurance included in the standard package? Or is that something that you would need to add on?

RF Yeah. I think that people need to understand, small business owners tend to want to look at general liability, which is basically an insurance for running your small business. If you have a brick-and-mortar operation and somebody comes in and slips and falls, there's something about the fact that you are open for business.

There's professional liability; which is, think of it as malpractice insurance for business professionals: something that causes a loss based on what you know and what you do as a professional. Then there's the business owner’s policy if there’s some sort of property loss. That also can include lost income. If something happens, like an earthquake; if there's some sort of business interruption and not all policies are the same, I really urge small business owners to review their policy.

Some policies have a mechanism for reimbursing small businesses for lost income. If something happens on your block and the block is cordoned off for some reason, and pedestrians aren't allowed to get to your store, you've lost income. That could trigger the policy and you can get reimbursed for that.

Flood insurance. People can be really careful about insurance, earthquake insurance, any sort of natural disaster, because a lot of business policies don't respond to a flood. But they may respond to substances and water damage where water has seeped in somehow. Look into it, be mindful of it. Not every policy that may have the same title actually covers all the same stuff.

EÜ There's certain expectations that small business owners should have (as far as what they will be needing) to pay for the standard package, and how big they need to be before they consider it. Or is this just with the general liability insurance? You need to have it no matter what, as soon as you open up your brick-and-mortar shop?

RF It's funny, there's a number of small business owners, but a third of them we found across the country don't open their doors with any kind of insurance. For a variety of reasons, a lot of the mindset is "I'm too small to sue. I only work for my friend. My friend has never sued me. I'll never get a loss. Yes, I'll get small business owner insurance sometime down the road. Right now I’m working the business out of my house."

There's a lot of reasons why people don't want to spend money to get insurance to protect themselves. They are spending their capital on getting business and growing the business and assets and equipment, and that kind of thing. I think that's risky. I think it's really risky. As far as pricing goes, we sell a small business owner's policies anywhere from $22.50 a month on up. It depends what deductible you want. Generally, a few hundred dollars per year can save you from spending a significant multiple of that trying to dig yourself out.

GM Russ, for a lot of our listeners (if you're small business owners in professional services), there's so many service companies. From landscaping to roofing, to being an accountant like me, or a lawyer or whatever. I just was curious of your thoughts on malpractice insurance. A lot of clients ask me that question, like “What if I mess up a project or screw something up?” That's something that Hiscox offers. Do you recommend it? Do you have any thoughts on that?

RF Yeah, I do on a couple of fronts. Yes, Hiscox offers it and we offer to 30 plus different industries. The big reason why it's really important to get it is that a small business owner can be sued even if they themselves aren't at fault.

Let’s just say you're a marketing consultant, just as an example. You recommend to a client that they should do a certain kind of promotion and they take your advice and they do this promotion and it goes horribly wrong. Most often the company that puts on that promotion to another business or to the consuming public, they're the ones that are going to get sued. They may turn around and attach you to the lawsuit. If you don’t have insurance, you can get wiped out.

In fact, what we're seeing more and more is that small business owners are asked to provide proof of insurance as a condition to getting contracts with larger companies. Already having professional liability insurance is just another quick and easy way of showing a potential business partner that you're serious, that you're credible, this is a legitimate operation that you're running, et cetera.

GM Now, let me switch over to you, David. I have had clients over the past two years that have gotten hit by CryptoLocker or a virus similar to that. Somebody downloads a file by mistake, it basically encrypts their computer and it’s ransomware, which means that you get a message saying if you need to un-encrypt it, you have to pay a ransom, usually in Bitcoin or some type of virtual currency. It's disastrous for a lot of companies that get infected by this. I guess my question to you David is have you seen this happening at your clients, your customers, as I'm sure you bumped into this? I'm curious depending on the size of the business, does it make sense from a cost perspective to just toss your computer and just restore it with your backed up files from a Carbonite?

DR So this happens actually quite a bit more than people realize, because most folks that get hit with the ransomware type of demands actually kind of feel embarrassed and they don't tell people. When these things happen, you really only have two options, actually three. You can either walk away from your computer, you can pay the ransom, or you'll have to be able to restore from a backup; from a point previous to the ransomware having infected your machine.

In the case of Carbonite, what we recommend to our customers is to basically wipe the machine clean and restore from a previous backup, and it will be as if they never went to that site or they've never opened that attachment. It will return them to an operating state.

EÜ I have to say that all of this is making me really feel like cloud-based software can be a boon in the event of a disaster. Because if I had to completely wipe my computer today, I mean the fact that we're using cloud-based software for most of what we do here at Xero, I could get on a different computer and just access all my files immediately.

DR Absolutely. I've been working on cloud software for 20 years and I can't imagine a world without it.

EÜ Do you have advice for making sure that not only the business owners themselves, but all of their employees are trained in these best practices? Because it's not just a matter of having the right backup software or having the right insurance policy. It's also making sure that all employees know what to do so that the insurance policy is still valid or that a backup is happening according to plan.

DR Absolutely. Any plan that gets put into place has an educational aspect to it, because that turns out to usually be the weak point in any of these plans. People do have to be educated about the importance of backing up, the importance of not dismissing that dialog that reminds them that their PC hasn't been backed up for a while, and making sure they realized what the impact is to the business. Now, having said that, you also have to assume that everyone is going to ignore that education aspect and you have to put something in place that works regardless of whether the individual follows those steps or not.

It is absolutely a combination of the two. Then the third thing I would say is, any organization that doesn't test their backup, doesn't test their disaster recovery or business continuity plan, might as well not have one. Because they really have no idea whether it's successful or not.

GM What do you wish, what is the one thing you wish your customers would know about insurance, Russell, that sometimes they don't get, that you wish they all knew about?

Dave, I'm going to do the same thing and ask you about, what you wish your customers would know about backing up their data? What's the mistake they make that they can avoid?

RF I would say, know that it's not as scary as they might think. Meaning it's not expensive so it's not financially scary. It's not really all that complex if you get somebody to reach out to you. We've got advisers that you call on the phone and get some advice for free. It's not as scary as it is going without it; I guess that's what I would tell them.

GM That's great advice. I take your advice as well. I have professional insurance. We've used it for years and it's cheap. A few hundred bucks a year and it really gives me peace of mind. I should have done it a long time ago.

EÜ Have you ever needed to use it?

GM I have not, although right now I'm involved with a client where I'm starting to get concerned. I am real happy that I've got that insurance behind me.

EÜ Peace of mind is very valuable.

GM It really is, it really is. David, let me turn to you in the world of backing up. What do you wish that they knew about backing up their data?

DR I think probably the biggest mistake is one that we've covered already, which is, it doesn't happen to me. It's living in a state of denial to a certain extent. One of the questions that I wish every one of these small business owners would ask themselves is, “What's better, having a plan to recover in case something goes wrong, or having to start from scratch and having to rebuild that business?” If they asked themselves that question, I'm pretty sure and pretty confident that they would all arrive at the right conclusion, which is that a little bit of an insurance policy is the cheapest way to build a business.

GM That's great, so let's turn to our last segment guys. This is called The Elevator Pitch. This is something to just have fun with, however, there’s a little bit of competition here because the winner of this will get 100 bucks, a gift card from Amazon. That's a little bit of an enticement for both of you guys. We're going to be asking you to come up with a product or service idea that solves a problem. You have 90 seconds to do it. You need to re-identify the problem that I'm about to state, you must make a pitch that offers a solution to that problem, what your target market is for that problem, who’s your target customers.

You should have a compelling name, something kind of catchy and fun for this as well. You want to make it as creative and out of the box as possible. Russell, I'm going to pick on you first, okay? Here is what the problem is: obviously a lot of small business owners have suffered natural disasters in the past. The most recent — at least to me because I'm in Philadelphia — was Hurricane Sandy just a few years ago.

Knowing what you know in the insurance world, small businesses need to better prepare and then also better respond to a natural disaster. If you were given the opportunity to come up with an app, a product, a service that would help small business either better prepare or respond, what would be your solution? Give me a pitch for a product or service that you think would do that.

RF I would pitch an app to small business owners. I mean really small, micro- business, 0 to 20 or so employees that basically is a disaster response enablement tool. You select from a menu of things that you have pre-planned, whether it's, "Hey, natural disaster just struck” or “Now, what do I do?" You go to your app and you hit the button and then it enables that to happen. You have a data breach, "Okay, now what do I do?" Here's what's going to happen, you've already pre-planned to see what's happened and basically it enacts it. There's no running around with, "Oh my god, the sky is falling. What do I do? This just happened?" You've already planned and tested it. The product is called, "Mayhem Mitigation."

GM [Laughs] Alright, that's awesome! Well done. Alright, so David, you've had some time to think about this. Let’s hear what product or service you would propose.

DR I think the disaster recovery space is the right space, but I'm going to have a slightly different spin on it. For most people that face a disaster, even if they have a disaster recovery plan, there's some initial steps and in some cases, some of those disaster recovery plans are on the very systems that they lost. For me, I like to focus on a simple app or a service we like to call, "Be Right Back."

EÜ Love it.

DR What this does is, this allows a business to identify some subset of their applications, or a server which were the bare minimum list of things they need to do to get back in order to be up and running again. What "Be Right Back" does is it takes a snapshot of those systems or those applications and stands them up for you in our Carbonite cloud and allows you to still run map PC as if the PC was never underwater or the natural disaster didn't hit. Then, you can continue to execute any of the rest of your disaster recovery and business continuity plans.

EÜ Wait. Let me make sure I understand this. It's somehow magically resurrecting your drowned hardware as well?

DR It's not resurrecting your drowned hardware. It's resurrecting what was running on your drowned hardware, on hardware that's somewhere else and allows you to run your service on it.

EÜ So the package includes redundant hardware storage somewhere else?

DR That's correct. It's not meant to replace your entire small business and all of your hardware. But what it does is not let you have that, "Oh, now what?" moment, by getting some set of infrastructure up and running.

EÜ Alright, so I'm going to judge these two on our five different criteria here. “Mayhem Mitigation” sounds like it's going to do a really great job of helping people immediately access their plans that they will have created, thanks to the help of an app, as well.

I thought that was really great. Not only does it help you create that plan in the first place, but it's also in your hand, on your person, after that disaster strikes. I also thought you did a really great job of outlining your target market. You said micro-businesses with 0 to 20 employees, and that was very clear. And your name was great, had some good alliteration.

As far as creativity goes, I think that this is, it may not necessarily be completely out of the box, this sounded like a totally necessary and practical, and completely implementable plan. I'd actually be surprised if somebody isn't actually already doing this. It sounds great. Really great there.

David, you definitely outlined your problem really well. Your solution, obviously, I had to ask a question about it, so I'm learning something new there.

"Be Right Back" I thought was a brilliant name. Then again, as far as creativity goes, I'm wondering if that's something you do already offer? You seem to have it all fairly well planned out. This one, I'm really on the fence about this one. I'm leaning toward Russell but Gene, what do you think?

GM I think they're both really, really great ideas.

EÜ Yeah.

GM I actually was actually leaning more towards David believe it or not. No offense Russell. If there was a big disaster, I'm concerned there were no communications, no internet, no electronics at all. And then I'm thinking, "Oh my god, so how does this disaster plan even get implemented if there's basically nothing working?” David, I think might have a more practical application but very, very close, honestly.

EÜ No, that's a good point. Yeah, this has been the hardest one to judge so far. I'm willing to go with David this time, but Russell know that you were very, very close runner up.

GM David, you get a hundred dollar gift card to Amazon. Russell, you just get our undying thanks for being on this show, which really is worth multiple times a hundred dollars, right? There's value and our love.

EÜ If we don't say so ourselves.

GM If we do say so, right. Anyway, both of you guys, thank you very much. You were both awesome. This is great, great information for our listeners, and it's really, really important stuff. Thank you very much for joining us.

EÜ Thank you.

DR My pleasure. Thanks very much.

RF Thanks very much.


Xero Gravity Promo

GM If you have any questions you’d like answered on the show…

EÜ ...tweet us at Xero using the hashtag #XeroGravity. Or, text us your questions, to 415-813-9878. We’ll answer them on next week’s show!


GM Elizabeth, that was a pretty fun segment, don't you think? I mean, trying to have a little bit of fun and good information with a pretty scary subject.

EÜ I know. Like Russ was saying, it doesn't have to be scary. It's scarier to operate without insurance than it is to operate with it. I probably fall into that category of people who are a little bit too complacent when it comes to this type of security. I always assumed that, "Oh, if I'm a small business, no one is going to care about my data."

Obviously, the opposite is true. I'm just that much more vulnerable and it's easier to get at my data and my information. Really, a great reminder!

GM I agree. One final takeaway, I really did take this advice myself a few years ago: Russell's advice about not being afraid to get insurance and to ask about coverage. Again, my company, we’re a service firm. And so I got malpractice insurance and it's a few hundred bucks a year, and it does give me some peace of mind. He's right, you should be talking to your insurance agent, and you shouldn't be afraid to buy insurance. It's not that expensive, and it will keep you covered when there are certain things like data breaches, or if you're attached to a lawsuit. It's good advice, good takeaway action. I like it a lot.

EÜ I loved how he broke down the different types of insurance too, how he advised all of us to take into account things like the geography, or the industry that you're in. I didn't really think about how there's different risks with regard to the different industries that you might be in. Obviously there are, just like there are only earthquakes or floods in certain areas of the country.

GM Yup. Good stuff. Anyway, everybody thanks so much for joining this week. It was a really good session. I learned a lot. I hope you did as well. We will be back next time. We look forward to seeing you then. Have a good one.



Xero Gravity Promo

Anncr Do you want 30% off Xero’s beautiful accounting software?

Head to xero.com/signup and use the promo code XEROPODCAST to get a discount on a 6-month subscription. It’s valid until March 31st, 2016, for small businesses new to Xero.

