
Episode 155

Alex Heublein - Navigating cyber risks while embracing new technologies

Posted on: 17 Oct 2024

About

Alex Heublein is the president of the US division of the IT innovation and digital transformation accelerator Netsurit.

In this episode, we explore how we can protect ourselves from increasingly advanced cyber security risks, with a particular focus on small and medium businesses, which are often more heavily affected by cyber attacks. We also emphasize the value of outsourcing when it comes to cyber security and other IT priorities. Finally, we discuss the people element and the importance of cyber security training.

 

Links & mentions:

  • agiledrop.com/podcast/louwki-coetsee-balancing-people-processes-and-systems-successful-digital-transformation
  • netsurit.com
  • [email protected]

Transcript

"Don't go hire three companies, you know, one doing your IT operations and service, one doing cybersecurity, and then one doing generative AI for you. I think that introduces a level of danger for a lot of these small and medium businesses that you can avoid by hiring a provider that can do all three."

Intro:
Welcome to the Agile Digital Transformation podcast, where we explore different aspects of digital transformation and digital experience with your host, Tim Butara, content and community manager at Agiledrop.

Tim Butara: Hello everyone. Thanks for tuning in. I'm joined today by Alex Heublein, president of the US division of the IT innovation and digital transformation accelerator, Netsurit.

We already had a great conversation with Netsurit's Louwki Coetsee, who is now the chief revenue officer of their US division. And with Louwki, we discussed the critical importance of balancing people, processes, and systems for having success with digital transformation. We'll link that in the show notes, don't worry.

And today with Alex, we'll be talking about how to navigate cyber security risks while also keeping up with all the innovation that's happening in the technological sphere. So Alex, welcome. Happy to have you here on the show today. Anything you want to add before we dive in?

Alex Heublein: No, perfect. Thank you so much for having me.

Looking forward to this.

Tim Butara: Yeah, me too. I think that cyber security is definitely an important topic. And I want to start right off the bat with talking about this. So, this importance to integrate very robust, very strong cyber security measures into digital transformation strategies. And I'm interested in both the technological aspect of these cyber security measures as well as the people aspect on the other hand.

Alex Heublein: Well, yeah. And I think you've hit the nail on the head there. A lot of people just look at the technology aspect of it. You know, they say, how do I build the walls higher and thicker and put more defenses into place, but there's a huge people element to it as well. And I think that people element is, is maybe the greatest vulnerability that a lot of companies have today.

And they just, they don't realize it though. And I, and if you take a step back, I mean, there's a big difference. You know, we, we, we at Netsurit, we service the small and medium business world. So, you know, companies ranging in size from, you know, 25 to 50 users all the way up to say 2,500 users. And so there's some differences in that small and medium business market when it comes to cyber security.

And I think it's, I think it's maybe important to kind of point some of those out. So one of them, for instance, is that when you're dealing with most, I'd say the majority of small and medium businesses, they intellectually know that cyber security is important. If you ask them in an elevator or at the bar or whatever, How important is cybersecurity?

They'll say, Oh, yeah, I don't know. It's very, very important. But it's more of a theoretical concept. It's not a practical day to day concept, because the reality is, you know, starting and building and running a business is hard. And as the founder of those businesses, the CEOs of those businesses, they're getting pulled in a thousand different directions and so cyber security is one of those thousand different directions they get pulled in every day, and oftentimes I think they underestimate both the risk as well as the potential outcomes that they can see.

So for instance, I think a lot of people in their head will do some math like, okay, if there's a 1 percent chance of me getting hacked and the, the outcome of that hack, let's say I might lose a million dollars, they'll say, well, you know, the expected outcome of, you know, multiplying 1 percent times a million dollars is 10,000.

So I think in their heads, sometimes they get this idea that, well, if I'm spending more than 10,000 a year on cybersecurity, I'm not getting a positive return on investment. And again, I don't think people put that on a spreadsheet. I don't think that they, you know, they modeled this out in some kind of formal way.

But in their heads, I think they're thinking along those lines. And the second thing that we see is that the threats have gone up massively particularly since the pandemic. I think the pandemic was a real boon for cyber criminals. We saw people going and working remotely. We saw this distribution of data.

And I think from an economic standpoint, I think that's one of the ways you have to look at this. The small and medium businesses are looking at it like, well, what's the expected outcome here? What might happen versus the risk of that happening? And I think they, they underestimate both of those things.

They underestimate the chances of them being hacked. And then I think they underestimate the damage it can do to their companies. Right. And it's not just financial damage. It's reputational damage. It's damage to their ability to service their customers, so their customer satisfaction levels can potentially go down.

So it's not purely just a financial situation. And then on the other side of the equation, you have the cyber criminals. And I think a lot of small and medium businesses think to themselves, well, they're not going to go after me. Like, why would they go after my small, my small business, right? It's not like I've got millions and millions of dollars or billions of dollars to go after.

It's not like I'm a high profile target. And I think there was probably some logic in that maybe 10 or 15 or 20 years ago, right? There was probably just some safety in the fact that you weren't a big company, you weren't well known. But I think over the last four or five years, we've seen a massive increase in the number of cyber attacks on small and medium businesses.

And, and I think part of the reason for that is that before this, it just wasn't terribly cost effective for cyber criminals to go after these small and medium businesses. But now we're seeing the rise of new technologies, artificial intelligence, impersonation technologies that have really lowered the cost for the cyber criminals to go after the small and medium businesses.

So it's really, And I hate to even put it in these terms, but it's opened up the market for them, right? So on one side, you've got people sort of the small and medium businesses, I think they're underestimating the risk of being hacked. And I also think they're underestimating the damage that it can do to their organization, while on the other side, the economic equation is, wow, it's gotten a lot less expensive to go after these small and medium businesses, and therefore the economic equation has tipped in their favor.

So it's really a balancing act that you go through there a lot of times.

Tim Butara: You know, you mentioned like when they're doing the calculations, it's like, Oh yeah, there's a 1 percent chance that we're getting hacked. And we're so used to this, I guess, almost a policy of 1 percent being this really insignificant amount, when, in reality, 1 percent means that it's going to happen once every 100 times. And if you have automated cyber attacks, and if that's, that's opened up that, that, that might mean, you know, several successful attempts a day, if you're not prepared properly.

Alex Heublein: Yeah, absolutely. It's almost like self driving cars, right?

If somebody said, well, I've got a self driving car and it'll drive you around. It's great. You don't have to do anything. It's fully automated. But there's a 1 percent chance you could be involved in a bad accident every time you get in the car. Like, no one would buy that car, right? One out of every hundred trips, you're going to get into a really bad accident.

So, and that's one of the reasons we don't really see a lot of fully autonomous self driving vehicles today, because that, that number, instead of being 1%, it needs to be like a hundredth of a percent for people to start going, okay, yeah, I trust my life to this. So I think you're right. We're in the same kind of situation with cybersecurity.

Where people say, ah, yeah, 1%, that's not so bad. You start thinking about it a little bit longer and you say, no, actually that's terrible. I mean, this, and, and the problem is, is that, I mean, it's an existential threat to small and medium businesses. In some cases there are ransomware attacks, reputational damage, et cetera, that have put these companies out of business entirely.

So what's it worth to you to make sure that your business doesn't go out of business as a result of this, but they're always trying to balance that because, you know, small and medium businesses, the, that you've, you've, you've got budgets, you know, every, everyone does, but in particular in small and medium businesses, you'd like to be taking your IT spend and spending that on technologies that will differentiate you from your competition.

The last thing you want to be doing is spending that money on stuff that just, just kind of protects you, but it doesn't add a whole lot of value to your business other than you're being protected from these things. So it's not that it's not important, but it's certainly not as, as cool and sexy and potentially beneficial to you as investing in some of the new and emerging technology spaces. And I think that's where, that's where striking the right balance between the right level of security and the right risk profile, that's tough for small and medium business owners to do.

Tim Butara: So do you have any practical tips or some advice or like some strategies for how they can, they can better achieve this balance?

Alex Heublein: Yeah, well, one of them is, this is not a do it yourself project, right? So cybersecurity isn't, and we see this all the time, literally all the time. We will talk to people and they will tell us, you know, well, you know, my cousin Vinny does cybersecurity for us. He's, he's really, really good at this stuff. He really knows his stuff.

Maybe that's the case, but rarely do we see that as a practical reality. So, so the first, first bit of advice is don't try to do this on your own. You'll probably fail at it, or at least you'll increase your risk profile very significantly. And so a lot of times we'll go into companies and one of the first things we do is we do a vulnerability assessment and it's a quick hit vulnerability assessment, right?

It's not like we spend weeks and weeks on this. This is a couple of hours kind of thing. And probably in 90, 90 plus percent of cases, we see some pretty significant vulnerabilities, even when they've got, you know, their cousin doing, doing cybersecurity. So, so don't try to do it yourself. Don't, don't depend on, you know, one of your family members who took a cybersecurity class to secure your business.

You, you actually need some professional help. But then I think the problem you get into is the, the level of professional help. We see a lot of organizations, again, they'll, they'll go out and they'll outsource their IT operations, right? They'll say, we need somebody to take care of our systems. We need somebody to take care of our laptops and support us and deal with all the operational challenges that come up as part of using information technology in my business.

And so they'll outsource that, right? And that's a big part of our business. It's called the managed service provider world. And that's a big chunk of our business. That's a lot of what we do. And then they will say, well, okay, maybe I need to go get some cyber insurance, and I'm going to bring in a security company to help me with that.

So now I've got one company doing my IT operations and support. I've got another company coming in either, either on a continuous basis or, or more frequently on a very periodic basis, right? Like once a year, come in and look at my cybersecurity and give me some, some advice. And then they've got other organizations helping them build new and innovative capabilities to power their digital transformation.

So now I've got three cooks in the kitchen here. I've got one organization trying to do my, my, my IT operations and support. I've got another organization coming in, doing cybersecurity. I've got another organization coming in, helping me build applications and capabilities to take advantage of some of the new technologies in the market.

And that can create chaos for a small and medium business. So one of the things we recommend is look, if you're going to outsource this, and we recommend that you do bring in some professionals, not three guys and a dog down the street type of companies. But, but one of my recommendations is to, to, to bring in a partner that can do all three, right?

A company that can help manage your IT operations and everything that happens there, a company that also is, is, has a great deal of expertise in cybersecurity. And then a company that can also help you take advantage of new and emerging technology spaces. If you can find that in one provider, I think you've struck gold.

It might cost you a little bit more, but in the long run, I think it saves companies a ton of, of time and money and lowers their risk profile tremendously because that one company can see across all three of those domains and come up with an integrated cybersecurity strategy that not, that doesn't just protect your infrastructure, but also works with your people because we, you know, we talked about that a couple of minutes ago.

It's not just putting the biggest firewall and the best firewall in place and putting VPNs in place and two factor authentication, et cetera. All of those are great practices, but what we see more often is social engineering, phishing attacks, getting to the people that are using these systems and have the credentials and have the access.

And that has skyrocketed. That's increased three, four X over the last three or four years. And so in, in the technologies for doing that have become much, much more sophisticated. So you also have to take into account the people element. You've got to have good training programs, good compliance programs, but the problem with training and compliance for security, and I had a salesperson, we sell both, you know, cybersecurity services, but we also sell training services to help people become more productive with the applications that they already own, and he came to me and he said, you know, I've got a customer and they're not even taking the security training that we provide to them, Alex, right? Like why in the world would they then also take this other training if they're not even doing this really, really important cyber security training?

And I told him, I said, you know, part of the problem with cybersecurity training is that there's nothing in it for them. There's nothing in it for them as an individual. Whereas if I, if I sell you some training to help you become more productive in your day to day job, you get some benefit out of that.

You get some immediate benefit in terms of, wow, now I have more time to go focus on other things because I know how to use the technologies that I have better. Where cybersecurity training, it's really, really hard because the individuals don't see they don't see a lot of net benefit. There's a benefit for the company and there's sort of this theoretical benefit, but it's not manifested in a way that they can really connect to.

So I think doing that cybersecurity awareness training, preventing a lot of the, the phishing attacks, a lot of the, the, the other attack vectors that cybercriminals have, it's, it's absolutely critical going forward, because the people element, I think now I think it's shifted. It's actually become the biggest vulnerability today in cybersecurity.

Tim Butara: Yeah, that's what's most attempted to be exploited, right? And you mentioned early on stuff like deepfakes, voice clones, stuff like that. That's all been like super streamlined ever since the generative AI explosion. So I'm interested if there are any like new special considerations now that are specific, specific to these risks that are related to generative and then other AI uses.

Alex Heublein: Yeah. So I think there's a couple of interesting, so there's, so there's two sides of that equation, right? There's, there's a side of the cyber criminals. And I'm, and I'm personally terrified of this stuff, right? Because I've done dozens and dozens of podcasts and radio shows and interviews and things like that.

So my voice is out there, and I'm sure yours is as well, right? Cloning my voice and getting it to speak exactly the way I would speak is not a difficult thing to do. So I'm always terrified that some cyber criminal is going to, you know, call my mom. And, and, you know, she's, she's almost 80 years old.

They could probably fool her and saying, Hey, I'm in trouble. I need a thousand dollars. Can you do this? So on and so forth. So, so I think those tools have gotten a lot more sophisticated. And, and the big challenge that we see today with generative AI and a lot of the other AIs, it's not just on the, it's not just on that sort of impersonation attack type of situation, phishing attacks, et cetera.

What we're seeing also is small and medium businesses. The really progressive ones are really starting to adopt generative AI technologies to give them an innovative edge. And so this is an area that we spend a lot of time with our customers on. And if you think about AI today, you know, people use ChatGPT or Gemini or Microsoft Copilot or whatever.

You know, and they'll feed this thing information, they'll upload files, and I think most of them don't realize that most of these sort of publicly accessible free versions of these large language models, you know, they're going to take that data that you're uploading and they're going to train new models on it.

So you are effectively, although there's a big time delay, you're putting a lot of your information out there in the public domain. And so that's not to say don't, don't use large language models. They're very, very powerful. But you do have to go in and set some settings up, so where they're not going to train these models on, on your data, your spreadsheets, your whatever. The second piece of it though, and this is kind of the really interesting part is that, you know, one of the areas that we're really focusing on right now is using generative AI to reason across highly disparate data sources within these companies. If you go look at the, the ability to take both structured data, so data that I have in databases or data that I have in certain systems internally, and go be able to look across that data intelligently, but also take a lot of the unstructured data that I have in my business.

I've got hundreds of PDFs and contracts and proposals and whatever. The ability to use large language models to reason across both the structured data you have, the unstructured data you have, and then be able to make recommendations, perform analysis, give you data insights, it's tremendous. The problem is that it also exposes some, some security risks, right?

We're working with a client right now and, and, you know, he's not so much concerned about security. It's a financial services company. And he said, look, I'm not, I take security for granted. I, I view that from you guys is coming to me that you're going to secure my environment. But he's actually a lot more worried about privacy who can see this data.

I've just given this large language model the keys to the kingdom. I'm giving it all these documents. I've given it all my data. And you can do that in a, in a very private and secure way, but there's a lot of misunderstanding about that. So I think generative AI is one of those things that it is potentially one of the biggest productivity enhancers that we've seen in a long time. It's certainly in the last 15 or 20 years.

Its potential to give small and medium businesses an advantage, or at least keep up with their larger and more well heeled competitors, that, that opportunity is tremendous, but you have to, you have to bring in people that not only understand the AI part of it, they, they not only understand how to go get it, get all this data, how to get insights from it, but also how to secure it and make it better.

Private. And so, so that kind of goes back to that idea of don't go hire three companies, you know, one doing your IT operations and service, one doing cybersecurity, and then one doing generative AI for you. I think that introduces a level of danger for a lot of these small and medium businesses that you can avoid by hiring a provider that can do all three.

Tim Butara: I think that Spider Man's Uncle Ben would have something really great to say to this right now, but I myself can't think of anything to say except that, except that I mean, it's definitely, it's definitely one of the most important considerations right now and tying back to, to the choice of partnering with different service providers or choosing just one.

This sense would it make sense for like, you know, because we're talking about smaller and medium sized businesses, not, not huge enterprises. Would it make sense if they kind of developed in, in combination with these IT partners, would it make sense for them to develop their own private instances of these large language models?

So let's say a private, private instance of ChatGPT, where they have to have less of these guardrails because they're already kind of programmed into everything.

Alex Heublein: You know, it's funny that you ask that, because that's actually an offering that we're looking to bring to market. I think most of the small and medium businesses out there, A, they have no idea how to do that, and B, it turns out to be very expensive, right?

You've got to go, you've got to go get a lot of very, very expensive hardware to do this sort of thing, right? You know, the good, the good news is at Netsurit, we have our own private data center. So we have our own private cloud infrastructure. And this is actually an offering we're looking at bringing to the table.

But I, but I don't think that the public large language models are necessarily insecure, nor do I think they, that you, you can't get around some of the privacy concerns. If you're programmatically through their APIs, they're not going to use that data to train future models, and you can explicitly opt out of that on any sort of paid plans with these.

The question is, do you trust them? I mean, do you really trust Sam Altman and OpenAI? Do you really trust the guys? Do you really trust Google with Gemini? And so I think there's some questions there. So I think this idea, yeah, for certain use cases, for certain customers, setting up private large language models is certainly a viable option.

It's expensive, it's not easy to do. It has to be maintained. So I think, you know, you don't get the economies of scale that you get by going, going and using some of the public, the public LLMs, but at the same time, I think for the right type of customer, the right profile of customer, that can make a lot of sense.

Tim Butara: Yeah. Yeah. That, that's why I emphasize, you know, since we're talking about small and medium size enterprises, the cost factor might be more important than for a huge enterprise where, where the, the bigger cost of a custom tailored LLM solution might not factor in that heavily.

Alex Heublein: Yeah, exactly. They just can't achieve the economies of scale yet.

It's a large enterprise. But on the other hand, I mean, if you look at that, you know, large enterprises have a couple of advantages. Usually, they have more money to invest. They actually have R and D budgets and things like that, whereas most small and medium businesses don't. And then they've also got the ability to do things at a scale where you get those economies of scale and things start making a lot of economic sense.

Yes. The advantage the small and medium businesses have, though, over those larger enterprises, you know, a lot, a lot of which they compete with, their big advantage is they can move quickly. They've got a much higher level of adaptability and flexibility to go out and implement these technologies very, very rapidly.

So I think it's always going to be a balance, right? It's always going to be a balance between how secure can I make this? What are the costs of doing this? And then how quickly can I implement these technologies? And doing that calculus is difficult. It's not like you put it into a spreadsheet and an answer pops out at the end of it.

It tends to be very industry specific. It tends to be very, very customer specific as to how do you balance that equation? How do you do it from a budget standpoint, from a financial standpoint, from a risk standpoint, and then from a capability standpoint. Those variables are much more complex than, than you might think in a simple equation.

So again, having a partner that can do that, having a partner that can look across all of those domains and say, look, here's the optimal answer for you, or maybe it's not even the optimal answer, but, but it's close enough to where it doesn't matter. I think that's, that's a critical bit of advice and wisdom that you can get from your IT service providers, as long as they can, they can cross those domains.

Tim Butara: I love how we talked about balance with your colleague Louwki, and now we basically also ended up talking about balance and balancing people and technology on the one side, and I guess it just emphasizes, right, how even in something that's literally called digital transformation, digital is just, you know, at, in the best case scenario, it's 50 percent of the equation and the other 50 percent is the people, but it's usually even much more nuanced than that, as we have hopefully highlighted throughout this episode.

And for anyone who wants to dive deeper, we'll also link the episode with Louwki Coetsee, as I mentioned in the intro. But before we wrap things up, Alex, if anybody listening right now would like to connect with you, reach out to you, what's the best way to reach you?

Alex Heublein: You know, absolutely. You can reach me via email at alexh at netsurit.com. And you can go to netsurit.com, have a look at some of the, some of the things that we do. We've tried to, we've, we've, we've spent a lot of time. We have over 600 clients globally and we work with them to balance, to, to achieve that right level of balance. And it's not simple, it's not easy, but when you do achieve the right level of balance, now you're not only getting very highly operational IT systems, you're getting very secure IT systems.

And then you're also taking advantage of some of these new and emerging technologies that I think in the small and medium business world, they've got the opportunity to really change the game and give them a competitive advantage.

Tim Butara: Alex, this was actually the perfect note to finish on. Thank you so much for your time, for your insights and for the great conversation.

Thank you for joining us today.

Alex Heublein: Thank you for having me.

Tim Butara: And well to our listeners, that's all for this episode. Have a great day, everyone. And stay safe.

Outro:
Thanks for tuning in. If you'd like to check out our other episodes, you can find all of them at agiledrop.com/podcast, as well as on all the most popular podcasting platforms, make sure to subscribe so you don't miss any new episodes and don't forget to share the podcast with your friends and colleagues.
