A year has passed since we published “A Cybersecurity Update for CPAs,”1 and the threats outlined in the article have only continued to increase in sophistication and reach. The difference, perhaps, is that more and more small and medium-sized enterprises (SMEs) are now finding themselves caught in the wide net of cybercrime.2 To find out why, we recently spoke with Michael Argast, the co-founder and CEO of cybersecurity firm Kobalt.io, which specializes in helping SMEs.3
Before we dive in, can you explain how you came to work with SMEs?
I’d actually been retired for three or four years when I was presented with the opportunity to co-found Kobalt. Having already done security for 50 large enterprises all over the world, I had to ask myself: “Why should I get back into this?” The simple answer was that SMEs had always been the unresolved problem for me with regard to cybersecurity. There’s been a lack of support for them and a lack of focus on them. And yet all the job creation and innovation in this country starts with these smaller enterprises. So I decided that if I could help SMEs survive and thrive in a challenging cybersecurity environment, it was a very good reason to come out of retirement.
What do you see as the biggest cybersecurity challenges for SMEs today?
There are a few obvious ones. Ransomware is not going away, unfortunately. And business email and transfer fraud is a quiet but deadly killer. In fact, about one in four SMEs I’ve talked to has lost $150,000 or more in the last 12 months to this type of fraud. So it’s broadly occurring but not talked about much in the media, and yet it’s relatively easy to address.
Additionally, both the quality and the volume of attacks have increased significantly over the past year. One of the main reasons for this is the adoption of AI, automation, and social engineering, all of which is making life easier for attackers and harder for their targets. This is certainly true for SMEs, given that most attacks start off as automated campaigns and then switch to targeted measures once a point of compromise has been found. So that’s another thing that is significantly changing the risk landscape.
The last challenge is even less talked about, and it’s one that’s especially hard for SMEs to manage: third-party risk. Most organizations today don’t run their own technology stacks. They don’t host their own data. Instead, they rely on SaaS4 providers and cloud providers of various pedigrees to do that. And third parties are getting compromised all over the place.
Attackers particularly like to target juicy suppliers with multiple supply chain partners, because they know a successful breach will gain them a lot of downstream access. In 2020, for example, attackers who breached a major fundraising software company were able to access the data of more than 13,000 non-profits.5 There’s an endless list of these sorts of situations.
You mentioned social engineering—can you talk about how its use has evolved?
AI is being used in a variety of different ways now. Better written content is an example where it’s tailored to the particular target. If you want to mimic a CEO, for example, you can feed in a bunch of the CEO’s previous writing and use AI to draft an email that has the same tone and language.
Video and voice tools are also becoming more prevalent as they become much less expensive. We’ve seen scenarios where real-time deepfakes of existing employees have convinced people to transfer funds. There was a company in Asia, for example, that lost more than $25 million after a simulated CFO convinced an employee to transfer money during a video conference call.6 And voice is much easier than video, because you can use a four-second sample of somebody’s voice to launch simulated messages and have real-time conversations.
So one of the things that’s really important for people to understand is that you can no longer confirm that the person you’re talking to is the person you think they are by voice or video alone. You have to have other mechanisms in place to validate their identity. It’s a real challenge.
How can we combat these kinds of sophisticated attacks?
It’s a good question. Right now, attackers don’t tend to compromise multiple channels—for example, if they’re going to compromise your email, they’re typically not going to go after your phone, your Teams or Slack, and your other channels of communication as well. So one of the ways we tell people to protect themselves is by using out-of-band reverse-direction validation. This means that any time you get a request to set up or change payment information, you contact the sender on a different channel to confirm that it’s legitimate.
For example, let’s say I’m emailing back and forth with my COO. If I switch over to Slack to validate something we’ve discussed by email, the probability that attackers will simultaneously compromise both of these channels is lower. Of course, how long it will stay that way is another question—attackers weren’t really targeting multi-factor authentication [MFA] two years ago, but they’re doing so quite aggressively now. It’s always a cat and mouse game, so if you can keep yourself a couple steps ahead of the attacker, you can buy yourself some time.
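The out-of-band reverse-direction check described above can be turned into a simple approval rule that finance staff (or a payments system) apply before any bank-detail change is actioned. The following is an added example written for this page; it is not code from the interview, from CPABC, or from Kobalt.io. It assumes a small trusted directory of counterparty contacts maintained internally (a design choice: the confirmation must use contact details already on file, never a callback number supplied inside the request itself), and all names, channels, numbers and timestamps are constructed for illustration.

```python
"""
Out-of-band reverse-direction validation for payment-detail changes.
Added example, not from the original interview. A change request is
approved only if a confirmation exists that:
  (a) was obtained on a different channel than the request arrived on,
  (b) used contact details from the trusted internal directory, and
  (c) was recorded after the request and within a short window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Hypothetical trusted directory (constructed). In practice this is
# populated during onboarding and never updated from an inbound message.
TRUSTED_DIRECTORY = {
    "acme-supplies": {"phone": "+1-604-555-0100", "slack": "@acme-ap"},
    "coo": {"phone": "+1-604-555-0101", "slack": "@coo"},
}


@dataclass
class PaymentChangeRequest:
    requester: str                 # directory key the request claims to be from
    channel: str                   # channel the request arrived on, e.g. "email"
    new_account: str               # the bank account the request asks us to use
    received_at: datetime
    supplied_contact: Optional[str] = None  # callback details inside the request; ignored on purpose


@dataclass
class Confirmation:
    channel: str                   # channel the confirmation was obtained on
    contact_used: str              # number/handle actually used to reach the counterparty
    confirmed_at: datetime
    approved: bool                 # did the counterparty confirm the change?


def validate_out_of_band(req: PaymentChangeRequest,
                         conf: Optional[Confirmation],
                         max_age: timedelta = timedelta(hours=24)) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if every policy condition holds."""
    if conf is None:
        return False, "no out-of-band confirmation recorded"
    if not conf.approved:
        return False, "counterparty did not approve the change"
    if conf.channel == req.channel:
        return False, "confirmation used the same channel as the request (%s)" % req.channel
    trusted_contacts = TRUSTED_DIRECTORY.get(req.requester, {}).values()
    if conf.contact_used not in trusted_contacts:
        return False, "confirmation used contact details not in the trusted directory"
    if conf.confirmed_at < req.received_at:
        return False, "confirmation predates the request"
    if conf.confirmed_at - req.received_at > max_age:
        return False, "confirmation arrived more than %s after the request" % max_age
    return True, "approved via out-of-band confirmation"


def demo_scenarios() -> dict:
    """Run constructed scenarios and return {name: (ok, reason)}."""
    t0 = datetime(2024, 9, 1, 9, 0)
    # Constructed request: arrives by email and helpfully includes a "new"
    # phone number to call, exactly what a fraudster would supply.
    req = PaymentChangeRequest("acme-supplies", "email", "NEW-ACCT-0001", t0,
                               supplied_contact="+1-604-555-0199")
    one_hour = t0 + timedelta(hours=1)
    return {
        # Called the number on file, by phone, within the window: passes.
        "legitimate": validate_out_of_band(
            req, Confirmation("phone", "+1-604-555-0100", one_hour, True)),
        # Called the number supplied in the email itself: rejected.
        "attacker_callback": validate_out_of_band(
            req, Confirmation("phone", req.supplied_contact, one_hour, True)),
        # "Confirmed" by replying on the same email thread: rejected.
        "same_channel": validate_out_of_band(
            req, Confirmation("email", "+1-604-555-0100", one_hour, True)),
        # Nobody confirmed anything: rejected.
        "no_confirmation": validate_out_of_band(req, None),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo_scenarios().items():
        print("%-18s %-5s %s" % (name, "OK" if ok else "DENY", reason))
```

The point the scenarios make is the second one: a confirmation that used the callback details supplied in the suspicious request is worthless, because the attacker controls that number. Requiring the confirmation contact to come from the directory on file is what makes the check genuinely out-of-band.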
Are SMEs really high-priority targets?
I often hear people say: “They’re never going to target me. I’m just a small business.” This is naive thinking about how attackers view them and about how attackers operate. It’s not that small businesses are being targeted specifically—it’s that attackers are using large-scale campaigns with automated software. They cast a very wide net, and SMEs become victims of opportunity.
Generally speaking, you want to be secure enough that you don’t get caught up with everybody else. Attackers are lazy, so they’re going to do whatever’s easiest. That’s why they like business email fraud so much—it’s a one-step process. All they have to do is get you to transfer the money to the wrong account.
And AI is making it even easier for them…
Yes. Business email and transfer fraud is much more sophisticated than many people realize. It’s not a sketchy email from your CFO requesting a financial transfer to an offshore account. The business email fraud that’s happening today, with these wide-net attacks, enables attackers to live inside your email systems for weeks or months and insert themselves into existing chains of communication, which makes their activities seem highly credible. And they’re going to target the single largest financial transfer you’re going to do in six months.
So people really need to understand the level of sophistication involved and follow consistent best practices to make sure it doesn’t happen to them.
What other critical cybersecurity measures should SMEs prioritize?
It’s different at different scales of SME. For solo employees, it’s about end-device security and education. This means making sure that your laptop is encrypted and password-protected; having a strong anti-malware solution running; using MFA everywhere you can, including in the cloud; and using a secure and trustworthy cloud service provider that has demonstrated at least the minimum due diligence of care to secure their infrastructure—through an SOC 2 report, for example.7
If you have five to 10 employees, it means taking a risk-based approach to how you invest in cybersecurity and what kind of controls you put in place. You may want to start by partnering with a cybersecurity firm to perform a simple risk assessment that will help you prioritize investments, including low-cost investments like MFA. Using MFA everywhere all the time really does have a big impact, but as I mentioned earlier, it’s not a silver bullet. A lot of people have come to rely on it too much, and that’s why attackers are now phishing MFA credentials the way they used to phish regular credentials.
Once you get a little bit larger—say 20+ employees—you can start putting in a proper security posture based on an industry standard like ISO 27001.8 This used to be a lot more expensive and only reserved for larger organizations, but now even SMEs can implement one of these standards and dramatically reduce their risks. And then larger companies at the opposite end of the spectrum will typically have a security team. For them, taking a risk-based approach becomes even more important.
Any final thoughts you’d like to share?
A lot of small business owners think they have to build this themselves, but there are good service providers out there who focus on delivering cybersecurity services at a fraction of what it would cost to build these kinds of capabilities in-house. They know best practices, and they can scale their services to the size of the business.
Lastly, just by implementing some of the things we’ve discussed—MFA, out-of-band verification, etc.—you can dramatically reduce the risk of attacks being successful. This is a numbers game for cybercriminals, and you can stack the odds in your favour just by taking the right actions.
Want more?
You’ll find some free resources, including infographics and guides, at kobalt.io.
Michelle McRae is the managing editor of CPABC in Focus magazine.
Michael Argast is the co-founder and CEO of Kobalt.io, a cybersecurity company that assesses, develops, and runs cybersecurity programs for SMEs. His past experience includes serving as a security leader for TELUS and as the global head of sales engineering for Sophos. Michael is the author of “How SMEs Can Start and Gain Company-Wide Support for Cybersecurity,” which was published in the CPABC Newsroom on April 16, 2021. You can read it at bccpa.ca/newsroom.
This interview was originally published in the September/October 2024 issue of CPABC in Focus.
Footnotes
1 “A Cybersecurity Update for CPAs,” CPABC in Focus, September/October 2023 (20-27).
2 Gary Smith, “Cybercrime Statistics 2024 (Shocking Trends You Must Know),” stationx.net, June 17, 2024. See the section “Cybercrime by Organization Size.”
3 In the context of this article, SMEs are enterprises with one to 1,000 employees.
4 SaaS: Software as a service.
5 Sara Herschander, “FTC Orders Blackbaud to Overhaul ‘Shoddy’ Security Practices Behind Data Breach,” philanthropy.com, February 5, 2024.
6 Heather Chen and Kathleen Magramo, “Finance Worker Pays Out $25 Million after Video Call with Deepfake ‘Chief Financial Officer,’” cnn.com, February 4, 2024.
7 See: aicpa-cima.com.
8 See iso.org/standard/27001.