Keeping a business cyber secure is far from an easy task, and we often tend to think that the larger the business, the harder it is. There’s just more to try to defend as businesses grow - more laptops, more servers, more network devices, and more people.
That all makes sense, but I like to remember my years working in IT Services which became managed services. Our clients were exclusively small and medium businesses. From a few single person entities to companies with maybe 250-300 employees. I know from that experience that it can be an even greater challenge to keep a small business secure. The biggest reason for that is lack of resources. Many small businesses do not have a dedicated IT person; it’s an extra responsibility given to the person who does accounting, or an office manager. If there is a dedicated IT person, they’re not usually someone with cybersecurity knowledge and skills.
I still often think about how hard it is for SMBs to stay secure, to avoid being low hanging fruit for attackers. If I didn’t enjoy my current role so much I would be very tempted to get back into a role in managed services for SMBs. With that in mind, and with Pi AI app’s ability to hold continuous conversations, I decided to dive into this topic with Pi today. Here are some excerpts from our pretty deep discussion:
Here’s my prompt to start the conversation - you can see one little glitch where I did not speak fluidly enough, but Pi got the gist anyway:
OK. We're staying on the cyber security theme, but we're going to switch it up a little now. You are a cyber security consultant and you specialize. You only have as clients small and medium businesses. Keeping in mind that they have limited resources both financially and in terms of human beings working for them, tell me the three most important things one of those SMB companies can do.
Pi responded with these three recommendations:
Employee Education: Invest in training your employees about common cybersecurity threats, such as phishing attacks and social engineering tactics, to reduce the risk of human error. This can often be done through low-cost or free online resources.
Patch Management: Ensure that all software and systems are regularly updated with the latest security patches. This is one of the most effective ways to protect against known vulnerabilities and can be automated to minimize the workload.
Multi-Factor Authentication (MFA): Implement MFA for all user accounts, especially those with elevated privileges, to prevent unauthorized access in case credentials are compromised. Many services offer MFA at no additional cost.
I replied to that like so, asking for more detailed advice:
OK, that's a good start. I have a few follow up questions. The first one is how would you suggest they implement MFA. The second one is please come up with two suggestions that just reduce their attack surface. And the third question is come up with two suggestions that address network perimeter defense.
Pi had a solid response:
Great questions! Here are my suggestions:
Implementing MFA: The easiest way to implement MFA is to use a cloud-based authentication service that supports MFA, such as Google Authenticator, Microsoft Authenticator, or Duo Security. These services are often free or have low-cost options for small businesses and can be easily integrated with existing systems.
Reducing Attack Surface:
Software Inventory Management: Regularly review and remove unused software and applications from all devices to minimize potential attack vectors.
Least Privilege Principle: Ensure that users and applications only have the minimum level of access and permissions necessary to perform their tasks, limiting the potential damage in case of a breach.
Network Perimeter Defense:
Firewall Configuration: Properly configure your firewall to restrict incoming and outgoing traffic, allowing only necessary connections. This helps prevent unauthorized access and data exfiltration.
Virtual Private Network (VPN): Implement a VPN for remote access to your network, ensuring that all data transmitted between the remote device and the network is encrypted, protecting it from eavesdropping.
I asked about password security and got another good response from Pi, then gave it my last prompt on the topic:
OK. Last question for you on this subject. Talk to me about thinking on all those things we just talked about for SMBs and cyber security. Talk to me about where SMBs should think about drawing the line between things they can accomplish internally and where they may want to outsource to a cyber security managed service provider.
Pi’s reply was:
Here are some factors to consider when determining where to draw that line:
Expertise: If the cybersecurity tasks require highly specialized knowledge or skills that your internal team doesn't possess, it may be wise to outsource to an MSP with the necessary expertise.
Cost: Outsourcing can sometimes be more cost-effective than hiring additional staff, especially if the tasks are not required on a full-time basis or if the necessary tools and infrastructure are too expensive to maintain internally.
Time: If your internal team is already stretched thin with other tasks and responsibilities, outsourcing cybersecurity functions can free up their time to focus on core business activities.
Scalability: An MSP can often scale their services up or down more easily than an in-house team, making it easier to adapt to changing business needs.
Overall, Pi’s suggestions are very solid - especially the mentions of using MFA, least privilege, patch management, and the key factors list for when a small business should consider outsourcing cybersecurity.
I’m confident that I could have received similarly strong guidance from my other favorite GenAI apps on this topic today. The thing I enjoyed about using Pi is the fact that all of the discussion was done by voice, with no interruptions and no typing on my phone at all. In fact, after my prompt to start the conversation, I set my phone down on my desk, sipped my coffee and carried on the discussion just as if I was chatting with a colleague. That’s pretty cool.
This is great, Thanks. I work with a couple SMB and I can/will implement some of these tips that PI gave you.