Podcast Summary: Navigating Cybersecurity in Small and Medium Businesses with White Hat Hacker Graham Berry
Podcast: Cybersecurity Today
Host: Jim Love
Guest: Graham Berry (White Hat Hacker & CISO)
Date: October 25, 2025
Overview
This episode explores the real-world cybersecurity challenges faced by small and medium-sized businesses (SMBs), featuring advice and frontline experiences from Graham Berry, a seasoned white hat hacker and Chief Information Security Officer. Jim Love and Graham discuss why SMBs are targets, misconceptions about cyber risks, the growing importance of cyber insurance, the impact of AI on security, and practical steps for companies to build resilience. The episode is rich with anecdotes, actionable advice, and memorable moments that ground technical issues in the world of business leaders.
Key Discussion Points and Insights
1. Graham Berry’s Journey and Motivations
- Background: Graham’s love of computers began at age 8 with a Tandy TRS-80 in rural Ontario (Hanover) ([01:31]):
"It was Hanover, just south of Owen Sound. And I was probably eight or nine maybe. That was my first exposure to computers." – Graham ([01:46])
- Career Path: Progression through tech roles to retail, government, and eventually running his own cybersecurity business ([02:24]).
- Transition to Security: Early experiences resetting passwords and hardware hacking led to his modern role ([04:14]).
2. Cybersecurity Risks & SMB Perceptions
- Myth: 'Too Small to Be a Target':
Many SMBs mistakenly feel insulated from attacks. Data suggests otherwise: "More than half of the country's small businesses have already been hit." – Jim Love, referencing a recent survey ([06:53])
- When Reality Strikes: Clients only react when attacks affect their operations or partners, threatening business continuity ([07:29], [08:47]).
- Supply Chain Vulnerability: SMBs can both suffer from and accidentally propagate attacks, emphasizing interconnected risk ([08:47]).
3. Responding to Incidents & Building Trust
- Communication is Key:
Graham advocates for honesty and preparation in post-breach communication, highlighting the benefit of tabletop exercises: "Be honest, be straightforward, don't be embarrassed... That's a different thing than having a sloppy shop." – Jim ([09:34])
- Tabletops: Mock scenarios help companies grasp the complexity of response and recovery, fostering preparedness ([10:01]).
4. Cyber Insurance: Process, Importance, and Pitfalls
- Misunderstandings:
Many SMBs see insurance as a checkbox exercise rather than a rigorous requirement. Falsely claiming controls can nullify coverage ([10:44], [11:13]).
- Insurance as a Reality Check:
"Could I get insurance? Forget whether you got to buy it or not, could I get it?" – Jim ([18:57])
- Preparation:
Insurers require clear security practices; successful clients embed controls and can then qualify for real coverage ([17:38], [19:21]).
- Vendor Requirements:
Larger clients increasingly demand proof of cyber insurance or recognized security attestations (SOC 2, etc.) for all suppliers ([22:10]).
5. Consulting Process: How Engagements Begin and Progress
- Why Clients Call:
Triggers include regulatory requirements, client demands, or near-miss incidents ([14:27]).
- First Steps:
- Inventory hardware, software, data assets.
- Identify business-critical data and processes ([11:42]).
- Use Business Impact Analysis to spotlight true business risks ([11:42]).
- Engagement:
Frequently, the challenge is getting business owners to see security as a business risk, not just a technical issue: "We were given one mouth and two ears. You know, use them more, listen and take it all in and understand the business." – Graham ([16:51])
6. Tabletop Exercises: Making Risk Real (and Memorable Moments)
- Best Practices:
- Start with technical scenarios, then pivot to executive impacts ([23:03]).
- CEOs often become deeply engaged when seeing business operations (like manufacturing lines) threatened ([24:56]).
- Memorable Quotes:
"Within 30 minutes, I had him pacing the meeting room and he was freaked out." – Graham ([24:56])
"You'll start to see the light bulbs go off when they realize this isn't a technical thing, this isn't an IT issue, this is a business issue and it's a business risk." – Graham ([26:29])
7. Recovery Stories and Lessons Learned
- Preparedness Pays:
One client invested in immutable backups, allowing for a full recovery after a ransomware event, a rare but telling success ([28:44]).
- Pitfalls of Neglect:
Many businesses discover only during a crisis that their backups are unusable, leading to prolonged outages and existential risk ([29:54]).
- Making Security a Priority:
Real engagement and consistent attention are necessary; half-hearted participation leads to increased costs and risks ([32:08]).
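The recovery stories above turn on one question: would the backup actually restore? The following restore-test script is an added example and is not code from the podcast or from Graham's practice. It builds a small constructed backup (a tar.gz plus a SHA-256 manifest, the manifest being assumed to live on a separate write-once location, as an immutable backup design would require), restores it into a scratch directory, and compares every file against the manifest. It also shows the three ways a "backup" fails a test: a tampered file, a missing file, and an archive that no longer extracts.

```python
"""Restore-test a backup archive against a SHA-256 manifest.

Added example, not from the podcast. The archive layout (tar.gz) and the
manifest format (relative path -> sha256 hex) are assumptions.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sample_backup(files: dict[str, bytes]) -> tuple[bytes, dict[str, str]]:
    """Build an in-memory tar.gz from constructed files.

    Returns (archive_bytes, manifest). A real backup job would write the
    manifest next to the archive, on storage the backup job cannot overwrite.
    """
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = sha256_bytes(data)
    return buf.getvalue(), manifest


def restore_test(archive: bytes, manifest: dict[str, str]) -> dict:
    """Extract the archive to a scratch directory and verify it against the manifest.

    'ok' is True only if extraction succeeds, every manifest entry is present
    with the expected hash, and nothing unexpected was restored.
    """
    report = {"ok": False, "missing": [], "mismatched": [], "unexpected": [], "error": None}
    restored: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
                # Refuse entries that would escape the scratch directory.
                for member in tar.getmembers():
                    if member.name.startswith("/") or ".." in member.name.split("/"):
                        raise ValueError(f"unsafe path in archive: {member.name}")
                if hasattr(tarfile, "data_filter"):  # Python 3.12+ / backports
                    tar.extractall(scratch, filter="data")
                else:
                    tar.extractall(scratch)
        except Exception as exc:  # any failure to extract is a failed restore test
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        for root, _dirs, names in os.walk(scratch):
            for name in names:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, scratch).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    restored[rel] = sha256_bytes(fh.read())
    for path, digest in manifest.items():
        if path not in restored:
            report["missing"].append(path)
        elif restored[path] != digest:
            report["mismatched"].append(path)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    report["ok"] = not (report["missing"] or report["mismatched"] or report["unexpected"])
    return report


# Constructed sample data standing in for a small business's crown jewels.
SAMPLE_FILES = {
    "ledger.csv": b"id,amount\n1,100\n2,250\n",
    "config/app.yaml": b"db: prod\nretention_days: 30\n",
    "notes.txt": b"call the insurer before paying anyone\n",
}

if __name__ == "__main__":
    archive, manifest = make_sample_backup(SAMPLE_FILES)
    print("good backup:", restore_test(archive, manifest))
    tampered, _ = make_sample_backup({**SAMPLE_FILES, "ledger.csv": b"id,amount\n1,999\n"})
    print("tampered:", restore_test(tampered, manifest))
    partial, _ = make_sample_backup({k: v for k, v in SAMPLE_FILES.items() if k != "notes.txt"})
    print("missing file:", restore_test(partial, manifest))
    print("truncated archive:", restore_test(archive[: len(archive) // 2], manifest))
```

The point of the design is that the manifest is checked from a copy the backup job could not have altered: if ransomware or a misconfigured job rewrites the archive, the hashes no longer match, and a truncated or corrupted archive surfaces as an extraction error rather than as a surprise on the day of the incident. Scheduling this against a random recent backup, and treating any non-`ok` report as an incident, is the cheap version of the "tested backups" the episode calls for.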
8. Guidance for SMBs and Consultants
- It’s Never Too Late:
"It's not too late. Start taking it serious. It's going to hit you. Right. The experts say it's not a question of if, but a question of when." – Graham ([34:06])
- Focus on Protecting 'Crown Jewels':
Identify the data and systems the business cannot operate without and protect those first; every business, regardless of sector, is now a technology business ([34:56]).
9. Artificial Intelligence: New Frontiers, Old Risks
- Data Risks:
Employees often upload sensitive documents to AI services, exposing critical data ([35:19]).
- Legal and Practical Risks:
Noteworthy cases (e.g., in New Zealand) may shape global policy for AI data breaches ([36:06]).
- Shadow IT Redux:
Unregulated AI use is the new 'shadow IT'; companies must surface and govern this activity ([38:29]).
- Simple Safeguards:
Provider settings that opt out of having submitted data used for model training (e.g., at OpenAI) can mitigate some risk, but only if the business knows the activity is happening ([36:06]).
- Memorable Warnings:
"If they're putting your company data in there, and chances are they are..." – Jim ([36:06])
"With the browsers... malicious scripts and prompts... could prompt the engine to do exactly that—harvest email, harvest data." – Graham ([37:39])
10. Evolving Mindset & Looking Ahead
- Growing Security Maturity:
Graham observes increased engagement and awareness among SMBs, seeing more informed conversations around security and AI ([39:16]).
- Tech Passion Endures:
"I'm excited to see where [AI] can go, but it has to be done correctly. It gets back to the old Tandy TRS-80. I'm still a technology junkie. It's just a new form." – Graham ([40:18])
Notable Quotes & Memorable Moments
- [07:29] Graham Berry: "They start when it starts getting closer to home... when our clients are saying they can't pay us. So that's when it really starts."
- [11:04] Jim Love: "If you tell your insurance company you're doing something and you're not, you're uninsured and it's just that simple."
- [17:38] Graham Berry: "We're just starting to make that big wide turn... when the devs are calling me and say, does this make sense?... That's when I know we've got the ship turning around."
- [19:21] Graham Berry: "For the most part for small businesses it's an easy exercise. Yet you get told right away pretty much that yeah, you're approved and we've got you. And I can't stress it enough how important it is, because the costs of recovery are just, they're insane for a small business."
- [24:56] Graham Berry: "Within 30 minutes, I had him pacing the meeting room and he was freaked out... He was the most engaged CEO I've seen after that."
- [26:29] Graham Berry: "...this is a business issue and it's a business risk."
- [34:06] Graham Berry: "It's not too late... It's not a question of if, but a question of when."
- [35:19] Graham Berry: "People are using the AI tools and just uploading documents, uploading data... you're pumping your corporate data up into someone else's server."
Timestamps for Key Segments
| Segment | Timestamp |
|---|---|
| Graham’s early tech journey | 01:31-02:24 |
| Transition to security | 04:14-05:10 |
| SMBs waking up to real risk | 07:29-08:29 |
| Incident response & supply chain risks | 08:47-09:34 |
| The value and process of tabletop exercises | 10:01-11:42 |
| Insurance: pitfalls and best practices | 10:44-11:13, 18:57-19:21 |
| First steps in consulting engagement | 14:27-15:05 |
| Business vs. technical communication | 16:26-16:51 |
| Tabletop exercise stories | 23:03-25:36 |
| Recovery tale (immutable backups) | 28:44-29:54 |
| Advice: Always take security seriously | 34:06-34:56 |
| AI and emerging risks | 35:19-38:29 |
| Looking ahead, growing security maturity | 39:16-40:18 |
Takeaways & Recommendations
- Cybersecurity is a Business Risk: SMBs must recognize they are targets and integrate security as a business imperative, not a technical afterthought.
- Preparedness Trumps Luck: Regular tabletop exercises, clear communication plans, and up-to-date backups that have actually been restore-tested are critical.
- Insurance Standards: Treat cyber insurance eligibility as a benchmark for minimal security maturity.
- AI: Exciting and Risky: New AI tools increase productivity but introduce new data risks—visibility and governance are essential.
- Engagement & Honesty Matter: True progress happens when leadership is involved and teams are honest about capabilities and gaps.
- It's Not Too Late: There’s time for every business to start improving their security posture, but procrastination makes incidents likelier and costlier.
This summary omits podcast advertisements, introductions, and outros, focusing purely on the substantive content provided by Jim Love and Graham Berry in their own words and tone.
