Small business owners frequently ask about the importance of cybersecurity, cost-effective solutions, specific services they need, and how to handle compliance requirements. They are also concerned about employee training and protection against common threats like phishing and ransomware.

In this interview series by Safety Detectives, I speak with small business owners who have faced these same challenges head-on with success. If you’re looking for actionable tips to safeguard your company—and avoid costly mistakes—from those who have been in your shoes, you don’t want to miss this.

Kamban S is the founder of Elephas, an AI powered knowledge assistant for Mac, iPhone, and iPad that saves up to 50% of writing time and 75% of content costs for its users. His work as a product development specialist has spanned multiple projects over the years, including FlatGA, a tool for unifying website metrics.

As a business leader who works online most of the time, what event(s) made you realize the real importance of online safety and privacy? What happened and what lessons did you learn from that episode(s)?

One of the friends I know, who works in the security business, mentioned this: An attacker inserted his/her email into an email chain dealing with money transactions and managed to receive the amount into his/her account without either of the original parties knowing. It made me realize the significance of online safety measures.

This is a type of cyberattack known as Business Email Compromise (BEC) or Email Thread Hijacking. 

Here’s what happened in the example:

The attacker gained unauthorized access to an email account involved in the conversation about financial transactions. This could have been done through phishing, malware, or exploiting weak account security (e.g. no two-factor authentication).

Once inside, the attacker monitored the email thread to gather information. He inserted his own email into the conversation at the right moment, posing as one of the original parties.

Using social engineering tactics (e.g. using language and formatting similar to the original participants), the attacker instructed the victim to transfer the funds to their account, likely

Because the fraudulent email seemed legitimate and appeared in the same thread, the victim didn’t suspect this was a scam. He followed the instructions, and unwittingly transferred funds to the attacker.

Sophistication: BEC attacks often rely on careful observation and timing, making them hard to detect. Victims, including many organizations and individuals alike, are typically not prepared to detect or prevent these types of attacks, and end up losing significant amounts of money.

How to prevent BEC attacks:

  • Enable Multi-Factor Authentication (MFA) to make it harder for attackers to access accounts.
  • Always verify payment instructions through a secondary communication channel, like a phone call.
  • Employee Training: Ensure everyone in your organization understands phishing and BEC risks.
  • Use Email Filtering and Monitoring tools to flag unusual activity in email threads, especially around financial transactions.
  • Use cryptographic signatures in emails to ensure authenticity.
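As an added example (not part of the interview), here is a small Python check of the kind the email monitoring bullet describes: it walks a constructed invoice thread and flags a reply whose sender domain is a lookalike of an established participant, whose Reply-To diverts replies to a different domain, or which changes payment instructions. All addresses, domains and message bodies are constructed sample data.

```python
import re
from difflib import SequenceMatcher

# Constructed sample thread: three legitimate messages, then a reply that joins
# from a lookalike domain, redirects replies elsewhere and changes bank details.
THREAD = [
    {"from": "alice@acme-corp.example", "reply_to": None,
     "body": "Attached is invoice 4471 for April."},
    {"from": "bob@supplier.example", "reply_to": None,
     "body": "Thanks, we will process payment this week."},
    {"from": "alice@acme-corp.example", "reply_to": None,
     "body": "Great, same details as last time."},
    {"from": "alice@acme-c0rp.example", "reply_to": "alice.acme@webmail.example",
     "body": "Please use our new bank account below for the wire transfer."},
]

# Phrases that indicate a message is changing where money should go.
PAYMENT_WORDS = re.compile(
    r"\b(bank account|wire transfer|new account|payment details|iban|routing)\b", re.I)


def domain(addr):
    """Lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def is_lookalike(candidate, known, threshold=0.8):
    """True if candidate is close to, but not identical to, a known domain."""
    return any(k != candidate and SequenceMatcher(None, candidate, k).ratio() >= threshold
               for k in known)


def review_thread(thread):
    """Return (message index, reason) pairs for messages that should be
    verified out of band (e.g. by phone) before anyone acts on them."""
    known, findings = set(), []
    for i, msg in enumerate(thread):
        d, reasons = domain(msg["from"]), []
        if known and d not in known:
            if is_lookalike(d, known):
                reasons.append(f"sender domain {d} resembles an established participant")
            elif PAYMENT_WORDS.search(msg["body"]):
                reasons.append(f"new participant {d} changes payment instructions")
        if msg["reply_to"] and domain(msg["reply_to"]) != d:
            reasons.append("Reply-To domain differs from From domain")
        if reasons and PAYMENT_WORDS.search(msg["body"]):
            reasons.append("message changes payment instructions")
        if reasons:
            findings.append((i, "; ".join(reasons)))
        known.add(d)
    return findings
```

Running `review_thread(THREAD)` flags only the fourth message; the legitimate supplier joining at the second message is not flagged because it neither mimics a known domain nor alters payment details.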

We normally don’t store any sensitive data. It is risky to store and safeguard unless it is mandatory for the product. We handle most of the logic inside the app on the client side. We also use end-to-end encryption even for non-sensitive data, say analytics data communicated from the client’s device. They do have the option to disable this.

For my own online safety:

  • I use password managers and don’t store passwords anywhere else.
  • I have 2FA (two-factor authentication) for most websites like AWS and Google, and my banking accounts.
  • I regularly update my passwords and ensure they are complex and unique for each service.
  • I normally review social media privacy settings to make sure I have only the necessary permissions enabled. For example, whether people can find me using my email address.

What’s your experience with outsourcing cybersecurity to a Managed Service Provider (MSP) versus handling things in-house? What would you suggest to other companies of your size?

I think when you start handling PII (Personally Identifiable Information) and sensitive data, outsourcing to an MSP can bring several advantages, including access to a wider range of tools, technologies, and expert knowledge that may not be feasible for a small team to maintain internally.

Homomorphic encryption, an advanced technique that allows computation without decrypting the source data, is an interesting positive thing. Quantum cryptography is another one that can create unbreakable encryption.

Advanced facial recognition is one concerning development in this area. Deepfakes pose further challenges to digital media.

This interview was originally published on the Safety Detectives

How can people connect with you?

LinkedIn: https://www.linkedin.com/in/selvam-s-66014826/

X: https://x.com/KambanTheMaker