CTIO 101 Podcast
CTIO 101 Podcast
Ransomware Part 1
The biggest cost of Anyware attack will always be the downtime. that's deliberately because if it wasn't, you wouldn't pay the ransom, the ransom will always be less than the downtime cost. That's the, that's the fact, that's the pressure they wanna put you under.
Malcom:CTIO 1 O 1. Business Technology. Simplified and Shared Sponsored by Fairmont Recruitment, Hiring Technology Professionals Across the UK Europe Don't forget to subscribe! In this edition Rob explains the first step and subsequent steps of a ransomware attack. Follow the escalation step by step of how something seemingly innocent can quickly develop into an existential crisis. Cyber attacks are becoming more complex and sophisticated all the time, but they generally have a simple aim. They deploy programs that run on your computer and then demand payment to unlock files or remove malicious software. In this video we talk about ransomware a malware that encrypts files so they cannot be accessed. This kind of attack, showcased famously in the global WannaCry attack in May 2017, has been growing in popularity alongside increased awareness of cyber attacks and the growth of online networks and services.
Jon:One of the things that struck me about the topic we're gonna talk about, um, this evening is the timing. And actually the timing for the event we are going to discuss. Um, I mean, people will know the title of this video, so it's not really a cliff hanger, uh, but having it, having it, uh, late on a Friday evening at the end of a long week, everyone's a bit tired heat waves on, you know, let's have a, a couple of beers over the barbecue and Robert, just like to say, no beer has passed my lip. Um, this evening, although there, I may have a beer afterwards, uh, but, but you know, it's just sort of a vulnerability. Rob, I can tell you, um, I'm asking a man who's just probably just got the kids to bed. Yeah.
Rob:it was a battle tonight. I can tell you that
Jon:your, your passion is, uh, how much sleep am I gonna get? And are they gonna stay asleep? And there's nothing worse than putting the little ones to bed when you've actually got a deadline. It's quite unusual. Isn't it. To have to put'em to bed to then do a, a podcast at nine at seven 30 on a Friday evening,
Rob:it was a weird trade after night because was in nursery on Thursdays and Fridays, which means she comes home knackered, which sort of is a plusser minus because it means she. Absolutely fights to sleep. Like no man's business, it's all screams, whatever, but her body is also knackered. So like, she'll have the big tantrum then she'll collapse and you think you've won and then she'll get a second wind and back up and down, up, down, up down. But, um, yeah, I think we, we, we got her down at about seven. She went, she went quiet, so I I'm hoping she'll, uh, she be through like a rock now, but, um,
Jon:If we have to, if, if, if there's any change, you know, we, we can, we can cater for that in the, uh, in the, in the, uh, with the technology, not a problem, not a problem at all. So,
Rob:an extra guess. That's all.
Jon:yeah. That's all right. Well, that's good. That's good. Uh, a future, um, a Fu future CT 1 0 1 presenter. Um, so, so we're gonna talk about ransomware. Um, and also I think, I think the structure we said we would try and structure around the key events of a ransomware attack sort of stages that we go through.
Rob:I was thinking. I say, yeah, we sort of give the overview of what runs, where actually is and the problem. And then it's to say it is just walking through roughly what people have to deal with as they go through them. Cuz it's like any crime. Right. You sort of know about it, but until you've experienced it firsthand, you're not gonna know every sort of detail.
Jon:There's a few things, um, you know, having read your notes and done a bit of research. I think I need to eat a little bit of humble pie. I think I've suffered from a bit of hubris around, um, immutable, uh, technology, which I think we'll get to later. Uh, and it's the classic, uh, technology situation where, uh, you could, you know, you think you've got one facet covered really well, but actually if you don't have a, a number of other key areas covered you, you are still vulnerable. Um, and we'll, we'll get into that. I think when we start to think about, uh, the, you know, the immutable side of things, but, um, first of all, I suppose, unless you've been living under a rock, I mean, let's go right to basics. Yeah. A ransom. I mean, I'm sure everyone watching this knows what a ransom is, but just in, in essence, it's, it's withholding something, isn't it. And then asking for payment. Um,
Rob:it's extortion of another.
Jon:It used to be kidnapping in the seventies. You were, so you
Rob:Cut out all the cut out the letters in the newspaper. Send you notes.
Jon:that's the one. Um, and then forget the fact that you did a, you know, you left your thumbprint on the, on the envelope, uh, and you send it over, uh, and, uh, you, you pay a answer and then, you know, if it's an honorable criminal, which is a bit of an oxymoron, potentially, uh, the person gets returned completely, um, you know, unharmed. Uh, and then, uh, the other scenario is that they're not returned regardless. Uh, and there's lots and lots of different scenarios in between. So I just wanted to get the listeners to get the frame of mind. um, around the kind of the folks that are acting, you know, people that are creating this problem, the folks who are demanding ransom, it's not a formulaic group, is it? It's not a kind of a, if you do this, this is what will happen. It's quite a lot of different responses that you can get in different approaches, but they're not. Um, as I understand it, Rob, that they're not folks that are kind of amateurish. There's a lot that goes in to the beginnings of a ransomware attack, a lot of potentially social engineering and infiltration and, and the folks that do it are by the nature of the attack need to be quite highly organized. Is that right? Or is it a, an apologies for any up and coming technologies, listening to this stereotype? That's about to come out, but is it a, you know, 14 year old, you know, teenager's got a few things downloaded from the web and they're just launching it all from their bedroom and their laptop.
Rob:No. I mean, don't get wrong. Obviously, there's, there's some fairly high profile cases from the past of 14 year olds taking down some pretty respectable businesses, which, um, I guess highlights just how, how scary the problem can be. But, um, no, I mean, you hit it down on the head quite with fair few points to that. Like if you take it down to basics, you know, the whole act of extortion and Ransom's taking something that's valuable to someone and applying the pressure in a way that makes them pay money, which is tends to be a big part of our catalyst existence, essentially. Um, so as you say, it could have been, if you think back to films and stereotype stuff, it could be a loved one or a child or that kind of thing creates quite emotive responses. But again, With ransomware. It's just doing that with, with data and part of that in order to have a successful attack, they need to make sure they're dealing with the people whose that data matters to the most.
Jon:Yes. Yes.
Rob:And if the, if you strike some of the data matters the most at a time, a really high pressure time or, or difficult scenario, whatever that's gonna create the best response. And that's how they, that's how they operate. So in order to do that, you can't just sit and I mean, don't get me wrong. There's there's spray and pray attacks, right? There's, there's, there's lots of pretty low risk attacks flying out. They're just, just chanting it. But when you talk about, and I think the phrase people use is big game hunting. When they're, they're really smart and engineered, um, attacks, they are profiling people. They're getting access to social media. They're understanding their, their lives, their work and habits. What's important to them. Um, and it's worth it because it's a, it's a huge, a huge business, right? It's an. It's not, it's an illegitimate business, but it's a very viable business model, what these, these gangs are doing. And when you take, I think the market, um, market for 2021 was valued at 20 billion us dollars.
Jon:Wow.
Rob:And when you take its account, there's a few, it's a huge amount. Um, and actually that's just been flying up as, as time goes by. That's, you know, it's been a huge increase and there's a few facts we can go onto later sort that, that attribute to that.
Jon:and Rob, I'm, I'm putting a few things up front because I think it's really important for folks to hear some of it before we go through the kind of the sequence, because then when you hear the sequence, you kind of hear certain elements for the second time and then hopefully it really sinks in. Cause I think part of what we can do here, um, is educate folks who think they know what ransomware is, or have read a lot about it, but they haven't actually sort of taken the walk of going through an event. And therefore there's some, when I read, uh, some of the work, you know, some of the preparation you'd done for this event, one of the things that really struck me was it's so obvious in your mind that the ransom is they've taken your data and you want your data back. Yeah. That's sort of quite easy to get your head around. Um, and, uh, and, and if you had a countermeasure, which is, you've got some kind. Super safe backup that you restore from. It was the point that you were making, which is if that takes, if that restore takes 28 days or a month or whatever, you know, if that, if that really is gonna take time, then actually your active re of, of restoration is leading to potentially, you know, 28 days of outage, which means actually you might be turning to the ransomware folks for, you know, some means of getting the data faster and, you know, it's those sorts of things. I think when we go through the, you know, we might go over that point again, but this is where I think people really have to, um, sort of go along that rule of, you know, you think, you know what might happen, but it's not until you go through an event or you, you, you go through this sort of documented, uh, experience that other other people have had. And there, there are some really unexpected twists and turns. In the, in the ransomware space, would you say, or would you say, you know, and there might be some others that we, we kind of, uh, come, come across?
Rob:I think, I think you're completely right. As I say, people and people focus so much on the safety net. but they don't focus on how quickly you can bounce back, but the biggest cost of Anyware attack will always be the downtime. Um, that's deliberately because if it wasn't, you wouldn't pay the ransom, the ransom will always be less than the downtime cost. That's the, that's the fact, that's the pressure they wanna put you under. Um, but likewise you say, as businesses become way more dependent on data and driven by data. And as you know, there's not a business on, on this earth that haven't got digital transformation somewhere in their annual report or, or on the agenda as, as we become data for those organizations, the implications of this data and what it contains, where it sits, where you operate it
Jon:absolutely massive.
Rob:It's huge. And unfortunately, I think there's still a bit of a tick box exercise applied to this and go right. Is this safe? Like yes, broadly tick, tick, tick. And the problem with ransomware is, as we said at the start. It's not necessarily a, not necessarily a technological attack. Like it, it does act as in a technology space, but it's a human attack. It's an attack on your business and it suddenly lines up all these different factors together
Jon:yes,
Rob:and they all get struck at once. And if you're not prepared for that, that's a, that's a very sleepless few nights for you.
Jon:You know, you can, you can work it out because if you've got a genuine business case around automation, um, and you've pursued that in your, you know, your digital agenda or whatever, and you've just hugely transformed, say the operational part of your business or a really key part of it. And not only that, but you've done it end to end. So you've, you've put in processing all the way through. So suddenly you've got this amazing velocity of value flowing through your business, you know, through automation. Um, you know, that is, is there, there, there is, there's your vulnerability suddenly it's running, you know, in all those compute cycles on various different bits of kits and it's storing data and retrieving data, if that then gets interrupted. And that, I think that's one of the things we might wanna just answer a bit about the nature of ransomware. Why, you know, why is it so difficult to, sort of immediately, uh, defend an attack when it happens, you know, what, what, what's the big deal? What are they doing? Technically, that's just stopping making that, uh, such a terrible option. But if you have all that, uh, automation in place, then you, you stop the business. It's a bit like going into a place that's called manual process and just making sure nobody can enter the, the factory. It's it's as simple as that. Um, and, and you've got in a digital operations, you've got, you know, potentially millions of, or thousands, hundreds of thousands of transactions occurring every hour, day, whatever. There's very, very high stakes and then there's, you know, a lot of businesses that have just got very important information, uh, that they need retrieval for, uh, that's stored, I mean, what we're doing is we're just going through the scope of, of technology at the business technology. Aren't we, and it is absolutely massive.
Rob:Absolutely. And it's a really, it's a very long thought exercise you actually have to go through. And a lot of the time, you know, especially if you're thinking of sort of that, you know, that CT CTO level, you're focused on those high level automation. Okay. Like, where's this data sitting, how's it running? What's it doing for business quick patients, but you've got to work right down the changes that's affecting people. And if you take, for example, say like a retail store, if you point of sale goes down now. Yeah. You, you are panicking it loss of sales, but maybe you try and flip over to a manual process. Well, your cashiers are gonna have to work out V a T and taxes for that. Have they, do they know like, is, is GC math, they required skills to do that job. Have they got a
Jon:and they're probably, and let's face it manual. uh, in this, in that instance is still, um, using, uh, Excel or, or, or, um, you know, which is on the computer. It's a bit like, uh, there was a really cold winter a few years ago and, uh, we, our, our mains water pipe froze. And, uh, my wife and I were in the kitchen and, uh, she said, what we're gonna do? And I said, it'll be fine. It'll be absolutely fine. You know, let's just have a cup of tea. And I turned the tap and of course there was no water. And I was like, oh no, what are we gonna do? So, you know, that's this sort of levels of, I mean, could any business really go fully manual? You know, I mean talking, you know, pen paper, especially retail. I mean, you can't even order stock. I mean, there's nothing in the supply chain there that isn't running off a
Rob:And I mean, realistically, if you're a business that can go and operate fully manual, Do you know what? You're probably pretty safe because they're told just not gonna target you
Jon:but you're only safe. You're only safe when all the other businesses aren't being ransommed because because you are, obviously, there are certain, maybe there are certain sort of businesses that are, uh, lend themselves more towards that. But, um, do you know what I mean? You've gotta, increasingly you've got to be in the digital space to survive longer term. So there is a, there's a little bit of a, kind of a, um, you know, an inevitability about having to face something like this. Rob, I just wanted to, uh, throw, throw something in only because you know what you've said, but you know, you're talking about how it's highly engineered and they might go after a particular individual. Um, I remember that as being, uh, uh, there was a thing called there's this fishing. Yeah. Which is like general. And then they called it whaling when they're going for the, you know, the big hits. But, um, there is, I think you have multifactor authentication in place. It's a real big one. I mean, that's, that's one of the really good. Overall kind of, you know, measures that, that anyone should try and make, because where I was coming from was this ransomware attack could actually start off as an socially engineered break into someone's email, pretend to be them, you, you know, to make certain decisions that aren't about, you know, the classic, get this check paid, but more about, can you give such and such access so that they can actually work themselves into positions to, to launch the attack? Are we gonna end up saying at the end of this Rob prevention's way better than cure kind of thing.
Rob:um, I think the unfortunate answer is there. Isn't a cure. Um, it's about, it's about utilizing prevention and I guess, impact mitigation, but the MFA point's really interesting again, just to keep stressing the human element of this is a real bonus of MFA. Obviously it's got its key requirements that, you know, having that second login, just give you that external security people, can't just bypass systems and whatnot, but actually just having the time to think, because when, when you have these fishing attacks and these whaling attacks, again, they, they do'em in ways that are either apply pressure or they catch people off guard or people aren't expecting. Again, they, the classic one is having a, a fake C CEO reach out to a junior member of staff. And you're like, I want to pick you for this special task. And they get all excited, whatever, but actually having that moment to think, cuz you tap in the, the number or the password or whatever you go, hold on. They've never spoke to me before. Why are they, why are they giving me this task or, or that kind of thing could be a real.
Jon:you you're right though. But, um, but the, these guys are playing off of really strong, uh, uh, I suppose emotional intelligence. I hate to say it, but they really understand how people are gonna behave because, and also certain industries and sectors probably are more prone to this. So you have certain sectors. The non, you know, the people that aren't directly facing revenue, generating roles, you know, um, maybe in the sort of support, there's a sort of a deference inbuilt deference. There shouldn't be, but there is a sort of inbuilt deference between different portions of the business. Um, so if, I mean, obviously a CEO, uh, you, you, you pretend to be the CEO. You're assuming you've got, you know, a lot of influence over, over everyone in, you know, in the business. I think we already said, you know, Friday, evenings, holidays, Times of, uh, I, I think they don't, they also research your key business events. So if they know that your business in particular has got a massive event coming up, they might want to plan the attack a couple of months prior. So there is, you know, they're creating all these different pressures for, for fast payment. Is that, is that, that's what they're trying to do. Isn't it?
Rob:Yeah, absolutely. So let's say if you are a furniture retailer, January sales, huge time for, for them, or maybe like a travel agent while they broker they're gonna hit you your busiest time. Um, they're gonna come in, you know, they're not gonna wait for you to log on on a Monday morning, have your have your first coffee the day get settled in and then say right game on let's let's let's apply ransom. It's gonna come through at two, three in the morning, potentially. No one even working. You might have a couple of analysts, keep an eye on things, um, or whatnot, and they're gonna catch you. They're gonna catch you off guard and they're gonna catch you at a point where you cannot afford to lose that data.
Jon:And, um, this is a retail, uh, quote, but, um, there's that statistic isn't there that for retail, isn't there something like, is it 11 days in December that that represent more than 50% of retail sales or I I'll have to fact check it, but there's a disproportionate amount of revenue for retail that occurs around Christmas because of, you know, Christmas purchasing. So, so retail would, would be absolute prime target for kind of like November, uh, you know, those, those sorts of times because, um, you know, Rob, you might say, uh, businesses need to be on heightened awareness, you know, and they should be, and there's all sorts of things, but maybe we're gonna discuss about how you do that, but you cannot as a human being be. Uh, alert top alert all the time. It's just impossible because by, by nature being on alert is about a change of state. Yeah. And you just get exhausted. So I think, um, I think having a really clever step back and look at your key events and through the eyes of maybe these folks and think about, okay, if I was going to do this, what is our absolute most vulnerable moment, um, might, might be, would you say that's a useful thing to, you know, to do, uh, as a scenario planning for, for the technologists and the business?
Rob:Yeah, I think it's, it's important to pay attention to you. The key points in the, in the business card of the year for you. Um, it's a difficult one cause you are absolutely right. You can't be on full alert all year, but it's also, it's difficult to say stand down between those events as well. And this is a really difficult thing you're gonna be, you're gonna be caught in. And um, I think what it, what it comes down to, and we'll say we will cover it off a bit more later, but a lot of it comes down to just practice and preparation, really more than anything, cuz that sort of acknowledges the fact that you won't be on your a hundred percent guard all the time. And then you'll put the measures in, you'll put the permit security in all these, these different aspects, but having prepared who needs to be involved in what capacity and go through those lines of thought about what could be impacted and where means that when, when something does strike, whether that be at your busiest time of year or quieter time of year you've least got an idea of where to, where to head with things.
Jon:All right then. Well, look, let's try and get folks drawn into, um, you know, the scenario. Okay. So, uh, you and I are, um, we're working in the same organization. If that, if that's the scenario we'll play, um, and. How do we find out in, uh, Rob I've, I've found out about all sorts of things over the years. So I'll be interested in your view of how you find out and I'll see if that chimes with, um, yeah. You know, obviously won't go into any details, but I've, you know, uh, been around long enough to be involved in all sorts of service events. Well, let's call them, uh, and, uh, very interesting. The big ones you can remember exactly where you were when you were told, you know, when, when, you know, when you realize that something serious is happening, you can normally remember exactly what you were doing. And, uh, so go, what's the scenario that you'd like to say in terms of us discovering, who finds out first, how does it come in? Does it even come into the technical team? Does it come into the business? You know, is it something we notice? It's something we get informed about? What, what, how would you say that the play goes.
Rob:Yeah. So, so again, it's gonna depend largely on what the, the nature of the business is, but likely you're gonna get, you know, the, the, um, security team or the analyst team or the ops. Team's gonna start getting a few support. Tickets raised an instance from people not being able to access, you know, their usual spreadsheet, or maybe they can't log onto a till, or maybe a petrol. Pump's not working all these different things that might be reliant on the data, and I'm gonna look into it and go, okay, this is weird. It shouldn't normally be like this. We'll go and run our, our patches, our tests or whatnot. And they're gonna start seeing that there's a lockdown of files or there's missing files or there's something not quite right system.
Jon:And actually, uh, Rob, that's got, um, that's not dissimilar from a, from a, just a good old fashioned outage,
Rob:no. And that's probably what they'll be thinking.
Jon:The pattern that you see there, uh, you know, um, just, just as you describe it. So if you were hearing that just as some, a conversation, you would, you, you potentially could be getting nervous about an outage, but you wouldn't necessarily jump straight to ransomware a a and also Rob Kurt, just to be clear for everyone listening and for, for make sure I understand this. You're describing the ransomware event unfolding. But actually, I suppose we'll get into this for this to have happened. They've already, they've already got inside our systems a while ago. Haven't they? Because this isn't something they can just land at the door and launch. This is something that takes a bit of, uh, I I'm probably gonna use the wrong phrase, but I'm using this literally from, from reading the stories of old, but this is like a Trojan horse. It's it's, it's already, things are in place. Aren't they for them to do this
Rob:it, it, yeah, you're absolutely right. And it's very rare. You'll get around tomorrow attack that will, will penetrate the network and then strike immediately. Um, they get in there, they lay dormant. They. Get a feel for how your network works, your files, your operations, that kind of thing. Um, interesting enough, the very first ransomware attacks that actually they actually predate the Internet that used to be sent out on floppy discs and offering free software, but they had the same mentality. They, you put the, the floppy disc skin and it could count how many times the PC had been boosted and they'd wait for a certain number. And then in fact, so you wouldn't attribute it to the floppy disk you've got. So it's the same principle that there might have been a minor incident, but if this has gone under the radar undetected and they will sit there for time, understand the organization, understanding your operations and waiting for that, that prime time to
Jon:So, so, so the key point, Rob, if we can sort of make this a bit cinematic. Okay. Um, and I'm assuming you've seen JAWS.
Rob:Yes,
Jon:Yes. So, you know, um, the, uh, the, the, the scene where the coast guard, the, the, the sheriff, he sat on the beach and he suddenly realizes, and they do this really clever camera technique where they zoom in. While zooming in, they move the camera back. So you get a zoom, but the spec, there's a really famous scene of realization. I always imagine that's the, that's the scene on the CIO's face when the moment, you know, it's ran. I know we don't know it's ransomware yet, by the way. But the moment, you know, it's ransomware because it's not just, we're under attack. It's, it's, they've been in for quite a while. Do you know what I mean? It's a very serious moment because it's not just, oh, they're at the door, you know, we're gonna fight them off. It means actually they've been in it's all it's it's, it's like you've found out and it's too late.
Rob:Yeah, it, it is not a hundred in a, in a, second.
Jon:I'm not giving up, Rob. I'm not saying it's too late. We're throwing the towel in, but do you know what I mean? It's that sort of. You know that gravity of the situation, um, I don't wanna be over dramatic, but I don't think you can be, uh, obviously you have to, uh, hold it together. Uh, my personal experience of, um, major incidents is that you do everyone works really well. It's it's once the event is dealt with that's when you kind of, you know, need a coffee and you just really, you know, the shock kind of hits you cuz you're, you're, you're running off adrenaline, uh, to start off with which actually you have to be careful about because if you are in a full adrenaline fight mode, you know, there's very important rational part of your brain that's switched off. Um, and I I'd wager that they even know that, you know, in terms of working out how people are gonna respond, et cetera, and Rob, sorry, I'm getting excited. I shouldn't be, cause it's a terrible thing, but the, so we're starting to notice a few users. Can't access, you know, it's that sort of, that's how it's sort of starting to build maybe no one's called the CIO yet because we've got shifts in place. It's a, you know, we're, we're looking, we don't have most of our business online at the moment, you know? So we're not, we're not even aware of, uh, how many, you know, it could be just a few machines because there are only a few people actually logged in, but it could be all the machines. It's just that you've, everyone's gone home or they're not in use or something like that. Yeah.
Rob:That's it you'll be, you'll be starting to see patterns, but again, if your mind jumps straight to answer, and you're probably quite a paranoid individual and you, you're probably not living a great, having a great time anyway. Um, so you'll probably be looking for, as you say, more common outages or just maybe patch, issue issues or updates or that kind of thing. And you're gonna quickly start to build that picture as more and more people log on, or as you realize more and more files are inaccessible or, or, um, you know, missing or those kind of things. And. eventually you're gonna have to make that, make that call to maybe an ops manager. Maybe you probably wouldn't go straight to a CISO or CTO if you weren't a hundred percent sure yet if you're in the, you know, the shoes of that analyst, you're probably gonna alert on a little bit more senior to have a, have a look
Jon:yeah, and I think this is a really important operational point. So, um, I, I, I subscribe to, to the view that, um, if your organization can afford it, you know, if you've got the right scale, your chief information security officer, your CISO should report independently of your, of your, uh, CIO. I think it's just really good to have that separation. There's a little bit of marking your own homework and it's good to have that audit. Plus the fact, you know, classically CISOs get involved in things that are a little bit more meaty than just, you know, the, the cyber side of it. But then on the, uh, CIO CTIOs perspective, we, we are managing, um, a lot of operations, including quite often cyber operations. So I've always had cyber operations reporting to me. Um, in some organizations I've had, uh, you know, uh, what I describe as a very wide stack of that and others it's been quite sort of thin, but I was just saying, whilst that separation's really important, one of the risks is that that pattern that you are describing, um, could be it's being potentially observed by two groups. Um, that might sound like a good thing, you know, two sets of eyes, but it can also lead to sort of a lot of cross traffic when you've gotta be really organized. Otherwise you can have almost people not deliberately briefing against each other, but you just get. Because a lot of them will come to the same points for reference in the network. And, you know, I'm just wondering if, if you have a view on the governance or, or, um, you know, where it can be work really well or where it can be challenging when you are trying to detect the event. I mean, obviously we've, we've got a challenge already, cuz we know they've already infiltrated the network and set things up. So that's, that's already happened, but I'm just saying, um, whether, uh, your SOC, you know, needs to make sure it's reporting in the right way and everyone's involved, it comes to the table at the same
Rob:I think you're right. I think the reporting lines are really important. And I think you actually, you see a lot of the time, any organization organizations that have been through this do normally split out that CISO function afterwards. Cause they acknowledge the importance of having that, that independent view on the security side. But what it comes down to mostly is you've got security teams and operational teams. And whilst they've got a shared goal in terms of protecting the business of keeping business continuity, going they're, they're working in very different ways and there will be crossovers, but probably less and less as you get further down the chain and you are bringing these people together to work together for the first time with kind of an aligned goal, they wanna get the business back up and running, but very different methods, very different approaches, very different understandings and different personal goals and egos and all these kind of things come into it. And whilst it be lovely to say that these all get parts of the door, the fact of the matter is, is it's it's people working here, so they there's gonna play into it. And you get a whole range of people are gonna be gonna be brought in to this. So when let's say, I guess to bring it back to the incident, you know, you've seen once they're, they're pretty certain that these files are getting encrypt store or, um, or stolen or, or breached or all these things. You're probably gonna get issued with a note fairly soon. And that's gonna, that's gonna confirm that, right?
Jon:And that's is that this is the cutout of newspaper. Uh,
Rob:Pretty much. Um,
Jon:I mean, but seriously there, Rob, how do they send you the note? How do they make it? So it's not traceable, is it just a, you know, a Google account that was set up an hour ago? You know, sort
Rob:basically. Yeah,
Jon:like a burner phone, but a burner email
Rob:absolutely right. Yeah. Just a burner email, probably via proxy, all these different things to, to help hide the tracks. It's a very much a spin up attack. Bring it down, move on mentality. Um, But you will have an open dialogue with the ransomware gang. They will speak to you. They'll probably make comments on how you're responding. They will work to get in your head.
Jon:and who, who are they gonna try to be? Who are they gonna try and get ahead of the CIO? Are they gonna go into the commercial side? Who do they typically try and connect to first?
Rob:So, um, it's a good question. And it does vary from place to place. Um, I think generally they want to go after they do wanna sort go after that sort of C level bit. Cause you need someone, who's got the authority to be heard than the business in order to make a payment of that.
Jon:I hate to bring this back to movies again, Rob, maybe it's cuz it's a Friday evening and I'm just sort of thinking about the, you know, the movies I might watch at the weekend, but that reminds me the scene that reminds me of is, you know, when, uh, okay, I'm gonna use star Trek. Okay. But they're at the bridge, you know, and they say they wanna speak to us and he says,
Rob:I'm not, I'm not a Treky by any means, Jon, this is gonna, it's gonna go straight over my head, but I'll uh, I'll entertain it.
Jon:No, no. I use a different analogy. Then the police are, they're talking, you know, they've got the killer on the
Rob:Mm-hmm
Jon:and they say they wanna speak to you, you know? Okay. Put'em on. You know, is that, is that they literally that's, that's what happened. So, so the CIO could be the, you know, the point of contact, uh, of, of talking to the ransomware folks. So I'm, I'm immediately thinking when you get to senior positions, it's quite common to get media training. You know, big companies will do that, you know, to make you media savvy, how to, you know, face questions, answer questions, make sure you do answer the questions, but also, you know, answer them in a responsible way for the company. Um, I, I would've thought it'd been pretty good to, to train and simulate speaking to, uh, you know, these folks
Rob:it's a really interesting point,
Jon:gonna be a moment in your career where you're just gonna say actually I'm not I've I've never done this before and these are proper criminals.
Rob:Yeah. You, you send CIO, CIO, stroke, hostage negotiated. Don't you. And that's, uh, probably not what you signed up for.
Jon:Well, it's interesting. And I don't think anyone knows what they signed up for, but, uh, you know, cause you never know what's gonna happen, but that, I think that is a genuine kind of moment where you are. Um, yeah. And if you, and if the adrenaline's to in, you know, and you are being a bit too feisty with them, that that might not be the right thing to do or it might be, I don't know, but go on then Rob. So I'm, I'm getting, I'm actually starting to get nervous now because I'm, I'm really immersing myself in the, in the, in the sequence, but I'm, I'm, I'm, I'm saying that we've got maybe we're 80% certain, there's an attack. Cuz remember there there's never a hundred percent certainty until there's an absolute smoking gun in the early stages of detection. But once that phone call comes in and you correlate that phone conversation with what everyone's saying in the operation center, then you're thinking, okay, this is, this is real. That's when it sort of goes into slow motion, you can't quite believe. So what they're gonna say, uh, what will say to you, Rob. Literally, what would they say?
Rob:It's. I mean, it's pretty simple. Really they'll say, hi, we've got X data of yours, um, to retrieve the, the keys to decrypt, it pay us X amount in Bitcoin to this account. Uh, and I'll give you a deadline and the clock will start ticking. And it's, it's pretty simple. Really. They, they, they don't really want much more, so they straight to the point.
Jon:and it's, and it is Bitcoin. Um, you know, is that, is, you know, is
Rob:Yeah,
Jon:it E theory? Is it Ethereum or is it genuinely Bitcoin? Cuz that's a bigger,
Rob:I use, I use Bitcoin, so I'll, I'll admit my cryptocurrency isn't isn't too extensive, but yeah, it's essentially it's crypto. And that, that, that, that was what brought the boom ransomware as well, because suddenly you had a really easy unregulated way of receiving payments and
Jon:completely untraceable
Rob:yeah. And you still need to, you still need to launder it and be clever about it because obviously the. I guess on the other side of the fact that it's, you know, it's all out on the open, you can actually see all these transactions publicly, so you can't just go and cash in 10 million pounds of Bitcoin without, without attracting attention. But so you sort of go through the motion of disputing it, you know, lundering it point into different currencies and moving it around and whatnot. But yeah, it, it enables people to an easy way to pay.
Jon:So, so you think there's a correlation potentially between Bitcoin, which is the, kind of the means of, of collecting the, the criminal collecting the value. Uh, obviously there's got to be a correlation with some of the tooling that they're using the encryption tooling and the way that they break into those sort of, that becomes weaponized. But then combine that with blockchain. You've got these two technologies that have converged, and then you've got businesses that have got genuine dependency on their data. The third factor that's, what's created the, this 20 billion a year market.
Rob:absolutely say it was its existed for years, but. The, the route to payments made it very risky and, and tricky, you know, cryptocurrency comes along in 2010 and I think that the problem they, they had with that was the, the ransomware gangs were like, great, this is a great HC payments, but no one had heard a cryptocurrency. Right. So you are going to your, your standard CIO CEO and saying, you know, give me X amount of Bitcoin. And they're like, I dunno what that is. I dunno how to make the payment. I dunno how to buy this. So
Jon:that they saying? Like, is that, are those those chocolate coins
Rob:have, yeah, you have absolutely no idea. Would you.
Jon:Well, well on earth Bitcoin, but, um, yeah, but I'm just wondering even the act of being prepared to pay. And by the way, I'm not saying we should pay yet. Cause we'll get, we'll get to all of that. But just the act of being, if you decided, look, we're gonna be ready for this and you set up a Bitcoin account and you might have mentioned it, or maybe they've, exfiltrated your email. So they actually see, you know, some they know it's happened, they might go great. That's a marker. That means we can actually. They're ready for us to go. Do you see what I mean? They could be, you could be giving off markers, um, to show that you're actually in a position to pay in Bitcoin because you know, if you've got two attacks and one folks have got Bitcoin, they're ready to do it. And the other just, you know, dunno where to start. You might go well out the two, let's go for the one that's ready to pay. I'm not saying, you know, that, that, that could be a factor if they're really sophisticated. That's the sort of thing they're gonna be thinking. Isn't
Rob:yeah, they, they want, they wanna make sure you've got the means to, to make the payments and, and whatnot. And it's interesting you say that, cause there is genuinely a strategy that, that some businesses employ where they put aside X amount a month into a Bitcoin account
Jon:Yeah.
Rob:for if they get hit by ransomware and that's their, that's
Jon:Ransomware. They're ransomware accrual. Incredible. I mean, that's
Rob:save up for, right?
Jon:But again, you know, the savvy criminal will wait until year end, you know, wait until that's got as much in its, I mean, you know, I'm not trying to give any tips by the way, I'm just, you know, these are thought experiments, but, um, so one of the, one of the real big headaches, Rob for a CIO, it's not is a headache, but it's so important that you don't do lip service is the cyber insurance every year, you know? Um, it's, you know, premiums are going up. I, you know, I presume for everyone because the, you know, it's becoming really, it's almost like a badge of honor if you're able to achieve insurance, you know, because it, and quite rightly so, um, that, uh, the folks at insurance, they want to see MFA in place, certain things now, which are, were kind of, you just sort of discussed it maybe three or four years ago. And now it's absolutely. If you haven't got it, we're not interested, but in the old, uh, no claims bonus space. Yeah. What, if you are fortunate enough to have a. Cyber insurance that would pay off your, um, you know, cover your ransom payment in the, for the first instance, it that's a bit of a one off isn't it? Because unless you do something very drastic, you may never get insurance again. Or I would've thought the premium would go up. I mean, I don't know whether once you've been attacked, does that make yourself vulnerable to other attacks? Are they, or are they extremely honorable and say, no, you know, we'll, we'll, we'll tick them. We've ticked them that they're okay. Whenever coming back to them, I mean, you know what happens am I have, I now got a big target painted on my back?
Rob:yeah, I mean, I guess there's two lines to go down there. So let's focus first on paying the ransom and the, you know, the implications that gives, and then we can talk a bit about the cyber insurance and the reflection on that. So
Jon:Yeah.
Rob:a lot of people pay the ran. A lot of people pay their, and this is why it's funny. Any statistics you read are always completely skewed because there's so many businesses who just paid, stayed quiet and it just never gets reported or, or acknowledged.
Jon:And, and maybe also of the businesses who have paid, they may say they don't in the sense that you don't negotiate with terrorists and you never, you don't, you know, it's not, it's not good to put out
Rob:You're not putting that in your press relations. Are you?
Jon:yeah, we, we pay everyone we pay and we've got a Bitcoin account we're actually accruing this month. You know, we're waiting for the next attack. You know, you, this you'd never do it. But the, but what you're saying is the reality is a lot of businesses are poised to try and get a, a rapid resolution. And that may include paying.
Rob:a lot. A lot of businesses pay. And when you, when you pay, you have to, it's not to show it down. Cause it's very easy to, as you say, give the line, don't negotiate with terrorists. Don't pay it. But as we said, this is a really difficult scenario. You've potentially got, you know, it can Crip a business, it can put people out jobs. You've got lot people
Jon:So an existential event, you can be looking at everyone, losing their jobs, share price. Has gone years of investment wiped off, you know, this is, this is as serious as it gets for a business. So paying ransom, isn't something where folks are getting into the morality of it. It is existential. There is a, you know, uh, and, and businesses have to act in the best interests of all the shareholders, you know, the business itself.
Rob:and that's, and that's just purely businesses. Think about, think about national infrastructure and public sector organizations, these things, and, you know, colonial pipeline was a huge headline. Um, recently, you know, big oil and gas supplier. Like they, they supplied too much to, to have the downtime and they, they, they made the payment, like it's the, the, let's say the implication are huge. So it's not to, it's not to dam anyone for, for paying it. It's an understandable why people do. But when you do make that payment, as you actually say, you basically hold a flag and, and say, we are willing to pay, which makes you a bit of a soft target, quick
Jon:Yeah. And, and like you say, and we'll just be really clear with folks who are, who are watching this or listening to this. We're not criticizing folks that do that. We're not making a judgment. We're just saying that's what happens. And when you combine that with all the other factors we've described, you can see why. I mean, you know, my view would be that ransomware attacks must be on a massive uptick. Uh, would be my, my, um, my guess I haven't actually see, I haven't looked at any statistics, Rob, so I don't know whether it's peaked, whether it's going up, whether it's on the level it's falling. I don't
Rob:no, it is, it is, it is growing. Interestingly, it did dip a little bit during the pandemic. It had a bit of an amnesty and then realized I think it was gonna go on for longer than they thought. So cracked up again, like, like most businesses, I
Jon:No, that was the, um, the ransomwares folks had to work out there, their work, anywhere strategy.
Rob:that's it. Yeah. Self hybrid working and
Jon:They've been doing it all manually in the office and they're there to work out how to get teams up and running. Uh, but, um, crikey, that's, that's really interesting. So, so statistically, like you say, they are skewed because there's, you, you're saying a lot goes unreported. It doesn't, it's not the sort of thing you offer up, uh, lightly. So some of it is, uh, projected, but it, it looks like it is on the increase.
Rob:Yeah. And, and of the ones that reported the people who pay. So the statistic is that you're 60% more likely to be hit again, if you make the payment. But again, that's skewed by only the ones who have acknowledged they've made the payment and been here again. So it's probably higher. And then you unlock, you unlock double jeopardy. You unlock triple jeopardy because you might make the payment and the ransomware goes great. Thanks for the payment. Here's your data. A lot of them do give you the data back because otherwise their business model doesn't work. So I'll give you the data back, but then they'll say, by the way, if you pay another half a million or another two 50,000 or whatever it's gonna be, we promise we won't do it again. And you go, okay, fine. I'll pay you that much. And they go, great. Thank you for that. Right. We promise won't do it again, by the way, if you pay us an extra half, a million million, whatever. We promise. We won't tell anyone else how to do it, or we won't tell your blueprints on, or we won't do this. And you're sort of stuck and where, you know, the cycle never really
Jon:Could they then come back and say, and then, you know, as a final offer, we're doing a two, a three for one offer this month. If you pass more money, we won't release the data that we've unlocked to the dark web, you know, it just keeps going. Wow. That's I mean, that's terrifying, isn't it?
Rob:It's a really, it's a really horrible situation where you you've, you've done what you thought is right. To get your, your infrastructure, your business back in line quicker. And then you are just further exploited. And again, keep bringing it back to that human element. It's about putting the pressure on people and exposing people and exploring them.
Jon:and, and, and now I'm just thinking, oh my goodness, me, you know, that data, if it's important, you know, it's, it's almost, it's very, very likely to be sensitive. Yeah. And it could be sort of in the GDPR, uh, space. So there is an obligation isn't there to report a breach.
Rob:Yes, you have, you have 48 hours to, well, you have 40 hours to report it from the moment you can confirm it to breach. And this is the interesting piece. So businesses will dig their heels in for as long as possible before confirming it's a breach cause that's what starts the clock ticking.
Jon:yeah, no, I understand. But you could, you know, this is where all the different factors are starting to become. This is quite a pressure situation, especially if you've just got off the phone to the, the folks that are telling you, you know, Mr. Smith, you know, this is, this is what you have to do. And then, you know, you've got the, the, the, like you say, when the official 48 hours starts ticking. Um, yeah, this is really, this is a really tough, this is a very, very extraordinarily tough scenario. Isn't
Rob:And you've also gotta think about at what point do these things cross into your mind. So again, if you are unprepared for this, and as you said before, if you're running off adrenaline, you got tunnel vision. are you focused on just getting your critical, so your business can run. Are you thinking about where this data is? What this data contains? You know, who's at jeopardy of this data getting, getting leads, which stakeholders would be affected, who like, are you thinking that straight away or is that coming later down the line and again, less time to deal with it.
Jon:me, you made me think something. So Rob, so, you know, I'm doing quite a few episodes over the next two weeks, which is great. I've got a lot of, uh, content being added, uh, to the channel, really exciting stuff. And this morning, uh, I was speaking to a business coach. Um, she's got many years experience as a police inspector.
Rob:Okay.
Jon:Um, you know, because I was talking about, you know, working under pressure and, you
Rob:Mm-hmm
Jon:it's CIOs go on about, you know, the operational pressure and stuff like that. But actually, you know, it's pretty serious, isn't it? If you are a police inspector, the sort of things you've dealt with, and we were talking about how, uh, um, you know, when you have to do something without thinking and do it well, you know, that's where you rehearse, that's where you have command and control. That's sort of interesting your point about, you know, the adrenaline, you know, the adrenaline blinkers are on and if you haven't rehearsed and you don't say right, it's a ransomware, we're now going into operation, whatever, you know, your pre-rehearsed thing, that's where you can make these terrible judgments. That seem absolutely the right thing at the time. But then they'd play out in a, in a, a really horrible way that you just couldn't, you, you couldn't have fathom, you need to do that scenario planning before it happens. Not, not as it's happening.
Rob:It. It's what I'm doing. Yeah. You need to use a have in your mind, your recovery strategy, your mediation strategy. Yeah. You need to know. Every department's gonna be involved in that. Every person that's gonna be a part of that. I need to make sure that whoever's leading that as I say, probably will fall on the CIO, um, CCO role that you can command the, the playbook that brings everyone in at the right time. Make sure people are, are working together at the right place, sharing the right information in order to reach hopefully a successful recovery. But without that planning, odds are, there's gonna be hiccups. There's gonna be crossover. There's gonna be miscommunication. There's gonna be issues. It's It's a Hornets nest essentially.
Jon:it is. It, it, it is. And actually, you know, um, so I, I I'm gonna say fortunately, but fortunately, uh, the major incidents that I've been involved with in my career have been, uh, in relation to, um, uh, technology, uh, issues and, um, some really, really big impacting outages from some very, very small, tiny esoteric engineering problems. Like the size of, of network packets being misconfigured between two devices that you get to at the end of a week of. Asking everyone getting everyone involved, no one can fix it. So, you know, those sorts of things. Um, so, you know, we're used to, we're used to going in at that sort of level, but here, this feels like, you know, you, you lose a, you could lose a bit of hope because it's not, it's not necessarily an engineering solution. That's going to get you out of this. This is, this is you're starting to get into the realms of kind of game theory and negotiation and how you, you know, deal with the folks and damage limitation. You know, there's all sorts of it. Um, yeah, I don't wanna keep going on about it, but it, I think it is just, I don't think, um, folks that are listening can underestimate the impact this could have on, on them.
Rob:It's it's easy to write it off as it's a, you know, I think don't think anyone doesn't see it a serious matter, but it's easy to write off and go, right. Files are inaccessible. We need to get them back up as, as good as possible. But it it's not that it's, it's the process. It's the people, it's things involved. So the extent, like, if you think about it, if your, if your VOIP. goes down. If your UC tools go down, if your SaaS apps go down, like actually we're talking about how to communicate with all these people. Well, what if you can't communicate?
Jon:Yeah, yeah, absolutely. Um, I remember, um, during, um, you know, pre just, just as a pandemic broke, you know, this story's been told by many by everyone. Yeah. So I'm not saying this is in any way unique, but everyone basically had to figure out how to work remotely. Um, and so we basically, all of us had pulled off, you know, the biggest UK PLC, business continuity plan ever done, cuz the, you know, UK PLC carried on, uh, a whole load of countermeasures, including government support, furlough, remote working, you know, we that's what we did, you know, we we'd all be. Proud proud of that. Um, but what I started to do is I started to think, oh, um, in my business continuity thinking, I was only thinking of, you know, we lose access to the office. So what do we do next? Now we're in the completely new setting. What's the continuity, you know, what's gonna go wrong in this scenario. And, uh, it is pretty scary to think that, uh, you lose your, your, your ability voiceover IP is what you're referring to, but basically, you know, telephone video, that sort of thing, or private circuits, if they become compromised and suddenly, uh, I've now gotta pick up the phone to speak to my team. You know, you have to have those sorts of backup plans.
Rob:Yeah, you have a, you have a major instant calls over FaceTime. It's crazy. Like it's not.
Jon:And yeah. Or WhatsApp. Yeah. I've had a lot, I've had a few of those, uh, or actually in these sort of work anywhere times you might need to actually declare. A physical place where you'll kind of congregate and rally to, uh, if you had to, I dunno if it still happens, but there used to be a company called Sunguard. They might have been bought or different, um, different environment. What they used to do is they used to sell you a bus. You were aware of
Rob:Yeah. So you, you could literally spin up an office couldn't you in, in like
Jon:Yeah. And you could rent, it was such a clever business model because they obviously worked out almost like an insurance policy. How many buses they, they would need for how many customers, but the deal was, you know, if you couldn't access your office, you could get in a bus. This isn't about losing an office, is it? Or this is just losing it, it just, just cease to be digital. It's
Rob:it's losing functionality, right? It's it's losing the ability to work and. Yeah, I think it's, it's noticing that blast radius as well. It's a huge thing, cuz as I say, when it gets alerted, you'll probably be spotting a few key elements and then suddenly this blast radius will just grow and grow and grow as you investigate and more and more things get brought to your attention.
Jon:Just the scale of it, you know, we've been talking about major incidents, uh, there's a lot of different roles involved. You've got a CISO you've got a CIO, you've got a board that you're reporting to. These are all massive company structures. And, you know, there is a very significant portion of business in the UK that does go through the, you know, the top 250, but there is a huge tale of really important businesses in the UK that are small to medium size. Are, are those guys, um, being saved because of the, because they haven't got the scale to pay or is this technology gonna get weaponized or not weaponized the wrong word industrialized. So actually these smaller companies are gonna get hit on a do. Do you see any of that happening between scale? You know, uh, so the smaller company. It's got, you know, it's got some cash in its current account, you know, it's, it's got money. Um, but it hasn't got, it's not the same as the, you know, the bigger targets. I'm just wondering if, if we see anything like
Rob:no. So it it's all relative. Right? So. I don't think there's any, there's no business that's immune, because if you've got something that's valuable, that's more valuable than whatever ransom is asked for. Then there is root for extortion there. Um, you know, what, what you'll see is just the difference in amounts that are asked for, um, probably not even if in sophistication of the tax, again, it all comes down to, you know, have to treat runaway gangs as effective businesses. And they'll have a business problem. They'll know who their target market is. And the target market is anyone who will pay. So where the SMB
Jon:Well, anyone who pay, who doesn't, who doesn't have MFA multifactor authentication for me would be on my list of, uh, if I had a long list of targets. Yeah. That would be one of the things I would sort my long list into a short list would be MFA. I'm not saying by the way, I'm not. Saying Rob. And I think it's really cool that you guys are very, very, uh, you are very careful to say don't rely on one piece, you know, don't think cuz you've got MFA, you're cool. Or you've got this everything. So you've got to have a, there's a surroundings, but I do think, um, multifactor authentication, um, by having it, it's a little bit like that terrible expression, you know, when you're being chased by a lion and you're in a group, as long as you're not the slowest person running, you are the safest, you know, that's an awful analogy, but there is a, there are some things that small companies could do, cuz MFA's not expensive, especially for a small company it's actually really straightforward to implement, but I'm amazed at how many folks still have, you know, they don't expire their passwords. You know, things get sent on email when you get an account set up, uh, you know, and it's just, you just think, oh my goodness, me, maybe they just haven't experienced it or
Rob:Well, the, the craziest
Jon:got the head around
Rob:the craziest thing I think is, is say that are so many businesses who don't deploy these really simple mitigations, but actually they're users and their employees are used to doing this in their personal life. Like most, most like domestic applications are now using MFA to an extent, or, you know, require stronger passwords or educating you in terms of how to secure your accounts. But
Jon:actually Rob, so, um, you know, this is, uh, for folks who may or may not know this, but you can, on Amazon, you can buy a firewall appliance. You know, it's an actual box. I dunno if it's a raspberry pie underneath it all, but it's a, it's a, an actual firewall dedicated appliance with four ports. And, um, I won't say the company name, but there's a very. Uh, a large security company that, that does a lot of firewall technology and you can install one of their commercial grade firewalls on your, uh, uh, firewall at home for free cuz they, they make it free for domestic use, which is probably quite clever because I suppose they're thinking these technical folks, this might be a way of influencing a purchase or, but, but I don't wanna be too cynical. It might be a bit like some of the car manufacturers that share, uh, safety technology amongst other car, you know, they, they share their, their safety innovations cuz it's, it's good for everyone. Um, so, so you've got that. Um, uh, and then you've got maybe a VPN, so you're encrypted and then maybe you've got multifactor authentication on, you know, app. Apple's got a very good setup. Google's got a very good setup. I think Microsoft's it. It's, it's definitely usable. It's not quite slick, but you know, it's available for everyone. Isn't it? And a lot of people, like you say, they do at home and then at work, it's not there. Why is that? Is that, is that because there's some, do we get kind of caught with trying to implement the big, perfect. Is it perfection? Is the enemy of progress or is it, you know, what's holding back that kind of look, forget everything guys. Let's just put in MFA and patch everything, and then let's talk about our more sophisticated approach to security.
Rob:I, I think to be honest, it just comes down to education, understanding and exposure. Right? I think the examples we use where companies aren't using MFA or encryption, these, these kind of things, or VPN. they're not the companies who are then having long discussions about their security strategy. Are they, they they're companies that see it as a cost center rather than, you know, a business driver or so product. And, and there's, there's still business out there where actually it probably is just a cost center and it's not integral, but again, it's about weighing up. It's all about weighing up risk versus investment. Isn't it? Um, I think as I said at the start with, with more and more companies, you know, investing in it and using, using data to drive them and stuff, it, it, we are moving away from that area, but yeah, it purely comes down to an understanding of the, of the threat and, and what's out there. Um, and I think that goes for, for all security, doesn't it, whether it's business or domestic or personal or anything, it's all about understanding what, what is a threat to me and how much do I value the threat itself?
Jon:yeah, yeah, absolutely. So, um, where, where are we in our event? Uh, I, I definitely want to go down this immutable, uh, backup piece because I've, I've definitely fallen foul of, of, of, of believing. That's kind of like my, you know, superpower, uh, or one of the superpowers. Um, and then, and actually I've got a build on, on, you know, uh, some of the stuff you were saying, I wanted to, to throw something in, on, on, on storage, uh, in, in a minute, but are we ready to go down
Rob:yeah, I think so. So without breaking the, the fears of the mind that we've been, we've been painting. Cause I think we've had a few, a few, uh, gone down a few different avenues here, but, um, let's say we know, we know we're dealing with ransome. So normally, you know, the first thing you're gonna need to do is sort of touched on before is you're gonna have to investigate the, the blast radius of this attack. You're gonna need to know where that breach got in. You're gonna need to know what's been infected. Can you quarantine them? Can you isolate it? Um, that's when you start the new calculations of what this financial downtime is that we've, we've touched a lot on. You're gonna start looking at, can we contain this? Is there gonna be any media leak? So all this stuff's going on in these instant calls,
Malcom:Now that we know just how bad a ransome attack can be. our next video will cover what you can do to prevent these attacks. Learn about these important counter measures and subscribe to the channel now to get access to a catalogue of business technology topics, that are easy to digest and share. Click the icon of Jon's face, such a handsome fellow. Honestly, some of the things they programme me to say.