Understanding Cyber Risk in a Pandemic (Guest: Bill Mew)
Bill Mew: If you've been slow in patching, they'll just spot you and they'll hack you and they won't give a damn and then you're in real trouble.
Welcome to the Masters Of Data Podcast, the podcast that brings the human to data. And I'm your host, Ben Newton. All right, everybody. Welcome to another episode of Masters Of Data. I'm your host Ben Newton and we're doing this in a little bit of a different time in the middle of our COVID-19 interesting times. With that I'm really excited to talk to an old friend now, I think it's his third time on the show, he is the CEO of the cyber crisis management firm, crisisteam.co.uk and I want him to talk a little bit about that in a minute. But welcome, Bill Mew. It's good to have you on the show.
Well Ben, it's great to be speaking to you and yes, this is incident number three when we're having yet another program. I think the first time we did it face to face, the second time we did it remotely from our offices and this time it's a little bit different. We're stuck at home.
Yeah. So I want to talk a little bit about that. I'm stuck in my little building in my backyard where my children have to at least think a couple of nanoseconds before they come bother me. We're doing okay, but you're also holed up in the UK. I want you to talk a little bit about your situation because I think it's awesome.
Over here in the UK there is a massive lockdown and everyone needs to stay at home. It's a little bit different for me because the home where I'm sat right now happens to be a castle on an island in a lake in the middle of a small valley in the countryside. We've actually pulled up the drawbridge, so I think in terms of isolation we're fairly safe and the dungeons here at the castle are well-provisioned. So I think we can hold out for some time. My only real concern is if the broadband goes down.
So have you raised your retinue of knights and everybody's good to go?
Well, unfortunately knights and pages and other servants are in short supply this day and age, and I think [inaudible] lockdown anyway.
When you sent me the picture of that before I thought that was... that brightened my day. So I think that's pretty cool. One thing too, since you and I talked last, you've started this new firm Crisis Team. Talk a little bit about what you're doing there and what's your new mission here?
Okay. We'll come to talk about the threats in a little bit because obviously the cyber arena is one that we both focused on and that there are a lot of companies out there providing a lot of preventative measures, be it software solutions, SaaS solutions, whatever. And actually the market is really well-provisioned in that respect. It has also a nascent cyber security market to try and... or sorry, a cyber insurance market to try and cover you if things go wrong. But the real need is if things do go wrong, well exactly what do you do? That's all around incident response. There are some really talented groups of guys that can be flown into an incident and can fix it and it takes real skills in that particular arena because you need to fix it fast and you need to do the forensics to find out exactly what was wrong. I'm partnering with some really great people in that particular respect but once they've done that, they need to hand that on to a legal team. I've got the best lawyers in the world. We then need to hand on to a reputation management team and I'll come on and talk why that needs to be different for a cyber incident and then to a social media team to deal with the whole arena around any incident where you have misinformation and hysteria. The Crisis Team, we're actually almost the only people out there providing that soup to nuts thing with incident response, a cyber law specialist, cyber reputation management, and then the whole social media piece. So that's what we do.
I think that's fascinating and it makes a lot of sense how necessary that would be, edging into our topic today. With all the news, and I think like anybody else, I'm an unwilling news junkie these days. You look it up, there's a lot of talk about the health risk and flattening various curves and all these kinds of things but I think a new topic that particularly in our industry has come up is with the cyber risk and you talked as we were preparing for this, that we weren't prepared for what happened in 2008, there's been other crises since then that we haven't really been prepared for. Now looking at what's going on now, we're not really prepared for some of the things that are happening right now, including not only the health aspect but the cyber. So talk a little bit about that.
Yeah, there's some very good reasons for why we're not prepared. It's the way that we're all incentivized and the way that we operate. If you look at most organizations, nearly all of the executive team and most of the people reporting to them are incentivized purely around revenue and [inaudible 00:05:46]. These are ROI measurements, return on investments. So if you have an entire management team who are focused on ROI, then they'll go out and they'll do exactly what they're incentivized to do and they will maximize revenue and profit. That's exactly what happened in the financial crisis when all the banks went absolutely all guns blazing to try and maximize all of their revenue in that particular time. What they failed to do was to understand the risk that was coming [inaudible 00:06:18]. It's a bit like the fact, if you have a television that typically, the television has three different color feeds. If you had only two of those color feeds, which are profit and revenue, then you can get a picture of what's happening in the business, but you're not getting the whole picture and sometimes you'll miss something. If at the same time, there is a guy who is looking at the other color feed, the blue let's say, and he's actually stuck in the basement and you're not listening to him, and that's exactly what happened [inaudible] financial collapse. They had risk managers. Those risk managers were looking at a different picture, a different color feed, and they were saying, "Look at the risk here. This is terrible." They weren't listened to. So if you've got these guys, they're sounding the alarm and you're not listening to them, you're heading for calamity. Now the problem and the difference between those people or that person and the senior team is he is incentivized about ROR, which is return on risk. So basically the way that manager in a financial organization works, he's focused on well, what is our risk appetite? How much do we need to spend?
Because you could spend an infinite amount on risk mitigation and you don't necessarily want to do that. You need to work out what your risk appetite is. What are you going to spend on mitigating this? And certainly in the cyber arena and the tech arena, the guy responsible for this is the CSO and that many organizations now have CSOs, not enough of them sit on the board, not enough of them have a voice and possibly they're not being listened to at this moment in time. So you've got a very similar scenario here with a board that is overly focused on ROI and you've got one person calling out the [inaudible 00:08:10], "Hell, if you look at the ROR perspective, and if you look at the risk, there's a really serious risk here." Now, we weren't looking adequately at the risk ahead of the financial collapse and therefore it crept up on us and brought the whole world to its knees. Again, we were looking at the health risk ahead of the pandemic and that meant that we were slow to react. We were unprepared and the chances are that there is going to be some sort of cyber pandemic or serious cyber incidents that are going to happen. Again, if we're only looking at revenue and profit, we're going to be unprepared. We're not adequately going to have an ROI focus here. The risk is if the CSOs aren't given a voice, they'll face what I call CSO-lation, they'll just sit there [inaudible] on their own and possibly we should be listening a little bit more.
Have you trademarked that? I think you need to trademark that. CSO-lation, I like that. That's fantastic. Well, let's talk a little bit, before we get into some of the other media discussion here. I think a lot of us may take for granted why the risk is increased, but let's talk a little bit about that because in some sense people are doing a lot of the same things that... as opposed to the people who have to be onsite at point of sales and in retail and things like that. But for those of us who are transitioning to working remotely, why is that increasing the risk now?
I think we need to understand that we were facing an increasingly hostile threat landscape anyway. The cyber criminals are becoming more and more innovative. They're using AI themselves against us as much as we try and use AI in our defense. Actually, the problem that we have is that they only need to be lucky occasionally, whereas we need to be lucky all the time and therefore the cards are stacked against us. Now, if all of a sudden, and we're seeing that right now, if all of a sudden everyone starts doing something they're not used to, like working from home in a far greater number than they ever have before, and we weren't prepared for it. We didn't necessarily think ahead about how we were going to train people to work from home, have they been given fresh briefings around potential phishing attacks or potential vulnerabilities, what they need to be doing at home? Have they updated the home router software? Which wireless networks are they using it from at home? Are these secure? And looking at have they set up multifactor authentication in order to ensure that they have that level of protection? All of these things would be things that in the normal environment, hopefully we'd think about in advance. Again, we're coming back to preparedness here. I'm going to say this a few [inaudible 00:11:15]. We simply weren't prepared for this and we simply weren't prepared for [inaudible] homeworking we've got at this moment in time and therefore lots of these protections and a lot of these measures simply weren't put in place. Now, it doesn't mean we can't think about some of them now, doesn't mean we can't go down a checklist of things that we need to do and there are some very clear steps that we could take around possibly a quick refresher training around phishing and how to spot it because there are lots of criminals out there using notifications or emails around coronavirus, to actually entrap you with phishing attacks.
We can also look at the security of our home networks and our home devices. We can also have a separation where we only use home devices for home activities and personal activities and we only use work devices for the work activity that we need to do and therefore, that will provide a separation which is important. Obviously, there is the multifactor authentication. I think, if you look at the threat vectors and the threats out there, at this moment in time, something like 80% of the potential attacks or the activity going on could be stopped with a level of training around phishing or with multifactor authentication to help mitigate against the very obvious and widespread attacks around things like Office 365 access. So, those are the things that we need to address in order to prepare ourselves for this temporary new way of working. But on a slightly more permanent basis, we need to think on a broader perspective about how prepared are we for other potential crises, other potential shocks and for the increasing threat landscape that we're seeing in the cyber arena?
No, I think you lay it out really well Bill and with that, I think with a lot of us we were very focused in other areas and now this is coming to the fore of how people were thinking about what the risks are and particularly with companies with remote workers. So when you and I were talking about this, I think you had a really good way of how we could talk about this in terms of basically debunking some myths. So you got three myths that you think you need to debunk. So why don't we just go ahead and get into that? Because I think this is a really good way of thinking about it. So with the first myth, the myth being that we're not really the ones that the hackers are going to target because we're either too small, we're too unknown, we're not really... We've got our stuff together, we're good to go or they don't really care about us. So why is that a myth? That actually doesn't seem that crazy.
Well, most people believe they're not on the radar of the potential hackers or the cyber criminals here. To a large extent that's true, but you need to remember that these hackers are opportunists. If you don't think about putting some of these measures in place to make sure that when they're out there looking for their opportunity and going through all the easy opportunities out there, that you're not one of those, then yes, you will get caught out. So actually taking [inaudible] measures that are actually not going to make you one of the more vulnerable people is always a step to take. But you simply cannot believe that you're never going to be targeted because you're too small because hackers don't always go for the [inaudible] boys out there. They typically go for the easiest targets. If you haven't gone to the extent of regularly updating your patches, regularly reviewing all of your equipment and all of your security protocols, then you're going to be vulnerable. One of the things that they do is they will send out bots to search the net for known vulnerabilities, and if you've been slow in patching, they'll just spot you and they'll hack you and they won't give a damn and then you're in real trouble. A really good example of this is the WannaCry attack that brought down the British National Health Service and a whole load of companies all over the world. It is actually a fact that had all of those companies been patching their software as regularly as they should, they would have installed a patch six weeks earlier that would have stopped it. It was only those organizations that had failed to keep up with their patching that were vulnerable and it's a very simple fact that most of these organizations never thought they'd be hit. If they were more concerned, they would have kept up with their patches. It was the very fact that they were somewhat complacent and hadn't done that that meant that they were the ones that were taken out.
Ben Newton: Yeah, it's interesting the way you framed that Bill, because I mean, that's part of the difficulty in the security realm is that we humans are pretty bad at risk assessment and we tend to not take things seriously until it's already happened. Then we're like, "Oh, I should take this seriously now." Literally when you talk about patching, I remember having discussions like that 16, 17, near on 20 years ago where people weren't patching back then. So it's the ongoing problem where it's just not something people are taking seriously enough.
I mean, there is a general level of complacency because people genuinely don't believe it's going to happen to them until it does.
Ben Newton: Yeah, yeah. No, absolutely. So, the truth here is that it's not a question of if, it's a question of when, and it doesn't matter what size you are, it matters how easy of a target you are.
Bill Mew: Well, you say it's not a question of if but it's when, it's not only that, the very fact that something like six months is the typical amount of time that it takes for you to detect an intrusion. I think that's the [inaudible] days, it means it's not a question of if or when, it may well already have happened.
Right, right. Wow. Yeah, that's pretty sobering. So, myth one, it's very much debunked. We're all at risk and we have to take this seriously. One thing that I thought was really interesting though, when you reached out to me in the arena that you're playing now with... around insurance and I can say that's a place where I've definitely, I've got a lot to learn about, cyber insurance and what that means in this case. So, one of the myths that you were talking about was that we've got cyber insurance, so we're covered. So yeah, I mean, talk a bit how does that actually work and why doesn't that cover us?
Okay. So one of the issues here is that the cyber insurance market simply isn't as mature or as advanced as many of the other insurance markets. So if you have an 18-year-old and he wants to insure a Ferrari, I think there's a fairly accurate risk assessment that tells you that there's going to be a very high premium involved here. When it comes to cyber insurance, because you know so little about an organization, what its technology landscape is, what its internal security [inaudible] is, it's very difficult to do a risk assessment. Unfortunately, once you do the risk assessment, you then have to try and price the risk accurately and typically the way that has been done in, let's say auto insurance, has been by having a very large book of business, so a lot of experience, a lot of people with a lot of different cars, and you can actually learn over time what the claim history is in order to really refine your approach. In the cyber arena, even Warren Buffet, who's one of the biggest figures in insurance has [inaudible] that they simply don't know how to approach the pricing of cyber risk. It is just too much of an unknown quantity. Now, one of the approaches that they do take is there is a new type of model of risk assessment and certainly in the credit risk arena, we have companies like Equifax, which will give each of us individuals a credit score. In the cybersecurity arena, we have cybersecurity risk rating weighting firms. Now, some of these companies use web crawlers and they will go out and they search the web or externally facing endpoints for your organization and they will assess them on the basis of known vulnerabilities. So if you haven't patched recently, they'll be able to tell and they'll give you a low scoring. They'll give you a very different scoring the next day if you've just run a whole lot of patches, so suddenly you've got a really good scoring, but nothing internally really would have changed a great deal. This sort of approach, it's... compared to assessing the fire safety of a building by using a photograph taken from the opposite side of the street. [inaudible] you can see roughly how big it is and whether it's been painted or maintained recently, but you don't know anything about how flammable the contents are. You don't know whether it's got a sprinkler system or fire safety devices. I mean, it's just a really, really crude way of measuring it. But unfortunately, because risk assessment needs to be done in a relatively economic manner without pricing it out of anyone's reach, that's probably the best approach we've got right now. So one of the problems we've had is they don't know how to price the risk. They don't know how to assess the risk and also many of these companies, they boast that they can offer you a quotation on cyber insurance in under an hour. I mean, if something as complex as that [inaudible] quotation in under an hour, you've got to worry. Now, part of the [inaudible] that they can afford to do this is the way that the contracts are written. Now, I can certainly provide some details on all of the exclusions that you could include in the show notes, but one of the things that I would stress on people is you've got to have a look at those policies because in most policies there are exclusion, after exclusion, after exclusion that ensure that in almost any instance the company involved that is insuring you has a get-out and we're already seeing this. Take for example, a lot of the claims around the NotPetya attack, because this came from Eastern Europe and potentially from places like North Korea, it was seen as a hostile foreign entity and therefore it was excluded under the war provision. You don't have to have a [inaudible 00:23:04], it just needs to be a hostile foreign entity for them to say, "Nope we won't pay for that." There were other organizations where they have not said they won't pay at all, but they certainly weren't paying for everything.
There was another one, Norsk Hydro, the Norwegian power company, that had a big ransomware attack and the damage was of the order of 70 plus million euros and they had cyber insurance and it paid out, a whole 3.6 million. So I mean, that was just a fraction of the cost they faced. So you got to shrug your shoulders and say, "Well, what's the point?"
Ben Newton: Yeah, well now as you describe this, I'm starting to see the reasoning why you have good lawyers with Crisis Team, because it makes sense. I guess one of the things you need to work with clients on is actually really understanding these cyber insurance contracts, right?
There are some specialist brokers out there and if you don't understand the policies and the market well enough, work with some of these specialist brokers to get you the best policy because it's not impossible. You just don't want to blunder into it and find that you've been given a quote in under an hour and that looks great and we'll go with that and then think that you're [inaudible 00:24:29]. You also need to look through that insurance policy to say, "What would they pay for?" Would they just pay for the initial fix? Would they pay for some of the damage? Would they pay for the support around the reputation management? Some of the other stuff that you need and if they are going to do that, are they going to provide you with the best team to support you? Because it's a bit like having an open heart operation here. You want the best surgeon because you want the best chances of survival and if your policy only covers a fairly amateur chap who they've specified because he's not too expensive, then actually that's probably not going to be the surgeon that you want.
Yeah, yeah, yeah. It makes sense. Well, and when you started off the whole thing talking about the 18-year-old getting insurance for a Ferrari. I mean, I think that it's really interesting because we have that kind of insurance in our lives. We understand that, we understand health insurance, but seeing how different it is for cyber insurance it even makes me think back to when I was in my 20s and when I had a fast car, I had a Mustang. Had a fender bender and my insurance company kicked me off. Then I had a call with them and I'm like, "Why did you guys get rid of me?" Basically the answer was, after I kept pushing them, "Well, the average person that owns your car's an irresponsible idiot." I'm like, "Oh, okay. I get it now." So apparently I got classified that way.
[crosstalk] that category at all, obviously.
No, of course not. But yeah, I mean it's a lot easier for these companies to do that when you got this long history of understanding of how automobile accidents work. I would say that one piece there, cyber insurance is not something that I had really had a lot of familiarity with and I think it really helps the way you're explaining it. So, with the third myth here, again, you started off talking about what you're doing now with Crisis Team and I think it's really interesting, probably in crisis management overall that a lot of companies and organizations say, "We've got a plan. We've got it in a Google doc or Word doc somewhere and we have a team." Maybe it's a few people internally designated, "They can deal with this. We're good to go." So what's wrong with that?
I suspect there are a few companies out there at this very moment in time dusting off their crisis management plan because they hadn't [inaudible] and you've got to wonder how well prepared they were for the pandemic and how good their crisis preparedness was. The argument here is that crisis preparedness is increasingly going to become a competitive differentiator and you need to be good at it. It may be a health pandemic, it may be an environmental event like a tsunami, or a tornado, or a hurricane, or whatever. It might be a cyberattack and you need to actually dust off those policies and if now's not a good time for that, when will it be? You need to consider those [inaudible] how are you going to respond. Now what we see typically in a cyber incident is that the internal team, they realize something's gone wrong fairly quickly and they're not always the first people to respond, so they could be on the back foot here, but they realize they've got to do something. Typically they'll try a DIY fix. Now, they're not going to be specialists at this sort of thing and typically they very quickly find that they're out of their depth. Strangely enough, the peak time for people to pick up the phone to call in specialist incident response teams is actually on a Friday afternoon when the internal team have been trying to do their DIY fix most of the week, they realize and they admit to their senior management, "We can't do it. We're out of our depth. It's Friday afternoon, what do we do?" Call in the rescue team. This is when we need to call in the cavalry.
Now typically, that organization would have been better off if they'd called those people in straight away to fix the thing properly, to limit any data loss, to limit any damage and to limit any exposure, but human nature is such that we're all typically going to try that ourselves and actually even there at the coalface, the team there facing the incident need to understand the whole risk dimension and how much damage can be done by not calling in the experts early enough, not getting it fixed quickly enough. We then look at, well, what are the steps that we need to take to fix this kind of thing? Well, we've started to talk about the first one and that's the incident response thing where you get the best... these are the surgeons, these are the guys, you want the best surgeon possible operating on you because you want to survive the operation and you want to come out of it in as good shape as possible. You get these guys in, they do the fix, they also do the forensics. So they will have a look at, well what was the problem? What was the full scope? What are we looking at here? Once they understand that, they can hand that forensics on to team number two and team number two is your cyber law team. Now your cyber law team will look [inaudible] and they'll come up with a legally defensible narrative. It's really, really important that you [inaudible] the very best legal advice because you're going to be facing the regulator. You're going to be facing probably some really hot litigation and you need to be absolutely sure that you've been given the best legal advice to put together that legally defensible narrative. Otherwise, you're facing some massive damages here and possibly under new regimes like GDPR, some very big fines. Once you've got a legally defensible narrative, that needs to be handed on to team three, which is the reputation management team.
Now the reputation management team typically need to come in and they need to sort out whatever's going on in order to try and make things look as good for your brand as possible. These are your brand defense experts. But the problem is that if you look at Equifax, if you look at Marriott, if you look at all of these different organizations, they relied on their internal PR team and their internal PR team and the agency supporting them. These weren't cyber specialists and they didn't understand the difference between a cyber incident and potentially a normal incident. So let me explain in terms that everyone will understand. If you have a normal incident, let's say you've got a bank. The bank has to open its doors to let customers come in and withdraw money, and occasionally some people are going to turn up with guns and they're going to want to withdraw more money than they're allowed. When that happens, everybody understands that the guys with the guns, they're the villains and the victims are the bank and their customers. It's a very simple [inaudible 00:32:05]. The public, press, everyone will understand that without question. When an incident like this happens, you look at all the standard crisis management textbooks, the PR textbooks, whatever. They'll say that the first step you always take in an incident is containment. You just don't necessarily want anyone to know that something's happened and if you can contain it, that's great. Obviously if there are people wandering around with guns in your bank branches, then you're unable to contain that, there's likely to be people talking about it, or maybe a story in the press. So you then move on to the phase which is all around showing empathy. So you will wheel out [inaudible] a senior executive as your spokesperson to show that you're taking it seriously. You will also get him to talk about how much you care for the customers, how much you're worried for them.
You'll make sure they're compensated, you'll make sure that they're all looked after and by showing empathy, you'll gain sympathy and actually, this works and it works time and time again and it's the standard textbook approach to these types of incidents. In most incidents, it will work well. In a cyber incident it won't. The reason for this is, imagine the same bank is hacked. Now, these hackers, and we've talked about the long delay sometimes, of up to 200 days between something happening and it being detected. These hackers, you [inaudible] won't know who they are, you won't be able to reach them because they could be in North Korea or whatever and they may be [inaudible] or happen sometime earlier and you could well be on the back foot. Therefore, the problem you have is that no one's going to really talk about the hackers at all. You look at a story in the press about an organization being hacked, the villain in every single story is the organization itself. So in this instance, the bank will get the blame. This is unusual, in all crime, you'll blame the criminal, but this is almost the only crime where it's actually the victim, because the bank has been a victim here. It's the victim that gets the blame and when you start to implement a brand defense strategy, if you're not a specialist who understands the intricacies here, the technology, the behavioral patterns, and actually how this scenario's going to work, you're going to take exactly the wrong approach. You're going to put your executives forward to talk in empathetic terms to gain sympathy and they're just going to be put in the firing line and they're going to be shot to pieces. So it's very difficult [inaudible 00:34:38]. Going beyond that, you then need to come in with a final team and they're the social media team, because you actually have, at that point in time your credibility will be at [inaudible] ebb and you'll be... have no credibility to counter the hysteria and the misinformation that's out there.
That's when you need independent trusted voices and I've been out there, I'm one of the most high profile spokespeople on privacy in this type of thing and I've represented a lot of [inaudible 00:35:09], talking in the media, doing that side of things and you need that whole soup to nuts approach. You need the technical team to do the fix. You need the legal team who are specialists to go in and do the cyber law advice around the legally defensible narrative, you need the reputation management, again cyber experts who understand that this works very differently and then you need that social media support group who are going to actually get rid of that hysteria and the misinformation that could continue for months afterwards and could do even more damage than the initial technical problem itself.
Ben Newton: Yeah. It sounds like you've done this a few times. You lay it out really well.
Bill Mew: Well, I've got a few scars and... But look, it's all about preparedness. We talked at the start here about how we weren't prepared for the financial crisis, we weren't prepared for the health pandemic. Typically, companies aren't prepared for a cyber attack and it's going to happen and now it's time to think this through. Dust off your crisis management. Have a look at your cyber insurance, look at all those clauses and we'll include details of some of them in the call notes and also think about what is your incident response provision? Do you have experts on speed dial who are going to come in and save your bacon when this thing goes wrong?
Ben Newton: I think that's a really good way to wrap up there Bill, because I think what you're saying is really relevant with what's going on now. I think you have a really good way of laying it out. As you're describing it, I'm literally imagining in my mind things that have happened to me, like at this point how many times my information has gotten stolen, including with Marriott, and other places and seeing how they struggle with this. Even major brands really struggle with this in the beginning. So I think what you're saying is highly relevant and I wish you all the luck in getting that message out.
Bill Mew: Well, we all need to prepare, so in the meantime please, everyone stay safe. Stay well. Use some of this time at home to think through these things because if, as we come out of this pandemic, we're better prepared for whatever comes next, then hopefully we'll all be in a better place.
Ben Newton: Absolutely. Well, thanks Bill for spending the time, coming to us from your moat-surrounded castle with a drawbridge, you stay safe in there and thanks for your time today. This was a lot of fun.
Bill Mew: Good to speak to you again and thanks to everybody for listening. All the best guys.
Ben Newton: Thanks everybody for listening to another episode of Masters Of Data and we'll see you next time.
Speaker 3: Masters Of Data is brought to you by Sumo Logic. Sumo Logic is a cloud-native, machine data analytics platform, delivering real-time continuous intelligence as a service to build, run and secure modern applications. Sumo Logic empowers the people who power modern business. For more information, go to sumologic.com. For more on Masters Of Data, go to mastersofdata.com and subscribe and spread the word by rating us on iTunes or your favorite podcast app.