Chris Hockings [00:00:00]:
It is a cat and mouse game in terms of how quickly we can look at trends and see where those attackers are moving to and how quickly startups are responding to that and then getting consumed by large vendors who can then scale it out globally. Right? So there there’s absolutely a lot of complexity here in terms of changing IT landscape. The attacker’s perspective keeps switching. We have compliance demands coming through. But over time, I’m seeing those converge a lot faster because because of the focus on cybersecurity that wouldn’t have KGSS.
Karissa Breen [00:00:50]:
Joining me today is Chris Hocking, CTO, Security Asia Pacific from IBM. And today, we’re discussing IBM’s X Force Threat Intelligence Index 2024. So, Chris, thanks for finally joining, and welcome.
Chris Hockings [00:01:10]:
Thanks, KB. It’s great to be here with you finally.
Karissa Breen [00:01:12]:
So just for everyone listening, we will be linking a copy of the report in the show notes. But for those wanting to just dive a little bit deeper, we’re just gonna be discussing sort of the main insights and points derived from the report. So let’s start with one of the key insights that I’ll read out. So global identity crisis, the report observed a 71% increase in the volume of attacks caused by use of valid accounts represented the cause of 1 in 3 attacks globally. Now that’s a lot. So talk to me a little bit more about this, Chris.
Chris Hockings [00:01:43]:
Yeah. It’s an interesting statistic in this report, and this is really an increase in year on year, use of these valid credentials. And so for the first time ever, using valid accounts was the cyber criminal’s most common entry point into victim environment. And that re represented what we saw as a 30% increase, in all incidents that X Force responded to in 2023. And so if you look at the attacker’s perspective, you’re thinking of the what’s the easiest way to get into environments in order to fulfill their objective. And this is a new tactic they’re obviously doubling down on, and it means if they’re doubling down on it, it’s working, and that’s that’s for now. So, you know, if you think of them wanting to get to the ultimate prize, which is often extortion, This is this is being seen now as a primary attack vector that they’re using to get started to get to that.
Karissa Breen [00:02:36]:
And just so on the same page, would you be able to find valid account and what that means for people listening?
Chris Hockings [00:02:41]:
Yeah. Valid account is one that we would use. So if you’re working for an organization, it’s an account that that that is valid, that people are using every day to perform their work. And, you know, it’s and these credentials that they’re using have often been phished or stolen, from previous attacks. So the source of those valid accounts, maybe through the dark web, etcetera. And, you know, I think it one of the very interesting points about this is that it’s very difficult to detect this type of attack because, obviously, you know, if, maybe, you’re logged in and there’s another account that’s active at the same time, it’s difficult using, you know, protection mechanisms, of course, to detect whether, you know, that type of, attack is happening in real time. So you’ve gotta be much more advanced in terms of analytics, and you need more better detection systems for that type of attack. Now from a consumer perspective, one of the things that Apple and Google and others are doing, you you would even know yourself if using those those devices is they’re starting to tell you that there’s a password that you may have that might be seen in one of these repositories.
Chris Hockings [00:03:50]:
So that’s really a good example of, you know, a a valid account being used by attackers to get into organizations to ultimately try to inflict the damage they wanna inflict or and gain the monetary objective at the same time.
Karissa Breen [00:04:05]:
Well, you sound like your experience 1 in 3, that’s that’s a lot, would you say? Did that sort of surprise you when you were reading that in this report?
Chris Hockings [00:04:13]:
It did surprise me, but it’s not something that I I would think would be, surprising in general in terms of, you know, the motives that attackers will use to get into organizations. Right? So, yeah, with the with all those harvesting of credentials happening over over the years, organizations, you know, are investing in in access control. And if you look at some of the the the statistics available, there’s a lot more funding around access access management, authentication, multifactor in this country. That’s also happening from a government level. You’re the same campaigns most recently from our minister talking about, how important it was to have Strongpa. So it’s multifactor authentication. And so, you know, that that’s a consequence or a reflection of the of the growing intelligence out there that suggests that attackers are using this as an easy entry point, getting into into systems. And it’s actually very easy to do as well.
Chris Hockings [00:05:09]:
Right? So if you’re an attacker, it’s much more difficult to exploit a vulnerability, launch a campaign that ultimately could be detected within security intelligence systems or SIEM systems. But this one, it’s it’s a much more stealthy attack, where attackers are really hiding in plain sight. It’s very difficult to to to see where they’re where they are at any one point in time.
Karissa Breen [00:05:31]:
And you said before, it’s it’s you have to be pretty advanced to be able to detect this. So what do you what do you mean specifically by that? Because if it’s 1 in 3, I’m guessing people are just gonna have to start to become a bit more advanced.
Chris Hockings [00:05:42]:
Yeah. What I mean by that is that if you look at a lot of the detection and response mechanisms that many organizations have deployed, some of them are driven by compliance of compliance mindset, which is, you know, log collection and then correlation. And a lot of those systems are designed to find known bad in your environment, but it’s it’s not seen as that with correlation systems. So yet you actually need to uplift your ability to detect anomalous activities across datasets that you have on. The use of modern techniques like AI is really helping in this area. Use of behavioral analytics is a trend that’s been around for some time because those systems, what they do is they they look at data across a set of systems, and that could be, you know, endpoints or applications or databases, and they they they build up a baseline that would be normal. And then if there’s something abnormal happening, it will raise that up, and and an analyst can go and investigate, or a reaction can happen in real time. And so, you know, if you look at our database technology at IBM, our security intelligence platform curator, we have this type of function baked in for this specific purpose to try to find that hacker in plain sight, as I said before, across a set of data that’s that’s that’s quite complex.
Chris Hockings [00:07:05]:
So you you need a lot more intelligence and sophistication in your in your threat detection and response system than most organizations would have today.
Karissa Breen [00:07:13]:
Do you think companies are aware of that?
Chris Hockings [00:07:15]:
I believe that the upper end of town, for sure, the the most sophisticated organizations are certainly aware of it. Being aware of it is one thing, but their ability to actually implement this type of approach at scale is is much more difficult. Right? And the world though is moving towards, you know, a much more integrated what they call a cybersecurity mesh. We follow kind of an open platform approach at IBM where, you know, that infusion of analytics at that user experience level to detect these types of things across systems that are not necessarily detected is a is a kind of a 4 core fundamental of our of our approach. So it’s not a it’s not a case of not knowing that it’s needed. It’s often a case of how do they fit it into the budgets, which are which are stretched, and how do we get how do I get that those systems in front of the people that need them in order to, to see these types of attacks?
Karissa Breen [00:08:09]:
Yeah. That’s a good point. I was actually gonna ask you that because, I mean, I’m interviewing, what, 2 people a week or or more. And when I’m speaking to each individual, like, everything that they say matters and makes sense, but, ultimately, like you said, like, fitting it into the budget, how does sort of one go about prioritizing this type of thing? Is it about using this interview slash the report to say, hey, this is what is happening out there. Do you think that moves the needle in terms of the budget, or how does that look from your perspective?
Chris Hockings [00:08:37]:
I think it’s very important that the trends in these reports are are studied, and it might only be at the kind of the executive level, the key points, because the trends often highlight tactics that organizations can use to, to, to, to counter these, these current threats. But my personal opinion and one that I’m quite passionate about is, is innovation and technology disruption in general. I see a need in our industry for a lot more risk taking, I would say, in terms of the way that this problem is is looked at and how those new architectures and approaches need to be deployed in order to maximize the benefits of these new new capabilities like like AI. And so my general impression is that without a constant and continuous innovation program across your threat protection systems, your data security systems, identity, then you’re you’re going to be left with a largely legacy and monolithic approach to solving this problem. So and that needs new skills, diverse workforce, and the embracing of some of that through what would be traditionally a something that was dominated by a few people that know everything about your environment. Right? So I think it’s quite a sophisticated need that, you know, we can’t just sit and and kinda use that phrase. I should be right. We’ll, get to it.
Chris Hockings [00:10:04]:
We actually need to have a continuous disruption and innovation program as part of our cyber initiatives. And from a budget perspective, we see that every day with every customer struggling to keep up with the cost because some of those monolithic practices are simply swallowing up swallowing up way more budget than they really should. And, and the outcomes of, of these programs are not well measured and, and quantified in terms of the business benefit.
Karissa Breen [00:10:31]:
You said before, we’re gonna take more risks, which makes sense. Then it’s always about we’ve gotta reduce the risk. So how do you sort of find that balance between having that line set around, we gotta take more risk to akin to your point earlier, but then balancing it with making sure it’s, you know, a calculated risk.
Chris Hockings [00:10:49]:
Yeah. It’s a, it’s a good point. It’s very easy for CSOs and technology leaders to look adjacent at their competitors or peers in other organizations and say, well, this is how they do it and we should do it that way. But unfortunately, if you’re not at the, at the leading edge in terms of knowing what the industry’s building, what the, how that’s being delivered, what impact that has on your cost base and your speed and and how you scale, all these things are very important, then you’re going to be left with this budget problem. And you you won’t be able to get across your attack surface at the at at the speed by which the attackers are coming at you. Right? So so when I talk about risk, it’s it’s not cyber risk. It’s it’s that we need to innovate and disrupt our traditional legacy thought process around how this problem needs to be resolved because, you know, in the, in, in the days gone by, some of it was comp is compliance driven. It’s and today though, the attacker has the advantage and, you know, the attacker perspective is a lot stronger as our IT infrastructure has expanded beyond, you know, on a premise environment.
Chris Hockings [00:11:59]:
Right? So complexity is high. Attackers have an advantage. If we have a legacy view of how this problem is tackled, then then we’re going to struggle to to protect the organizations in the in the long run.
Karissa Breen [00:12:12]:
You make a great point on innovate and disrupt. But would you say that people, they say that, or they have an awareness, but then don’t really do anything about it. Because it’s very easy to to stand up there as a leader and say, yes. We’re innovating and we’re disrupting, but in actuality, that’s not really happening.
Chris Hockings [00:12:26]:
I’m from a an r and d background. Right? We have this this lab on the Gold Coast at IBM that that that was formed as part of an acquisition of a company that invented online authentication. So they’re we’re still we’re still here building products. And one of the one of the most refreshing things that happens is when people join your organization with new skills, and that might be young people, people from other industries, this diverse view coming into a team and and suggesting ways to do things better is always good for those people that have been in those roles for some time. Right. Now I, I think from a, from an innovation perspective, you don’t have to innovate alone. There’s a lot of roadmap development happening from the big vendors and the platforms that we’re delivering, which foresee these problems and aim to deliver these platforms in a way that make it more efficient to scale out your operations. And I I think when I talk about innovation, it doesn’t mean that organization needs to sit and write code or build their own closed practices.
Chris Hockings [00:13:31]:
It what I mean by that is having a good view in your strategy for what the ecosystem is delivering from a global perspective and how the open community is also engaging in bringing that technology or some of the innovation through, and that might be threat threat detection rules, etcetera. I think that’s the type of innovation that that that teams need in order to make sure that that you don’t continue to deliver or throw good money after bad with solutions that were designed for a different era.
Karissa Breen [00:14:02]:
So how do you sort of get a good view? How does that look?
Chris Hockings [00:14:05]:
There’s a couple of different ways, of course, working directly with your your vendors or your partners, and that could be a consulting practice as well. And making sure that you’re speaking with the thought leaders in terms of the who’s setting the global agenda, how that’s how how and why they’re doing it. Why is as important as how, because when sales teams come and talk to you about, you know, current features or products, you know, these have been years in the making, and they’ve been designed and developed for a reason, for a for a problem that’s that’s known at from a global perspective. And making sure you understand the why as as much as the how can help you bring through some of those poor fundamental architectural principles. So that so that’s that would be number 1. I mean, number 2 is that you just continue to ask the question as to, you know, are we, are we following kind of the best practices? Is this sustainable? Will this scale? Longevity is a is a good indicator as well. How long will this system be relevant for? Is it still relevant today? All of those things, are important. I think the third one is in what’s the open community doing? There’s a lot of open standards.
Chris Hockings [00:15:19]:
IBM contributes to a lot of open standards, things like the open cybersecurity alliance, OASIS. I mean, the strong authentication area with Fido is a very good one. So open standards is a very important piece of, of the puzzle because open technology standards help deliver things like interoperability. And with interoperability, you get better speed and scale outcomes in in in threat detection and response systems. So there’s a there’s a few. I mean, your trusted vendors, number 1. Number 2, keep asking question as to how relevant, and is the cost reflected in the benefits? And the third one is what’s the open community doing and how do you, how do you infuse some of their practices into your, your business processes?
Karissa Breen [00:16:03]:
And how would you determine who is a thought leader in this space?
Chris Hockings [00:16:06]:
Well, sometimes it’s the, it, it’s the open community and what vendors are contributing to some of those open community practices. So that, that, that would be a good, good, good place to, I mean, these three things will connect together. I think it’s, I think from a vendor perspective, the, the market leaders obviously have thought leaders. And so engaging with them and the right people in those organizations is important. And and of course, those advisory firms who who I mean, all of them need to be tested, having meetings and discussions and being open to that and listening for for those types of queues can be done simply by by accepting meetings from people that you think or you follow, who share points of view, whether it be LinkedIn or wherever else that that fit your, I guess, your your approach to addressing some of these areas.
Karissa Breen [00:16:56]:
You said before, Chris, about people having a bit of a legacy view. Would you say that’s pretty prominent still around this legacy view?
Chris Hockings [00:17:04]:
I think it’s common. I think it’s human nature to continue to follow a particular path that’s comfortable for you and has been in the past. So I think, I think it’s a, I think it’s a human nature thing. And I think it’s also difficult for people to take on new approaches and, and and experiment in short iterations without feeling like it’s gonna be a major program. So I think I think it’s that openness to experiment, to, to design new ways of working and to apply that to your existing approach, which will, which starts to build some momentum. So, so yeah, I think it’s human nature that people, gravitate towards those things that they think are comfortable.
Karissa Breen [00:17:48]:
So I wanna switch gears now and go back on the report side of things. So one of the insights that I was reading is that ransomware groups pivot to a leaner business model. So what does sort of a leaner business model look like nowadays?
Chris Hockings [00:18:02]:
So, you know, I I guess we talked a little bit about and the the trend down on on ransomware that we we saw in the report. Organizations have become a lot more adept to detecting these systems with new innovation, of course, coming through tools and technologies. There’s lots of EDR being deployed, machine learning to detect when ransomware begins. Organizations have also become much more adept to protection and response and rebuilding your infrastructure. So lots of organizations are opting against paying because they have a way to get back to the BAU. Right? So this this loss of revenue kinda points to the the fact that attackers are looking and pivoting at at new ways of of doing business because that’s effectively what these people are in this for. And and last year, for example, you look at the, the statistics in our export report, things like backdoors were being sold. Access brokers were selling backdoors and were seen as as a lucrative business.
Chris Hockings [00:19:00]:
But now they’re moving towards a business model where stealing information, credentials, harvesting them, making them available, and selling them is a way to counter the loss of revenue in the in the ransomware space. Right? So it’s really just about cropping up their business model with a new way of of doing business.
Karissa Breen [00:19:18]:
And I’m assuming that their new way of doing business is forever gonna evolve. Right? Because they’re they’re criminals. Of course, they’re not gonna they’re always gonna be evolving how they’re doing things, making it easier, cheaper, faster, etcetera. So how do you think companies sort of handle that? Because we’re always trying to have that one step ahead, which is difficult. Do you think that now people are a little bit more on the back foot? Because as we’ve sort of noticed in the last few years, like, in the velocity now of things that are happening, you know, more things that not even I can report on every single thing that’s happening out there in the globe. So what are you sort of hearing from some of your customers on that front? Yeah. Yeah. It’s exactly what you said.
Chris Hockings [00:19:56]:
I mean, yeah, the attackers will move to the path of least resistance for them in order to get to get to the money. Right? So, but industry’s responding at a space that I haven’t kinda witnessed in my career because of the ability to innovate so quickly. Like, if you look at, for example, attack surface management was something a couple of years ago or a few years ago was was new, but most organizations, at least in the top medium, the top end of town would be performing scans or should be as to what’s exposed on the internet from the attacker’s perspective and prioritizing the resolution of those problems as a priority, because that’s what the attacker will go after first. Right? So so, you know, the industry is moving a lot quicker and also businesses are starting to consume this technology more quickly as well. So I wouldn’t say that, you know, it’s a it’s a hopeless situation, but it is a cat and mouse game in terms of how quickly we can look at trends and see where those attackers are moving to and how quickly the industry and the innovation in the industry around startups are responding to that and then getting consumed by large vendors who can then scale it out globally. Right? So there there’s there’s absolutely a lot of complexity here in terms of changing IT landscape. The attacker’s perspective keeps switching. We have compliance demands coming through.
Chris Hockings [00:21:18]:
But over time, I’m seeing those converge a lot faster because it because of the focus on cybersecurity that wouldn’t have happened in, you know, at least 5 years ago.
Karissa Breen [00:21:26]:
So then another stat that I was reading is that ransomware attacks on enterprises saw a nearly 12% drop globally. So why why do you think there was a drop?
Chris Hockings [00:21:39]:
So ransomware is not going away. I mean, that’s that’s what we observed in our X Force responses, and that’s our incident response team going out and and and resolving it or or helping organizations recover from those situations. So the the gangs have obviously focused, and I talked a little bit before about enterprises becoming a lot more adept in detecting ransomware coming into your organization. And the good news about ransomware is it’s quite a targeted type attack in terms of they they’re, they’re trying to get in through a phishing campaign. EDR is a good place to start. If you can stop them at that point, then you’ve got yourself, you know, a situation where you’ve you’ve you’ve prevented further impact from that type of attack. So EDR has become a very important piece of this puzzle, and the infusion of AI and looking at what ransomware gangs attacks look like has really helped. The backup and restore, as I said, has meant that attackers are finding it more difficult to get to the point where they, they extort the company for a ransom, but they they’re still motivated to to pull data, get into the organizations and pull data, and to use that as the pressure point, which we’ve seen in the report.
Chris Hockings [00:22:50]:
So it’s still the number one objective is to get to the data for extortion. It’s just that ransomware is is not the primary, but well, it’s probably still the primary, but there’s definitely been a drop in the in the impact of that on the on the system on the on the customers that we’ve engaged with.
Karissa Breen [00:23:07]:
And then another interesting stat which I’ll read here is 84% of critical infrastructure incidents where initial access vector could have been mitigated. So how does that sort of work? And this this is important because at the moment, a lot of my interviews, a lot of people talk about critical infrastructure, which makes sense. So I’m very curious then to hear your thoughts on this front.
Chris Hockings [00:23:26]:
Yeah. As you mentioned, you know, I I think we can if we if we kinda break that down, the the mitigation for these attacks, what you would call basic or what industry would have called basic security in the past. And it’s actually kind of some of the some of the ways to mitigate these threats are really fundamental building blocks of cybersecurity, and some of them are actually baked into the essential eight. Right? So in majority of cases, 85%, as you said, 84%. The compromise would have been mitigated by things like patching and multifactor authentication and least privilege. And so the fact that organizations are, have been unable to implement what we would have considered basic security suggests that it’s not as simple as what people would say. And I think that’s reflected in the findings from things like essential eight assessments that have done on organizations. It’s quite difficult to build a whole of organization controls that deliver, you know, widespread patching, multifactor authentication without taking some view of what a risk perspective might be on, what patching to do first, where where can you apply multifactor multifactor authentication for the highest impact? So so that’s kind of what the the 84% says that it could be could be mitigated by some of those basic controls or what I would call fundamental building blocks of cybersecurity.
Karissa Breen [00:24:50]:
Do you think people have different views of basic security? Because, I mean, I’ve spoken a lot on this show people talking about the basics, but again and I’ve spoken about this so many times, like, people still haven’t got patch management correct up to 20 years. Right? So we talk about things being basic, but are they that basic because people still aren’t doing them as as easy as it comes across?
Chris Hockings [00:25:11]:
Well, I think that’s the point. I mean, using the word basic almost is a negative it has a negative connotation towards your an organization’s ability to do something that the word suggest is is easy, but widespread patching implementation implementation of a multifactor authentic authentication scheme for all users Without context, you know, you can’t patch your way to security be just because of the sheer volume of vulnerability. So I think we have to recognize that these things are not basic, but they’re critical in terms of securing your organization, against what the critical infrastructure statistics said was 84% of of attacks.
Karissa Breen [00:25:53]:
And do you think in your experience, Chris, people are moving more to, you know, towards, well, yeah. Okay. It’s not basic, but it is critical. We now need to figure out a way to make this work.
Chris Hockings [00:26:03]:
Well, I I I absolutely see a lot of trends. Even the government is talking a lot about multifactor authentication. And and this is a good example, actually, of what we spoke about before, where the open standards community, large vendors, and then motivation from government also plays a part. Right? So in the multifactor authentication space, it’s been very difficult to implement 2 factor authentication that’s secure. But thanks to work in the open standards area around FIDO and what we now call passkeys, passkeys being the global standard for phishing resistant authentication. These standards being consumed in things like browsers is going to address multifactor authentication widespread. It does and from a citizen perspective, a user perspective, I would encourage all your listeners to turn on pass keys every time a website says that they support it because it is a way to prevent the known account access attack that we talked about at the very beginning of this, podcast. And you’ll see you’re already seeing the government talk implementing passkeys with a with a time frame not yet defined.
Chris Hockings [00:27:14]:
But once Australians all have passkeys available to them on my gov systems and turning that on will mitigate a a breach or or an attack from on your account from outside without some kind of social engineering, sophisticated social engineering. So that’s a good example of where it’s not just companies saying that they need to do it. It’s actually the intersection of the companies needing to do it and the innovation being made available to widespread globally that’s easy to consume by vendors such as IBM or or or Microsoft or or or collaborative organizations that deliver browsers and, and, and those types of solutions. Right. So it becomes pervasive, but just part of our, our being on the Internet. So manufacturer authentication is a really good example there.
Karissa Breen [00:28:00]:
So then another stat here as well is that data theft rose to the most common impact for organizations at 32%. So what’s sort of your commentary on that stat?
Chris Hockings [00:28:12]:
Yeah. So data theft is still, so as I said before, getting to the data is is still a an objective of the attackers. It’s just that ransomware is reducing. Data theft continues to be the objective. And so you need to look at this through an industry lens and apply I mean, attackers just apply the pressure point more that in this a particular industry might be more susceptible to. Know, a ransomware attack might be might be really effective in a in a hospital or a medical scenario. Data theft might be a much and extortion might be a better way of causing pain in a in a breach scenario, right, where where there’s lots of PII data, that can be monetized. One of the other interesting things that’s happening longer term, and we could we could talk about this on another occasion, but stealing, data that’s encrypted that can be decrypted later by quantum computers is also something we need to be aware of, you know, and quantum safe is becoming a a major talking point in the industry simply because these quantum computers, and IBM’s a leader into building these quantum computers and the software stack around it.
Chris Hockings [00:29:17]:
They’re suggesting that, you know, by by 2030 1, there’s gonna be 50% chance that these computers will be able to decrypt data. So if if attackers are stealing data and storing data, it’s also a big problem that you’ll face in the future where the decryption of that data will reveal information that that you wouldn’t want in the hands of unauthorized parties.
Karissa Breen [00:29:37]:
Just going back to the top industries. You mentioned health care, which I understand. What would be the maybe 2 other industries that probably a bit more susceptible to these types of attacks, would you say?
Chris Hockings [00:29:47]:
Manufacturing and is always very high, and financials obviously is always high as well. I mean, they’ve got 2 different lenses to place upon them. If you, if you think about their business model, manufacturing often are building and delivering things for a widespread audience. So, like, attacking a supply chain and causing an impact on the supply chain has an enormous amount of downstream impact. And so so attackers with after manufacturing can disturb that supply chain. So they’re susceptible to the pressure point of things like ransomware attacks. Right? So they’re always high. And during COVID, we saw them being consistently the highest attack, industry.
Chris Hockings [00:30:28]:
And and financial’s always high because, I guess, the distance of IT between the attacker and the and the money is shorter, you know, through a browser, through susceptible users. If attackers can monetize their their campaigns by stealing money out of bank accounts, then, you know, that’s that’s a that’s gonna be a prime objective, and that’s why financial industry is always high.
Karissa Breen [00:30:50]:
So you you raised a good point before downstream impact. Now would you say at times organizations lose sight of downstream impacts? Now I asked that simply because, know, I worked in a large organization myself. Sometimes you can’t really see the needle move when you’re one of 50,000 people. Sometimes it can be very easy to perhaps get lost and not really understand the overall objective. So would you say with your experience, companies forget the impact, especially on the the manufacturing front?
Chris Hockings [00:31:21]:
I think it depends on where they sit in the supply chain. Obviously, if you’re building parts for a car that need to be delivered and there’s there’s a continuous automotive supply chain there that you need to fulfill, then you’re acutely aware of your lack of ability to deliver those parts on time. Right? So so that would be that that’s probably obvious for those organizations. I think it’s what’s less obvious and something that actually the lens of that this needs to be placed upon the the receip the the receiving body is probably in the supply chain of software and software could be open source software. It could be third party software you procure, that on the part of your supply chain, it could be AI models that you deliver on the internet that others can consume. I think it’s the risk of of that today often falls upon the organization that consumes that that content. And you’ll you’ll see lots of discussion and trends where organizations are saying that the supply chain of software needs to be known. So that’s always a vis visibility is always the first step is knowing where where information might be coming from, who’s who’s building it, you know, how’s it supported, what’s included in terms of open source.
Chris Hockings [00:32:39]:
So having, you know, things like software bill of materials is very important. And then connecting all of that together so that if there is an incident in the supply chain, you have a way to to detect and respond or recover from situations like that. So I think from a physical perspective as a supply chain participant, it’s probably obvious what’s less obvious and obvious and and actually where the accountability breaks down is that you’re, if you’re pulling data or, or software from a third party, where does that, where does that all lie?
Karissa Breen [00:33:08]:
Then another point here as well is that, again, manufacturing, those were within the top so that sorry. Industry was in the top, 10 attacked 5?
Chris Hockings [00:33:25]:
It’s the the I don’t have them off the top of my head, but I they it is it is in the report. We actually have a Asia Pacific view of that. So what I can do is we can share that and and your listeners can can access those reports because there is a there is a difference in industry focus from a geography perspective. And a good example of that would be during COVID, Asia Pacific was not only the number one targeted geography, and, you know, that’s a whole different discussion around financial supply chain, but also critical manufacturing processes. But the manufacturing was also number 1 in Asia Pacific. So there’s the the lens of of opportunity placed upon time for an attacker will will dictate which industries are high and which geographies are also high from a priority perspective.
Karissa Breen [00:34:15]:
So, Chris, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?
Chris Hockings [00:34:20]:
I think it’s very important that someone in the teams of those listening don’t just look at the IBM report. You know, Verizon, the government produced lots of reports in the in the knowledge you build up and the awareness you build up is is really important in decision making. So number 1. I think number 2, you know, a continuous improvement process around disrupting what you would what I would consider slow, monolithic, and high cost approaches to addressing, you know, the bigger bigger problems, things like detection of attack is, is important. I think the third one is the things we’d call basic are not actually, and recognizing that they’re not actually basic, but are so important. And so aligning some of your funding around how best to do a risk based approach to things like multifactor authentication patching is a continuum that will live on forever. So those are probably the three things that I’d leave the audience, with today.