Gerry Sillars [00:00:00]:
Think the important thing is to understand that people are trying to get into your network and your systems every minute of every day of every year. It's not something that people will go and hit a pause button because you've decided to celebrate Australia Day or Christmas.
Karissa Breen [00:00:34]:
Joining me now is Gerard Sillars, more commonly known as Gerry, Vice President APJ at Semperis. And today, we're discussing Semperis' new holiday risk report. So, Gerry, thanks for joining and welcome.
Gerry Sillars [00:00:47]:
You’re welcome, Karissa. Thank you for having me. Pleasure to be here.
Karissa Breen [00:00:50]:
Okay. So I know we're sort of a little bit on since the holidays, but, again, you know, there's more holidays coming up this year, etcetera, where people sort of let their guard down. So maybe let's start with the quote, "attackers don't take holidays". So walk me through this, Gerry.
Gerry Sillars [00:01:04]:
I guess that depends when your holidays are, first and foremost. Can I say I'm talking to you from Singapore today, and we've just finished, in fact, for most of the island we haven't finished yet, the Lunar New Year or the Chinese New Year holidays. So all around the planet, people are taking different holidays and different vacations at different times, obviously. And I think that the quote "attackers don't take holidays", not a hundred percent, I would agree. I'm sure your average hacker will be relaxing on a beach with a pina colada the same as the rest of us if he's had a good month or a good quarter. But I certainly think it's true to say that attackers don't take holidays at the same time as we would go and take holidays. And quite often, again, as you know, the activities or the various activities of attackers are quite often automated now.
Gerry Sillars [00:01:55]:
So, you know, we live in a world where that threat is constant today. I think, you know, just from a highlight perspective, I think the important thing is to understand that people are trying to get into your network and your systems every minute of every day of every year. It's not something that people will go and hit the pause button because you've decided to celebrate Australia Day or Christmas. Well, it's
Karissa Breen [00:02:19]:
the same thing with physical robberies, though, isn’t it? People know that families are going away over the holiday break. Right? So then it’s sort of an easy way and a vulnerable way that people can start to rob their house. Effectively, it’s the same for cybercrime.
Gerry Sillars [00:02:32]:
Yeah. We have a family tradition. We've had it for probably two decades plus now of watching Home Alone on Christmas Day, and the Wet Bandits in that movie hang about and wait for everyone to go on their Christmas vacations before they break into their premises. So, yeah, I mean, it's kinda logical when you think about it. Right? I mean, I know there's stats and numbers we'll talk about specific to this holiday report, but it kinda makes sense. You're gonna try and break in, whether that's physically or digitally, to an organization when there's at least less people about, if not everyone's disappeared. I mean, obviously, as a business, you've always got some form of IT staff covering your holiday periods.
Gerry Sillars [00:03:15]:
But, yeah, totally agree.
Karissa Breen [00:03:17]:
So let's move into the stats. So in the report, it says 69% of organizations that were targeted by ransomware were attacked on a weekend or a holiday. Now we've obviously just gone through that, so that number clearly doesn't surprise you. But maybe talk us through a little bit more behind that number.
Gerry Sillars [00:03:34]:
I think that number doesn't surprise me in the context of how many organizations, as you know, this is an addendum to our annual ransomware report that we did, and we specifically polled Australian organisations for this holiday report, and I think the most stunning stat for me was that 83% of organisations we polled last year were targeted by ransomware in the past twelve months. That's a stunning number, and lots of people think ransomware is a thing of the past. I mean, it's absolutely and clearly not. And of that 83%, I think the number was something like 78% of them paid a ransom, and a very high number paid a ransom on multiple occasions as well. So the 69% is less surprising. Again, just as we were discussing earlier on, you're gonna look for any advantage you can get if you're trying to break into someone's premises, either digitally or physically. So the 69% number is less surprising for me than when I first read this report. And I've only been with this company six months, and I haven't seen or hadn't looked at prior reports. But I think stunning, just some of the numbers, in terms of, you know, ransomware is real.
Gerry Sillars [00:04:49]:
It's still real today. It has been for over a decade now. And, you know, clearly, we as an industry, and certainly from a consumer perspective, are still not doing enough to mitigate that risk that makes it so attractive to cybercriminals.
Karissa Breen [00:05:04]:
So when you said before, still not doing enough, define enough.
Gerry Sillars [00:05:09]:
One of the challenges, and certainly, you know, the end of the market that we're in is all about protecting identity and all about protecting the core of identity, which we define as Active Directory specifically, and Entra ID, Microsoft's cloud version of Active Directory, and directory services in general, because if Active Directory is down, then effectively you get no access to any applications; you can't access anything in the organization. And certainly, I mean, you know, again, some of these stats, you know, we made announcements last week on exceptional growth again. We expect to have a great year this current year as well. Organizations, I think historically, and you work in the cyber industry, you've been a practitioner as well, Karissa, so we in this industry tend to talk about, you know, you'll remember the times when we were securing the perimeter. Then there was a new edge, and people were spending tens of millions of dollars, hundreds of millions of dollars on firewalls and IPSs, etcetera. And then the edge was the new perimeter.
Gerry Sillars [00:06:12]:
Gartner has said, over the last year, that identity is the new perimeter. So I think, you know, while I say not doing enough, I think we're very often driven, and certainly buyers are very often driven, by what's in vogue at times. But, you know, the key, the crown jewels of any organization, in our opinion, is that core identity system. And certainly, you know, talking to and looking at the organizations that we engage with, and looking at the stats from this report, I would say that organizations today aren't doing enough to go and protect their crown jewels, their core identity systems.
Karissa Breen [00:06:47]:
Okay. So looking at some of the stats a little bit more, so you guys have broken it down by areas or verticals. So you've got, I'll just read them out because people don't have it in front of them: education at 50%, manufacturing 44%, finance 57%, IT/telecommunications 72%, health care 71%, and travel/transportation 100%. Yep. So 100%, like, obviously, that's quite calculative on that front. So is there anything that you can sort of share around, you don't have to go into all of them, but as I read out some of those stats, is there any sort of additional intel that you can share with us today, Gerry?
Gerry Sillars [00:07:27]:
I think there are some industries that we see that are most susceptible, I would say, to ransomware attacks. And quite often, that's just by the very nature of them being so distributed and, you know, and/or possibly underinvestment in staff in particular, and access to funds to go and protect their environment. So the travel and transport industry, hopefully, when you see this next year, has got a better rating than that. I think also we've seen a marked shift, I think, over the last few years, from the various actors going and targeting critical infrastructure for maximum disruption quite often, as much as for commercial gain. So, you know, travel and transportation, we've seen many over the last few years. We've seen a few in Australia just in the last year or two as well. So, I mean, again, I was surprised that that number was so high from a travel and transportation perspective. But when I think it through, I mean, it's less surprising, the high value assets that, you know, you go and disrupt.
Gerry Sillars [00:08:35]:
On an airline, for example, you can very quickly define how much money they're gonna lose across a matter of minutes, hours, and days if you have, you know, complete fleets of aircraft grounded, as we've seen. Again, not even from a ransomware perspective, but the CrowdStrike event last year. So mass destruction across the globe and an inability for people to get on planes, and that is a continuing story. Hundreds of millions of dollars lost in a very short space of time.
Karissa Breen [00:09:06]:
Yeah. So I know that all of those industries are important, but if I just focus on, again, following this a little bit more with, you know, transportation, for example. Now I know that you were in Sydney last week when we caught up, but recently, trains weren't operating. So, you know, a few weeks prior, I was trying to catch up with people. They live further out in Sydney or they live even, like, an hour from Sydney. It really impacted them, but it also impacted people that are frontline workers. They couldn't get to the hospital. Like, they couldn't go to university, couldn't go to school, or one of those sorts of things.
Karissa Breen [00:09:36]:
But it does have a domino effect quite quickly. Right? Like, especially for people, if they can't get home, then all of a sudden, what do you do? You gotta walk home. You gotta get an Uber. Then Uber automatically surges. There's just not enough capability to move people around. So do you think that, again, to your point, going on the transportation side of things, it's just sort of an easier target because the impact can be seen quite quickly, right, and just how much people all of a sudden just can't get around at all?
Gerry Sillars [00:10:07]:
Hugely impactful, you know, and flow that down as well. Many years ago, Maersk was a very well documented breach that caused global disruption. We had Toll Holdings in Australia, a double whammy on Toll Holdings just a few years back. And when you start to think about amplifications and downstream effects when transportation is impacted, so if it's airlines, if it's people moving goods around the planet, so your short term, your immediate term effects are, you know, you might struggle to get home, you've got to literally turn to transport, you may have to, you know, bunk with a friend, you may have to, if you were me, end up in a pub longer than you'd probably ideally like to. Things like the Toll Holdings one was interesting because one of our advisors at the time was the CISO at British Petroleum, and because they were so heavily impacted by that, Toll Holdings provided the confectionery and signage, etcetera, to all of the stations globally. We had to take a decision on whether we were gonna close the shops at the gas stations until they could get back up and running, because I think the stat was something like 80% of people that go into a gas station go to buy Snickers and Mars bars and stuff like that, not actually to buy fuel. So there was a reputational damage impact of keeping those shops open.
Gerry Sillars [00:11:27]:
So, yeah, I mean, again, it's a high value asset that has massive upstream and downstream implications if you can go and disrupt any, whether that's trains, buses, airlines; very high value and maximum disruption.
Karissa Breen [00:11:40]:
So I'll move on again now to another stat here. So 78% of respondents reduced their staffing by as much as 50%. Now there's various reasons for this and theories, but, you know, from your perspective, Gerry, and what you're seeing here at Semperis, what was sort of the reasoning for that? Is it because people don't wanna work weekends? Is it just that companies didn't believe they needed as many staff? You know, when people are out, especially around Christmas time, and they go to work, they get a bit of FOMO. Like, well, what is it?
Gerry Sillars [00:12:08]:
Yeah. I mean, I think, you know, fundamentally, people have got to have quality, first and foremost, you know, just from a quality of life perspective, mental health, all that good stuff. But, again, I think there's a tendency to believe, I mean, if you're working a nine to five or an organization that works nine to five, then the vast majority of staff are probably off on a weekend. You know, whether your weekend's Saturday, Sunday, whether your weekend's Friday, Saturday, depending where you live. It kinda makes sense that if 80% of my staff or 90% of my staff are off at weekends, then I don't need the same amount of staff from an IT perspective, whether that's cyber or anything else. So, obviously, there's a cost associated with having people working both weekends and holidays. I mean, there's an absolute hit to how much it costs me to go and run an operation if I've got large percentages, or larger percentages, of my staff working at a weekend or over a holiday.
Karissa Breen [00:13:01]:
This is where it gets interesting because, I mean, I've spoken to people on the show about, like, how do you find the balance between, like, you can't throw, I mean, a business is in business to make money. So I get it to a point where, yes, you gotta be secure. You gotta do that. But it's gonna come to a point where businesses can't put all of their money into cybersecurity. So how do you strike the balance between we've gotta do enough, therefore, you know, we're not getting ransomware attacks, you know, out the eyeballs, and we have to have stuff where it kinda helps us enough, but also being cognizant, to be like, you know, businesses aren't gonna pour all their money into cybersecurity. They're just not gonna do that. So what would be your advice to manage that, where people are sort of staying safe, but managing, like you said, the cost of having staff right around the clock?
Gerry Sillars [00:13:49]:
Yeah. I mean, I think in all instances, as you say, I mean, businesses are in business to make money. Right? Then every business is gonna define what risk looks like and will invest in operational risk, business risk. They'll make investments, whether that's in cyber or whether that's in physical security or whether that's in whatever they do to go and mitigate risk in an organization. And I think for every organization, and again, we've both been in the cyber space for quite some time, cyber budgets are incomparable to where they were a decade ago and two decades ago. So, I mean, organizations in general, I think, understand the significance of cyber and cyber associated with business risks. But it is a challenge.
Gerry Sillars [00:14:34]:
You know, one of the things that we are just about to announce is an operational risk tool, where we'll consult with organizations and work with them so they properly understand how they're going to recover from a disaster, what does a disaster look like. Because, again, a big part of that is just a black hole. And for organizations today, they understand, and may understand, where some of the gaps are from a technology perspective, but don't necessarily understand how to go and recover a business and what processes and people they need to go and put in at the back of that. So it's a bit of a conundrum. People's appetites for risk typically are different as well. So I think for most organizations, it's down to risk appetite. What can they afford to go and invest? No one's got an open checkbook to just throw at technology and humans to protect them from a cyber attack.
Karissa Breen [00:15:21]:
But do you sometimes think as well, I'm looking at this really outside the box, that cyber people just have this view, like, because, again, like, it's like, you know, if A doesn't work, then we get a B, or a C, then we get a D, E, F, G, H. Like, we can't, like, that's just not realistic for businesses. Like, people go bankrupt. So, and I know you've sort of answered it, but I think this point's really, really important. How do people manage that without compromising themselves, of course, like you said, reputational damage, but they're not going bankrupt at the same time? Like you said, they can't just keep throwing endless amounts of money at things that may or may not solve the problem.
Gerry Sillars [00:15:55]:
Yeah. I agree. Like, you know, that's got to be, I'd say, the starting point. I'm sure all organizations do this. You know? What does disaster look like? How do we go and recover from a disaster? How much would it cost us to go and recover from a disaster? And what investments do we need to go and make to ensure that that doesn't happen? And to then focus on how do we get back to a minimal viable position as quickly as possible. So, again, that's all, you know, we talk a lot about operational risk as if we talk about operational resilience. Sorry. We also talk, you know, everyone talks about cyber resilience.
Gerry Sillars [00:16:26]:
But for us, I mean, it's more about the people, the process, plus the technology at the back end. But, again, that isn't simple. And, again, you brought up a very valid point there. You do a lot of trade shows. And, you know, if you go to particularly large cyber trade shows, it's a kind of Sisyphean task. And I see, so when you walk in, if you go to RSA and you walk into a hall that's got, you know, maybe up to a thousand cyber companies all doing slightly different things, all trying to convince you that their new shiny toy is the most important shiny toy that you should have in your portfolio. So, you know, I think taking that baseline, understanding, again, going back to what I said earlier on, and I was going to consult with organizations on, you know, from an incident response, operational risk perspective, what's your baseline? What are the most important things for you to stay in operations as an organization? And certainly with crown jewel systems, to my mind and I think to our mind as an organization, that's where the investment needs to be. The investment needs to be at how do we go and protect the things that are core to us operating as a business.
Karissa Breen [00:17:29]:
Do you think as well, Gerry, that companies, I know you said before, like, you know, how long does it take to recover from disaster, the impact, the cost, the long tail impact as well, etcetera. I mean, we've spoken about all these things at length. But do you also think, and I hate to say it, but, yes, the business continuity side of things. Now I'm going to elaborate on that. For example, a fast food place, I don't know, McDonald's and friends, they're probably shipping out a lot of Happy Meals and whatever else goes there. You gotta think, imagine if McDonald's didn't operate for an hour, two hours, four, five, twenty-four hours. How much revenue would they lose, let alone, hey, we gotta bring in some really expensive external consultants to do all the forensics and do all these other things, and PR people and legal people.
Karissa Breen [00:18:12]:
Forget that. Just the actual loss of revenue for those hours. Do you think people are focused on what that looks like?
Gerry Sillars [00:18:19]:
Yeah. A hundred percent. Without a shadow of a doubt, they are. Yeah. You know? And if you want a McDonald's and you can't get McDonald's, you go to Hungry Jack's down the street if, you know, you've got a burning desire to have a burger at that moment in time. So, I mean, every organization that I talk to understands and factors in all those permutations when they are looking at risk. So, you know, risk is loss of immediate revenue, risk is risk. And getting back to the Optus outage that we had in Australia, whenever that was, a couple of years ago now, that had obviously a really significant impact on everyone, quickly followed by Medibank.
Gerry Sillars [00:18:56]:
So pretty horrific for Australia as an economy and as a country reputationally. The immediate impact was, I think I recall seeing that the next quarter impact was a loss of revenue of $1.6 billion. Now, you know, the downstream impact of that takes years to go and recover from and get back to the same position that they were in. But for sure, organizations do try and factor in all of those aspects when they're thinking about the value of the tech that they've got deployed. And the vast majority of enterprises that I talk to today now typically have a dollar value on an asset, a digital asset. So, you know, an Oracle database may have an x value. AD may have an x plus five value, just in terms of, if we lost that, what is the damage to the business? And all of those factors typically are factored in.
Karissa Breen [00:19:53]:
So from your experience, Gerry, what do you think people aren't factoring in then? Is there anything that comes to mind when I ask you that question?
Gerry Sillars [00:19:59]:
Yeah. I just think that, again, going back to what I said earlier on, and increasingly spending time consulting with organizations on operational resilience, I think there's a general lack of appreciation and comprehension of what do we do as an organization in the event of a disaster. So in the event of a, you know, how do we wanna respond as an organization? And that's what we're trying to help organizations with. So, you know, we've got the tools to help them go and recover from a ransomware attack, help them go and recover, all that stuff. We've got the tools to go and help them take preventative actions to, hopefully, mitigate the risk of that happening. But quite often, it is the people and the process, and that extends far beyond just the technical aspects, the IT aspects of that. As you said earlier on, when you're talking about risk and business risk and reputational risk, there's a whole bunch of moving parts when something goes wrong. There are good ways to go and respond to an incident.
Gerry Sillars [00:20:55]:
Really, we've seen hundreds of really good examples of how not to go and do it. So there's a lot more to it than just getting the tech fixed. There's, you know, depending on which industry you're in, you might need to go and notify a regulator within a set period of time. You might need to notify the government within a set period of time. You certainly need to go and notify your consumers within a period of time with a plan on how to get back to a good state. So, yeah, again, organizations typically that we talk to don't do that particularly well, or don't do it as well as they think they do, because they're all looking at each other when we do these tabletop exercises with organizations. Everyone in the room is just looking at each other.
Gerry Sillars [00:21:36]:
It’s a bit scary.
Karissa Breen [00:21:37]:
So then on that note, why would you surmise there's a lack of appreciation and comprehension? Or would you say that hindsight's a wonderful thing? And what I mean by that is, I don't know, an example would be what comes to mind. You're riding a bike without a helmet. It was fine the first fifty times, but then, I don't know, maybe you're a bit hungover the next day, and you're riding your bike without a helmet, and you fall over and you hit your head and it hurts. So do you think that that's, unfortunately, because we've seen it happen over the years, "oh, we should have done more" when, you know, something happens? So would you say that's maybe why there's that lack of appreciation?
Gerry Sillars [00:22:16]:
I think there's part of that, you know, and in that example you gave, the result of that can be life ending. Right? And it can be catastrophic. You know, you might not just have a sore head. You might expire. So, yes, I do think that organizations are doing a lot to go and try and mitigate risk. You know, again, we live in a time and in a world where risks just keep, and new risks keep, coming at us day after day after day. So I think there's, I mean, it's certainly not a tendency, I don't think, to go and bury your head in the sand. But, again, I think in a lot of organizations, probably midsize enterprises rather than the biggest enterprises, there's still sometimes a board-level lack of appreciation of just what that risk is.
Gerry Sillars [00:23:00]:
So, again, to your point, lots of people riding about on bikes without helmets.
Karissa Breen [00:23:05]:
So now I wanna sort of get back to the report again. And this was interesting, which I think we sort of know the answer to, but I wanna, you know, illuminate the stat, which was 50% of companies were victimized by a ransomware attack after a material corporate event. So you mean like a Christmas party, things like that?
Gerry Sillars [00:23:24]:
Depends how good the Christmas party was, I guess. But no. I mean, it depends how much money you spend on the Christmas party as well. But, no, a material corporate event would more likely be something like an IPO or a merger or acquisition or a divestment. So, something that is deflecting the business's attention, you know, because the imperative in those instances is to achieve the business outcome and, you know, not security per se or not, you know, whatever per se. I mean, it's not really specific to security in that instance. But when people are laser focused on a business outcome that is out of the norm, so, you know, again, think about a merger where you're going to be consuming other people's technology. I mean, I met with a 2IC to the CISO in Australia recently in an organization that does a lot of acquisitions of smaller businesses. I mean, it's basically a business model. And I said, you know, how much time do you get to go and assess the IT risk and the cyber risk? And this is normally about two days before the deal's done. So I think, you know, that's what we mean by a material corporate event, where the business is laser focused on achieving the outcome for the business.
Gerry Sillars [00:24:45]:
And in those instances, security takes a back seat.
Karissa Breen [00:24:49]:
So speaking of back seats, as you were speaking, what about large, so for example, major vendors have major conferences around the world. So do you think that even from a vendor perspective that, you know, they're focused on doing these big conferences? Right? Or, conversely, you've got RSA and places like that where people are so focused on that. Do you think as well that could be an opportunity where people's guards are a bit down, perhaps, or their eyes aren't maybe as focused as they normally are because they have a big event in front of them, etcetera?
Gerry Sillars [00:25:18]:
Could be. I mean, I guess that depends on the size of the organization, Karissa. You know, your core IT staff, your defenders of an organization, are less likely to be involved in going to a large event like that. But, again, I mean, anything that's taking people away from their day jobs, and going to do something else where they're working somewhere else nine to five and not focused on what the day job would be. Yeah. For sure. I mean, it could be, but less of a challenge, I think, than the ones that I discussed earlier.
Karissa Breen [00:25:49]:
Yeah. So I think it would just even be the people attending those events, right, that are, you know, perhaps there's thousands of people, perhaps that could be an opportunity. I mean
Gerry Sillars [00:25:57]:
Yeah. I mean, that's as good as a holiday, I guess. You know, you've got seventy, eighty thousand, whatever that is, a hundred thousand IT staff attending RSA. I'm sure that'd be an interesting one to go and see, if we could put in a report how many organizations were breached at a time that all the technical staff were attending an event. That would be an interesting stat to have, for sure.
Karissa Breen [00:26:18]:
Yeah. Just as you were speaking, that's just what came to mind. Right? So I'm gonna read out, so, again, going through some of the industries, the percentages. So 50% of companies were victimized by a ransomware attack after a material corporate event, which Gerry has outlined. And then to push now a little bit more, it was 50% in education, 30% in manufacturing, 43% in finance, 54% in IT/telecommunications, and health care was 29%. So I'm guessing, again, Gerry, none of those stats really surprise you given what you just discussed. As we're seeing nowadays, there's a lot more, you know, M&A happening, more IPOs, etcetera. So, again, people's guards are probably a little bit down, so it's an opportunity to strike.
Gerry Sillars [00:27:03]:
For sure. I mean, these organizations are gonna do research, and research when organizations are most vulnerable for whatever reason, whether that's holidays, whether that is a major corporate event, whether that's a once-in-a-decade Christmas party or whatever. The attackers are good at their jobs. I mean, you know, people are doing this full time. They're spending as much money, or more, than the people who are trying to defend against them. So they're pretty sophisticated in terms of understanding the best times to go and try and penetrate an organization. But, yeah, I mean, I think that probably the only one, or the most interesting one, might be health care, health care being lower than anyone else.
Gerry Sillars [00:27:43]:
And, you know, perhaps that's, I mean, health care has a tendency to be seven by twenty-four, three sixty-five, more so perhaps than some of those other segments.
Karissa Breen [00:27:52]:
So how can people prepare for, you know, the same, I mean, it's sort of a conundrum a little bit because it's like, you know, if you're getting your company acquired, for example, you wanna be able to tell media and get the word out there, but, again, you're sort of opening yourself up to risk. So how would you sort of prepare an organization to make sure they are taking the right steps and the right measures? Therefore, they're not underselling all the good news and the things that they're doing, but then also making sure, like, hey, we don't have, like, a massive incident happening at the same time.
Gerry Sillars [00:28:19]:
I think it's getting back to properly understanding the people, process and technology required, the process, procedure and technology required to go and mitigate risks. I mean, we are doing an increasing amount of work with some of the Big Four practices who do a lot of M&A and investment work, as a core component when they're advising organizations. And, again, you've got to have fairly deep pockets, obviously, if you engage these organizations to go and do this type of work for you. But they are spending months preparing a risk analysis of what you need to do to go and buy a business. Once it's acquired, what do you need to do to go and try and integrate this business as seamlessly as you possibly can, and/or divest this business as simply as you possibly can? So I think a lot of it is around people and process, ensuring that you understand the risks and understand what you're getting into. Again, kind of contradictory to what I said earlier on because, you know, in that instance I gave you where this organization is typically acquiring smaller businesses, you know, two days' notice to go and assess technology risk in an organization is hardly sufficient.
Gerry Sillars [00:29:25]:
And consulting with partners. So, again, I mean, I don’t think there’s any magic wand to go and fix this, but, you know, just understanding at the C-level what the risk is first and foremost. So, again, typically, in the instance of an acquisition or a divestiture, the C-level are aware. They’ve been given a report by whoever they’re working with typically to go and understand the risks, the business risks, the technology risks, operational risks, etcetera, going to ensure. And, again, from our perspective, you know, Active Directory is the most critical, and should be the most critical aspect in every merger and acquisition. So ensuring that the organizations are working with partners, you know, whether that’s us, whether that’s Big Four, whether that’s some of the other partners in our ecosystem to go and understand the technology risk and have a plan that we can execute against that delivers the outcome that they require, and make sure that, certainly, again, going back to our core component, that those kinds of jobs are protected. And, you know, if the worst happens, you can roll back or recover quickly.
Karissa Breen [00:30:28]:
So I just wanna ask you probably one more question around the stats. I know that we’ve spoken. We’ve covered a lot of ground here again today. But for those of you who wanna do a little bit more digging, we will be linking the report in the show notes. So, Gerry, one other question I have for you is eighty-three percent of respondents say they had an identity recovery plan in place. So maybe walk us through the plan. What does it look like in your eyes just at a high level?
Gerry Sillars [00:30:55]:
That’s the most surprising stat for me, Karissa. When, again, it’s an addendum to the report that says seventy-eight percent of respondents paid a ransom in the last twelve months. So without me trying to do a whole bunch of arithmetical gymnastics in my head here, I mean, that eighty-three percent of respondents said that they had an identity recovery plan in place. Yet, probably ninety percent of that eighty-three percent ended up with a ransom attack, and about two thirds of them paid it. So
Karissa Breen [00:31:27]:
But it’s probably a basic plan. Is that what you’re sort of saying? Like, it’s probably rudimentary.
Gerry Sillars [00:31:31]:
I may have backup and recovery in place, and, you know, I think I can go and recover from a backup, for example. But when I go and do that, it didn’t work. Or when I went and did that, I was dinged a second time or a third time and a fourth time. I think that was thirty-two percent of respondents in the ransomware report that said it’d been done. I think Germany had the highest incidence of people suffering multiple times for the same incident. Because the other aspect of this as well is that, you know, we’re dealing with people that are criminals, and they’re not necessarily honorable. Some of them may be, lots of them aren’t. So someone tells you you’ll get your encrypted data back, and quite often that doesn’t happen.
Gerry Sillars [00:32:12]:
Someone tells you pay me once and don’t worry about it. Quite often that doesn’t happen. So yeah. But I think there’s a, and, again, I see this every day of the week, there is a basic understanding or a basic belief, I think, that people can get their core identity systems such as Active Directory. But in reality, that doesn’t work out so well, and it is disturbing that the organizations that think they’ve got a plan never actually tested it, or never actually tested it in earnest or with any degree of regularity. So I think people believe that they have an ability to go and recover. Hopefully, they never need to find out that they can, to be honest.
Gerry Sillars [00:32:47]:
But, you know, again, I don’t think people understand how complex it is to go and recover. And I mean a core identity system such as Active Directory. Microsoft’s best practice is a 29-step process. And if you hand that off to Microsoft to go and do, which they’ll do for you if you give them a backup copy, it takes them typically up to five days to give you a set of instructions back to say, here’s how you can see that 29-step process in your environment to go and recover, and follow these steps, follow these specific steps in order, or you’ll need to start again. So, yeah, I think people believe that they have that covered, but in reality, I don’t think we do.
Karissa Breen [00:33:26]:
So, Gerry, do you have any sort of final thoughts or closing comments you’d like to leave our audience with today?
Gerry Sillars [00:33:31]:
Get a plan. You know, you don’t want to have the police at your front door with the Wet Bandits, and the Wet Bandits have flooded your house all the way to Christmas. Again, I think it’s just people, process, having a plan, having a recovery plan. We’re happy to help, obviously, and we’re happy to consult people on how they effectively go and do that. But it’s important to understand, though, that you need to be more vigilant. You need to be vigilant all the time, but you need to be as vigilant, if not more vigilant, when you’ve got a reduced number of staff that focus on defending your environment for whatever reason, whether that’s a corporate event, a significant corporate event, or whether it’s because it’s Christmas or it’s Hanukkah or it’s Chinese New Year.