Today to end the season hosts Mike Urbanik and Andrew Rose welcome CISO Andrew Rose for a conversation about the future of Cybercrime and Cybersecurity in the world today. CISO Andrew speaks about the new wave of cyber-attacks, how they come about, and have changed through the years. The discussion leads into preventive measures that can be taken to make sure that you are properly ready not if but when an attack happens to you.

Special guest Andrew Rose is an award winning CISO, Speaker, Brand Evangelist, Industry Analyst, NED & Board Advisor, CISO Mentor, Ultra runner - passionate about driving information & cyber security through a people-centric focus. He is also a board level Advisor with recognized expertise in information security and risk management, ISO27001, information security strategy; security organization and budgeting, security awareness, EU Data Protection, business engagement; information security policy development; and governance, risk, and compliance (GRC) initiatives.

Andrew Rose began a cybersecurity awareness program in 2016 while at a major agricultural bank after recognizing that the ag sector wasn’t getting the attention it needed about the risks posed by cybercriminals and other adversaries. He helped coordinate several symposiums and events focusing on the topic. He is now an independent contractor and volunteers his time to bringing cybersecurity awareness, education, mitigation, and response to the ag and food supply chain (and other special projects). His focus is on mitigating emerging threats. In addition to his experience in cybersecurity, he has a deep understanding of banking/finance, risk management, and other professional service sectors related to food, agriculture, and climate.

Michael Urbanik is an Account Executive with R.K Tongue Co., Inc. and is licensed in both Life & Health and Property & Casualty Insurance. He has experience working with both large and middle market commercial clients. He enjoys helping his clients understand the risks they face and develop cost effective plans to successfully mitigate and transfer these risks.

Did you enjoy today’s episode? Think we missed an important sector that should have been discussed? We here at DTC, Inc. would love your feedback on today’s episode! Please email us your comments and questions at AskUs@DTCtoday.com.

Read on with our most recent blogpost: When it comes to Cybersecurity make sure you’re not giving your data away.

Want to hear more? Past episodes are all posted, including on YouTube, Season 2 to be coming soon- follow and subscribe on your favorite podcast app to ensure you don’t miss out on the conversation!

Listen on

Apple Podcasts Spotify Amazon Music Podcast Index Overcast iHeartRadio +

Share Episode

Share on Facebook Share on Twitter Share on LinkedIn

Read on with our most recent blogpost: When it comes to Cybersecurity make sure you’re not giving your data away.

[Intro Music]

[00:00:00 Andrew Rose] Welcome to Cyber Savvy. This podcast was created by DTC to bring awareness, mitigation and response to cybersecurity threats companies and organizations face daily. Be prepared. Be cyber savvy.

Good morning. Good afternoon. And good evening. Wherever you may be listening from. My name is Andrew Rose, and this is the DTC Cyber Savvy podcast with my valiant co-host, Mike Urbanik from R.K. Tongue

And for those of you who listened to many of our prior podcasts, you're familiar with his deep grasp of the risk management field as it pertains to cybersecurity, as well as his measured tone.

That said, Mike, can you let our listeners know more about who you are and what R.K. Tongue is?

[00:00:53 Mike Urbanik]

Absolutely. And thank you for that intro, Andrew.

Again, my name is Mike Urbanik. I work with R.K. Tongue. We are an independent insurance broker based out of White Marsh Maryland.

We predominantly work with medical and white-collar industry CPAs, but of course I'd call us insurance generalists as we can handle almost any risk that comes our way.

Glad to be here talking about cyber liability and cyber risk.

It is the hot topic, the new emerging threat when it comes to businesses and just trying to help them understand what it is, how to get their heads around it, protect themselves properly and provide insurance products that might fit their risk needs.

[00:01:34 Andrew Rose]

Thank you, Mike. And I don't think you really even did R.K. service there, as great as you are, it is a phenomenal partner of ours.

They provide white glove service. They are the best of the best. And that's who we try to partner with here at DTC. There's a lot of folks out there that provide similar services, but rarely do they rise to the level R.K. Tongue does. So, I appreciate you being here and helping out with this.

And today we have a special guest. I was giving a cyber presentation probably a year ago and I showed up and someone said, “Wow, you don't look anything like your picture”. I said, “What he talking about?” They said, “Well, Andrew Rose, that does cybersecurity doesn't look like you, nor does he sound like you”. And I said, “Well, who is this fella?”

So, I looked him up and sure enough, there's another Andrew Rose out there who is a cybersecurity specialist. And not only is he a cybersecurity specialist, he’s in almost an exact same lane as me looking at those future threats and emerging threats. And I figured since,

Well, listeners, I'm going to let you in on a little secret here. This is Halloween Day today, but you're probably gonna listen to this in two weeks. So, we're recording this on Halloween.

And I thought, what better theme than talk about what the scary emerging threat is coming next and bring the international expert in here. So, Andrew, please tell us a little bit about your background, who you are, and also let us know a little bit about Proofpoint. How did you come to be in your role there?

[00:02:53 Guest Andrew Rose]

Yeah, hi chaps.

Thank you for inviting me along today, so I'm sure it won't get confusing having two Andrew Roses on the podcast. I'm sure it'll be fine. You get through somehow.

So, I’ve been in security for quite a long time now. So, I was the chief information security officer for two global law firms for about ten years. And that was sort of in the year 2000 - 2010, leading the two of the biggest law firms in the world through security transformations.

And just embracing the whole cybersecurity threat really. Did that for ten years. Then I left and joined Forrester Research, and I was a Forrester analyst for about five years focusing on security management and the role of the CISO. And I was I loved that job. I loved it. But I was tempted away by an even more interesting job.

So, I left Forrester to become the chief security officer at UK Air traffic control, where security really meant something, you know, safety, critical systems, ensuring that, you know, planes could fly across and land in the UK. So really, really important, really interesting job. And it was transforming security there as well for about five years. And then I moved on to MasterCard, helping them run real time payments in the UK and all of the ATM network as well.

So, moving trillions of dollars around every year.

And I was there for a few years and then I moved onto Proofpoint. So, my role at Proofpoint is I'm sort of the connective tissue between the security organization that is Proofpoint and the CISO community to try and make sure that as we design strategies and create products, that they're the right products for the right users in the right way.

So, we make sure that we stay aligned with the community and stay aligned with the threats that are out there.

And Proofpoint itself is... people may know Proofpoint certainly in the U.S. they will really well known for email security. That's where all heritage really is. But there's a whole platform that provides defense across the whole cyber-attack chain these days.

Within that Proofpoint portfolio. So, starts with the emails, but we've also got security awareness tooling with 40 plus languages.

So, you can apply security awareness across your global organization in a consistent way, no matter what language users are going to consume it in. We have tools that look for escalation of privileges and lateral movement and attackers get it.

We have the world's leading insider threat tool as well, looking at behavior analysis and looking at what people are doing within your network to try to identify malicious actors. And then finally we wrapped it up with an information protection tool which really prevents that data. Leaving your organization or moving between cloud repositories so you can make sure that you've got several chances across the attack chain to detect and stop the attack.

And it seems to go well. We think we're supporting about 87% of the Fortune 100 organizations use our products. So Proofpoint is very much a household name in the US and a growing name elsewhere across the across the globe.

[00:05:43 Andrew Rose]

Yeah, I do know that I sent some secure emails back and forth. I do send security emails back and forth to Bank of America and I see the Proofpoint logo at the bottom of that one.

So that's good to know. Good to know. That’s certainly credibility right there. You know. Well, I mean, the theme of this is emerging threats. And I went through and did some Internet searches on everyone's top ten emerging threats and what's out there. And it seems that the top of that list is A.I. social engineered attacks. But, Andrew, I'm curious from you.

I mean, what are the top demons that keep you up at night in terms of emerging threats?

[00:06:17 Guest Andrew Rose]

Oh good Lord. There's a whole long list of them. But A.I. is probably a good place to start. And I think the social engineering one specifically, because that that does worry me, because you look at FBI figures and the FBI say that business email compromise is probably the most financially impactful threats that businesses face right now.

And it's just a simple stuff of sending in a fake invoice or, you know, trying to convince somebody to pay a bill or buy some gift cards for you. It's very simple, easy entry level stuff.

And so, you think most people should be quite good at stopping malware detecting it. You know, you receive a text message from your CEO at three in the morning saying, “Please pay this invoice.” You’re like that's probably not him, it’s probably not really want me to pay, he’d send me an email so so that's where it is right now.

It's incredibly effective attack, but actually it's pretty basic. So, I'm quite scared about what happens next in terms of when the attackers start to use A.I.,and other technology used to build really much better social engineering tools.

So as an example, imagine that we've always said that the way to identify social engineering is look for the grammatical mess ups in the email.

You know, they'll be poorly configured, the grammar will be terrible, the spelling will be awful.

That's not going to work at all. They're going to use ChatGPT and other A.I. tools to create perfect emotively, engaging, creative languages, you know, all in local language for the recipients. And so, it's going to be really compelling. And then you can rap on the back of that.

You can say, Well, now I'm going to create a voicemail from the CEO and send a voicemail through it and then what I'm going to do now is create Deepfake video of the CEO saying, Please pay this invoice. And you can imagine that the poor finance clerk, you know, at some point they're going to go, Yeah, this is the CEO.

He really wants me to pay. And so, it's going to be interesting to see how this social engineering 2.0 really builds on and all these new technologies come in to really enable the attacker to be so much more powerful.

So, from the social engineering perspective, I think there's a lot of risk though.

[00:08:16 Andrew Rose]

Oh there's a ton of it.

And I heard a private story recently of almost the exact scenario happening. So it's it's in the wild and this is being utilized right now by our adversaries.

I don't know about you, but

I tend to be a little bit of a honeypot on LinkedIn and I get all kinds of social engineering assaults. Some of them are fairly simple to discern, but the latest ones are. I can tell that it was a ChatGPT enabled message because they pull certain keywords out of my profile and put that into that message. And I'm like, Ah, clever. That's interesting how you do that. Mike I'm curious, you know, because if these types of attacks are indiscernible from a legitimate type of invoice being delivered or message from the CEO, does the liability. still fall on the company. I mean, what kind of defense do we have against something like that?

[00:09:10 Mike Urbanik]

That's a great question and also before I answer that, I'll say that what scares me too, about the ChatGPT and the use of a lot of these A.I. tools is they make manual labor of finding this information and typing an email out happened in fractions of seconds and they multiply it.

So not only are we going to see better attacks, but we're going to see probably infinitely more because they can just tell the program, go sniff out X data, put it into Y email and send it to Z. People and boom, it's just going to be working 24 seven around the clock. That scares me as well, Andrew and Andrew, you know, don't forget that. But when it comes to the liability component, that's a great question.

I think a lot of the unfortunate in my industry, we try to be forward thinking as much as we can, but it's hard. We use information, cases, claims data that we see happening to design products and then design applications to accept or decline risks.

So cyber is really challenging because it's evolving at instance of seconds, it's so much faster than anything else. So compare let's just say cyber risk and a liability product to home building. I mean, home building, you understand what materials go into homes, you understand soil in certain areas. Okay. Number of storms that happen on this coastal region, how often they happen and they can use those algorithms to design a product at a price. Cyber,

It's very hard because what might be the number of coastal storms for an industry change overnight and then you might design a patch to...for the Microsoft product that they're on. And okay, now this number of storms are gone and then we rechange the patch and the number of storms now is back up to 100 a year.

So, it's very hard for carriers to design a product. So, I think the A.I. component will only exacerbate that problem even more.

I don't doubt they will start.

And we've seen this trend. So, what used to be, you know, a two-page insurance application to buy cyber liability five years ago is now a ten page application. They're asking critical questions.

I wouldn't be surprised if that turns into a 15 or 20 page document. And then they start saying, okay, you're telling me you're using MFA, you're telling me you're using these products. Show me proof, show me evidence, and maybe they're going to start asking for cyber training for your employees. Show me that your employees have gone through cyber training.

Show me some credentialing.

How they do that, who are the reputable sources?

I don't know. But it would not surprise me if carriers start underwriting this risk even more so than they are now, knowing that threats like that are coming down the pipeline.

[00:12:07 Guest Andrew Rose]

I think one thing the analogy used there about storms and sort of understand the frequency of storms, one of the things that makes cyber liability. Insurance interesting is the fact that it could just be one storm that covers the whole globe effectively.

You get one vulnerability, and it affects everybody. So, the scale of the storm can be very variable as well. But I also like the what you're saying about the spear phishing piece about being able to craft specific emails. And I think that's going to be really interesting to see because we've always said spear phishing is a lot more- people are more vulnerable to spear phishing because it speaks specifically to likes and dislikes in their social media profile and stuff.

And yeah, you'll be able to get A.I. just to pull that data out. And so, every email becomes a really well-crafted spear phishing email which just ramps up the risk. So, it's really interesting to see how trust is being weaponized by the attackers so much. And this is the primary attack model as well. And it's not like this is just something they do to keep some pennies coming in while they hack firewalls around the back.

The people are the primary attack surface of most organizations.

And so this weaponization of trust is their primary attack model. So, we need to really focus on how we can reduce the risk from the social engineering and how to reduce the risk from A.I., if possible, to make sure that our people are as well prepared as possible to recognize and respond to these attacks when they receive them.

[00:13:28 Andrew Rose]

One thing, too, that I've noticed I've been focusing on the passive insider threat risk, and these are people that are inside your organization that resist password changes, that fail the phishing test. And we found a correlation that these same people are the ones who are susceptible to social engineering attacks, whether around romance, finance, job opportunity, these academic things.

So how do you find these people? Either isolate them for advanced training, limit their network access, have some sort of H.R. action around them. But it just an interesting factoid that's emerging that the same people that are inside your organization that are those vulnerabilities are also at home.

They can bring a hitchhiker back to work with them. hat was unintended as well.

[00:14:11 Guest Andrew Rose]

There's a really interesting piece of data that Proofpoint helps our customers with, and it's basically a Venn diagram and it has three different circles to it. One is who is being attacked in your organization? So, who are the emails coming in to with this malware attached to them, what is fraud attached to them?

One is who's privileged. So, who's got access to the finance system? Who can write a check on their own?

Who's got domain up and privileges to the whole network? And the final circle is who's vulnerable. So, who doesn't change the password? Who has failed the security awareness training or not even taken it? Who clicks on links regularly? For bank, being able to overlay those three domains, you get real insight into where the risky people are, because some people, they may click on stuff but they don't have access to anything and they're not very attacked, so they don't receive attacks very frequently.

So, their risk is quite low. Being able to put those three together means that in an organization of, say, 20,000 employees, you can find the four or five people who were your biggest risk and just going to stand by their desk and educate them properly. Otherwise, if you don't know this, you're just sending 20,000 emails out into the ether and hoping that people read it and take it seriously.

So being able to target your highest risk individuals is so, so powerful to CISO’s these days. A real a real game changer in terms of insight and being able to reduce your risks surface.

[00:15:26 Andrew Rose]

Mike, question for you, let's say that an attacker gets in through one of these vulnerable people and it executes an attack on the organization, would that mean that that insurance might not pay out at that point in time?

How do you handle- I'm just curious.

[00:15:40 Mike Urbanik]

Yeah, it's a great question. So, I'm going to say everything is a case-by-case scenario and we could probably maybe go through some claim scenarios, and I could say, okay, this might work. So, I would say first off is depends on the answers they put on the application.

And if they told the carrier, yes, we use MFA, yes, we have firewalls, yes, we do all these things and then, Oh they file a claim and the carrier comes into help indemnify them, you know, bring in IT professionals to either remove the malware or what have you.

And Oh, they find out in the process you had none of these things you represented to them. Well, that's insurance fraud, right?

You can't say one thing and do another. So most likely they would still help you with the claim, but they would drop you as a client and that potentially makes you uninsurable in the future. You don't want that to happen. You might say, yes, I pulled one over on the carrier, but your kind of black marked from the marketplace.

But let's say a scenario where you have done all the right things, you have all the tools and I mean, I've seen it before. People have thousands, tens of thousands, hundreds of thousands of dollars they spend every year as an organization to protect themselves.

But the bad guys still get it. I mean, they're infinitely crafty.

It's just it's just the nature of this risk. And they get in the carrier, you give them a call and they would come in in that scenario and say, hey, look, you made a mistake.

It happens. You were doing all the right stuff. This was an incredibly crafty email, and they will indemnify you, whatever that means.

You know, sending the notifications if that's part of the process, bringing in new computers, removing the malware, removing access, changing passwords. It can be a lot of time and energy to solve one of these risks because they're so, you know, intangible. It's hard to understand where it is at times.

But if you do all the right things, even if you make a mistake, they will still come in and rectify you and indemnify you.

[00:17:37 Andrew Rose]

Yeah, and we've touched on this in the past, is how do they get in? Who are they? How do they get in? And usually, the first level entry point are low level street gangs that have gotten free keys off the Internet. They've scanned the unpatched list to go and look for unpatched vulnerabilities.

And they get in and they sell that access upstream to a more sophisticated operator who then deploys to their customer service and demands Bitcoin or whatever type of payment they want to get out of the process.

One of the things that I have heard about. And Andrew, I'm curious if you've seen this in the wild is wiperware, you know, ransomware, they’ll hold your information hostage until payment is made. But I've heard that there's wiperware out there where they just break your machines and there is no ransom note it's just a pure loss of your machinery.

I've heard about it more in pre wartime footing with Taiwan and North Korea as well with some of their adversaries. Have you seen anyone deploying that, whether from a corporate espionage standpoint or otherwise in the wild?

[00:18:38 Guest Andrew Rose]

We have. It's a difficult one because criminals tend to want to create a finance income stream for themselves and wiperware doesn't really help them with that very much because there's no way back.

There's no way for them to sell the access back to the data. So, wiperware doesn't seem to be terribly common in criminal enterprises.

Occasionally you'll see things like NotPetya, which was actually, you know, wiperware and what the story behind that is, is, you know, was that released too early or was that just not created or crafted correctly did it just hit an enterprise by mistake?

Some wiperware you don't seem to see too much of in the normal criminal enterprises but you’re right that you do see it in nation state attacks.

So, we saw it at the start of the Ukraine invasion. Russia started to throw wiperware at Ukraine and it's it's interesting, why wiperware?

Probably because you know I think it's a really good way to try and initiate social change because if you can invade an area, then wipe all the citizen records, then what better way to reregister the whole of the population and say, right now you're going to be registered on to our systems and now you're are population, and now this is our country.

So, you can see sort of there's a sense in it, as it were, just having this ultimately destructive attack with no way back from it. It gives them an excuse to repurpose the whole of the society around there. So, I think I've only really seen wiperware really in that context. And so that tends to be pretty limited, pretty focused, pretty targeted, and not really yet from the criminal gangs who make up, you know, a lot of the noise these days.

[00:20:10 Andrew Rose]

Well, good. You know, since we're talking about future threats, we've got to bring up Quantum. I know it's always five years away or something like that, but I know it's got a lot of people very, very nervous right now.

What have you thought about this? What have you looked at? What have you heard? Andrew, I'm curious from your stance at Proofpoint how you are thinking about Quantum and the implications on cybersecurity.

[00:20:30 Guest Andrew Rose]

Well, I’m no deep technologists who can claim to understand quantum, particularly. However, what I've seen is I've seen some of the biggest organizations in the world already starting to embrace this, which is really cool.

I was working with a large company just recently and they were running workshops and sessions preparing for this quantum revolution to come along to understand how I know how this would impact their business, how this would impact the threats to their business, and start to hypothesize about potential solutions.

And they ran a whole two day workshop on it, and they brought in experts, quantum experts, to explain it to Ros Luddites, and they had lots of different people in the room.

It's a concept called threat casting. We just bring lots of people and talk about the threats and just hypothesize about what it could look like, and they take it all the way and write it up into documents.

Really powerful way of doing it. But they were looking at, you know how this could impact public cryptography on which so many of our processes are built these days. Looking at the risk of data theft, which is quite interesting. So, I’m already hearing stories about nation states stealing secrets from other nations, knowing that they can't decrypt it because the encryption is too good.

But just waiting until well, Quantum will be along in 5-10 years. Then I'll see what's in here. So, really interesting that they've got that sort of advanced thinking about how Quantum may unlock secrets in the future, which could then be horrifically damaging.

So, it's- for me it's it is that five year away threats but organizations that are out there are definitely looking into this to try and prepare themselves so they can be ahead of that threat and understand what post quantum cryptography looks like. From my personal perspective, I can't offer too much insight into that. Really. I think.

[00:22:11 Andrew Rose]

it's terrifying. You know, the more I just even conceptualize what it is, I mean, just think of it from offense defense standpoint, what does that even look like? I mean, how do you it's it's kind of like countering a chess master and you're just beginning to start to play chess at that point in time.

[00:22:26 Guest Andrew Rose]

It's going to be interesting to know whether it's quantum computers are going to show up initially, though, and how, you know, is it just going to be there's going to be four or five around the world. Is that and it's going to be owned by the big nation states? Is that how it's going to start or is it going to rapidly move into where we could actually commoditize this and suddenly everyone's got a quantum chip stuck in the back of that laptop, which does one's processing for you.

I guess that will change how the whole dynamic moves. But yeah, it's going to be interesting to see how it all develops and it's worrying time because so much is built on the cryptography which becomes vulnerable to this. So, we are going to need to rethink so many different processes regarding finance, regarding commerce and work out how we can change our systems to enable this.

But hopefully we get ahead of it now. Then we stand a much better chance.

[00:23:13 Andrew Rose]

Mike, did you have something that you wanted to add about that?

[00:23:16 Mike Urbanik]

I was just going to comment on the fact that, if you cannot identify who the attacker is, just makes it so challenge going to defend against the risk. Right. It wasn't anything major, but I was just feeding off of you guys.

And I was thinking that, you know, if you have a person then you have now this quantum engine, or quantum computing.

How much savvier, how much smarter, how much more infinite are the number of attacks? Can it just bypass the human element and go right through the firewalls?

Because again, right now I see from the data the human element is the biggest weakness.

And then are we just removing that completely because now tools like Quantum can just go right, right through all of these digital barriers that exist today. So, from my understanding or what I read, just like you Andrew, I'm no deep, deep mind here, but it is just a whole new element that could change.

And you know that I think too the carriers can they design anything or a product to help companies here and, there's just a lot of question marks, lots of question marks when we look at the future here.

[00:24:22 Guest Andrew Rose]

There really are, I mean, it's interesting to see them trying to develop this post quantum cryptography solutions, and they'll get so far with them thinking that it's going to work is going to work, and then suddenly it falls apart.

It's like, okay, this is no good. Start again. So, it's interesting to see how far we're getting in that and whether we're going to find a solution in the near future. Still many different irons in the fire, but some of those are failing as we go.

[00:24:45 Mike Urbanik]

Yeah, and I want to go back to the storm analogy earlier, and I'm going to give a not a good metaphor, but something I think it might be relevant. So, if you paid attention to insurance in America and all right now a state that's very hard to get insurance in is Florida.

They had a number of really bad hurricanes over the years, and carriers have experienced a lot of bad property losses. So, they said, hey, look, we just don't understand the metrics for Florida we're going to pull out.

So, let's say there were initially ten homeowner's insurance carriers you could go to and now they're down to two or three. So, what happens is the ones that stay absorb all the bad losses and risks and they drive up their prices a lot.

So, what used to be a $1,000 homeowner's policy, you know ten years ago is now no joke $10,000.

If you can get insurance and you have to basically go with whatever the two carriers, the three carriers left in the marketplace will offer. My fear and this is, you know, maybe fear mongering, maybe worst case scenario, a product like Quantum comes out and it could be so revolutionary to this industry so quickly. Carriers lose faith in designing products and they say, hey, look, we don't understand the landscape anymore.

We have too many dollars on the line next year through no fault of the clients. They could be risk free for those years. They just say, “Hey, look, we will pull all products because we don't have a good handle on this”.

And then all of a sudden, the ones who do stay in the space can charge, ten times the price or there's just less options available to people.

And I think that's just always bad for a consumer in a capitalist marketplace where, options drive prices down. If something like this comes along, it could be really devastating or revolutionary to the landscape of insurance products, because, again, insurance carriers put a lot of money on the line.

And so, we'd all always think of them as our friends, but they do come in with the checkbook at the end and indemnify you.

But if they don't understand what they're indemnifying in the risk, they're not going to design a product. So, I wanted to draw that analogy. When we talk about this and we think about cyber, it's just so fast moving. I don't think people think about what it takes on the back end to, secure these companies.

[00:27:13 Guest Andrew Rose]

Yeah, it's a very good point, actually, because it's interesting watching the cyber insurance market sort of go through different waves. It was ransomware comes in and starts to completely transform the organizations threat sort of model and costs a lot of money.

Then you see cyber liability insurance going up in price and actually pricing out some of the people who are purchasing it.

And so, they move back to self-insurance again, which is what they were beforehand to just go. We we'll just- we'll just live without insurance If it goes wrong. We just stump up the bill and then it comes down in price as people start to get an understanding about, okay, we're ransomware, we sort of understand where it is.

But it's interesting seeing it go through these movements and start to hopefully mature over time. But I think the whole cyber landscape is just so, so volatile. I think you are going to keep seeing this over and over again. It's much more volatile and pretty much any other insurance market I can think of really.

With so much of any vulnerabilities, because you can patch 10,000 of your 10,001 machines, but the one machine you didn't patch can be the one-way in.

And so, it looks from the outside it done all the right things, but still, you're vulnerable.

It's a difficult thing to risk model.

I do have some sympathy for insurance organizations trying to work out what risk are we taking on here, how much risk should we accept? How do we understand what risk we're taking on?

Because organizations are complicated and intertwined and the services, they deliver are complex. It's difficult to unpick that and understand exactly what risk you've taken on.

[00:28:38 Mike Urbanik]

You're absolutely right. I'll give you one more analogy or what we saw to happen in a similar scenario. So, when COVID came out, obviously we were all very confused.

We didn't understand what the risk was, how sick could people get, what damage could it do? And in America, we shut down a lot of businesses. We said, hey, only mandatory businesses and we put restrictions. So, what ended up happening for a lot of businesses is they needed to furlough, lay off or fire employees. Well, we saw a huge number of wrongful termination claims come out.

So, an employee pursuing an employer saying, hey, you laid me off, you terminated me, restricted my hours wrongfully during this COVID period. And a lot of carriers, there's a product for that called employment practices liability, which indemnifies and protects and pays legal defenses for businesses against these type of claims coming from employees. It helps provide defense. The carriers knew there was a wave of these claims in coming and they put a moratorium on new risks for the industry.

So, let's say, 2021, you wanted to buy this product in July, you could not buy it. There was a moratorium. They were not accepting new risks. So, it was either you had it or you couldn't get it.

And I don't know if that would be something that we could see in cyber, until ultimately, yes, you can get it now. But it took them about a year and a half, two years. And I'll tell you, I never got more phone calls asking for a product in my time than during that time period.

So, again, you know, we try to take things we've seen and we apply them to different scenarios. Might not be the perfect method but look at cases like the Florida storm scenario.

I look at things like EPLI and COVID, and then it's like, Hey, as a business owner, I'm very sympathetic to you because you have to pay a lot of expenses. You're getting nickel and dimed for everything that seems like these days. This is one more thing, but it's crucially important.

And it's like if you don't get it now, will you be ultimately blocked out of the marketplace or not have anything of the future? And again, I don't want to fearmonger anything or push people towards it, but these are questions I have, and I try to help guide my clients through when they look at this risk in these scenarios.

[00:30:54 Andrew Rose]

Well, one of the things I saw a recent survey that said in 2024, I think it will or maybe it's 2023 that four out of five CISOs were going to pay the ransom.

And it appears that there's been so many ransomware attacks. These gangs have now found the sweet spot, not demanding too much, that sort of Goldilocks area of the ransom note that people are paying and businesses are now making this part of their budgeting process. How much do we put in there and question for both you, it's just is this becoming background noise?

This is this is something that's always going to be there that businesses need to take account for and then Mike to your point, if a carrier drops somebody in there self-insuring that cost is going to get passed on, you know, that's the cost of doing business. The consumer will pay more. And do we just accept that background noise that there will be persistent ransomware attacks always?

[00:31:43 Mike Urbanik]

Yeah, that's a great question. I mean, here's how I think people should think about insurance in a way.

So, you are paying a company to take on your risk, risk transfer. So, in any given year, let's say your office and all your belongings could catch on fire and it would take you $1,000,000 to rebuild that building and put all the tools and resources back into it.

You could be sitting on $1,000,000 in your bank account self-insuring that risk properly, or you could pay travelers $4,000 a year to take on that risk. Most business owners say we'll buy the insurance. Better than sitting on $1,000,000 because I can use that capital elsewhere, right? I think that's simple business 101.

When you come to a cyber component, you can't go to a outside vendor necessarily and say, “okay what is all of my data worth? What should I expect to pay?”, Because these ransomwares, there's no rhyme or reason necessarily how much they set. I've seen them take hold of hospitals and the initial demand was $2.4 million and then they settle for $70,000 in Bitcoin.

How do you know how much to budget for? How much would it cost to replace all your computer systems? I’m sure you could go get a quote, but is that accurate at the time of downtime, things like that. So that is part of the risk transfer that business owners, I guess, need to think about. And again, I sympathize with them. I talked to my dentist and they're like, “Mike, I just want to be a dentist, you know, that's what I do.” and I'm like, “Well you're also a business owner and this is a new threat for business owners. So, you got to wrap your mind around it because it just won't go away if you bury your head in the sand.”

But I don't know if I answered your question, Andrew, But that's what I think when it comes to self-insuring this risk, it's going to be very hard when you compare it to other risks because it's hard to understand what is the quantifiable amount. You need to either self-insure or hold on to. It could be very little, $500 in Bitcoin to some guy in Africa, India, North Korea, or it could be, $1.3 million and the guy says, if you don't pay, I will hold all of your data. And how do you get that back? What's that cost component? So, it could be very large in the spectrum and it's hard to quantify that and self-insure it.

[00:34:00 Guest Andrew Rose]

There’s so much to unpack in this topic, unfortunately. So just pick a couple of things. I don't agree with that four out of five CISOs would pay, Not quite... because I don't really know any CISOs who want to pay. The fact is that they realize that that's the cheapest way out of it, and often they're encouraged by their insurance company because the insurance company has a very sort of financial perspective on it to go, “That's the cheapest way out of this. Let's just take that.” So, me as an insurance company, I'm minimizing my losses here and I'm willing to pay that amount to just pay it and go on.

So, I think CISOs do feel that they're often encouraged to pay to get to take the simplest path out of the crisis that they’re in. But I don't think many of them feel comfortable with that, because it's not just a case of, “I pay the money, I get the keys, I decrypt the data and we're good. We're back working again.”. I always have to ask the question, “How on earth can you trust your environment?” You've had somebody on your environment with an admin privileges doing goodness knows what. Surely, you've got to build it from the ten back up again and so there's a reluctance there just to simply say this is decrypted data and carry on. That's not how it is at all. So, there's that aspect to it.

I think one other interesting thing, Michael, you said about how much insurance to get. There was one really interesting case, probably a UK based case. I'm not sure, but the organization of retail organization, online and proper shops retail had a ransomware attack and the cyber liability. So, attacker phoned him up and said, right, okay, well we would now like you to pay $8 million in ransom. And they went, “$8 million?! We haven't got that sort of money! That's outrageous! That'll take us under.”

To which the attacker said, “Well, that's what your cyber liability policy covers you for, because we stole your data. We've looked through it. We found the policy and it covers you for $8 million. So, if you wouldn't mind, just $8 million, please.”

So, even having a policy can become a liability in itself, because suddenly the attackers know how far they can push you and what the limits of that that coverage is. And therefore, I'm not harming you. I'm just harming the insurance company, give me the $8 million. I think they actually managed to talk it down to $2 million.

So, I certainly hope they gave whoever did that negotiation a good pay rise that year, because that's pretty incredible work. But interesting that, again, having the policy can become a liability in itself.

[00:36:19 Andrew Rose]

That's a great point. And I think we covered it one of our earlier podcasts, that when attacker gets into your system, when they start moving around one of the first place as they go is your backups. They find those and shred them so you can't restore your systems.

The second place they go is to find your insurance documents, because just like Andrew said, if they pull that and find out what your range is, in fact, Mike, I think that we've discussed keeping them printed and not connected to your network. I mean that's just extra step that most- an owner or step almost that most business owners wouldn't even contemplate.

Have you started to see that as well? Are you recommending your clients not store their insurance stocks on their servers?

[00:36:56 Mike Urbanik]

I haven't personally recommended that. It is funny, you know, we've gone full circle now. We said, “Hey, paper is vulnerable, go digital, and now digital is vulnerable. Go back to paper.” We’re just running around rat wheel here. It's not a bad idea. I mean, but we ultimately then run into the challenge of convenience versus security. And that's everyone has a different temperature gauge there. There's a high wire act to walk because everything we do on a digital platform… faster, more convenient. But now we're running the security component.

So, I haven't personally recommended that. I mean, we deal in digital, we use a comparable product to Proofpoint to secure all send all of our documents securely, and so hopefully they're not getting a hold of those things. But ultimately, every server I send it to is probably different. Some are more secure and more protected than others. So again, questions, how do we protect something when it's so different for every single business and every single person?

[00:37:57 Andrew Rose]

Well, if you listen to our cybersecurity folks in D.C., they'll say “MFA everything”, multi-factor authenticate every single thing that's out there. And when I sent the email out to the two of you about some different topic, I know Andrew, you said, “Well, what about man in the middle and other ways that you can get into an MFA, encrypted or secured system?”

Can you talk a little bit about that? Because I think people need to understand what could happen and how it could happen.

[00:38:27 Guest Andrew Rose]

Yeah, I mean, MFA has been perceived as a bit of a silver bullet for quite a few years, but I think the attackers noticed that this was going to start disrupting their income streams and so started to invest some time and money in actually bypassing multi-factor authentication. And so that's what we see. We do see, again, very much attacks on humans.

So, if it's an attack to create a fake web page which asks you to enter your, you know, your ID password and MFA token. You put in the token, and they steal it. They log on as you and then you get an error message coming up. But it all looks very legitimate. But by that point they’re in. All you'll see fake Microsoft 365 applications.

So, you receive what appears to be a document in SharePoint. You click to open it thinking, well we all use SharePoint in our organization it comes up saying, permissions are required, and we get so many of these cloud popups coming at us that many people will just go, “Okay fine. It appears to be an internal document. I'll just click and get permissions.”. But actually, what you're doing at that point is you're giving the attacker permissions to access your 365 accounts without MFA.

And if you change your password, they can still access it. They're accessing it as an application. So, there's different techniques that attackers have built up to bypass multi-factor authentication. And again, all focus is back on logging on is the human. And it's that little phrase that we use is that attackers don't hack in, they log in. And that's so so true these days. I think the Verizon data breach report said that 50% of successful attacks use stolen credentials.

So, it's all about the attack on people. If I can compromise the individual, I can now log on to the systems. I can now log on to the enterprise and then move myself around laterally and look good. And that all comes down to the fact that we've designed our systems differently. It used to be, in the olden days is it worked a decade ago, now everything was in the head office. If you wanted to access something sensitive, you had to log on through the firewall into the data center or come into the office physically and get access to that data.

Now, organizations aren't like that. Now, all of our data is shared. The four winds, it's all in different cloud services. It's in SharePoint, it's in Workday, it's in Dropbox, it's in Google Cloud, it's all over the place. And so now the central hub is no longer our data center. The central hub is the identity of the user, and they access data wherever that happens to be. So that this puts our users definitely in the firing line of attackers. And what protects our users when they’re logging on, multi-factor authentication.

So that's why multi-factor authentication is such a focus for attackers these days because they will not be denied at getting to that user, logging on as that user so they can access the data, escalate their privileges and deliver the whole attack that that they want to deliver.

So it, it is a risk, MFA still essential. Do not think that it's not useful because my gosh, it is. So, you really it is non-negotiable. You must have it in place. But don't think it's going to give you 100% impenetrable security. It's just it's just not. It's still vulnerable to that people-based attack where people will hand over credential to the wrong person by mistake.

[00:41:33 Andrew Rose]

Yeah. And I compare it a lot to marketing. I've got 20 years’ experience in marketing and customer experience. So how do you move someone down that chain? And I see a lot of similarities between the MFA hacking and marketing. We use the nudge, we tap you a few times and I've seen MFA attacks where they'll send the target multiple text messages during a busy period of time and sometimes, they just they say, yes to one of them and that's all it takes then. I really love how you frame that perspective. That's one way to look is it's not hacking in there logging in with credentials at that point in time.

[00:42:09 Guest Andrew Rose]

They really are. You reminded me about that overwhelm one, and it's so true. You know they'll just send you a text message every 15 seconds until you eventually go, oh my god, yes, stop it. And they will. Eventually, people will just give up and think it's some sort of system glitch and just click the other answer just to make it stop. But at that point, you are logging your attackers, right?

[00:42:26 Andrew Rose]

It plays in that sense of urgency. As a human being, we're like, this must be urgent. It keeps on coming back in here. So, yes, you know, I'm not sure who's sending it or why they're sending it, but it seems to be raising alarms.

[00:42:39 Guest Andrew Rose]

It all comes back to, as we started to about social engineering. It's all about the people. That's where the risk really is. You know, all of these technologies that we put in place are great, but every one of them can be bypassed by somebody every one of them can be subverted by somebody making the wrong choice or clicking on the wrong button or making an exception for the wrong reason.

So that's where attackers focus you know, it's difficult to break through a really technical firewall. It's quite easy to get someone to click on the wrong thing and suddenly invite you in. So, people are where the risk is at.

[00:43:09 Andrew Rose]

And we touched on it in this podcast. A couple of different sets of adversaries are out there. The common criminals, the scam artists, they're looking to make money, but also nation states, and they're both looking to make money and they have ulterior motives about what they want to accomplish, how they want to either cripple or weaken potential adversaries or take people off the stage before another event occurs. And shame on us if we're not taking a lot of notes from what's going on in Russia and Ukraine right now in the cyber wars there. And I feel that we need to- it's a dark subject, but we need to broach the topic of migrating into potential wartime footing and having nation states be the actors behind some of these broad based attacks that we might see.

Mike, first question to you. I understand with the attack on Merck that Merck said, “this was a wartime attack”. The insurance company said, “no, it wasn't” and there's some debate there. Can you talk about what it means for coverage if it's determined that it was an act of war versus a corporate espionage assault?

[00:44:10 Mike Urbanik]

Yeah, that's a great question. So, most insurance policies are going to say, “Our policy does not pay in an act of war.”

So that has been a longstanding clause to insurance policies. If bomber plane from another country flies over and drops a bomb, the two countries are at war, they're going to say, “Yeah, we're not going to pay for that.”

Now there is condition to policies for terrorism. It used to be optional. You could say, “yes, I would like coverage for terrorism. No, I would not like coverage for acts of terrorism.” So, let's say that same scenario plays out, but it's not necessarily a nation state, but a organization and I’m not even going to attempt on this podcast to define terrorism and who falls into that bucket. But an organization with a mission and a cause, blows up a building, your building's next door to it.

You used to be able to opt in or opt out of that coverage. Most carriers now automatically add that in. They said, “Hey, we're not doing this optional $150 or $250 coverage.” We are just adding it as part of the policies. So, I would guess there's going to be depending on who it comes from, what organization they find out, is it a nation state? Is it maybe a terrorist, someone who's been put on the terrorist watch list?

Because those organizations are always hungry for revenue. And this is a great means to get revenue. Could it fall into that bucket? There's going to be a lot of questions that come up it is a nation state. My understanding right now is they are paying claims, or they are resolving claims, if they come from nation state attacks because the U.S. is not in a state of war or with any of these other countries at the moment.

But that could change, let's say, a hypothetical scenario. North Korea and the U.S. go into a state of war and then all these businesses start getting cyber-attacks and then insurance carriers decline them, because now that is the new digital landscape in war. We haven't seen that play out. I'm sure there are conversations on carrier sides to understand what that would be.

I would say we won't know until we get there. But it's very possible that if that scenario plays out, your policy will not be as robust as you thought it was, because now claims are getting declined because of that longstanding, you know, war clause policy.

[00:46:39 Guest Andrew Rose]

There's a load to unpack in that as well. Actually, it's really interesting because what you're finding is that now countries aren't declaring war. I don't think Russia's declared war on Ukraine has it? It's just a special military operation. So, you're not even getting to that stage of having the clarity of are we or are we not? And I think one of the things that worried security officers, was very much around the fact that insurance companies were able to self was able to self-attribute and to be able to say, well, we think this came from Russia, therefore this is a nation state, therefore we're not going to pay it.

And that worried chief information security officer’s ability was given to insurance companies, we just thought to be to see something they don't like and just say that it was Russia therefore there not paying, which was worrying.

But one of the key things I think is attribution is so, so difficult in the cyber space. You know, as you said, if a plane flies over and drops a bomb on your building, then it's pretty fair to go, well, not planes from that country. Nobody else delivers bombs like this. But actually, in cybersecurity, the people who work for the nation Monday to Friday will then go home at the weekend and become a part of the criminal gang and try and make their own profits for themselves, probably using many of the same tools and capabilities that they were using during the week.

So, it becomes difficult to say, are they working from a nation state perspective or from a criminal self-interested perspective? And also the fact is that bombs that are the cyber bombs, as it were, are reusable. So, you can find a North Korean malware and you can pick it up and you can send it back at North Korea or you can pick it up and reuse it and send it elsewhere.

So suddenly, what you're receiving looks like it may have come from North Korea. It looks like a North Korean malware that you've received, but it's actually being crafted by some Eastern European criminal gang. So again, it becomes really difficult to attribute and say this is nation state, this isn't. And it must be very difficult for insurance companies to really draw that line. And I guess at the moment, drawing the line on the on the side of paying out to build that model, build the confidence in the whole infrastructure around cyber liability insurance is probably the wise thing to do, But we'll see if that changes as things develop, Really.

[00:48:44 Mike Urbanik]

Yeah, and hard for me to say, Hey, I'm giving you a blanket statement that applies to all claims scenarios. Every claim is unique. Each of these will have an adjuster to understand where it came from and you know, I say this, but everyone's completely different, are you a online business retailer? Are you a medical facility, or are you a department defense contractor? You might get a different answer based on what business you are and who's on the other end. So, it's very hard to, you know, say that and be 100% confident. So, I don't want to mislead anyone listening to this podcast.

[00:49:17 Guest Andrew Rose]

I agree completely. I think I say that the answer to every cyber security question is, it depends. I think that's the only the standard answer you can have to cybersecurity issues.

[00:49:27 Andrew Rose]

Well, since we're asking hard questions here and since I've got Andrew on the podcast here, thank you again for being here, for many years, the U.S. government had a stance that we don't do offense, we'll just absorb the attacks, we’ll mitigate, we'll respond to those.

Obviously, we know that might not be the proper answer to that. Andrew, have you seen private industry taking an offensive stance to fight back? I'm sure. I mean, not to broach the legalities behind that, but just have you seen operations or people holding themselves out and you don't need to disclose names either. Don't want to name that risk. But I'm just curious because it seems that have to weather these attacks and then we have to pay the insurance which respond to them and patch our systems. It would be great if we could punch back a little bit. Just… this is Andrew thinking out loud and not endorsing anyone to punch back.

[00:50:18 Guest Andrew Rose]

Indeed, and it's a conversation that comes up. I'm certain, certain CISOs have exactly the same thought, you know, why can't we punch back? Why can't we just attack the attackers who are attacking us? And it seems like a logical concept. The problem is, it comes back to attribution again. How can you be certain that you're attacking the right person? Because you may be causing more damage, and especially when an attack can be- come from several different places.

So, you know, if I'm an attacker in Russia, why wouldn't I hack into a server in France, then a server in the UK, then a server in South America and then attack you in the US? Why wouldn't I do that? And then you as a US victim would go, my God, we're being attacked from South America. Let me hack back at them. You're hacking somebody who's already a victim. You're not attacking the right person. And so that's the major problem around this, is how do you get to the ultimate attribution of who did this and make sure you were attacking the right person.

Otherwise, you're just causing cyber mayhem and chaos just as bad as they were. So that's what really keeps people back from going on that cyber offensive front and I'm sure the governments do it. I'm sure they do. I have no evidence to confirm that, but I'm sure they would do. But in private industry, although it's talked about, I haven't seen anyone do it yet.

[00:51:34 Andrew Rose]

Yeah, I haven't either. I mean, I've heard whispers and rumors, but I tend to stay away from those crowds. It's kind of like going to the dark web. Yeah, you're always curious about it. You just don't really want to poke around learning more information.

[00:51:45 Guest Andrew Rose]

Absolutely. I mean, just imagine the insurance claim, like, well, who attacked you? Oh it was this major bank in the U.S. What? A major bank of the US attacked you? Yeah, they attacked us. You know, it becomes a really difficult conversation.

So, yeah, I think most times I haven't seen any organization that's taken it past the ‘we should be able to do something about this’ stage which is a fair conversation and born out of frustration. But ultimately, we have to be the good guys here and so we just have to defend ourselves better, get better at protecting ourselves, better at recovery, better at not letting these things impact us and then move on.

[00:52:20 Andrew Rose]

Well, one of the genres of movies I love to watch are spy versus spy. And if you watch the movies, there's plenty out there and there's fewer on corporate espionage. And we've talked about some of the different classes of opponents out there.

I'm sure it goes on, but I don't know that it necessarily gets the press coverage that would reflect the abundance of corporate espionage going on. Andrew, what is your perspective? Have you seen anything? And again, you don't need to share any names, but I'm just curious, is this something that we need to keep an eye on?

[00:52:49 Guest Andrew Rose]

Yeah, it is there was a really interesting article I read recently, and I can't quite remember which magazine it was in.

It was about a major soft drink retailer and how China tried to steal information regarding the inside of their tin of their drinks tin. And it's such a- it's such a trivial thing we don't even think about.

But to China, that was really important technology that they wanted. And so, they were trying to get people to leave the organization, come back to China with that information. So, information corporate espionage like that is very true. And there are other organizations out there as well who have this is a major problem. There was one organization who manufactured engines and they knew that their engines were getting ripped off and copied.

So, what they started to do is actually put elements within that engine which were entirely useless and so when the copied engine turned up. They could point to that go, “So why's that little elements in there?” and people would go, “Uh... Because it's important…?” It's like, yeah, we know because we designed it to our system has an entirely superfluous feature which nobody would ever need to do and suddenly it's in your engine.

So, we can see that our copyright has been stolen over here. So, it definitely happens and some countries are much more active in this area than others because they're trying to build their own economies and make sure they don't fall behind in any way. But you do see attackers starting to try and incentivize the espionage or even incentivize just the disruption of organizations.

So certain car manufacturer in the U.S., one of their employees was offered $1,000,000 to go and put a USB stick into one of the domain controllers, and that was whether that was to disrupt the system or to steal data and disrupt their system, probably. But they were nation state or foreign actors looking to try and incentivize this espionage and this disruption of organization.

So, it does happen. And we have to be really because corporate espionage is a real thing. And what we're seeing now is because of credential theft, which I mentioned earlier, credential theft is now a big issue, an insider threat, because insider threat for us used to be, well, you got criminal people inside our organization and negligent people. And honestly, there weren't that many criminal people and negligent people, but always negligent. So insider threat was sort of tolerated. But now with credential theft being such a big deal, now we've got external malicious actors on our network looking like, they're looking like Bob from accounts, looking like a legitimate user. And so they can access data, they can pull data out, they can send it elsewhere, and we can't even see it.

So we need to be so much better with that insider threat piece now. And the tools that we used to have, such as whistleblower hotlines are just entirely useless. They just don't work anymore. You don't you don't see Bob from accounts turning up in a Ferrari in the car park now that this doesn't happen because want to come to work anymore because they work remotely, work from home.

You know all of those old ways of working don't offer insight into that credential theft piece. So corporate espionage and that's insider threat is a big deal for so many organizations these days something that we really need to keep focused on. But it's just- I’m going on about a bit too much. But the corporate espionage piece as well is often not prioritized by organizations too much because the impact is often not immediate.

You know, you're losing intellectual property that will come reward your organization in 5 to 10 years when that product is developed out there. So actually, if information leaves, you don't even notice it leaving and you don't really feel the impact or see the impact for several years, which again downplays it as a risk, so many organizations don't take it seriously enough. But we are seeing some of the major organizations around the globe really taking this insider risk more seriously these days. We just need to get other organizations to catch up, too.

[00:56:44 Andrew Rose]

I saw a statistic in an article that of the reported insider threats, corporate espionage. It appeared that the maximum or the top end of the payout was $100,000 for access those credentials and it averaged around $56,000.

Now, those numbers are probably just reported instances. I don't know if that range exists or not, but if you think about your corporate secrets, your trade secrets, if somebody is offered that kind of money and they're in a department and they give you that access, like you said, once it's gone it's like the wind is already out there. You don't even know that's blowing around.

Mike, one of the things that you had mentioned, too, that you wanted to discuss was the future of regulations and the future of insurance. Given the changing landscape, do you want to comment on that?

[00:57:33 Mike Urbanik]

Yeah, absolutely with this episode being about the future. I think my perspective comes with dealing with the clients who are trying their best to protect themselves at a reasonable price and plan for the future. So, we seen in all trends, all data that the number of attacks goes up every year, year over year. Where then does the regulation or direction come from for businesses to design a defense that's going to work and be effective? And I mean that in the sense it going to come from U.S. government bodies?

We've seen some stuff coming down the pipeline and it's more of the stick versus the carrot. So, it's regulations like the high tech act, HIPAA, which say, hey, you medical providers collect a lot of personal identifiable information. You're being trusted with this. If you do not manage this correctly, we will levy fines and penalties on you. And in the state of Virginia, it can be up to $50,000.

There's a bunch of regulations and reporting hoops you have to jump through and it's basically that threat from the state that if you have one of these attacks, you will be punished. And there are people who are very aware of that. There are people who are not aware of that and that certainly guides actions.

We see companies like the insurance providers saying, hey, if you want insurance liability coverage, you need to implement firewalls, you need to implement MFA, you need to do these things. I've seen even I.T. vendors saying, hey, we will provide services to you, but we need to see a copy of your cyber liability before we enter into arrangement. So, we're seeing both the private industry with insurance companies, I.T. vendors shaping the future. We're seeing it a little bit from the government with these acts. I know there's some stuff attempted to be pushed through congress.

I haven't really paid attention to it too much because it doesn't really look like it has legs. But I was just as curious as you guys, you know, where do you see the future steering this, driving it? And you might be just as confused as I am. I don't know if you have an answer, but who do businesses turn to and say, All right, guys, what should I be doing as a prudent business owner to protect myself? It just kind of seems like a little bit of the Wild West, a little bit wide open field at the moment.

[01:00:11 Guest Andrew Rose]

I think regulation is actually really interesting in terms of where it goes next because there are so many challenges to it. Regulation, what does a regulator do if they want to try and reduce the risk in organization? Do they a create a specific list of things you must do? And they are sort of very specific. You must do x you must do y you must do z, this will reduce your risk.

They can do that and that's useful and that would raise standards across all the organizations. But it's slow, horribly slow. It's going to need to be updated regularly, which no one likes to do and it's not context friendly. So, whether the organization receives, they say, well, that doesn't apply to us in our particular scenario. So how does how do we interpret it? So being specific is an effective control, but horribly bogged down by other issues. So, do you go the other way? Do you go there do you go right? You must manage your own risk. Okay, so that becomes really easy to write and maintain as a standard, as a regulatory standard, but entirely useless for organizations to receive because then they go, well, we'll just do what we've always done, then fine. Okay, we'll get let's ignore it. So how do you- I guess the third option is outcome based. You go, don't get hacked or we’ll find you figure it out. And it's like, okay, well, that's how we might have to do something then. So how do you blend all those three together to create regulation that's going to be effective? And I think that's a really difficult thing to do. And I think regulators are probably constantly challenged by that. But I think the insurance industry actually has a place, a part to play in this because insurance industries have real visibility of the risk data. So, what really matters and what so you can be specific about that.

You can be much more agile in changing the requirements in terms of what should be done and what shouldn't and show trends and start to demand things ahead of time. You got skin in the game as well in terms of, you know, if they lose, you lose. So, there's just lots of different aspects that insurance companies can actually bring and actually start to, to be a better regulator than the regulators are and give those standards and say, if you meet our criteria for our insurance, then you're compliant with the standards that the industry requires.

And actually then the industry or the industry regulators have got to do that is say go and get insurance from these vendors. And if you pass and you get the insurance, then we know you're good. And so it's, I wonder whether there's an opportunity for insurance companies to really step up and start to be part of the regulatory solution. And I think that would help everybody, especially when it comes to third party risk management, because as a security professional, one of the things you worry about is the fact that my organization depends on 5000 other organizations to deliver a value proposition. And I I've got to understand the risk in every one of them to understand the risks that I hold.

That's really difficult to do. However, if they all had insurance policies and the insurance industry had certain standards and no other able to share the risk that they're seeing in those assessments, that could really help me from a security operator to look at and go, Well, actually all of these guys are good. These three organizations have got great risk ratings from insurer. Therefore, I should focus on them. So, I think there's a huge opportunity for insurance to step up and become a real partner to both security professionals and the industry regulators.

[01:03:19 Mike Urbanik]

Yeah, I’m not going to disagree with anything you say there. I think all of that resonates and makes complete sense. The component of the regulations that I think is the most interesting and the one that would most be most impactful is the attempt to limit certain organization’s ability to collect information. And let me put that into perspective.

So, let's say you go and you join your local Kroger or grocery store and you want to get a valued member card. Well, they collect your first name, your last name, your home address, your email, your phone number. The question now, I think a lot of regulators ask and you can take that scenario and then multiply it to Twitter, to Facebook, much more prevalent data collectors.

Should they really have access to that? Do they have a right to that data? And all these businesses would say yes, because we profit off of it heavily. But then when they leak the data, they're not, you know, levied the fines correctly. And that's that is a whole other podcast in and of itself. But I think if we could get to the gateway, that barrier of entry and say, okay, which organizations really should be collecting this information, you shouldn't have access to socials, and zip codes, and what have you. You're a grocery store.

You certainly don't need that. And they probably help themselves by not being a target for an attack collecting those things. So that's the type of legislation and direction that I've seen it coming from that I could think would be beneficial because it detracts from the data being put out there.

I think that's an interesting way of going about it. Hopefully it gets legs. I know it's going through the legislative process now, but it's certainly going to be challenged because data is big business and big money to have that information, sell it, use it, do whatever it is you do. And certainly, we all benefit it on the back end, maybe in ways we don't see. But it does help grease the wheels of technology. The tradeoff is convenience for security. That high wire act, again,

[01:05:25 Guest Andrew Rose]

It's interesting because all your organizations, all the data scientists and every big organization will hate that idea, that proposal, that they can only collect data that they really need because they love to collect every iota of data they can throw all together and go, look, people in red cars buy on a Tuesday, that's, let's, can we use that somehow.

So yeah, the data scientists will hate that concept, but actually I think it's a good one that you could you build up a certain level of trust to the security you build. And by achieving that level of trust, then you can collect certain data fields and then you're allowed to sort of if you can increase your trust, you can increase you can increase the amount of data you collect. Seems like a sensible way forward. Frankly.

[01:06:01 Andrew Rose]

Andrew, you are a CISOs, CISO. You are the nexus of CISOs around the planet. You get to see things that a CISO in isolation may only see in his window. But you're seeing a lot of different viewpoints here. What are some of the things emerging threats that we haven't talked about today that should be on our radar screen as well?

[01:06:22 Guest Andrew Rose]

Oh lordy, we've covered a lot of ground today. I think one thing we perhaps haven't touched on, and I hate to go back to it, is A.I, again and how A.I. will start to help both attackers and defenders. That's one thing we haven't really talked about social engineering aspects of A.I., but we didn't talk about the technology aspects. I think that's something that we need to think about too.

So A.I. will help the attackers to, as we mentioned, find vulnerable people and target them more appropriately. But it also helping to create better malware and find vulnerabilities more rapidly and to scout out networks. So, there's going to be more tools for the for the attackers, but then it's going to be new attack models as well, because once A.I. is started to be embraced by every organization, then, you know, are we going to see attackers breaking into an organization and poisoning the data that the A.I. uses to make its choices?

So we'll actually see an A.I. making the incorrect choice because the data was poisoned. Or we'll see that, and A.l. LLM will be used within the organization to help the analysts do their job better. So, one example I've been using is, you know, you speak to a network team, and they say, well, have you got a network diagram for a network? And they'll go, well, no, I haven’t got one, I've got 150. Does that help?

And so, because the network so complex is that 150 network diagrams. So, for them to understand it better, creating an LLM which enables them to work with their network diagrams, to go well where’s was are biggest vulnerability was the biggest weakness? That can be really helpful for the network team.

Problem is, if an attacker logs in with the right credentials, they go straight to the same LLM and go where’s their biggest vulnerability was the biggest weakness, and they use that against the organization. So, there's a whole developing attack surface regarding A.I. and how it's being used in our organizations and how the attackers will use it either against us or use our own LLMs our own A.I. to better navigate our own networks and better enable their own attacks.

So, I think that's something we need to think about as well. And that's still very much early days, but it's something that's on the on the horizon.

[01:08:25 Andrew Rose]

And just from a game theory standpoint, I mean, it sounds fascinating. You know, if you take the parties and the emotional impact and financial impact out of it, it's a game play. It just for some of our listeners who might not be as savvy. LLM stands for Large Language Machine learning which is one of the tools that A.I. uses. Can you explain that in a little bit just for the non-technical folks that are in the audience?

[01:08:52 Guest Andrew Rose]

Well, I'd count myself with those non-technical folks, frankly, when we get to this level, but it basically just gives you a human interface to what may be very technical. So actually, you know, as with the network diagram on 150 network documents showing how your network fits together, it's really complicated to try and figure out how that looks. So you can go to an LLM and just ask a simple human question. So where are all the ones that are connected to the Internet?

And it can assimilate all that data, scrunch all that data, and come back a human response going, Oh it's a network 4 network 5, it's over here. So, it just enables you to interface with huge amounts of data in a really human friendly way and it creates, you know, just a very pleasant interface to work with. You can ask normal questions and get pretty normal answers back at the level that you want, and you can push and say, Well, give me a bit more detail about this.

And I'd recommend to everybody who's listening to this, if you haven't played with ChatGPT, go and log on to it. Go and set up an account, log on to chat and start playing with it, because it will open your eyes to the huge power of A.I., which is about to revolutionize so many things in our world.

So A.I. is transformational and you don't really understand it until you start tinkering with it and playing with it. So, set yourself up with a ChatGPT account and start to just play and really understand how it's going to make things so much different.

[01:10:13 Andrew Rose]

I agree. I love it. I was an early advocate of open A.I. and use all their tools and I am absolutely stunned at the - I shouldn't say stunned - It's very good. I can still discern, however, when I've asked it to do a task and the language they use, and perhaps I'm not using the right I don't know nuance or accent or regionality of the articles responses have asked them to create for me, but I can still see it.

But I guarantee in eight months I won't be able to tell the difference between A.I. generated text and it's something I would have written, or another expert would have written. You know, again, the emerging threat, it's already on the shore. It's here it is. It's not going to be a threat of tomorrow. It’s the threat of today, it is. Yeah.

So, Andrew, I do want to give you a little bit of microphone here as well to promote yourself. Again, I was not being facetious when I said your CISO’s, CISO, you are the man internationally. If you do a Google search, you’re the name that comes up in the top five as well. Talk a little bit more about what your role is, what you see the future for Andrew, how people can get in touch with you, what ways that you want to interact with them. What are some of the things that you'd like to get out of our audience?

[01:11:30 Guest Andrew Rose]

Well, I guess I'd just like to stay connected with people, just to understand what CISOs and security professionals are experiencing out there. It's one of my key focuses is to understand how security professionals can be better served. How they can be better supported to make those tough decisions to where to invest, how to protect your enterprises, what to prioritize first.

There's so many different decisions and security is such a complicated area that each one of us as security professionals struggles. We all struggle with this. So, if we can work together, if we can act as a community and share insights, share experiences, share stories, share solutions, everybody benefits. And I'm really keen to sort of be at the heart of that and help cross-pollinate ideas between security professionals so that they can all learn from each other, so I can learn from them, and we can really help security move forward and enable us to protect our own organizations.

In terms of getting in touch with me, probably the simplest way is on LinkedIn, really. I think I to get Andrewrose1 as my LinkedIn profile. I'm not quite sure what your number is, but have a look on LinkedIn and, and you will find me on there and I think I've actually also got a Twitter or ‘X’ account, however you call that one, which is @Andyroseciso, so Andyrose c i s o. So again reach out to me on there as well. I'm more than happy to speak to any of you guys and listen to your stories and share my insights as well regarding cybersecurity and on my journey through all this, this wonderful world of security.

[01:13:00 Andrew Rose]

And I appreciate that. And we'll put your contact information somewhere around on in the narrative below this podcast and we'll make sure that you get people get a hold of you there.

One thing that we did discuss today, but it popped up on the top ten list of emerging threats is the lack of awareness companies have for after an attack happens. Used to be in the old days we'd say it's not if it's when. Now the new it's not when it's again.

So that preparation of the C-suite to be able to operate without pieces of critical information, not being able to pay invoices or make payroll without records. I strongly encourage companies to tabletop exercise the aftermath of an attack, and that typically is going to involve the C-suite that's non-technical. It's not going to be the CISO or the CTO because they've got their own issues to deal with. If you're a CFO and you've got no invoicing records, billing records, payable records or anything like that, you still need to conduct your business in some way.

So, I would encourage folks out there, not only understand the nature of attacks, but also the nature of your response as an organization to these attacks.

[01:14:08 Guest Andrew Rose]

Yeah, it's a topic I've talked a lot about recently. It's the concept of cyber resilience, because having been in this industry for so long, I’ve seen a change. So, it started was I.T. security in the first days was just like, please make those PC’s of their stuff getting hacked.

It was I.T. security, then it moved to information security. It was a case of, well, actually, this information is valuable. Can we protect it? Then it moved to cyber security, and that was more about, well, hang on. A digital attack and physical consequences so, let's try to stop that happening. And now we're just moving into this phase of cyber resilience and really the difference I suggest, between cyber security and cyber resilience is not having that downtime not being taken offline by ransomware or by a malware attack, data leakage or whatever.

It's about continuing your business, even though you know you're being attacked, even though you know you have an attacker on your network, how can you continue to operate? How can you continue your medical services to your customers even though your network is under attack? And that's where I think a lot of us needs to focus for the next generation of cybersecurity maturity. How can we start to keep, say, some of the systems safe from those cyber attacks so that we can keep business running even though the attack is happening?

[01:15:23 Andrew Rose]

I love that concept again, I mentioned I've got many years experience in marketing and one of the things that we started implementing were dark web pages, understanding that our website could be taken offline. You need a rollover site immediately. I love the cyber resiliency philosophy. That's something I'm going to explore over the future.

So, Mike, we’ve covered a lot of territory here and I really do appreciate your insights here because I know that some of them were more philosophical, they weren't permanent at this point in time. And you really have painted a nice picture there from your perspective in risk management.

What are some things that we may not have covered or some things that you want to stress from our discussion today?

[01:15:59 Mike Urbanik]

I think we've covered a lot, so I don't want to beat anyone over the head anymore. I think, you know, there's a takeaway - the threat of cyber attack just isn't going away. Hopefully it'll get better. The landscape as regulators, companies just get better about managing this. But right now, it is daunting.

Don't shy away from the problem. If you're a business owner out there listening to this or an individual, you can't just turn your head away or put your head in the sand and just pretend like this isn't there. It is not an easy thing, but it is manageable. You can do it and you can probably stop 99.9% of all attacks with some pretty minimal barriers in place.

You know, so don't shy away from it. Work with your managed service provider, work with companies like DTC, implement products like Proofpoint. And if you do these things, you will stop, like I said, 99% of the attacks. So don't think this is unachievable and throw your hands up and give up. You can do a lot of good for yourself and protect your business, which is most likely your biggest asset. That's the takeaway I want people to go with today.

[01:17:15 Andrew Rose]

Andrew, I'll let you have some closing thoughts there as well.

[01:17:18 Guest Andrew Rose]

There's not much to disagree with there. You can tackle this pragmatically by putting in place some really good hygiene aspects such as email filtering, awareness, training, patching your systems, multi-factor authentication, encrypting your backups and keeping them offline, having you know careful account management, regular penetration tests. All of those things are relatively easy to put in place, but they will help you so, so much in preventing one of these things happening to you.

However, there's always that one case. There's always that one thing that gets through. And so, despite all your investments in preventing this thing happening, you have to consider what do we do when it does happen? What am I processes for dealing with the emergency wallet when it happens? And what is my process for getting our business back, running once it has happened?

And that may involve you working with your insurance company who are obviously very experienced in dealing with these issues and helping you get back on your feet, or it may involve you just sort of working on your own and your own tech guys to figure out what that looks like. But don't mess that piece out. Don't put all of your focus into prevention. Think about detection, think about response and recovery as well, because those are very important.

And finally, realize that it's not just about technology far far from being just about technology. This is so much about people. So do not neglect educating your people about cybersecurity.

Tell them why it's important. Make sure they're aware of the type of threats are likely to receive and what they're meant to do when they do receive them. So, think about the people aspect, because so much of our money gets spent on the technology side, but actually the majority of the risks, it's on the people side. So again, don't neglect that make those balance up better and you'll have a much better protected organization.

[01:19:06 Andrew Rose]

Fantastic advice. This is wonderful and I appreciate you joining me today.

As our listeners might recognize, Andrew has a different accent than Mike and I do, and he's calling from a whole different time zone, so I appreciate him making the time to get on this podcast with us. And I know Mike is sitting out in the mountains with a few lean hounds that are ready to run outside. He just can't wait to get out there and see him chase rabbits or whatever it is they're going to do in the mountains.

But thank you, gentlemen, so much for joining us today on the Cyber Savvy Podcast. And again, my name is Andrew Rose. DTC is a premier managed service provider, taking care of the computer systems for specialty medical offices. They are elite and just like I mentioned, R.K. Tongue is white glove elite as well. That's who we associate. And this is another reason why Andrew Rose, our friend from Proofpoint, is on here as well. We try to bring you the best, the best to give you the perspective you need to make sure that you are cyber savvy and as protected as possible in your business interests.

[01:20:08 Outro Music]

We would love to hear from you. Please email us your questions or comments to askus@dtctoday.com New episodes of Cyber Savvy, are posted the second Tuesday of every month.

For more detailed information, visit our Web site at DTCtoday.com. Be prepared. Be cyber savvy.

Cyber Savvy

Future of Cybercrime and Cybersecurity

Listen to this podcast on