Untangled

Breaking Point: The Escalating Threat of Ransomware and Data Breaches

November 10, 2023 Abhijit Verekar Season 2 Episode 5

In a live stream discussion, experts Robert Kornovich and AV discussed the escalating threat of ransomware and data breaches. They emphasized the importance of proactive planning and regular training for staff to recognize and respond to potential threats. They also highlighted the need for organizations to prioritize their most critical services and ensure they have the necessary resources to recover quickly in the event of an attack. The experts warned against complacency and the false sense of security from relying on cybersecurity insurance or AI tools. They also advised organizations to regularly review and update their cybersecurity policies and procedures and consider seeking external help in case of a breach.

Stay up to date on industry trends!

Download our free eBook:
➡ https://bit.ly/2023techguide

Learn More About Avero:
➡ https://www.averoadvisors.com

Connect With Us:
LinkedIn: https://www.linkedin.com/company/averoadvisors
Facebook: https://www.facebook.com/averoadvisors
Instagram: https://www.instagram.com/averoadvisors
TikTok: https://www.tiktok.com/@averoadvisors

Connect With AV:
LinkedIn: https://www.linkedin.com/in/verekar

(865) 415-3848 | info@averoadvisors.com

Megan (00:00):

The promotion, but I couldn't stay away. Oh, now we're live. So were we not live a while ago. Okay. Sorry guys. Welcome to our live stream today. Happy to be back. I've been out for a few weeks, but I just couldn't stay away with this topic, escalating the threat of ransomware and data breaches. So I have two very esteemed experts on this topic. Mr. Robert Kornovich, who is the director of advisory services, and I think you guys might know AV already, who is our founder and CEO here at Avero. So just to kick us off, what does this topic mean to the two of you and what is ransomware and what does it mean to have a data breach and whoever can take that first?

Robert (00:48):

Yeah, I'll start first because the reason why this is important for me is because we consistently see issues on the client end with almost every client we work with. Doesn't mean everyone is in a bad state, but there are a couple things that I'm still consistently seeing even in organizations that have really taken great efforts and great strides to beef up their internal and external security. So this topic is near and dear to my heart. It's a common thread with every client.

AV (01:17):

And I'll echo those sentiments and not just near and dear, but it's also scary, right? From a service provider perspective, when clients put their trust in you, you have to be on top of everything without any excuses. You don't have any excuses. So we have a deep understanding of what that means, not just from a practitioner's perspective, but as executives and leaders. What this means to the clients that we talk to on a daily basis, the Chief Executives, the Mayors, the City Managers, because at the end of the day, if there is ransomware or if there is data breach or something bad happening in your environment, it's not the IT director or the CIO in the newspapers, it's the Mayor, it's the Chief Executive. So...

Robert (02:07):

Our enterprise risk too. So it's the domain and purview of those executive leaders.

AV (02:13):

So it's been our, we've professed this since inception is that don't treat this as an IT issue. Yes, it is at the very baseline of it, but it really revolves around what impact it's going to have on your organization as a whole and who's going to be in the press. It's the chief executive, it's the council, so don't disregard, this is not something I understand or it's not my job to do this. It's absolutely your job to pay attention to how this is being handled.

Megan (02:47):

Yeah. So how does ransomware work? Can you guys give me some examples of how this gets into an organization and just the catastrophe that it causes or could cause?

Robert (03:02):

Yeah, so your biggest attack vector is still your end user's device that they're using, the device they have in their hands or the computer they're using on a daily basis. Attacks that don't use that are incredibly rare because there's an element of social engineering, which is I'm going to send you a link or something that looks legitimate and get you to click on something or open a file. And then usually the code's inside of that and it's a lot, I'm a pilot, so we talk about aviation incidents, talk about, it's usually a chain of things that occur and if you stop the occurrence of one tiny piece of it, then the incident or the accident doesn't occur. It tends to be the same thing in ransomware. You haven't updated your endpoint security in a while. You haven't trained your staff about how to recognize emails that have social engineering in them or going with their gut feeling that, you know what, this doesn't sound right.
(03:55)
I'm going to call this person and see if they actually sent this email. So it's usually a combination of security issues. Maybe you gave some of your users full administrative rights on their workstation to fix a problem one day. You haven't trained them in a while, you haven't developed a plan to teach them to come to you as soon as they think something is going on and then they click on an attachment or a link, they launch the ransomware and then the headache starts. And what's scary, I think what people need to really, really think about is you're not going to know that very instant. You're going to find out sometimes your end user days later that this is going on. We see that pretty consistently. So it has to be proactive. You can't just wait for someone to give you a call and say, Hey, all the files on my computer are encrypted and I got this message demanding that I send them a bunch of Bitcoin.

AV (04:47):

And it's not always enterprise, right? Social engineering is, it's not necessarily just on the computer. You have people doing social engineering on the phone, scamming older folks, scamming young people on text messages, right? Go get Apple gift cards and we've heard stories of people getting $3,000, $4,000 worth of gift cards for an unknown number they just got. So it's very deep in the psyche of people to, I don't know, be trustworthy of someone on the other side of the phone. And no matter how much you spend on network equipment and SIEMs and cybersecurity programs, if your staff is susceptible to social engineering, really that's what you need to protect against because that's what leads to bad stuff coming into your network.

Robert (05:39):

And the bad actors in this case that are sending you the ransomware, they are hoping and are usually a hundred percent correct on there is a flaw in your processes in your security and it even stretches out to, you might have the tools to stop mitigate the ransomware attack, but you don't have data backups that you've tested in a while. So if you restore data, it's not there and you start seriously thinking, I'm going to have to pay this ransom to get my data back. So they're banking on the fact that you've got a flaw somewhere, that you are the typical IT shop with a million things going on and maybe your executive-level leadership hasn't prioritized some of the budget things that you have in there. I'm not going to blame it blanketly on this because I think a lot of 'em are trying, but it's a competing interest and sometimes they don't get the funding for it. But again, it's not just the incident itself, it's the fact that you're not going to be able to recover your data or you're not going to be able to do it correctly. Or in some cases we've seen users or IT shops that accidentally deleted good data because they hadn't tested their backup in a while. So it essentially had the same effect as the ransomware.

AV (06:48):

Yeah. So what's the solution, Robert? I think we've talked about this at length previously, but is there a specific software or a hardware set or a stack that you need to really button things down and is it a one and done kind of thing? Because these are the questions we get from our clients, even if they're not asking us directly, you can think of the client. I'm thinking about how do you do this if there is no one real answer.

Robert (07:21):

So as we always talk about it, it's always carried. Good cybersecurity practices and protection are carried from moment to moment. There is a set it and forget it. There's never a time when you can take your eye off of your workstation patching that you can take an eye off your planning and it really is, it's the most important stuff hopefully you'll never need is another way to look at it as well because it becomes a competing interest with everything else you're trying to do in IT. So it's typical, I'm going to let workstation patching slip this month, they'll get caught up next month. You miss a critical update that exposes the vulnerability. So I've been finding a way to distill this down because we've done several talks on this with long presentations and we do long reports in some cases for clients and we really have to go through the risks.
(08:07)
I really wanted to distill it down to planning. Planning has so many benefits. You put a plan together for disaster recovery and for an incident mitigation, you practice it, you find the flaws, you find the things that you need to change, you improve the plan, you practice it again, and I think it has two, maybe even three really good results on that. One, you're going to be ready to jump on this incident next time it happens and stop it quickly and not take months. And we've seen in local government, it take months for them to get their systems back. I mean, think about this. Everything in your shop and in your municipal government was down for months. This is not uncommon. So the planning is the best way to get you to stop the incident, get recovered, and get back up and running. I think it also flows into budgets.
(08:59)
If you identify that I'm going to need this particular piece, I have a vulnerability here, I need to have better data backups. I need to have ones that take snapshots throughout the day and not just one full backup at night or one full backup a week that we see or one full backup a month, which unfortunately we have seen a few clients do. It's going to help you drive that conversation with your executive leadership. We tested this, we found this to be a problem. This is how much it costs to fix. Easier to have that budget discussion, and it's also easier for you as a CIO to tell your leadership what your budget needs to be. And then processes will just simply get better the more that you test them, improve upon them, talk about them with your team, and at the same time get your full team's because as the CIO, you're not the one responding to the incident that day. Maybe you're out of town, maybe it's someone further down your IT chain, especially if you're a small shop that has to do the disaster recovery on this, make sure that you have that plan, that you test it, you have everyone involved. I think that's the quickest, simplest, straightforward way to help mitigate risk.
(10:10)
I didn't mean to leave you guys.

Megan (10:10):

Do you guys have any success stories where a client actually did do? I don't know. I'm experiencing some cutting in and out. Can you guys hear me okay still?

Robert (10:24):

Yeah.

AV (10:24):

Yeah, you're good.

Megan (10:29):

Okay. Okay. Sorry. Sorry about that. Can you guys provide me with an example or a success story where a client of ours actually did their data backups and they actually had a plan for when they experienced a ransomware attack?

AV (10:48):

I can't name names or you, yeah, can't name names. But yes, several instances of when this has been done, right? We had a client where we implemented a cybersecurity policy and the right tools, and it doesn't mean you have to buy tools from us or go get new stuff. A lot of times you have things that have been in place that have never been installed, that you've never closed all the ports, you've left some things open for some vendor that doesn't work with you anymore. So taking a look at your existing infrastructure and a lot of times because it's the easiest thing to do, IT shops go out and buy the best things they can and never implement them because they haven't bought the service, they haven't bought the support, they don't know how to do it. There's other priorities. So they plug this thing in and they don't install it.
(11:40)
It's like buying a 20,000 window and leaving it open. So our audits and our strategic planning helps them close those loopholes and close everything up. The second thing is documentation is critical. Cybersecurity planning, disaster recovery planning, incident response. What do you do when a cyber event happens? What do you do when ransomware is suspected? Do you forward an email on to IT that says if you're using Google, it'll show you a poke sign. This is probably a phishing attack. Don't do anything with this report is spent, but you instead forward it on to IT and now it spreads. What is the right way of handling this? So all of these things we help with, so having done this for this particular client, they had an incident and they were able to mitigate it I think within seven minutes, meaning from the time that somebody saw an email come through and they had even I think clicked on the link, but they immediately figured out that it was wrong and they made the right call, meaning they went through the checklist that they had been trained on and called the right people and they were able to isolate that desktop and prevent the spread.
(13:01)
But that doesn't mean that it was foolproof, right? You had to still test the rest of the network and make sure that everything was fine. But turns out that critical action of that employee reaching out through the right channels and following the process is what saved the day for them.

Robert (13:16):

Yeah, I want to talk about the complacency component, which comes with proactive approach. And I know a lot of IT shops, especially in their annual reports on budget, like to highlight, we prevented 13,000 attacks, things like that a day. Those metrics are great, but they're going to lull people into a false sense of security honestly. And you're going to think that, hey, we've got this taken care of. I can go back over and go concentrate on this project or these things that need to be done internally because that complacency is very easy to start building in. I would recommend that unless you really, really absolutely have to give stats on we've trained this many people on our staff and we've mitigated this many incidents, I would be very careful who you put that in front of because you're going to send a false sense of security. Some of it's like I lock my garage door at night, I don't know how many people necessarily come up and jiggle the handle to try and get in the room. So I can't tell you how many people have been prevented because I parked my car in a well lit spot or I locked the doors. All these simple things so it becomes easy to lull yourself into, I must be doing things so either I don't have to worry about it or I don't have to constantly improve. And both of those are, again, that's what the bad actors are banking on is you're going to get complacent.

AV (14:36):

Well, and it doesn't mean anything, right? 13,000 attacks a minute. Of course they're happening right now because it's not some hacker in a hoodie and a mask trying to get into your computer. It's software. They've released software into the wild that's trying to get into every vulnerable network out there, and therefore they're trying to force their way into it. So the best way to do it to them or this particular group of bad actors is to just overwhelm your network. So of course they're going to try and sneak in one past the goalie, right? You're trying to constantly hit the goal. So the numbers are misleading, but what happens if you do get attacked is what matters the most.

Megan (15:26):

What are your all's thoughts on the statement: it's not if you're going to receive a ransomware attack, it's when? Do you think that's a true statement or how do you feel about that?

Robert (15:42):

I think you just have to assume you're going to get hit because you are. If not at this place you're currently working as CIO, you're going to get hit in your career. It's going to occur and you're not going to be able to tell exactly what kind of an attack it is. You're just going to get that phone call of, Hey, someone's encrypting all the folders on the accounting drive. Just assume that it's going to happen at any moment and do everything you can. And again, resources are finite. So not telling you go out and spend 3 million when your total IT budget is $400,000, but if nothing else, planning is going to be able to help you identify what resources do I need externally? So when this does happen, I can bring in people from neighboring agencies who want to partner. I've got a vendor identified all that planning doesn't require significant amount of money and outlay and maybe supplement with managed services to what you need, but I'll say it 10 more times. The planning is the piece that's the most important.

AV (16:49):

Yeah, and it doesn't always have to be ransomware. That's the most painful externally and internally you can just have malicious actors doing it for fun. They don't want anything. They just want to see you in pain. So they'll delete files and encrypt files, throw up memes on your computer for fun and disrupt business. You're not in the news necessarily, but you're dealing with something really weird here. So yeah, you're going to deal with something of this sort in your career, so just be prepared for it and the best way to do it is be prepared and protected for when that happens. You know what gears to kick into.

Robert (17:34):

Yeah, and part of this topic is also data breaches. So you have to recognize that you have staff internally that could be doing nefarious things. We had a client where they're pretty sure there were some people on their staff that were leaking sensitive to the press to try and make a point about something or for who knows what reason. You have to take just the fact that you're dealing with human beings on your staff and they have their own vulnerabilities. Social are not that ransomware exploits. There's also just that's people in there who have access to sensitive information that are either handling inappropriately on purpose or by accident. That's part of the whole scheme, which is why when we go in and look at this, we talk about policies and procedures and getting everyone aligned onto how are you going to enforce that? Do you actually have a policy that tells 'em they can't do that other than maybe it's against the law? So how do you take steps to really control your data security and your data breaches if you don't have documentation that's actually been vetted and tested?

Megan (18:34):

How would you all suggest training for end users as it relates to ransomware data breaches? How would you make sure that the employees are up to date on policies and procedures and what steps to take if something were to happen?

AV (18:52):

I think it needs to be ongoing, but there's tools like KnowBe4 that do random testing on what they've been trained on to see who falls for certain things. But I think there's also a sense of hope that I have because of the newer workforce coming into the market that is more savvy with these things that doesn't make it foolproof. It's just a little more hope that there is no easy ransomware or phishing attacks that can get you like what's happened in the last 10 years. It's usually someone pretending to be a cousin on Facebook. They'll send you a link. Or pretending to be your boss saying, Hey, click here and access your raise or promotion letter. People need to be more not trusting of anything on the internet. And that's the beginning of tightening things down.

Robert (19:50):

Yeah, constant conversation is what I come down to. It should be identified as the number one risk that you have these days because it really is when these do happen and these things are in place to allow the situation to get worse, it becomes catastrophic careers and incredible payouts of money. And by the way, your cybersecurity insurance, you better check that and see what the terms are on that. Because customers who've come to us after the fact, were surprised by they had to pay the first a hundred thousand dollars or the insurance company wasn't going to cover you because you don't have an updated cybersecurity plan or set of policies and procedures. So constant conversation is probably just the best way to handle it going forward and just keeping your staff, especially those in finance like AV was just alluding to, is letting them use what they have to do for compliance already to help them bring cybersecurity into that mix as well.
(20:51)
I'm one of the people in this process for printing checks for vendors. I know I'm not just going to take a handwritten note from someone that says, cut me a check from this account to this vendor. It does happen every so often, but most people pretty savvy. You can incorporate cybersecurity into those types of compliance issues as well. It really is the same mindset. You're proactively mitigating an enterprise risk in your organization. Doesn't matter if it's IT, if it's finance, if it's PR. Again, this is why it's the domain of people in compliance and as well as your executive leadership.

AV (21:26):

And you made a good point, Robert. Insurance, it's like litigation, right? The prevailing, the sage advice is don't let it go there. It's not going to lead to a good outcome, or rather the outcomes in your favor may not happen. So yes, have those things in place, but it's the last ditch Hail Mary that you'll have. Once you have ransomware, you can't count on it. And most of the time it's what people count on. We have cyber insurance, you're still going to have to go through the pain. So what if they pay the ransom? You're going to be stuck with restoring your files. You're going to be stuck with restoring confidence. You're going to be stuck with replacing your hardware and software and the ransom people. The bad guys are going to get paid because you have insurance. So it's one strategy. It's not all of it. And we go through this 22 point framework with our clients and show them exactly where they stand based on national standards and best practices. And correct me, Robert, but I don't think cyber insurance is even in there as one of the standards.

Robert (22:37):

No, because you can't rely upon it. And organizations, depending upon how they manage their risk pool, whether they self-insure, which is possible. A lot of people just don't even read the fine print on the cybersecurity. It's a CFO going out and buying it and like, okay, this is my backstop. But I was just thinking of a situation with someone who came to us a couple of years ago, got hit with ransomware, every single workstation got hit and got taken down. The organization determined that the quickest way to get up and running was to buy new workstations, get them configured and get them up and running, and then do something with the old workstations, either just abandon them completely or use them for spares later on. Cybersecurity insurance said, no, we're not paying for that. Your old workstations are perfectly fine. You just need to go in there and wipe all the ransomware off of it, which is a huge task to do when you're just trying to get your operations up and running.
(23:30)
So you're going to get a lot of surprises unless you actually look at that policy and read it with someone who knows what they're looking for. And again, work that into your disaster recovery plan. If I had to make a claim against cybersecurity, let's test it out. Let me put a scenario together real quick in my head and test it against my cybersecurity insurance and see if, and you can call your cybersecurity insurance and give them what ifs. You can give them scenarios. They're going to tell you how this is going to play out for you. So I would don't just buy it blanket and think, okay, I'm good to go. I got a million dollars protection. You're going to have to run that down and make sure that you're getting exactly what you need. Because cybersecurity insurers are getting hit constantly with payouts and they had to start doing something to mitigate their loss.

Megan (24:19):

I want to dive into vulnerabilities or things to look for. So I know a lot of times when we go into an organization, the CFO may not know what questions to ask the IT director. And so what can different department heads or people within the organizations, what can they look for or what are some of the factors that contribute to some of these increased vulnerabilities?

AV (24:47):

So I'll let Robert get into the details, but this is one of the most visited pages on our website. I'm going to give a link to it. It's questions to ask the IT director.
(25:00)
Again, huge fan of the profession. Many great friends in the profession. Robert used to be a client, CIO of mine. But people that we constantly talk to, the CFOs, the CIOs, the c-suite executive directors, if they're stuck with a bad CIO that they don't know what questions to ask, they don't know what's good, what's bad. Are we cyber secure? Yes, we are. What does that mean? What's the next three levels or layers of questions to ask? That's where we step in. And so we wrote this, it needs to be updated. We wrote this I think during COVID, and it's been one of the most visited pages on our website. I'm going to link it to in the comments here, but Robert, what are your thoughts?

Robert (25:48):

As a head of your department? I would ask for a tabletop exercise. And if you can make it something that's a little bit of a surprise, work it out with your CEO or your executive director, but test it. Let's pretend that there's been a massive ransomware incident or that there's a regional disaster and suddenly your services are unavailable. Tabletop exercise that with IT for half an hour or an hour and see do they really have a plan and do they know what actually needs to be up and running first? In your department, you would be surprised as to what IT thinks is a priority. They think that something like this over here is a priority. Well, guess what? That doesn't affect interaction with the public. That needs to come up secondary or even later on down the list. I need to be able to start taking payments from the public or in cases of housing authorities.
(26:38)
I still have to continue to house people. I still have to report things to HUD on a regular basis. I can't just say, oh, ransomware, I'm down for two weeks. So really test and use your gut instinct because a lot of times we go in and we talk to executive leadership and their gut instinct. If something is just not right, I need you guys to run that down. It is almost always 100% correct. So go with what your gut is telling you as to, yeah, it seems reasonable what these folks are doing. Or boy, that tabletop exercise did not give me a good sense of security on this. This needs to be looked into.

AV (27:13):

And that's even more amplified if you're running older systems on-premise ERP solutions that you think are being backed up and you're not in the cloud. You haven't adopted cloud because you don't trust the cloud. But here you are on-premise, not having done backups right for the last three years or more. And yes, you may have the tapes to prove that you did backup, but have you ever tried to restore them? So again, data breaches and ransomware from external sources is yes, one big attack vector and a huge risk, but there's many risks in your own organization that need to be looked at in addition to looking at how you protect yourself from the outside.

Megan (28:04):

So now that I've identified the vulnerabilities or the risks, right? I'm a CFO, how do I start with an incident response plan? How can I work with my IT team to sort of either revamp what we already have or let's just erase everything and start at the beginning?

Robert (28:23):

Yeah, I think it starts with prioritizing what is the most important services in your organization and look at it from an aspect of what can I afford to have down for an hour? What can I afford to have down for a day? And then for a week, and even for a month, in some cases, you might be able to go a month without a service. That's pretty rare, but get clear in your head as to what you're trying to uphold rather than prevent, this system has to be running constantly. I cannot stand to have half a day down. We're not able to use this process. And then that discussion then drives, well, what budget does IT need or do I need to help with so that we can guarantee that downtime is not more than five minutes a year, the five nines or six nines, seven nines.
(29:11)
I'm not even sure what they're up to at this point, but it's significant outlay of cash. If you want to have complete reliability and redundancy that ensures that you are not down at any particular time. You have to have that before you can approach it and work a lot of that out. And IT is going to be looking for that because they're not experts on your department. You are. You're the one that has to bring the information to them and say, this is what I need and this is what I expect from my organization. And get that worked out because IT is probably not going to come ask you that question. They're going to assume that email's the most important thing to get up and running. And so if something happens, they're going to spend half a day just trying to get mailboxes up and running and mail's important, but it's probably not the most critical service that you're providing. And what makes your organization unique do to serve the public?

AV (30:01):

And most organizations are trying to run a lean IT organization. Their best practice is outsourced to the vendors get managed services software as a service, whether it's vendors doing most of the heavy lifting in theory. So when something like a data breach or a ransomware attack happens, now your lean organization is a liability because you don't have enough hands or enough cycles to take care of the data breach. So I think one of the first things you need to put in the incident response plan and budget for it is outside help. There's cyber experts that can jump in and do nothing but that for the next week to pinpoint where things came from and more important tell you how to restore your services in a quick way instead of spinning your cycles on figuring out what happened when you don't have the expertise. The other thing we've seen IT shops do if they're the first ones to discover a breach is not tell anyone.
(31:06)
I think it's the first thing to do is inform your executives because again, they're the ones that will be in the media for a cyber breach, not the IT department. So as far as incident response planning goes, I think these are the first things you do. Seek help to pinpoint what door is open, what gate's open, close it, find out how you're going to restore your operations the quickest way possible, and along the way, inform executives, inform everybody you can. That is starting with the C-suite. Well, not everybody, but definitely the people that need to respond to this from a legislative standpoint, from a media standpoint on how to manage this risk. Megan (31:57):

So how are emerging technologies such as AI and machine learning, how are those being utilized by cyber criminals? Robert (32:11):

Yeah, it makes processes more sophisticated. It gives a lot of answers that would usually take a couple of days to figure out what are the vulnerabilities in this organization. The reason why when we do assessments for a lot of our clients, we mark the cybersecurity piece of it very, it's confidential. It really cannot be exposed to the public because even if it's fairly benign in a good report, you might be giving someone the key that allows them to put the puzzle together as to how to hack your system. And that doesn't mean someone's sitting there for days on end trying to figure out how am I going to hack your housing authority? But they're going to go to the best opportunity and use something like AI to quickly figure out, well, these guys haven't budgeted for replacing their endpoint security in a while. It took me two seconds to figure that out through AI.
(33:02)
I'm going to launch an attack against them and I should be pretty successful. So it makes processes quicker and relevant. Information gets into your hands a lot quicker if you know what you're asking for. But on the client end, on the other side of the equation, it has to be recognized as it's still a tool. This is an information tool. It does not replace what you actually need to do. So I don't want clients to get comfortable with, well, I've got AI on board, so if I have an incident, I can just ask it. Right? Boy, trying to put a plan together in the middle of the critical incident is the worst outcome. It will lead to very dangerous, unpredictable outcomes in almost every single case. AV (33:49):

Well, two points I want to make. One is AI. If you're trying to use that as your cybersecurity incident response plan development engine, right? It's going to give you what it thinks is good for you. You're a unique organization and it needs to be unique to you down to the person who should be called first if there's an incident, what phone numbers to use, all of that. The second point is, I actually forgot what the second point was, but using AI, you can create a shell of a plan, but definitely have someone with the expertise to understand your own operations, your own infrastructure, and then come up with a specific plan for you. Robert (34:33):

AI has been around for a while, widely available for at least a year, if not longer. I've yet to run into anyone who used it to successfully stop a cybersecurity attack and recover. It always comes back to those key points we've talked about. Megan (34:50):

Small to medium sized enterprises with limited resources secure themselves against ransomware. Sometimes they don't have the resources or the financial capacity to purchase cybersecurity insurance or to hire someone or bring someone from the outside in. So what would be your advice to those businesses or organizations? AV (35:14):

I think that's the lazy excuse, is we don't have money. You do for something like this, and again, you need to think of this as protecting your police station or your school buildings. This isn't just buying software. It's like we've talked about ERP system implementations. Don't treat this like you're buying another license of Microsoft. This is a huge deal, so find the money. I've been serving governments for almost 20 years, and I know there's always money in the banana stand. Robert (35:52):

Yeah. And if he's 100% correct, these are not sophisticated solutions. They're affordable solutions. And a lot of it goes back to the points we've made here, which is just your time and effort to build a plan and talk to your C-suite folks and figure out how to do this because it's opportunity, right? Cybercrime is almost always a crime of opportunity. You are an easy attack vector because you've never trained your end users. They're not going to sit there and try and figure out through a sophisticated algorithm, how am I going to break into your sophisticated endpoint product that you purchased? They don't do that. It's like, it's like someone criminal on the street. They're going to look for an unlocked door or an open window as their crime of opportunity. And if you lock your doors and keep your windows closed, chances of you having your car burglarized are incredibly lower than if you didn't do those two things. So these are not sophisticated, expensive solutions regardless of the size of your organization. AV (36:52):

And again, that price fallacy is everywhere. We were in a meeting yesterday where a critical process was not automated because of how much it costs or it was too expensive, and when pressed on, well, how much was it? There was no answer. It was just too expensive. And so who's asking that question? And in what sense is it expensive? In this case, it's more expensive not to do a plan, not to have an assessment, not to have an incident response plan, not to have a SIEM in place. It's going to be infinitely more expensive to the extent of losing your mayorship or losing your job as a city manager. Again, CIO will probably weather this out because you need them to restore and come out of the situation, but it's the top executives that will feel the pain the most. Robert (37:49):

Inaction is almost always more expensive than actually taking an action. AV (37:57):

Absolutely. Megan (37:59):

What emerging cybersecurity trends should organizations be aware of as they plan for the future? Robert (38:07):

I think it changes day to day. I think that's part of the concept here, which is having someone in your staff, and it doesn't have to be in IT. That's the key thing. Someone on your staff who's dedicated to cybersecurity, in fact, we like to house that with someone who's in compliance. If you have a compliance officer or compliance department, that's an easy way to use a mindset that's already there for controlling risk and adding cybersecurity to it without adding technical stuff. And that person can be involved with, if it's a housing authority, HUD gives briefings on technical topics on a regular basis, just someone who's keeping an eye on the trend, maybe talking with other organizations, state agencies that provide cybersecurity and anti-terrorism teams. Having someone involved in that who's got a constant pulse as to what's going on and is able to bring that back and say, this is an emerging threat. This is a new social engineering tactic. I think we need to let our end users know about it. It's going to be the best way for you to be able to do that. AV (39:12):

Yeah. So emerging trends. There's always something new. I had a different sticker last week. Someone bought someone out. The tools are the same. Yes, they'll get better with AI infused within them, but so will the ransomware attackers and the bad guys. So this is going to be ongoing, and you just have to be vigilant and cognizant of what's going on around you in real life. Megan (39:41):

Yeah. Should we dive into being attacked personally, having your personal data breached? As someone who is at that executive level in an organization, would it affect their day-to-day job and how they represent the organization and how can people protect themselves? Robert (40:05):

Yeah, it can happen, especially if you don't have clear policies and delineations as to how you're going to handle data so that people know that I'm not going to transact work stuff on my personal cell phone or my personal computer, especially without identifying the risk involved first. So in cases like law enforcement, they are very big on keeping two separate things there. This is my personal cell phone. I don't do work on it. This is my work cell phone. I don't do personal work on it and making sure there's a delineation. So if you're in a sensitive area, which most people are, you need to make that delineation early on so that a loss in one area does not affect the other area. And I know it's terrible to have to carry around two phones, but again, until you've actually had it happen to you where part of a legal discovery on a lawsuit or something and they need to confiscate your phone, then suddenly it becomes very real and becomes very serious. And you don't want to wait until that point to decide, how am I going to handle this in my organization? AV (41:06):

Well, there's many ways around that, but again, it all boils down to risk profile and how do you compartmentalize? It's difficult for someone like me, private life. Business life is very intertwined, but even within that, we need to find ways to separate ourselves and have data cleanliness and integrity between the business and personal lives. Megan (41:37):

Sure. As we wrap up today, do you two have any final thoughts as it relates to data breaches and ransomware? AV (41:47):

I think we'll repeat ourselves to the bitter end. AV (41:51):

Protect yourself. AV (41:53):

There is no silver bullet. Ask any questions you want of your IT folks. Go down to the third or fourth level of depth, and we can provide those questions to you to make sure that you're getting the answers that will help you sleep at night. Because "yes, we're cyber secure and you don't have to worry about anything" is not quite the answer you should be looking for. Robert (42:17):

Yeah, and I'll do the standard thing I've been saying on these sessions, which is if you need to talk to someone, talk to someone and get some ideas or try and wrap your head around something, give us a call. I love handing out free advice just in a simple Zoom session or a phone call. We can tell you what you need to look for and have an eye on. Megan (42:38):

Yeah, absolutely. Well, thank you guys for joining us today. Again, we can be reached on any social media platform. We're all over the place, and I will reiterate what the two of them said. Please reach out if you have questions or you're confused about something. We do love to build relationships and give free advice all the time. We truly care about our prospects and our clients. So thank you for joining us today. We'll be live next Monday, I believe. So it's different. So catch us next Monday and we can't wait to see you guys then. Thank you for joining us. AV (43:10):

Thank you, Megan.