Innovation Heroes

TRANSCRIPT - The Real Supply Chain Crisis: Ransomware

October 14, 2021

Ed 

This episode of Innovation Heroes is brought to you by Windows Autopilot. Unbox, login, and take off with Windows Autopilot today. Visit shi.com/windowsautopilot. [music plays]

 

Michael 

It's, kind of, like the cat's out of the bag now, and you know some of these ransomware moves now have been in the spotlight. These are people who are making a lot of money and then they're going to go after, specifically, companies that are willing, and able, to pay the ransom. [music plays]

 

Ed 

Hey, everyone. I'm your new host, Ed McNamara, and you're listening to the first episode of season three of Innovation Heroes, a podcast exploring the people in businesses, making a difference in our constantly disrupted world. Well, let's get into it. Every year, October brings to mind spooky stories. [thunder rumbles] But, if you're in the IT industry, you're in for another scare because it's also Cybersecurity Awareness Month, and we need to talk about the nightmare cases that have been plaguing us. [Halloween scream] There's definitely been scream-worthy headlines in the news recently.

 

Reporter 1 

It's another attack on critical infrastructure, this time the food supply. The world's biggest meat producer, forced to curtail operations after a ransomware attack.

 

Reporter 2 

The US government is once again scrambling tonight to contain what some experts are calling one of the biggest ransomware attacks ever.

 

Reporter 3 

What would you do if every computer in your office was hijacked by hackers? That's what happened to a Norwegian company recently, and they faced the dilemma to pay or not to pay.

 

Ed 

What's the thing that connects all these stories? One word: ransomware. But why does it seem so prevalent? What's making it different and worse? We know that cybersecurity threats are ever evolving, so we need to stay hyper vigilant, but, in order to move forward securely, you have to know exactly what you're up against. I used to think that the scariest part of ransomware was the ransom itself. You see these huge dollar figures in the headlines [cash register kachings] and it makes your stomach drop. In 2018, the average ransom fee was $5,000, a mere pittance compared to the numbers we saw last year, which clocked in at a whopping $200,000. And that number is really just the tip of the iceberg. It doesn't account for things like lost working hours, increased insurance premiums, or PR fees for dealing with the aftermath. And who's to say that you actually have your data back? After all, can you really trust a hacker to keep their word? It's definitely a scary world out there. And that's why we need a trusted cybersecurity hero to help keep us safe. And who better, or more trusted, than one of our favorite guests from last season, Michael Wilcox? Michael is the Chief Information Security Officer in the Field at Stratascale. He's spent a lot of time getting into the heads of SISOs, and figuring out how to help them step up their cybersecurity game in order to stay ahead of the bad guys. Michael, welcome back to Innovation Heroes.

 

Michael 

Good morning, and it is a pleasure to be here and to have this chat with you. Looking forward to it.

 

Ed 

Absolutely. So we're just in time here for Cybersecurity Month. What do you think is the biggest thing we need to be thinking about coming into 2022?

 

Michael 

I think this is actually the 18th year anniversary of Cybersecurity Month and, if we look back on 2020 and 2021, both have actually provided us with some pretty good historical context of what the future probably holds. At least, it gives us some ideas of what we should focus on as cybersecurity professionals. I always say the best predictor of the future is patterns from the past. So we've still got a few months to go before 2021 wraps up, but some of the highlights are a focus on protecting our employees in the new-world landscape that is ongoing through the year. I've seen some interesting headlines, this year, with the General Data Protection Regulation. GDPR is finally getting some teeth, and we're seeing some companies get some pretty big fines, and so some of our customers are spending a lot more time on increasing the maturity of their Governance, Risk and Compliance posture. And then, businesses are increasingly more focused on improving their resiliency across the board. On this last point, 2021 was riddled with a variety of cybersecurity attacks, which have emphasized the increasing sophistication of attackers, and especially the resurgence and evolution of ransomware.

 

Ed 

Right. So, as the podcast is titled Innovation Heroes, it sounds like we're going to be talking about a little bit of innovation villains today.

 

Michael 

[laughs] There's a relationship between the two, for sure.

 

Ed 

On the 18th anniversary of Cybersecurity Month, have we cured anything in cybersecurity? Or are we still dealing with some of the things that we dealt with 18 years ago, and then have added to that?

 

Michael 

Well, that's a good question, and I think a lot of it ties back to the basics. 18 years ago, security looked a lot different. The way that we handled security was all about the perimeter. If you had antivirus, a firewall, VPN, and some logging and monitoring, you had a pretty good security program. But today, we have all of these mobile devices, everything has an IP address, companies are moving to the cloud, we're trying to enable our customers to shop digitally, so it's a totally different environment. But, I think if we go back to the basics, that will actually cover a very large percentage of what we need to do as cybersecurity professionals.

 

Ed 

You know, a lot of people, you know, take actions because they simply don't want to get into a headline for the wrong reasons, right? And, right now, it seems to be ransomware. Why is ransomware such a problem now? And is it better or worse, or just more publicized?

 

Michael 

So, I definitely think that the media has played a role in this. I'm not saying that they've necessarily sensationalized it, but we do have a lot of headlines. It's hitting a lot of the major news periodicals, and executives and boards of directors are absolutely paying attention to this because we've seen disruption in supply chains. We've seen a lot of companies that were unable to perform their business as a result of these attacks. Back in 2016, there was a hospital on the west coast that became a victim, and I think probably the reason that this sticks out in my mind is because they actually did pay the ransom, and that's generated many debates about whether or not ransom should be paid in the event that an IT department is unable to get systems back online as quickly as the business wants or needs them. But, since then, over the past few years, we've seen ransomware grow in terms of sophistication, and the groups that profit from ransomware continue to sharpen their tools, techniques, and procedures. In the beginning, ransomware was kind of a spray-and-pray technique where attackers created malware to encrypt systems, in the hope that the data owner would pay a fee or ransom to be able to access the data. And, if they made the payment, usually in the form of cryptocurrency, the idea is that the victim would thereby be able to decrypt the original data and use it again. But, over the past few years, we've seen companies investing in communication and awareness for their employees. That's kind of the low-hanging fruit. Attackers will try to send in messages where employees click on links, thereby infecting their systems, and that's really important, but the traditional delivery and execution of ransomware software has evolved, and it's less about the attacker sending emails out to the world, and hoping somebody just randomly clicks on a link. Now, it's more about the groups doing research on the companies, understanding their victims, and they're playing a long game of gaining access to their systems using zero-day exploits, vulnerabilities which have not been discovered by software companies and the businesses that use them, and they're actually doing supply-chain attacks to embed their malicious code onto unwitting downstream computers. And, in a nutshell, this has allowed the attackers to get in, to lurk, listen, and learn, and then perform very well-executed and timed attacks. [music plays]

 

Ed 

So Michael, we talked about headlines, but what are the stories that you heard or the headlines that you saw that really made you sit up and take notice about how cybersecurity needs are changing?

 

Michael 

On a personal level, I remember coming home from a trip in May this year, and I was driving home from the airport, and I noticed I was running a little bit low on gas. I stopped to get gas on the way home, and the gas stations looked like crime scenes. There was yellow tape on the pumps, or orange cones preventing me from getting to the pump, and I stopped at several stations without being able to fill up, made it home before the fuel light came on, but it was a couple days later before I could fill up. And this stuck out in my mind because I was watching the headlines of a ransomware attack that took place, and I was noticing that many individuals and businesses were affected by that supply-chain disruption. There's another one that sticks out in my head, and this is actually a very unfortunate one. This was a peer of mine, shared a story about a friend of his that had a small company that went out of business after getting hit with ransomware. He lost all of his customer information, all of his reports, and deliverables. In a nutshell, they did not get their systems restored. They lost all their data. They went out of business. And there's the metrics to back this up, which a lot of people aren't talking about. I'm sure the global pandemic has affected this, but there was a 2019 report that said that 60% of small companies close within six months of being hacked. And then, specifically, a more recent report said 31% of US companies closed down after falling victim to ransomware. So this has real-world consequences. It also speaks to the importance of having a good back up, which is something typically performed by IT personnel. And in smaller companies, this work is often done by a limited number of personnel, or is performed by a managed service provider, and that ties in to the third thing that sticks out in my head for 2021. There is a company, major software company, which produces remote management software used by small service providers, and I think the company itself did a stellar job of being transparent and proactive with updates on the attack, but the reality was, a lot of small downstream businesses spent days or weeks with limited system availability to run their businesses, including payment fulfillment, inventory, systems, and a bunch of other things that were critical to their businesses.

 

Ed 

So you mentioned the 2016 west coast hospital as an example, and that seemed pretty terrifying to me, because it's much more than just technology there. That's the treatment of people's health there. Are there any vertical, whether it's healthcare, or whether it's a business vertical, is there anybody more susceptible to it, or less, or are we all at level risk, at the same risk of a ransomware attack?

 

Michael 

The attackers are targeting companies that, essentially, have revenue streams. When they're doing the research now, they're looking at the company's bottom line, they're analyzing how much money the company could probably pay out, and they're going after those. I think, over the past year, we've seen some major headlines because the ransomware that was used was created by ransomware groups that were doing ransomware as a service, and it was used against some companies within verticals that tie in very closely to critical infrastructure. And I don't know that that was necessarily their intention, but that's one of the reasons why we've seen these major headlines. And some of these ransomware groups have actually backed off where they said, "Whoa. Loss of life is not something that we want to engage in."

 

Ed 

Michael, you mentioned groups a few times, and it doesn't really seem to be these ransomware attacks are by lone rangers. Looking back, you know, there's been historic precedent from like-- really, it's an organized crime more than anything, and the notion has always been, throughout history, it's like, "Well, why don't these smart people just channel that energy and that ability into something positive?" How important is it to understand the motives of people who are conducting these ransomware attacks?

 

Michael 

Yeah, that probably would take some time to unpack, and I guess part of this is just my personal opinion. You know, I've been in the cybersecurity space for a very long time, and I've always wondered why attackers do what they do. You know, initially, you have that Mount Everest mentality of-- and that was a long time ago, but hackers wanted to see if they could get into systems, simply because they were there. In some cases, there have been bragging rights for individuals to be able to hack into certain organizations, and you've always got this divide between the white-hat hackers and the black-hat hackers. You have that gray space in between, but I think it really comes down to financial motivation and, based on the fact that these companies can be breached without physically having to enter a building-- you can do this remotely from an IP address on the other side of the world-- I think they've continually raised their game, and they've increased their tactics, techniques, and procedures because the payouts are so incredibly large. I think, with cryptocurrency too, if you can get X number of Bitcoin, just by threatening somebody or getting software onto their systems, there's an incredible payout, and we're talking about millions of dollars. The headlines earlier this year, where you're looking at, you know, $17 million. Even if a company only pays three or $4 million, that's a significant amount of money, so I think a lot of it is, as you said, Ed, that it's organized crime, these individuals are able to get into companies without ever setting foot, but they're also doing a lot of work. They're very organized, they're very talented, they understand code, they understand how to gain access to zero-day exploits. In fact, they're writing a lot of this malicious code and, like I said before, they're getting into systems and they're listening, and they're learning, and they're lurking, and there may be a larger endgame at play here as well, right? Because, right now, we've seen a lot of these companies be targeted around the holidays. I was kind of surprised because we had an attack Memorial Day this year. We had an attack around the Fourth of July. Going into the weekend, when a lot of people's defenses are down because people are enjoying their holiday weekends, I thought we'd see something bigger. We haven't, and that kind of concerns me because I wonder, based on dwell time in the industry, if there's something that's going to rear its ugly head later. Maybe they were able to inject their code into certain systems and they're still listening, and learning, and lurking, but who knows when they're actually going to unleash this code and affect supply chains again?

 

Ed 

This episode of Innovation Heroes is brought to you by Windows Autopilot. Unbox, login, and take off with Windows Autopilot today. Visit shi.com/windowsautopilot. [music plays]  We all know hybrid work is here to stay, so companies need to deliver devices and support to remote employees, wherever they are, and they need to be safe doing it. Recent reports show that as many as 69% of SMBs in the US have already lost sensitive data in security breaches. Windows Autopilot is here to help, and to make things easier, too. Welcome to the device deployment revolution. By leveraging SHI Zero Touch X and Windows Autopilot, any Windows 11 device can be set up directly for your employee. Once a user receives their shiny new Windows 11 device, they simply unbox it, login, and take off. Within minutes, Autopilot automatically installs the apps and settings, and employees can set them up anywhere an internet connection is available - at home, the office, or even a hotel room. Windows Autopilot with SHI Zero Touch X for Windows 11 enables IT to deliver ready-to-go devices directly to users, freeing up more IT hours, while improving employee satisfaction in the process. Visit shi.com/windowsautopilot for more information. [music plays] [music plays] I don't know if you can tell, but Michael is definitely a realist. But I think that's what you need when it comes to cybersecurity. We can't always stop the hackers, but we can adapt and be ready. That is, once Michael tells us how to do that. [music plays] Even with the cost of cyber attacks climbing, it seems like, for some companies, the cheaper option might be to pay the ransom, if and when it comes to that, rather than investing heavily in upfront security or defenses. Is that smart? Is that flawed? Is there a hybrid approach?

 

Michael 

To me, this conversation is really a business conversation. In the past, I've always advocated that we need to be proactive, rather than reactive, but in today's environment, Ed, given the increasing sophistication of attacks that are taking place, I really do think that we need to embrace that mantra, "It's not a matter of if. It's a matter of when." 'Cause businesses have invested a lot of money in their cyber programs, they need to continue to invest to increase the maturity of their programs. However, what we don't want is for leaders of businesses to think that all that money invested today has been for nothing, right? So, by taking a position of assume breach, and this is something you can do is just assume that you've been breached, and running through scenarios with the business, you can increase everybody's understanding and gain their perspective. So you know, we've seen cost, actually, this year, I think it's basically because some of the ransomware groups have disbanded a bit, but again, they may actually come out again a little bit stronger, that the costs are going down in some cases. Cybersecurity is becoming a national priority, but people need to be as prepared as possible. They need to overprepare, have a game plan for when things go off the rails, and know how they're going to address it, and there are some obvious problems with paying a ransom. Obviously, there's, one, you may not get your data back. These are criminals. And, although they promise that they're going to give you the key to decrypt your data, it's not guaranteed, and many people argue that, by paying ransom, we're creating an environment which encourages this behavior. So you need to plan properly, but you should also have conversations with your executive leadership team to understand what the thresholds might be that would influence a company to pay a ransom, 'cause when we see these headlines that a CEO made the decision to pay a ransom, they were in a position where they did a risk analysis, and it may sound like a lot of money to some people, you know, $4 million, $17 million, but in these multibillion dollar organizations, that loss of production, the financial and reputational impact for the organization could far outweigh, and so they say, "We're going to pay the ransom to get the business up and running."

 

Ed 

Before, what you say is the inevitable, when this is going to happen, you know, how do SISOs get the rest of the C-suite on board, in terms of preparing and, kind of, having your ducks in a row for how you're going to choose to react if and when a ransomware attack happens?

 

Michael 

I'm talking to a lot of SISOs who have been in their organizations for many years, you know. They've been in some of their companies for 10, 15 years, but now they're getting called into the boardroom to provide, kind of, a state-of-the-union address. And so, they are trying to figure out how to have those conversations. You need to understand, from a SISO perspective, what the business' crown jewels in intellectual properties are. We can spend a lot of time trying to boil the ocean, making sure that we're protecting what we perceive to be the most important assets, but amazing things can happen when you sit down with a business, and talk to them. You can, basically, prioritize and understand what the business is focused on, whether it be certain assets, intellectual properties, could be mergers and acquisitions that the company is planning, and so, having that conversation can be a game changer. I actually just wrote an article on this topic, which is going to appear on the Stratascale website, and one of the things that I talk about is how to get through to the board of directors and have key conversations with them. And one of the things that I found to be very advantageous, is to do a tabletop simulation. Instead of talking about key performance indicators, and throwing three-letter acronyms at them, which usually isn't very effective, by coming up with a simulation, where you can sit down, present a hypothetical scenario to the business, with business leaders at the table and say, "If we were actually affected with ransomware, what would we do?" And one of the key things that I try to get out of those conversations with them is, "Would you pay the ransom?", because the headlines never play out that the SISO of a company decided to pay the ransom. It's the CEO. So, if you can get this answer from your CFO or CEO, it can be a game changer. Of course, the answer usually starts with, "It depends. Like, if you're not able to get the data or the systems back online, then we're probably going to need to do what we have to do to get the business back on its feet." But, this can definitely open the door to a much more meaningful dialogue with executive leaders. [music plays]

 

Ed 

So, you talked a bunch about how to get that right. What are some of the ways companies are getting this wrong, in your opinion?

 

Michael 

So, I think that one of the things that they're doing is, they are-- it's like taking an advanced calculus class before you actually take the prerequisite classes, right? We've got a lot of concepts that are floating around right now. They're excellent concepts. By the way, one of them is zero-trust network architecture and, instead of following that historical model that we apply to perimeter-based security, it was, kind of, like the hard, crunchy shell, and the soft, chewy center, where you were protecting your data center and all the users on your network, now we have to take a different approach. But, when I'm talking to some leaders at organizations, they're talking about doing zero-trust, and they're getting into some very advanced topics like IT and OT segmentation. So, just real quickly, I'm sure a lot of the listeners understand this but, in an IT environment, you're typically looking at knowledge workers, you're looking at the systems that you're accustomed to working with to do job duties. In an OT, or Operational Technology environment, you're looking at industrial control systems. You're looking at manufacturing lines. Oftentimes, these are legacy systems, which don't follow the same standards as our IP-based devices, and they're talking about doing segmentation, and that's fantastic, but you need to have a game plan. You need to make sure that, culturally, the company is ready. Another thing that they're getting wrong is they're jumping into the technology, instead of actually looking at the processes. A lot of organizations don't have third-party supplier programs in place. So you need to assess your third-party companies, who you're doing business with. Understand their security posture, and one of the ways that you can do this is by having a more mature Governance, Risk and Compliance program. This is going to help you establish effective controls, used to safeguard the confidentiality, integrity, and availability of data.

 

Ed 

How much of a risk are those third-party companies? Is that a typical way in?

 

Michael 

You're only as strong as your weakest link, and some of the SISOs that I'm talking to, they've done their due diligence, and they can tell you precisely how many companies their organization is doing business with. One of the best things you can do is, especially in larger organizations, is work with the leaders of your sourcing, purchasing, procurement departments, and actually understand who you are doing business with. Where are those lines of credit extending out to? How are you interacting with those businesses? In many organization, the list is thousands, or tens of thousands of companies, and that's a lot to focus on. So, by having a good Governance, Risk and Compliance program, you can start to assess the big companies, first and foremost, to make sure that they've got the right security controls in place. But then, you can start to look for how those businesses are actually connecting to your network, and make sure that you have the right protective controls in place, as well.

 

Ed 

So, as Chief Information Security Officer in the Field at Stratascale, you're talking to customers every day. How can Stratascale help with clients' cybersecurity planning?

 

Michael 

Well, the individual in our office of the CTO, and we've got a group of stellar field CTOs that have years of practical, hands-on industry experience, across many different technology areas, and, really, our role is to provide peer-level, non-sales insights and assistance. And so, just having conversations with business leaders, I've seen a lot of value. We're getting really good feedback from our customers. This is something that they've actually been seeking, and I think that's why Thai Lee, you know, our president, has created Stratascale underneath David Olzak, and so, they're actually leaning in and having really good conversations with us. But, more importantly, we have practitioners that have really deep experience within domains of cybersecurity, automation, digital experience, data intelligence, and we have a lot of customers talking to us about cloud. So, we can talk to companies about where they're at, what their vision is for the future, and then we can solution. We've been doing fantastic workshops with some of our customers, bringing our practice teams to the table, where we're doing current state assessments, helping with roadmap development, and then really understanding the efficacy of the controls that they have in place, and helping to drive some cost efficiencies, as well. One of the other areas that I work a lot with here at Stratascale is Innovation Labs, and that's our research arm. And they continually observe and research market trends. They're looking at the market, they're looking at venture capital companies, disruptive technologies, and how they can help in business, and a lot of our customers are actually talking to us about, "What do you see on that bleeding edge? What's on the horizon?" And so, a lot of it is just, I think, great things can happen when people talk. We're spending a lot of time talking to the existing customers, qnd then, we're talking about where they want to go in their programs, and making sure that they've got the right tools and processes in place to do that.

 

Ed 

Now, and I will add, with a plug for you guys, a lot of what you're doing and what you're finding in your thought leadership is on stratascale.com/insights. That's where a lot of that is being published today, so we really appreciate that. Thank you very much for being my first guest on the podcast, in my first year as host. I really appreciate it. Michael, it's great talking to you.

 

Michael 

Ed, thank you so much. I really enjoyed it. [music plays]

 

Ed 

Halloween isn't the only scary thing we're thinking about this month. But being aware of the frightening reality of cybersecurity is absolutely a necessity in today's world. Risk is on the rise. And the old way of doing things just doesn't cut it. The most expensive business mistake you can make is keeping your head in the sand because, even if you're willing to pay to get your data back, that's just one piece of this puzzle. It's a dangerous world out there, but doing your research and having a plan is the best way to move forward, even in the face of such sinister cyber villains. I'm so glad we have heroes like Michael to keep us ahead of the bad actors as much as we can be. Thanks for listening to this episode of Innovation Heroes. Next time, another of our all-time favorite guests returns. Intel's Stacey Shulman is back for a third round, and she's got a big topic in mind: how to bring the fun back to innovative tech in our post-pandemic world. If you enjoyed this episode, then consider being our hero. Smash that like and subscribe button to Innovation Heroes, wherever you get your podcasts. Innovation Heroes is a Pilgrim Content production in collaboration with SHI. Our producers are Tobin Dalrymple and Jessica Schmidt, with production assistance from Carmi Levy, Ronny Latimore, and Jane Norman. I'm your host Ed McNamara, and I'll be back with another amazing story in two weeks. [music plays] This episode of Innovation Heroes has been brought to you by Windows Autopilot and SHI Zero Touch X for Windows 11. Unbox, login, and take off today. Visit shi.com/windowsautopilot for more information.

Podbean App

Play this podcast on Podbean App