[00:00:00] Speaker A: I think the important thing is to understand that people are trying to get into your network and your systems every minute of every day of every year. It's not something that people will go and hit a pause button because you've decided to celebrate Australia Day or Christmas.
[00:00:19] Speaker B: This is kvk.
[00:00:20] Speaker C: I'll be completely silent.
[00:00:22] Speaker A: As a primary target for ransomware campaigns, security and testing and performance risk and compliance. And we can actually automatically take that data and use it.
[00:00:34] Speaker C: Joining me now is Jared Sillers, more commonly known as Jerry, Vice President APJ from Semperis. And today we're discussing Semperis' new holiday risk report. So Jerry, thanks for joining and welcome.
[00:00:47] Speaker A: You're welcome, Carissa. Thank you for having me. Pleasure to be here.
[00:00:50] Speaker C: Okay, so I know we're sort of a little bit on from the holidays, but again, you know, there's more holidays coming up this year, et cetera, where people sort of let their guard down. So maybe let's start with the quote "attackers don't take holidays", though. So walk me through this, Jerry.
[00:01:04] Speaker A: I guess that depends when your holidays are, first and foremost. Carissa, I'm talking to you from Singapore today. And we've just finished, in fact for most of the island we haven't finished yet, the Lunar New Year or the Chinese New Year holidays. So all around the planet people are taking different holidays and different vacations at different times, obviously. And I think the quote "attackers don't take holidays", not 100%, I would agree. I'm sure your average hacker will be relaxing on a beach with a pina colada the same as the rest of us if he's had a good month or a good quarter. But I certainly think it's true to say that attackers don't take holidays at the same time as we would go and take holidays. And quite often again, as you know, the various activities of attackers are quite often automated now. So you know, we live in a world where that threat is constant today. I think, just from a highlight perspective, the important thing is to understand that people are trying to get into your network and your systems every minute of every day of every year. It's not something that people will go and hit a pause button on because you've decided to celebrate Australia Day or Christmas.
[00:02:19] Speaker C: Well, it's the same thing with physical robberies though, isn't it? People know that families are going away over the holiday break. Right. So then it's sort of an easy way and a vulnerable way that people can start to rob their house, effectively. It's the same for cybercrime, 100%.
[00:02:33] Speaker A: Yeah, we have a family tradition, we've had it for probably two decades plus now, of watching Home Alone on Christmas Day, and the Wet Bandits in that movie certainly hang about to wait for everyone to go on their Christmas vacations before they break into their premises. So, yeah, I mean, it's kind of logical when you think about it, right? I mean, I know there's stats and numbers we'll talk about specific to this holiday report, but it kind of makes sense. You're going to try and break in, whether that's physically or digitally, to an organization when there's at least less people about, if not everyone's disappeared. I mean, obviously as a business, you've always got some form of IT staff covering your holiday periods, but yeah, totally agree.
[00:03:17] Speaker C: So let's move into the stats. So in the report, it says 69% of organizations that were targeted by ransomware were attacked on a weekend or a holiday. Now, we've obviously just gone through that, so that number clearly doesn't surprise you, but maybe talk us through a little bit more behind that number.
[00:03:34] Speaker A: I think that number doesn't surprise me in the context of how many organizations in the. As you know, this is an addendum to our annual ransomware report that we did. And we specifically polled Australian organizations for this holiday report. I think the most stunning stat for me was that 83% of organizations we polled last year were targeted by ransomware in the past 12 months. That's a stunning number. And lots of people think ransomware is a thing of the past. I mean, it's absolutely clearly not. And of that 83%, I think the number was something like 78% of them paid a ransom, and a very high number paid a ransom on multiple occasions as well. So the 69% is less surprising. Again, just as we were discussing earlier on, you're going to look for any advantage you can get if you're trying to break into someone's premises, either digitally or physically. So the 69% number is less surprising for me than when I first read this report. And I've only been with this company six months, so I hadn't seen or hadn't looked at prior reports. But I think stunning, just some of the numbers in terms of ransomware is real. It's still real today. It has been for over a decade now. And clearly as an industry, and certainly from a consumer perspective, we're still not doing enough to mitigate that risk that makes it so attractive to cybercriminals.
[00:05:04] Speaker C: So when you said before, still not doing enough, define enough.
[00:05:09] Speaker A: One of the challenges, and certainly the end of the market that we are in, is all about protecting identity and all about protecting the core of identity, which we define as Active Directory specifically and Entra ID, Microsoft's cloud version of Active Directory, and directory services in general. Because if Active Directory is down, then effectively you get no access to any applications, you can't access any form of organization. So this is certainly an area, you know, again, some of these stats, you know, we made announcements last week on exceptional growth. Again, we expect to have a great year this current year as well. Organizations, I think historically, and you work in the cyber industry, you've been a practitioner as well, Carissa. So we in this industry tend to talk about, you know, you'll remember the times when we were saying the perimeter was the new edge and people were spending tens of millions of dollars, hundreds of millions of dollars on firewalls and IPSs, et cetera. And then the edge was the new perimeter. Gartner have said over the last year that identity is the new perimeter. So I think, while I say not doing enough, I think we're very often driven, and certainly buyers are very often driven, by what's in vogue at times. But you know, the key, the crown jewels of any organization in our opinion is that core identity system. So certainly, talking to and looking at the organizations that we engage with and looking at the stats from this report, I would say that organizations today aren't doing enough to go and protect their crown jewels, their core identity systems.
[00:06:47] Speaker C: Okay, so looking at some of the stats a little bit more. So you guys have broken it down by areas or verticals. So you've got, I'll just read them out because people don't have it in front of them: education 50%, manufacturing 44%, finance 57%, IT and telecommunications 72%, healthcare 71% and travel and transportation 100%.
[00:07:12] Speaker A: Yep.
[00:07:13] Speaker C: So 100%, like obviously that's quite calculative on that front. So is there anything that you can sort of share around that? You don't have to go into all of them. But as I read out some of those stats, is there any sort of additional intel that you can share with us today, Jerry?
[00:07:27] Speaker A: I think there are some industries that we see that are most susceptible, I would say, to ransomware attacks, and quite often that's just by the very nature of them being so distributed and/or possibly under-investment in staff in particular and access to funds to go and protect their environment. So the travel and transport industry, hopefully when you see this next year, has got a better rating than that. I think also we've seen a marked shift over the last few years from the various actors going and targeting critical infrastructure for maximum disruption. Quite often that is what the various organizations are looking to go and cause, as much as for commercial gains. So travel and transportation, we've seen many over the last few years. We've seen a few in Australia just in the last year or two as well. So I mean again, I was surprised that number was so high from a travel and transportation perspective. But when I think it through, it's less surprising given the high value assets. You go and disrupt an airline, for example, you can very quickly define how much money they're going to lose across a matter of minutes, hours and days if you have complete fleets of aircraft grounded, as we've seen again, not even from a ransomware perspective, but the CrowdStrike event last year, so mass destruction across the globe and an inability for people to get on planes. And that is a continuing story. Hundreds of millions of dollars lost in a very short space of time.
[00:09:06] Speaker C: Yeah, so I know that all of those industries are important, but if I just focus again, following this a little bit more, on transportation, for example. Now I know that you were in Sydney last week when we caught up, but recently trains weren't operating. So I was trying to, a few weeks prior, catch up with people. They live further out in Sydney, or they live even like an hour from Sydney. It really impacted them, but also impacted people that are frontline workers. They couldn't get to the hospital, they couldn't go to university, couldn't go to school or any of those sorts of things. But it does have a domino effect quite quickly. Right. Like especially for people, if they can't get home, then all of a sudden, what do you do? You got to walk home, you got to get an Uber, then Uber's automatically surge. There's just not enough capability to move people around. So do you think that again, to your point, going on the transportation side of things, this was an easier target because the impact can be seen quite quickly? Right. And just how much people all of a sudden just can't get around.
[00:10:06] Speaker A: Hugely impactful, you know, and flow that down as well. Many years ago Maersk was a very well documented breach that caused global disruption. We had Toll Holdings in Australia, a double whammy at Toll Holdings just a few years back. And when you start to think about the ramifications of the downstream effect when transportation is impacted. So if it's the airlines, if it's people moving goods around the planet, your short term, your immediate term effects are, you know, you might struggle to get home, you've got to get alternative transport. You may have to, you know, bunk with a friend. You and me may end up in a pub longer than you'd probably ideally like to. Things like the Toll Holdings one were interesting because one of our advisors at the time was the CISO at British Petroleum, and because they were so heavily impacted by that, Toll Holdings provided the confectionery and sandwiches, et cetera, to all of the stations globally. They had to take a decision on whether they were going to close the shops at the gas stations until they could get back up and running. Because I think the stat is something like 80% of people that go into a gas station go to buy Snickers and Mars bars and stuff like that, not actually to buy fuel. So that was a reputational damage impact of keeping those shops open. So yeah, I mean again, it's a high value asset that has massive upstream and downstream implications if you can go and disrupt any of it, whether that's trains, buses, airlines. Very high value and maximum disruption.
[00:11:40] Speaker C: So I'll move on again now to another stat here. So 78% of respondents reduced their staffing by as much as 50%. Now there's various reasons for this and theories, but you know, from your perspective, Jerry, and what you're seeing here at Semperis, what was sort of the reasoning for that? Is it because people don't want to work weekends? Is it just that companies didn't believe they needed as many staff? You know, when people are out, especially around Christmas time, they go to work, they get a bit of FOMO. Like, well, what is it?
[00:12:08] Speaker A: Yeah, I mean I think, fundamentally, people have got to take holidays first and foremost. You know, just from a quality of life perspective, mental health, all that good stuff. But again, I think there's a tendency to believe, I mean if you're working a 9 to 5 or an organization that works 9 to 5, then the vast majority of staff are probably off on a weekend. You know, whether your weekend's Saturday, Sunday, or whether your weekend's Friday, Saturday, depending where you live. It kind of makes sense that if 80% of my staff or 90% of my staff are off at weekends, then I don't need the same amount of staff from an IT perspective, whether that's cyber or anything else. So obviously there's a cost associated with having people working both weekends and holidays for organizations. I mean, there's an absolute hit to how much it costs me to go and run an operation if I've got large percentages or larger percentages of my staff working at a weekend or over a holiday.
[00:13:01] Speaker C: This is where it gets interesting because, I mean, I've spoken to people on the show about like, how do you find the balance between, like, you can't throw. I mean, a business isn't a business to make money. So I get it to a point where, yes, you're going to be secure, you got to do that. But it's going to come a point where businesses can't put all of their money into cyber security.
So how do you strike the balance between we've got to do enough, therefore, you know, we're not getting ransomware attacks, you know, at the eyeballs, and we have to have staff where it helps us enough. But also being cognizant to be like, we, you know, businesses aren't going to pour all their money on cybersecurity. They're just not going to do that. So what would be your advice to manage that where people are sort of staying safe, but are managing, like you said, the cost of having staff right around the clock?
[00:13:49] Speaker A: Yeah, I mean, I think in all instances, as you say, businesses are in business to make money. Right. Every business is going to define what risk looks like and will invest in operational risk, business risk. They'll make investments, whether that's in cyber, whether that's in physical security, or whether that's in whatever they do to go and mitigate risk in an organization. And I think for every organization, and again, we've both been in the cyberspace for quite some time, cyber budgets are incomparable to where they were a decade ago and two decades ago. So organizations in general, I think, understand the significance of cyber and cyber associated business risks. But as a challenge, one of the things that we're just about to announce is an operational risk tool where we'll consult with organizations and work with them so they properly understand how they're going to recover from a disaster. What does a disaster look like? Because again, a big part of that's just a black hole for organizations today. They understand and may understand where some of the gaps are from a technology perspective, but don't necessarily understand how to go and recover a business and what processes and people they need to go and put in at the back of that. So it's a bit of a conundrum. People's appetites for risk typically are different as well. So I think for most organizations, it's down to risk appetite. What can they afford to go and invest? I mean, no one's got an open checkbook to just throw at technology and staff and humans to protect them from a cyber attack.
[00:15:21] Speaker C: But do you sometimes think as well, I'm looking at this really outside the box, that cyber people just have this view, like, because again, like, it's like we get a, you know, if A doesn't work, then we get a B and a C, then we got a D, E, F, G, H. Like we can't, like that's just not realistic for businesses. Like, people go bankrupt. So, and I know you've sort of answered it, but I think this, this point's really, really important. How do people manage that without compromising themselves? Of course, like you said, reputational damage, but they're not going bankrupt at the same time, like you said, they can't just keep throwing endless amounts of money at things that may or may not solve the problem.
[00:15:55] Speaker A: Yeah, I agree. You know, and it's got to be, I think from a starting point, and I'm sure all organizations do this: what does disaster look like? How do we go and recover from a disaster? How much would it cost us to go and recover from a disaster? And what investments do we need to go and make to ensure that that doesn't happen, and then to go and focus on how we get back to a minimal viable position as quickly as possible. So again, that's all. You know, we talk a lot about operational risk, as if we talk about operational resilience. Sorry, we also talk, you know, everyone talks about cyber resilience, but for us, it's more about the people, the process, plus the technology at the back end. But again, that isn't simple. And again, you brought up a very valid point there. You do a lot of trade shows and, you know, if you go to particularly large cyber trade shows, it's a kind of thankless task. You see, when you walk into, if you go to RSA and you walk into a hall that's got maybe up to a thousand cyber companies all doing slightly different things, all trying to convince you that their new shiny toy is the most important shiny toy you should have in your portfolio. So I think taking that baseline, understanding again, going back to what I said earlier on, and we're going to consult with organizations on, from an incident response, operational risk perspective, what's your baseline? What are the most important things for you to stay in operation as an organization, and go and surround certainly those crown jewel systems. To my mind, and I think to our mind as an organization, that's where the investment needs to be. The investment needs to be in how we go and protect the things that are core to us operating as a business.
[00:17:29] Speaker C: Do you think as well, Jerry, that companies, I know you said before, like, you know, how long does it take to recover from disaster? The impact, the cost, the long tail impact as well, etc, I mean, we've spoken about all these things at length, but do you also think, and I hate to say it, but yes, the business continuity side of things. Now I'm going to then elaborate on that. For example, fast food place, I don't know, McDonald's and friends, there's probably, they're probably shipping out a lot of Happy Meals and whatever else goes there. You got to think, imagine if McDonald's didn't operate for an hour, two hours, four or five, 24 hours, how much is even revenue that they would lose, let alone, hey, we got to bring in some really expensive external consultants to do all the forensics and do all these other things. And PR people and legal people forget that just the actual loss of revenue for those hours. Do you think people are focused on what that looks like?
[00:18:19] Speaker A: Yeah, 100%, without a shadow of a doubt there. Yeah. You know, and if you want a McDonald's and you can't get McDonald's, you'll go to Hungry Jack's down the street if your burning desire is to have a burger at that moment in time. So I mean every organization that I talk to understands and factors in all of those permutations when they are looking at risk. So you know, risk is the loss of immediate revenue. Risk is risk. And going back to the Optus outage that we had in Australia, whenever that was, a couple of years ago now, that had obviously a really significant impact on everyone. Quickly followed by Medibank. So pretty horrific for Australia as an economy and as a country. Reputationally, the immediate impact was, I think I saw something that I recall saying that the next quarter impact was a loss of revenue of about $1.6 billion. Now, the downstream impact of that, it's taking years to go and recover and get back to the same position that they were in. But for sure, organizations do try and factor in all of those aspects when they're thinking about the value of the tech that they've got deployed. And the vast majority of enterprises that I talk to today now typically have a dollar value on an asset, a digital asset. So, you know, an Oracle database may have an X value, AD may have an X plus 5 value. Just in terms of, if we lost that, what is the damage to the business? And all of those factors typically are factored in.
[00:19:53] Speaker C: So from your experience, Jerry, what do you think people aren't factoring in then? Is there anything that comes to mind when I ask you that question?
[00:19:59] Speaker A: Yeah, I think that again, going back to what I said earlier on, and increasingly spending time consulting with organizations on operational resilience, I think there's a general lack of appreciation and comprehension of what we do as an organization in the event of a disaster. So in the event of a, you know, how do we respond as an organization? And that's what we're trying to help organizations with. So we've got the tools to help them recover from a ransomware attack, help them recover, all that stuff. We've got the tools to go and help them take preventative actions to hopefully mitigate the risk of that happening. But quite often it's the people and the process, and that extends far beyond just the technical aspects, the IT aspects of that. As you said earlier on, when you're talking about risk and business risk and reputational risk, there's a whole bunch of moving parts when something goes wrong. There are good ways to go and respond to an incident. And really, we've seen hundreds of really good examples of how not to go and do it. So there's a lot more to it than just getting the tech fixed. Depending on which industry you're in, you might need to go and notify a regulator within a set period of time. You might need to notify the government within a set period of time. You certainly need to go and notify your consumers in a period of time with a plan on how to get back to a good state. So, yeah, again, the organizations typically that we talk to don't do that particularly well. Or don't do it as well as they think they do, because they're all looking at each other. When we do these tabletop exercises with organizations, everyone in the room is just looking at each other. It's a bit scary.
[00:21:37] Speaker C: So then on that note, why would you say, or why would you surmise, there's a lack of appreciation and comprehension? Or would you say that hindsight's a wonderful thing? And what I mean by that is, I don't know. An example would be, what comes to mind, you're riding a bike without a helmet. It was fine the first 50 times, but then, I don't know, maybe you're a bit hungover the next day and you're riding your bike without a helmet and you fall over and you hit your head and it hurts. So do you think that that's, unfortunately, because we've seen it happen over the years? Oh, well, we should have done more when, you know, something happens. So would you say that's maybe why there's that lack of appreciation?
[00:22:16] Speaker A: I think that's part of that, you know, and in that example you gave, the result of that can be life ending, right? It can be catastrophic. You might not just have a sore head, you might expire. So, yes, I do think that organizations are doing a lot to go and try and mitigate risk. You know, again, we live in a time and in a world where new risks keep coming at us day after day after day. So I think there's a. I mean, it's certainly not a tendency, I don't think, to go and bury your head in the sand. But again, I think in a lot of organizations, probably midsize enterprises rather than the biggest enterprises, there's still sometimes at a board level a lack of appreciation of just what that risk is. So, again, to your point, lots of people riding about on bikes without helmets.
[00:23:05] Speaker C: So now I want to sort of get back to the report again, and this was interesting, which I think we sort of know the answer to. But I want to, you know, illuminate the stat, which was 50% of companies were victimized by a ransomware attack after a material corporate event. So you mean like a Christmas party? Things like that?
[00:23:24] Speaker A: Depends how good the Christmas party was, I guess. But no, I mean, it depends how much money you spend on the Christmas party as well. But no, a material corporate event would more likely be something like an IPO or a merger or acquisition or a divestment. So something that deflects the business's attention, because the imperative in those instances is to achieve the business outcome and not security per se, or not, you know, whatever per se. I mean, it's not really specific to security in that instance, but when people are laser focused on a business outcome that is out of the norm. So, again, think about a merger where you're going to consume other people's technology. I mean, I met with a 2IC to the CISO in Australia recently, in an organization that does a lot of acquisitions of smaller businesses. That's basically their business model. And I said, how much time do you get to go and assess the IT risk and the cyber risk? And they said normally about two days before the deal's done. So I think that's what we mean by a material corporate event, where the business is laser focused on achieving the outcome for the business. And in those instances, security takes a backseat.
[00:24:49] Speaker C: So speaking of backseats, as you were speaking, what about large. So for example, major vendors have major conferences around the world. So do you think that even from a vendor perspective that, you know, they're focused on doing these big conferences, right. Or conversely, you got RSA and places like that where people are so focused on that. Do you think as well, that could be an opportunity where people's guards are a bit down, perhaps, or they're not, you know, their eyes aren't maybe as focused as they, they normally are because they have a big event in front of them, et cetera.
[00:25:18] Speaker A: Could be. I mean, it depends on, I guess that depends on the size of the organization, Carissa. You know, your, your core IT staff, your defenders of an organization are less likely to be involved in going to a large event like that. But again, I mean, anything that's taking people away from their day jobs and going and doing something else, where they're working somewhere else 9 to 5 and not focused on what the day job would be. Yeah, for sure. I mean, it could be, but less of a challenge, I think, than the ones I discussed earlier.
[00:25:49] Speaker C: Yes. So I think it would just even be the people attending those events. Right. That are, you know, perhaps there's thousands of people. Perhaps that could be an opportunity. I mean.
[00:25:57] Speaker A: Yeah, I mean, that's as good as a holiday, I guess. You know, you've got 70, 80,000, whatever it is, 100,000 IT staff attending RSA. I'm sure it'd be an interesting one to go and see if we could put in a report how many organizations were breached at a time that all the technical staff were attending an event. That would be an interesting stat to have, for sure. Yeah.
[00:26:18] Speaker C: Just as you were speaking, this is what came to mind. Right. So let's, I'm going to read out, so again, going through some of the industries, the percentages. So 50% of companies were victimized by a ransomware attack after a material corporate event, which Jerry has outlined. And then pushing that a little bit more, 50% was education, 30% in manufacturing, 43% in finance, IT and telecommunications 54%, and healthcare was 20%.
So I'm guessing again, Jerry, none of those stats really surprise you given what you just discussed. As we're seeing nowadays, there's a lot more M&A happening, more IPOs, et cetera. So again, people's guards are probably a little bit down. So it's an opportunity to just strike, for sure.
[00:27:03] Speaker A: I mean, these organizations are going to research, and they do go and research, when organizations are most vulnerable for whatever reason, whether that's holidays, whether that is a major corporate event, whether that's a once in a decade Christmas party or whatever. The attackers are good at their jobs. I mean, people are doing this full time. They're spending as much money as, or more than, the people that are trying to defend against them. So they're pretty sophisticated in terms of understanding the best times to go and try and penetrate an organization. But yeah, I think that probably the only one, or the most interesting one, might be healthcare. Healthcare being lower than anyone else. And perhaps that's, I mean, healthcare has a tendency to be 7 by 24, 365, more so perhaps than other segments.
[00:27:52] Speaker C: So how can people prepare for, you know, the same. I mean it's sort of a conundrum a little bit because it's like, you know, if you're getting a company acquired, for example, you want to be able to tell media and get the word out there. But again, you're sort of opening yourself up for risk. So how would you sort of prepare an organization so to make sure they are taking the right steps and the right measures, therefore they're not underselling all the good news and the things that they're doing, but also making sure like, hey, we don't have like a massive incident happening at the same time.
[00:28:19] Speaker A: I think it's going back to properly understanding people, process, procedure and the technology required to go and mitigate risks. I mean, we are doing an increasing amount of work with some of the Big Four practices who do a lot of M&A and divestment work, and it's a core component when they're advising organizations. And again, you've got to have fairly deep pockets, obviously, if you're engaging these organizations to go and do this type of work for you. But they are spending months preparing risk analysis of what you need to do to go and acquire this business, and once it's acquired, what you need to do to go and try and integrate this business as seamlessly as you possibly can, and/or divest this business as simply as you possibly can. So I think a lot of it's around people and process, ensuring that you understand the risks and understand what you're getting into. Again, kind of contradictory to what I said earlier on, because in the instance I gave you, that organization is typically acquiring smaller businesses, but two days' notice to go and assess technology risk in an organization is hardly sufficient. And consulting with partners. So again, I don't think there's any magic wand to go and fix this, but just understanding at the CEO level what the risk is, first and foremost. So again, typically in the instance of an acquisition or a divestiture, the C-level are aware. They've been given a report by whoever they're working with, typically, to go and understand the risks: the business risks, the technology risks, operational risks, et cetera, and go and ensure. And again, from our perspective, Active Directory is the most critical and should be the most critical aspect of every merger and acquisition.
So ensuring that organizations are working with partners, whether that's us, whether it's the Big Four, whether that's some of the other partners out there in our ecosystem, to go and understand the risk, the technology risk, and have a plan that we can execute against that delivers the outcome that they require, and make sure, certainly again going back to our core component, that those crown jewels are protected and, if the worst happens, you can roll back or recover quickly.
[00:30:28] Speaker C: So I just want to ask you probably one more question around the stats. I know that we've spoken, we've covered a lot of ground here again today. But for those of you who want to do a little bit more digging, we will be linking the report in the show notes. So Gerry, one other question I have for you is: 83% of respondents say they had an identity recovery plan in place. So maybe walk us through the plan. What does it look like in your eyes? Just at a high level.
[00:30:55] Speaker A: That's the most surprising stat for me, Carissa, when, again, there's an addendum to the report that says 78% of respondents paid a ransom in the last 12 months. So without me trying to do a whole bunch of arithmetical gymnastics in my head here, I mean, 83% of respondents said that they had an identity recovery plan in place, yet probably 90% of the 83% ended up with a ransom attack and about two thirds of them paid it. So.
[00:31:27] Speaker C: But it's probably a basic plan. Is that what you're sort of saying? Like, it's probably rudimentary.
[00:31:31] Speaker A: I may have backup and recovery in place and, you know, I think I can go and recover from a backup, for example, but when I go and do that, it didn't work. Or when I went and did that, I was dinged a second time or a third time or a fourth time. I think that 32% of respondents in the ransomware report said they'd been done; I think Germany had the highest instance of people suffering or paying a ransom multiple times for the same incident. Because the other aspect of this as well is that, you know, we're dealing with people that are criminals and they're not necessarily honorable. Some of them may be, lots of them aren't. So someone tells you you'll get your encrypted data back and quite often that doesn't happen. Someone tells you pay me once and don't worry about it. Quite often that doesn't happen. So, yeah, but I think there's a. And again, I see this every day of the week. There is a basic understanding or a basic belief, I think, that people can get their core identity systems such as Active Directory, but in reality that doesn't work out so well. And it is disturbing. The organizations that think they've got a plan never actually tested it, or never actually tested it in earnest or with any degree of regularity. So I think people believe that they have an ability to go and recover. Hopefully they never need to find out that they can, to be honest. But, you know, again, I don't think people understand how complex it is to go and recover. And in a core identity system such as Active Directory, Microsoft's best practice is a 29-step process. And if you hand that off to Microsoft to go and do, which they'll do for you, you give them a backup copy, it takes them typically up to five days to give you a set of instructions back to say here's how you go through that 29-step process in your environment to go and recover, and follow these steps.
Follow these specific steps in order or you'll need to start again. So yeah, I think people believe that they have that covered, but in reality I don't think they do.
[00:33:26] Speaker C: So, Gerry, do you have any sort of final thoughts or closing comments you'd like to leave our audience with today?
[00:33:31] Speaker A: Get a plan. You know, you don't want to have the police at your front door with the Wet Bandits when the Wet Bandits have flooded your house earlier. Christmas again, I think it's just people, process, having a plan, having a recovery plan. We're happy to help, obviously, and we're happy to consult people on how they effectively go and do that. But it's important to understand, though, that you need to be more vigilant. You need to be vigilant all the time, but you need to be as vigilant, if not more vigilant, when you've got a reduced number of staff focusing on defending your environment for whatever reason, whether that's a corporate event, a significant corporate event, or whether it's because it's Christmas or it's Hanukkah or it's Chinese New Year.
[00:34:13] Speaker B: This is KBCast, the voice of Cyber.
[00:34:17] Speaker C: Thanks for tuning in. For more industry-leading news, thought-provoking articles and tools, visit KBI Media to get access today.
[00:34:26] Speaker B: This episode is brought to you by MercSec, your smarter route to security talent. MercSec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on-demand talent acquisition team helps startups and mid-sized businesses scale faster and more efficiently. Find out [email protected] today.