• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast, having joined in 2015 with the opening of the Sydney office and led the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity, Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


This week we are featuring an interview focused on ransomware and conducted by a Senior Analyst from the Economist, Wade Islan. Wade’s guest is Ciaran Martin, Professor of Practice in the Management of Public Organisations.

Prior to joining Oxford, Ciaran was the founding Chief Executive of the UK National Cyber Security Centre, part of GCHQ. Ciaran brings his expert analysis to this conversation and provides his perspective on what board members should know about ransomware, steps organisations can take to protect themselves, the value of human versus the technical controls and processes, resource considerations for best outcomes, the nuances in ransomware for different countries, the politics and global collaboration required to fight the problem, and what the future of ransomware will likely look like.


The Get Cyber Resilient Show Episode #75 Transcript

Garrett O'Hara: Welcome to The Get Cyber Resilient Podcast. I'm Garrett O'Hara, but today, that doesn't matter, as we have a very different type of episode. Instead of me, you'll have Wade Islan, who is a Senior Analyst at the Economist. He's interviewing Ciaran Martin, Professor of Practice in the Management of Public Organisations at Oxford University. Many will know Professor Martin as the Founding Chief Executive of the U.K. National Cyber Security Centre, part of the Government Communications Headquarters, or GCHQ.

The conversation focuses on ransomware, with Professor Martin providing perspective on what board members should know, steps organisations can take to protect themselves, the value of human versus technical controls and processes, resource considerations for best outcomes, the nuances in the ransomware experience in different countries, the politics and global collaboration needed to fight the problem, including whether or not to pay, cyber insurance, and finally, what is the future? Over to the conversation.

Wade Islan: So as an opening question, what is ransomware and why is it on the rise?

Ciaran Martin: Ransomware is extortion done by computer hacking, simplest way of looking at it. You mentioned the two ways of doing it. The first is what you might call, a bit flippantly, classic ransomware, and that's locking you out of your network, so you can't use it. It's sort of involuntary encryption of the network, so you just wake up one morning and the whole organisation's network doesn't work and there is a demand note, often written in slightly broken Google Translate English, emailed to your IT service desk saying, "Pay us some ransom in cryptocurrency or you'll never get back into your network."

The problem with that from the criminals' point of view is that, if you have some form of usable backup that's in some way retrievable, then you can't be held to ransom for access to the system, because you can get into it some other way. You know, if I stole your pen, I couldn't hold you to ransom to give your pen back if you've got another perfectly good one that you can just grab from a shelf.

So over time, as defences have got a bit better, ransomware has evolved a bit, so that it involves an element of threatening to publish sensitive data, to leak sensitive data or sell it. So let's say, if you were a supermarket, they might take your online customer details and sell them on the dark web, or threaten to sell them on the dark web, unless you paid.

If you had some sensitive IP or gossip or something that you didn't want published, they might do that to you. So often these days, as well as threatening to keep you locked out of the network, 'cause that does matter (backups are difficult and painful and costly, and some people still don't have them), there's almost a double threat to leak sensitive data. So often, alongside the ransom note, they might send you some data to prove that they've got it and to threaten to leak it.

Why is it on the rise? Because it works really well for the criminals. There's a whole bunch of reasons why that is, but it's very lucrative. I mean, you mentioned $350 million paid in proven ransoms in 2020. I suspect the real figure is far, far higher, but you don't have to disclose. In 2021, research has shown that one criminal group, a Russian group known as DarkSide, collected at least $19 million in nine months, in 2020-2021. And that's just one group. Uh, so it's very lucrative. It can be done from countries where the law isn't particularly well enforced, defences are still weak, and the money can flow quite easily. So for all of those reasons, if you're a cyber criminal, it's kind of easier to make money doing ransomware than it is trying to sort of steal a dataset and figure out what to do with it once you've stolen it.

Wade Islan: So, Professor Martin, what would you say that all business leaders, for instance board members, should know about ransomware?

Ciaran Martin: I think the first thing that every business leader needs to understand is that the criminals are pretty undiscerning about who they select. I mean, these guys have targeted hospitals and healthcare systems. Some people say they don't target them, but they just hit them because, you know, there's no sort of "H" sign on the internet to say "I'm a hospital," uh, but when they find out it's a hospital, sometimes they back away, and sometimes they don't. Um, but if a bunch of criminals are prepared to attack, say, a national healthcare system, as they did in Ireland, or a vaccine registration service, as they did in Italy, then they're not going to have too many qualms about coming for any particular company if they've got money, so, that's the first thing. It is, you know... most normal businesses will face no threat from the Russian state. Very few will face much of a threat from the Iranians or whatever. But you will face a threat from ransomware criminals.

The second thing is that an awful lot of this is about resilience and recovery. So, if you take that sort of classical ransomware, do you have backups? Do you know how to activate them? Do you have sort of non-cyber business continuity plans that can help you keep going in the event of a major disruption?

And then, I think the third and fourth thing. The third is sort of preventative, moreover your basic defences. Most ransomware criminals aren't that sophisticated, sometimes they are, but often they're exploiting basic vulnerabilities. You know, the system administrator isn't properly protected, Two-Factor Authentication is involved, Windows whatever isn't patched, etc., etc. So, you know, how has your organisation made it harder for ransomware criminals to get in?

And then the fourth point is about incident recovery, incident response. You know, do you know how you'd cope? Who's going to talk to the press? Who's going to send the letter to customers? Who's going to talk to the Government, if you're an unregulated sector, and so on? And, are you going to pay? What's your plan? Etc., etc. Have you thought it through? So those are the four things I think the business leader should think about.

Wade Islan: So, in light of the four things you just laid out, what would you say that the best steps an organisation can take to protect themselves are?

Ciaran Martin: Well, I would... Basically, there are a bunch of preventative things that can be put in place, and then there's a bunch of planning. So the preventative things are a good patching policy, multi-factor authentication, and so on, that's sort of reducing the risk of things happening. Anomaly detection has a slightly more complicated [inaudible 00:06:22]. But, basically, do you have... Um, as well as the sort of, you know, firewalls, where, you know, for penetration testing and so on. Uh, do you have a capability that can detect anomalous activity on your network? In other words, if somebody is there who shouldn't be there, does something flash up and go "beep"?

So there's a whole bunch of sort of technical preventions that you can do. But then there's the planning. So, do you have backups? How closely connected are they to the network that might be taken offline? How easy are they to recover? And so forth. That sort of thing is really important. And test your assumptions.

You know, if you think back, you mentioned in your introduction the Colonial Pipeline hack. The reason it became so famous was, you know, there were countless other ransomware hacks and attacks on big American and other Western countries, and big American businesses, over the last few years. And you've never heard of most of the attacks. The reason we all heard about Colonial Pipeline was because of the attack on their ordinary enterprise network; they felt they had no choice but to shut down the pipeline.

Now, most organisations with a bit of critical plant have assurances that the controls of the plant aren't dependent on the ordinary IT network. Well, in Colonial's case, that turned out not to be true. And no doubt, they accepted assurances in good faith that the pipeline's controls were sufficiently segregated from the main network that it would be okay if there was a major cyber attack.

So organisations should test their assumptions, and test them again. You know, are you really, really sure, if you are an energy company, if you are a hospital? You know, we had the shops in Sweden having to give away fresh food for free, 'cause they couldn't sell it, because their chip and PIN machines didn't work. People should just think through their dependencies and plan for the worst.

Wade Islan: How much of this comes down to the human factor versus technical tools? You listed both processes, as well as a number of technical solutions. Some were simple and some perhaps more involved. But how should an organisation think about striking the balance between the two aspects and what is the role of the human factor in all of this?

Ciaran Martin: Well, the human factor's important, but I'll play the contrarian here and stress the technical, but the technical, of course, has to be planned by human beings who know what they're doing. But at the end of the day, very few organisations are primarily cybersecurity organisations. Colonial Pipeline is an energy company that runs oil through the U.S. The Health Service Executive in Ireland is a healthcare commissioner.

You don't want to try to pretend that these organisations need to become primarily cybersecurity organisations, or become, you know, expert cybersecurity organisations. That's not their purpose. So, the reason I say that is that you want, in a sense, a sufficiently good set of technical defences, so that you don't have individuals whose job is something else, whether it's keeping a pipeline running, commissioning health care, providing health care, whatever, having to make 10 cyber security decisions a day. So you want to have good blocking mechanisms so that very few fake emails make their way to these people's inboxes, so they don't have to spend an hour a day wondering, "Well, should I open that email? Or should I send this to IT for scanning or whatever?"

You know, take away as many of the decisions from people as often as you can. How do you do that? You do that by good technical defences. But then, of course, there is a human dimension to it, and it's often exploited. So, you know, to give you an example, more sophisticated attackers will scour things like LinkedIn, and then they'll try and find the system administrator of a network that they're interested in and they'll try and maybe... 'Cause the system administrator owns the keys to the kingdom for networks.

You've seen this time and again, where someone has maybe cultivated the system administrator or looked at his or her social media accounts, and, you know, guessed that their password might be the same as the name of the pet they've put pictures of on Twitter, etc., etc. So you need to educate people about their own vulnerabilities. But you need to make it easy for them, so for example, last year, Oxford University introduced Two-Factor Authentication.

I happen to think they did it quite well, but for a lot of people, it was quite a disruptive thing. "What's this? Why am I getting a text message on my phone before I log into the network?" For older academics, it was a bit, "Oh, you know, remote access is my lifeline to work. What's this change?" But we need to make it as easy as possible for people to follow the rules, otherwise they do things wrongly. And then you need a supportive and nurturing cyber security environment, where you make it easy for people to do the right thing.

Wade Islan: And would you say that there are resources that most organisations already have that could be better utilised, rather than areas where new investments may be needed? Thinking more about technical solutions in this case, but it may also be in human expertise or in their people.

Ciaran Martin: Security does get better as new versions and updates and more modern technology get rolled out, because we're more conscious of it, we spend more money on research, we integrate it more, we think about it more when new products and services are rolled out. So, there is something about keeping your estate up to date. So during the pandemic, for example, when I was in government in the U.K. at the start of the pandemic, when all the organisations started really quickly working from home in an unexpected and unplanned way, you know, one piece of our advice in the British government was, if possible, if you're giving people new IT to work remotely, make sure it's quite up to date. Maybe we contributed to the run on laptops, and that sort of thing. But, if you're fishing stuff out of the closet that you were about to dispose of as waste because now you need stuff for your employees to work remotely from, then that's likely to be quite insecure; try and invest a little bit in, you know, more modern stuff.

So I think there is stuff about maintaining what you have. I think then, do you need new investment in defences? You need an honest board discussion. It'll vary from organisation to organisation. What risks are you running? Who's likely to be after you? Because, you know, if you've got some really sensitive IP, you might have all sorts of people, including the elite hackers of the Chinese 3PLA, after you, but if you're just selling fast-moving consumer goods, then you'll probably be more interested in cyber criminals.

If you're doing a lot of business in energy in Russia, you've got a whole different set of problems. So, you know, work out what your risk is, work out what defences you've got against them. And then, work out what you need. The one thing I would say is, don't buy stuff that you don't understand. Genuinely ask vendors, "What harm do I face and what will this product or service do to reduce the likelihood of that harm happening or mitigate its impact?" Basic questions that you'd ask about anything else. Just because it's cyber security, don't say, "Ooh, this looks shiny. Let's have it."

Wade Islan: So far in our discussion, we've focused quite heavily on North America and Europe. I mean, understandably so, because of where the focus of the majority of the attacks is. How would you suggest that business leaders from other parts of the world should be thinking about the issue of ransomware? Are there any differences, I guess would be the question? There may not be.

Ciaran Martin: Well, I've looked a little bit at Japan, which is quite interesting, 'cause I'd assumed that Japan would have a language advantage, in that, in a lot of countries, English is the second language, and therefore, you know, a lot of the cyber criminals will be, at least in some way, proficient in English. And therefore, English-speaking economies, or those that do a lot of business in English, like in Western Europe, will be targeted. But Japan has suffered its fair share of ransomware as well. So, you know, any country that's on the wealthy side of our world's sort of sad unequal divide, I think, has got the sort of issues that we've been talking about.

So far, in sort of less rich countries, I think I haven't seen it. I may be wrong, but I haven't seen it spiral in the same way. And if you take Latin America, for example, a lot of countries there have been very early adopters of mass digital commerce. But it's been done sometimes in quite an insecure way. So, sort of, you know, personal data and security's one of the biggest issues around there, and identity fraud, and, you know, large-scale financial fraud, and that sort of thing. And, having said all that, it goes back to the point that defences against those sorts of risks are pretty common to good defences against ransomware. So, I think it's largely the same advice.

Wade Islan: So I recognize that a lot of the solutions you've just offered, or suggestions for organisations you've just offered, go beyond ransomware. So turning back to ransomware for a moment, what do you feel is not getting enough attention?

Ciaran Martin: Well, firstly, good cyber security, the type we've just been talking about, is the best defence against ransomware. I mean, ransomware is just a cyber attack, followed by extortion. That's why defences against [laughing] ransomware are pretty similar to defences against other forms of cyber harm.

What's missing, I think, in ransomware? Well, political attention was missing, but, you know, there have been so many, sort of, high-profile disruptive attacks. I think that's been the difference. It's actually started to mess with people's everyday lives, in ways that are quite horrible and unpleasant. So, political attention is no longer lacking.

The G7 summit in the UK earlier this year had President Biden, Prime Minister Johnson, and President Macron, and all the others, sign up to a commitment on dealing with ransomware. And I think one aspect of it that was receiving relatively light attention was the sort of Russia safe haven problem. But President Biden [inaudible 00:15:19] to President Putin that he takes that very seriously.

So I think the one thing that now needs a lot of attention is the money. And the reason why ransomware is exploding is because it's very easy to move large amounts of money around. And it's a hard problem, but, now if I can express one tiny bit of frustration with developments since the G7, if you, say, compare with, um... You know, we're coming up to the 20th anniversary of 9/11 and everyone is reflecting on that, and after 9/11, one of the things that I remember was that Western states became worried that the easy flow of illicit finance was one of the reasons why international terrorism was flourishing. And so, the Financial Action Task Force set out 40 really quite detailed and hard-hitting recommendations that were quickly adopted by the Western financial sector. That made it very, very hard to move illicit money around if you were connected to a terrorist group. And so, a group of experts went after the money.

Now, in the G7 communiqué on ransomware, there were similar sentiments. We need to look seriously at stopping the flows of money, but where is the follow-up? Now, that could be the question of banning or restricting payments by companies, and people are divided on that. I have my own view. But I can see it as a slam dunk. I think it's a very difficult issue. But the American Administration is very interested in transparency requirements on cryptocurrencies, 'cause most ransomware payments these days, although not at the start, when they were in dollars, are now in cryptocurrency. And most are paid in cryptocurrency.

The Biden Administration is very interested in exploring that route to restrict the flow of money. But again, that would require global coordination, and I don't really see where that's happening at the moment. Maybe all will be revealed a bit later. But I think we need a bit more urgency, because the thing that distinguishes ransomware, I think, from all other forms of cyber crime is just how lucrative it is. And it's lucrative because you can move cryptocurrency around very, very easily, and that's what's probably missing. Um, I'm not an expert in it, and it's not really a cyber security issue, it's a financial crime issue. You know, how do you stop this? But I think we need the world's best minds working on this to try to get after that aspect of the problem.

Ransomware attackers have no political agenda. All they want is money. That is 100% of their motivation. So if you find ways of restricting the flow of money, whatever they may be, you find ways of reducing the problem.

Wade Islan: So you mentioned that there is growing consensus, even political consensus now, around combating ransomware, and government agreements in this area. But where might you push back against received wisdom or current expert consensus around the issue of ransomware?

Ciaran Martin: Well, there's no consensus on the banning of payments issue, and I'm not sure where the balance of the debate lies. I mean, I think governments think it's too hard and that it'll have too many unintended consequences, and they may well be right. I just think it is worth doing the work to look in detail as to whether or not it would work. I mean, the UK has for a long time refused to allow the payment of ransoms to terrorist groups, even in extraordinarily difficult situations with threat to life and indeed murders. So, too, have the Canadians; other countries have sort of quietly taken a different approach and facilitated payment. So I think that we should have a really, really rigorous, robust look at that.

Where I'd push back against the sort of consensus, though, is that I think, by accident, 'cause I assume good will, and I believe that most people in the debates in the U.S., in the UK, and Europe, and so forth, are acting in good faith... But there's this thing where we're almost promoting, by accident, this sort of pro-criminal narrative that ransomware attacks are always existential. In other words, you're gonna go out of business and people may die if you don't pay. So let's think about this. First of all, threat to life in ransomware is not unknown, but it's pretty rare. It's horrible when it happens, but it's pretty rare. And let's not base policy for everything on those very rare cases.

I mean, there's this myth that ransomware is always existential, and if you pay, there's a sort of "flick back on and everything's okay" switch. A, that's not true. I mean, look at Colonial Pipeline, they paid and they're still recovering. Ransomware batters the computer network, so it takes time to recover. So paying doesn't automatically make everything right, and actually just recovering can also be the best option. So I think we should push back on this narrative a bit, because, you know, it doesn't help if you portray something as [inaudible 00:19:45], when actually, it's quite nuanced.

Wade Islan: So if your organisation were targeted by ransomware, do you think that you would pay? And, to perhaps phrase that a little more fairly, you know, how should a firm think through that decision?

Ciaran Martin: So I think, you know, [inaudible 00:20:04] wrote an article with someone, and they [inaudible 00:20:06] we learned in the U.S. from the Brookings Institution, and if you do a ban on a phone, there are real problems with that, because there will be cases where, you know, there are existential risks. Not all of them, but some of them. And so, I think, you know, we are gonna have to. I mean, it's a national security risk, President Biden has said that, and the British Government has indicated that ransomware is a national security risk. So, in such cases, we're not doing enough to provide, you know, state support to victims of serious crime, so I think we need to think that through. But we are where we are.

So at the moment, the honest question is, if my organisation or an organisation I was running is hit by ransomware? Well, it depends on the starting point. You know, are we well backed up? And if you are, then I think there's a really strong incentive not to consider paying. And nobody wants to pay, you know, I don't think anybody sort of pays happily. I wouldn't think that for a second. But I think, you know, sometimes the incentives are just too easy to pay, so I would exhaust every possible option. And you asked me to go back to the point about received wisdom that I wanna push back on.

There's this specific thing about the extortion risk on leaking of data. Give me an example of where an organisation has refused to pay and has been humiliated or devastated by the leaking of very sensitive information. Actually, there's not many. And there's just not enough dispassionate, factual analysis of the problem. And that's why, when these attacks happen, these poor chief executives and heads of organisations are left paralysed, subjectively don't understand, being told that it's all existential and, you know, the company's going to go bust. And even if it's not going to go bust, all the sensitive information is going to be dumped on the open internet tomorrow if they don't pay X million dollars in cryptocurrency.

It's a lot more complicated than that. We have to find ways of giving people balanced information, because if we do give people balanced information, I bet more people will follow the path of the Harris Federation of schools, and just say, "You know what? This is a real pain. It's humiliating, it's costly, it's devastating, but we don't make it any less of those things by paying some criminals."

Wade Islan: Thank you. Could you explain for our listeners what cyber insurance is and what the role of cyber insurance is in the ransomware story?

Ciaran Martin: Cyber insurance is basically a product that will require the insurer to pay out in the event of harm caused by a cyber attack. So, it's a good thing and it should... I mean, insurance is a good thing. That's why we have it, and if it didn't exist, we'd invent it. It tends to, and helps, security. I mean, that's why physical security has been enormously helped by insurance demands for locked doors, locked cars, cars parked securely, that sort of thing. But cyber insurance, I think, has struggled to have that broader impact for the public good that insurance normally does, and why is that? There are PhDs being written on this as we speak, and no doubt the companies, keen to make a profit, and rightly so, are looking at it very closely.

So one is, it's quite hard to measure harm. Ransomware is actually one of the few areas of cyber security where it's quite easy to measure harm. How much did you pay in the ransom, how much did it cost you to recover, and, you know, can you estimate how much business you lost? Now let's go back to the famous U.S. attack when Target's customer database was stolen; 46 million people and some credit cards. But not enough information on the credit cards to use them. Well, what's the harm there? You have to write out letters to Target customers. That's a lot of postage stamps.

Now, there's no direct financial harm to the company. Do people switch to other shops? Maybe. But, again, you don't quite know how. Um, what's the damage to the whole economy? Well, it depends what happens. Did somebody buy them on the dark web? What did they do with them? Essentially, it's quite hard to measure. A [inaudible 00:23:52] once talked to a British regulator, saying, "You know, when I'm levying penalties for cyber negligence, what harm am I punishing? What..." you know? So that's one of the reasons why insurers have found it difficult.

Another is liability. So there's a case going on in the Swiss courts at the minute, where an insurer has refused to pay out on the grounds that the hackers were nation state, and therefore it was akin to an act of war. Uh, the victim's point is, well, hang on. I mean, an awful lot of cyber attacks are from nation states and they're way short of an act of war, because we never invoke Article 5 of the NATO Treaty, for example, so how on earth could they be treated as acts of war? So how do you apportion liability when, say, a nation state exploits very weak cyber security?

You know, if a nation state does a sort of top-class, highly sophisticated job, then an organisation can say, "Well, how on earth were we supposed to defend against that?" But if it's actually exploiting the fact that they haven't patched their network, well, you know, what does that mean? So it's hard to do harm and it's hard to do liability. So, I think those are two of the reasons why cyber insurance has sort of struggled. But I would hope in the long term that that's starting to get better. We certainly need it to.

Wade Islan: Looking towards the future, where do you think we're headed when it comes to ransomware? So what will the next year to 18 months for ransomware look like, or what about even 5 to 10 years from now?

Ciaran Martin: I'm horrible at predictions, Wade, but you've asked me, so I'll give it a go. Um, so ransomware will go down one of two paths. One path is sort of the "it gets worse before it gets better" path. And that's where, you know, increasingly socially disruptive hacks happen more and more, to hospitals in particular. And actually somebody gets hurt, or even worse, because of, say, the collapse of healthcare provision in particular, and so on. And then you have that sort of concerted effort, you know, real urgency, cracking down on flows of money. You know, it becomes just too embarrassing for Russia to host some of these criminal gangs and they start to put pressure on them, and we squeeze the problem.

I think there's a decent chance of that, but sadly, it is predicated on having a period where it does get worse before we decide enough is enough. There's an alternative path, which is actually that it remains at a high base with more careful hackers. I mean, there's some anecdotal evidence of discontent within the ransomware racketeer ranks, because, you know, they were having a perfectly good time quietly extorting wealthy Western chief executives without anybody noticing. But then, when some people got a bit reckless and started taking out pipelines and healthcare systems, the world started to notice, and they started to feel a bit uncomfortable. So, if they knocked it on the head a bit and went back to their quiet and lucrative business model, maybe the world's political attention, given everything else that's going on, would go away, and we will have a significant problem. So those are the sort of two alternative visions for the next two years.

In the next 10 years, I'd be optimistic. I'd be optimistic for a bunch of reasons, but the main one is, I take the view... And I hope I'm right... But I take the view that, you know, in a decade or a few decades, we will be talking about the right to safe software and the right to safe hardware, just like we talk about the right to safe travel, safe drinking water, and so forth. You know, we won't allow shoddy practices, we won't allow bad products and services on the market anymore, because digital is just too important. So I think standards of cyber security... you know, if you look at the U.S. administration's, you know, $10 billion plan and its detailed executive order. You look at the money Britain and the European Union have been putting in on this continent. You know, I think we will get better at securing cyber space. And that won't mean that everything's rosy.

Ransomware is so egregious and it's such an avoidable harm because cyber attacks won't go away, cyber risk won't go away, cyber vulnerabilities won't go away. But ransomware is making ridiculous amounts of money from very weak defences, and that gap should be easier to close than some of our other vulnerabilities.

Wade Islan: So you've just, I think, painted a pretty optimistic scenario of the future.

Ciaran Martin: It's long-term.

Wade Islan: Yeah, the long-term future. Do you think that there is a more pessimistic version of that long-term future, and if so, what might that look like?

Ciaran Martin: So one of the biggest risks at the moment, is the fact that malevolent people can now buy fairly serious capabilities. And most of the ransomware activity isn't terribly sophisticated, but these people have an awful lot of money now. I mean, like I said, one group got $19 million in nine months. I don't know what its end-cut costs are, but they're not very much. You know, a bunch of hackers, bunch of computers, it's Canada, bunch of middle men. But, you know, certainly I imagine they are making extremely tiny profit on $19 million. Well, you know, what can happen with that sort of thing, given the amount of stuff for sale. That would be a worry. And that sort of weaponization of cyber space, I suppose we've got to work through. But I would still tend to the more optimistic way.

Wade Islan: No way, that's- that's great to hear. And, obviously, I'm- I'm hopeful that that's how things will turn out. So we're ending each episode by asking our guests to give their 30 second elevator pitch for business leaders around each episode's theme. What would your proposal be to business leaders for protecting their organisations from ransomware? I know you've already, you know, run through this at length, but if you had, again, trapped in an elevator, you had 30 seconds to make your best argument, what might it be?

Ciaran Martin: Three things. Number one, check if you've got backups and that your team know how to get them and deploy them. Number two, check your basic defences and business continuity plan. Is it up to scratch? Basic questions about patching, two-factor authentication, the incident response plan, stuff like that. Third thing, if it does happen to you, don't panic and don't believe the hype, and get some good advice. And don't pay.

Wade Islan: Thank you so much for joining us today, Professor Martin.

Ciaran Martin: That was great, thank you, Wade. Thanks for having me.

Garrett O'Hara: Thanks to Professor Martin and Wade Islan for today's episode. As always, thank you for listening to The Get Cyber Resilient Podcast. Jump into our back catalog of episodes, and like, subscribe, and leave us a review. For now, stay safe, and I look forward to catching you on the next episode.
