Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
In the news this fortnight we discuss how Australia, along with a host of other countries, named China as the perpetrator of the Microsoft attack. We review how Australian organisations have been quietly paying millions in cyber ransoms. We explore how board members may soon be liable for cyber-attacks. And we deep dive into two high profile attacks - the zero-click Pegasus spyware sold to authoritarian governments, and the supply chain ransomware attacks against Kaseya.
The Get Cyber Resilient Show Episode #64 Transcript
Daniel McDermott: Welcome back to the Get Cyber Resilient show. Today is our first in the news episode for season four and our 64th episode Overall, my name is Dan McDermott and I'll be your host for today. One of our resident cyber security experts, Garrett O'Hara, Unfortunately, won't be joining us today. Gar is feeling unwell.
We've been told it's not COVID. which is good news. I think it's just being run-down from working too hard. So, we wish Gar a speedy recovery and look forward to hearing his dulcet tones again. Next week today, my copilot and expert is Bradley Sing, and we will be exploring the hot topics of how Australia along with other countries, have come out and named China as the perpetrator of the Microsoft attack.
We'll review how Australian organisations have been quietly paying millions in ransom from the tsunami of cyber crimes. We'll explore the focus on boards becoming liable for cyber. attacks, And finish with a deep dive into two of the highest profile attacks. Recently, the Pegasus spyware sold to authoritarian governments to track a- activist activities and the supply chain ransomware attack against Kaseya, impacting their managed service providers and end user clients.
Brad, welcome back to the show as always, a lot has happened in the last month, since we spoke, including being back in lockdown, which is not so good, but let's kick things off today by reviewing how Australia and other nations have come out and explicitly named China as the instigator of the Microsoft attack.
What can you tell us? I guess, About this. And the r- some of the reasons why, you know someone like Australia who'd been pretty conservative over the years of not actually naming nation states uh, and attributing blame often have now actually taken this, this, I guess, proactive. step?
Bradley Sing: Yeah, no, certainly Dan and look, attribution is something we've talked about before.
But look before that. Thanks again for having me on the show and thanks to our listeners for joining us again in season four. Um, Firstly, I found it a little bit hard to I've had no outlet for the news. Like so much stuff has been happening. So it's really awesome to be able to share this. with everyone. Um, in terms of attribution and- and kind of what we've heard very recently from the home affairs minister in terms of the Microsoft exchange hack at the start of the year, Hafnium, if anyone remembers that [Laughs] we're going through so many different names, but they are making Wikipedia entries, [laughs] so there's a lot of history being created as well.
which is Probably not the greatest thing, [laughs] but hey, we're learning at least at the same time. Um, effectively what happened is Australia and it's allies have come out six months, post this incident publicly attributing China to the attack, or at least Chinese-based groups. Um, it's kind of interesting. If you look around the world, like the EU haven't gone as far to directly.
call it A nation state attack, but they're saying that you know, it's potentially some elements coming from China. It's kind of a new world we live in, right? Like it's the, instead of the individual person hacking you or you know, maybe somebody just going after a monetary gain. Maybe there's a political ambition behind it.
Um, I also read a report this morning, and again, it's kind of hard to verify that a whole range of universities in China, have just been targeted by American-based hackers. So. it's going both ways by the look of it.
Daniel McDermott: Yeah. There's no doubting, it feels like it is an escalation of the notion of cyber war.
Right. In that it is actually, you know, getting to that sort of level and and becoming part of the narrative as to, you know, what is actually happening between countries and what will that mean? Um, we see a lot of commentary, you know, like in the news now about what will be the ramification of this. Right. And I think that's going to be really interesting to- to see this play out.
Um, as you say, we sort of see, you know, it's... sort of some attacks going back the other way, what will China's response be to being named and being called out explicitly? Um, what will that mean from here? And it feels like it will just be an escalation in many ways. And I think many commentators have also said, so what.
was- What was the point of doing this? Like, you know, like all you're doing is this sort of poking the bear a bit. Right. Um, you know, and sort of China's been slapped with a wet lettuce leaf a little bit in terms of like, you know, being named but boo-hoo, what, what from here? So definitely I think a watching brief on this one and you know, it is it's concerning though, right?
Because it feels as. though It is, it could escalate and could result in something else. And we don't want, you know, bigger attacks and greater, you know, unforeseen sort of societal impacts if you like flowing on from a cyber attack, as we saw at, like colonial pipeline or, you know, the healthcare provider in- in Germany last year.
And those, those societal impacts that actually that ripple out from, from these cyber attacks in the first place.
Bradley Sing: That- That's a great example though, like, what is the repercussion? Because like uh, we- we all pay attention to the news. Like it's a very geopolitical tense world at the moment. Uh, I think I was reading the other day that uh, England is um, going to uh, sail their HE HMS England. Sorry, messing it up. What is it called? Their key flagship aircraft carrier task force group. Right? So, aircraft carrier and its escort. They're gonna sail that kind of uh, I guess, near China, right. For the first time in a long time. That's about all you can do, right? Like, aside from that, you can do a lot of gray warfare or asymmetrical warfare as they call it.
Um, what is the response? I guess the other side just starts doing it as well. [laughs] Like where does it end? Do you start doing things like sanctions? I think we're seeing evidence of that. But does it also become something that governments can't control? Like I think to a degree right now, it's, it's working in their favor, but these hackers at the end of the day, like they're trying to get money They're r- trying to get revenue. They're trying to survive. If their government tells them not to do something, they still need to make money. Like [laughs] it's not like that ecosystem's dismantled unless there's really good legislation. And that's back to some of the points we've talked about before. And I think we're seeing in the media right now.
Like it's all around the idea of the only way to. Destabilize, this is to destroy the ecosystem behind it. Right?
Daniel McDermott: Yeah. And as you say I mean, that is, you know, getting to the point of being able to, you know, w- what is it? Know- know your customer or KYC in terms of like ransomware payment or Bitcoin payments, AKA ransomware payments.
[laughs] Right. Um, and- and therefore not being. able to, Sort of make those anonymous and actually, you know, be able to track who is involved in that. And know the chain of that of that flow of that money you know, at the moment it- if you can't track that, that creates this environment where it does become, you know, easy, f- easy for them to actually claim the funds and actually get the money coming flowing through.
So there are so many angles that need to be looked at to, to look at stopping this. Um, and you know, I think. we can Say that we're- we're sort of at the pointy end of it, right at the moment it feels, and certainly Australia have been, you know, their government have announced their ransomware Task Force, which is, you know, a good step forward.
But again, like, you know, is that going to be active and proactive enough to, to be able to make some of these changes And Australia alone, can't do it either, right? It is um, a problem on a global scale. So a lot to play out and a l- and a lot to see here. Moving to the next story that that we've looked at, which is, we know that ransomware has been a- a- a plague for a- a long time now.
Um, and it just keeps growing and growing, but we're actually starting to now see reports around the fact that Australian organisations are actually having to pay out millions and millions of. Dollars To these hackers as part of this, this this pandemic of of cyber that is going on what can you tell us about, you know, Australians paying ransomware?
Bradley Sing: Yeah. Like in, so this data came out uh, quite recently in in terms of report from the ACSC. Um, we can share the details about it kind of in the show notes, but there's a couple of, I guess, key kind of things. So one third of Australian organisations hit by ransomware attacks, paid the ransom. So that's one third.
which... [laughs] That seems like a large amount, right? Like I'm just thinking out loud here, like that that's a lot. So that's a significant amount. Um, these payments were encouraged which encouraged further attacks are typically kept secret. And this comes back down to, I think the disclosure rules around a ransom and I believe and I c- I could be wrong.
I don't think you actually have to disclose a ransom. You have to notify the, or you're meant to notify the [laughs] the- the OAIC if you uh, have had a data breach, but I don't know if ransomware technically falls into that, category?
Daniel McDermott: No, you don't,
Bradley Sing: Right, and then I also... yeah.
Daniel McDermott: Like- like, there is no mandatory disclosure of, of ransom a- as such. And that's one of the, the elements that the government's obviously looking at is this, you know, shining a light on it.
Right. And which you're doing here with this report. as well.
Bradley Sing: And I always thought... I've just, always thought about the uh, mandatory data breach laws, because I know they came in. I remember when they came in we, like, there's a big song and noise about them and everyone was talking [laughs] about them nonstop for uh, every, every month it seemed. But what, if, like, how mandatory is it? Like, I just wonder, like how many, of, like what, what breaches are actually going unreported, and what is the gray area here? An- And then there's also that, that link back to I think, National security to a degree where like, we're not always, it seems like some breaches aren't being disclosed straight away.
because, It's like, we want to get more information out it or again, yeah. There could be some of Intel intelligence gathering there as well. So it's crazy though. Like I thought these statistics were just absolutely ridiculous, but I think it correlates, and proves everything we're seeing in terms of why a- again, the ecosystem of ransomware exists and why it's becoming a bigger problem.
Like we're got the data right there. uh, one third of Australian organisations uh, paid the ransom.
Daniel McDermott: Yeah. and- And the research from the ACSC, and even in Mimecast our own research over the last 12 months, which we we see that up to 64% of organisations surveyed admitted that they have you know, been the subject of a ransomware.
attack. I mean, that's enormous, right? It- It's nearly two thirds of all organisations. Um, so the breadth of the problem is, is growing. There's no doubting that. Um, and then, like you say, like you know, a number of people are paying that ransom. We also saw that only about half who paid the ransom actually got their files back.
Bradley Sing: Wow, really
Daniel McDermott: there's uh, you know, just because. you pay doesn't mean that you know, I mean, they they are cyber criminals at the end of the day that they're going to uphold their end of the bargain in that you know they got their money and, and then they didn't actually uphold their end of the bargain or provide the keys or return the data either.
So, and there's no doubting that there is a link between data breach and ransomware because often, you know, files will be exfiltrated and there will be a breach of data As part of the ransom right And then-
Bradley Sing: Oh, you can get more money, right? Like if you... one thing is the aspect of the business, unable to to keep running.
But if you then have data, which you can
Daniel McDermott: Mm-hmm [affirmative].
Bradley Sing: ...blackmail source information, it's just so much more powerful. Um, I was thinking about the idea and and you know, We talk about legislating, the idea of potentially not paying the ransom, but. It's kind of a great idea, but you know, if it gets to the point where it's illegal to pay the ransom, but a company wouldn't be prosecuted, if it was lifesaving for them to pay the ransom.
let's say they delivered an essential service, right. Would hackers then start targeting those types of companies like hospitals, health care more because they- they actually then also can, can pay the ransom. So you've got to be really careful in terms of how you legislate this and- and kind of. I guess Set the rules.
And then back to your point, there's only a 50% chance you're going to get the data back anyway. So maybe the legislation should be more around resilience, like, you know, having backups,
Daniel McDermott: Mm-hmm [affirmative].
Bradley Sing: ...having copies, because we know it's going to happen. So I g- I guess, legislating back ups is probably a hard thing to do, [
Daniel McDermott: Laughs].
Bradley Sing: but something about data integrity, right.
Or the integrity. of service.
Daniel McDermott: Yeah. It's not an easy one to solve, but it certainly is. Uh, like you say, you don't want those unintended consequences of saying. "Well, It's illegal to pay it except if you're in these industries. So guess where all focus goes right? straight to those industries that that then become even more vulnerable, which is obviously not the idea.
So it's a tough one, but it's uh, one that is also being looked at, you know, being addressed, I guess, through the notion of how do we make boards more accountable as well. Um, and look at, you know, what is the role. of sort of Company directors and their liability as part of sort of these cyber breaches as well. Um, what's going on in this space and is is this something that, you know, we think will h- make a meaningful impact on you know, on, I guess, accountability and therefore, hopefully I guess is the idea is, is that if boards are more aware and more.
accountable That they're actually able to provide, and release the funding for, you know, our it and security teams to actually take those proactive steps and put the right measures in place to to, to become more resilient.
Bradley Sing: Yeah, certainly. So I think this originally came about the idea of making boards more accountable in the 2020 cyber security white paper.
And I think it was more of just like a recommendation back then, but quite recently, it's hit the media a lot I think it's been debated or at least brought up within parliament a couple of times. Um, I think it's absolutely fantastic. an- And I think already to a degree under the notifiable da- data breach laws, like I I thought a company director could already be potentially liable, but I guess this makes the actual board more accountable.
It makes a lot of sense in terms of what I hear from you know, our customers or, or just, you know, IT teams and and people in it security where they've still got that challenge of trying to get budget for cyber security, like, and they need to go to the board for that. So if the board are accountable and they, they start to understand the, I guess the risks associated with it, then I think it's absolutely fantastic. Um, I think the reality is that it only starts at the top and unless there's any. type of Risk identified by the board, then why would a company really bother to, You know, with with the effort of corporate governance, there's so many other areas they need to focus on.
It kind of reminds me. And and I've we've heard this analogy before, but how organisations really took on uh, H&S-
Daniel McDermott: Mm-hmm [affirmative].
Bradley Sing: ...and that's now like a company-wide... you know, every- everyone's accountable you have like a, a H&S warden, like you have a fire warden on each odd floor, right? Like why don't we have a cyber security warden on each floor who can help identify a phishing attack or just acts as an SME?
I- I'm not too sure, but maybe in- in the future, we'll- we'll kind of have that degree, but no, I think, I think it's great. And I- I'd love to see this brought into legislation. or brought into law.
Daniel McDermott: Yeah. and I think the notion of like an H&S and workplace health and safety, you know, is a great, Sort of parallel. Right. And looking at that in terms of, a- a- an example of, as you say, that it moves out of, you know, a a department responsibility to a corporate
Bradley Sing: Yeah, exactly
Daniel McDermott: wide responsibility which then becomes much more aware for that everybody plays a role.
And what does that mean? Um, and I think that that's part of then, the whole notion of, you know, cyber security awareness training as well. Right. We, we talk about the fact of making users aware. but It's also like making them feel comfortable and be able to call things out. If they see, you know, the wrong things, how do they actually have a mechanism to to raise a hand actually call things out and then be able to get support for actually what, you know, what measures would need to be taken to rectify that as well.
Um, when you have, you know, all eyes on something, you know, you're gonna see a lot more, you're gonna, you know, and you're gonna notice What is happening and then there'll be, a, you know hopefully better responses and more transparency of what's actually happening as well from, you know, a company's response to this as well.
So it feels as though it can only be a good thing, right. of actually increasing that accountability making, you know, it a company-wide responsibility, And having more people involved in that process It definitely feels like a good thing. Um, and you know, and if there's ways of, you know, driving that accountability and ensuring that that happens and getting then the right response to it you know, hopefully we're on the- on the right path and again, help each organization sort of get better and, and protect themselves, which we know, you know, protects the- the supply chain and it protects the community as well.
Um, in terms of. that.
Bradley Sing: I do think just, I mean, moving out loud here and I'm I'm not sure if the stat, maybe- maybe you might know Dan, but what is the average age of a board member uh, in Australia? Right? Like cyber attacks just didn't exist in
Daniel McDermott: Mm-hmm [affirmative].
Bradley Sing: ... in [laughs] 20 years ago. Like it wasn't a threat that they ever thought about, but I mean, you know, there's been cold wars.
there's been Many geopolitical times before where, where people were scared of the outside, but also I think to a large degree, Australia's had this great prosperity and and a great sense of peace and calm over the past 20 to 30 years, really, since probably [laughs] 1991, if if you will. Right? So.
Daniel McDermott: Mm-hmm [affirmative].
Bradley Sing: This is new for us. Uh, This is new for boards.
This is new for our staff. So I think, yeah, but like absolutely. To your point, like user awareness is, is is fundamental to this. And I know we keep har- harping on about it, but if- if I think really out loud, like did did user awareness, cyber security awareness training really exits five to 10 years ago. Like, I- I don't think it did, did it.
Daniel McDermott: No, but it- it a little bit of the tick the Box mandatory compliance, but definitely not in [crosstalk 00:16:54]-
Bradley Sing: Yeah, right.
Daniel McDermott: ... anything else. And, and like you say, I think it that- that also highlights, you know I think one putting the focus on it because it's not a natural conversation for the board. Right. As you say, but also highlights
Bradley Sing: Mm-hmm [affirmative].
Daniel McDermott: ...the need for diversity of boards.
Right. Um, in terms of profile, age, demographics, you know all different backgrounds in order to. To bring different perspectives and make sure that you know, they are keeping up to date with what's required as well today. So it's you know, cause some of those requirements, yeah, are very different to... and- and the threats and what they are dealing with are very different to to how things have been in the.
We're going to now take a look at two of the- the big breaches of the last sort of uh, month or so. Um, and we'll start off with Pegasus and the notion that spyware has actually been sold to some of the au- authoritarian governments around the world, in order for them to keep track of, of, like some of the activists and journalists and lawyers that, are... that they want to know what's going on and actually keep track of their sort of activity and, and communication.
W- What's going on here and and what's the implications.
Bradley Sing: Uh, I just love the names. They give these, these tools Pegasus. uh, Different planets [
Daniel McDermott: Laughs].
Bradley Sing: ...and all these won- weird, and wonderful, th- uh, mythical creatures. Um, so Pegasus is one, which we've, we've, we've heard about for quite a while. And I think we actually spoke about it on the show probably a couple of seasons ago.
So originally when it was initially kind of reported the reason it's hit the news again recently, and I guess, sorry for our listeners, just to, I guess, give a bit of background around Pegasus. So Pegasus is a piece of [laughs] law enforcement spyware. [laughs]. So the idea is that if you, you're meant to have a legitimate reason to pur- uh, purchase it, you can purchase it off an- a, an Israeli-based security organization.
And effectively it makes use of zero days, which I guess, at least in the past were unique to Pegasus, which effectively allows you to. I think it's called zero click, right? Where you can effectively just send an SMS a WhatsApp. an iMessage, some, just like a very kind of benign kind of communication to a phone without the person interacting with it on the other end at all, you can therefore effectively gain full access to the phone.
So the contacts, the messengers- messages, it's effectively a remote access tool, if you will. That's crazy. Right. That's that's ridiculous. Um, I know like, if you think back to things like the... I think it was the- the, maybe the Boston marathon or the San Bernardino shooters over in America, where I think the FBI were trying to pay a million dollars to get into the the iPhone or something and and they just couldn't and apple wouldn't unlock it.
So this is something. which, you know, I iPhones are incredibly secure, but to be able to deploy and deliver and gain full access to something with no interaction from the other end is absolutely ridiculous. So it's effectively spyware as a service,
Daniel McDermott: Mm-hmm [affirmative].
Bradley Sing: um, in terms of some of the targets. uh, allegedly it was the Ar- Arab Royal family, over 600 politicians and government officials, 64 business executives a whole host of human rights activists, 100's of journalists and and over 50,000 phone numbers. Um, I watched a documentary quite a wh- a while ago around it and I believe one of the targets was even Jeff Bezos himself. Um, so, [laughs]. and it... I guess back to that point around accountability and, and kind of governance around some of this type of stuff, like how can anybody protect against this?
Like, this is I... what I always think. of nation-grade hacking, right? Like these are tools which governments and
Daniel McDermott: Mm-hmm [affirmative].
Bradley Sing: ...the ri- the richest people in the world can use That It's not something that anybody can just kind of pick up off the street.
Daniel McDermott: No, and it definitely points to the old notion of, you know, information is power. Right. Um, and you know, it is like you say, pretty Scary to think that, you know, that these type of, you know, true spyware activities is going on.
And it is the thing that you sort of see maybe in movies or on TV shows and, and sort of, you know, look at what you know, spy agencies might be doing and stuff. But the fact that it's becoming more mainstream, like you say, it's not necessarily mainstream, but [laughs] definitely more mainstream and spyware as a service.
I don't think I've heard of that one before, but it's a very scary proposition.
Bradley Sing: Yeah, no, it's just it's, it's, it's absolutely crazy. Isn't it? But This is the stuff we know about too. Right. [Laughing] So if you think about the stuff we don't know about listeners, like uh, I probably sound like a conspiracy podcaster or some-
Daniel McDermott: [Laughing].
Bradley Sing: ...or something, but that's definitely not the intention.
I I think it's just the reality that we live in a very hyper-connected world. And I think it's got gre- great benefits for us. You know, like the amount of data you can get on your phone, like, you really just need a phone today. [laughs] You you don't have to move, you c- you don't own a computer, you can have one device and you're connected to everything.
But I think with that, just comes, Yeah. Uh, an understanding that being connected, your data is out there and you can be the most powerful person in the world and- and still fall victim to- to your privacy. So be careful about what you put up there and, and probably, you know, don't have millions of, of sensitive photos in your iCloud or or anything too, auspicious, I would suggest.
Daniel McDermott: Yeah. That's definitely a a very sort of scary thought, and there's no doubting that. And I think as uh, I think if Gar was here, I think he'd be talking about his tin foil hat again at this stage. And and trying to maybe p- provide an air gap between his iPhone and [laughs] and the world. I'm not sure how that's gonna play out for him, [laughs] but, uh but it certainly is it- it's concerning and um, And there's no doubting that this you know, again, a developing area that is gonna have, you know, keep coming up and have more legs as as we sort of see the implications of how some of this information might get used again as well. So there's no doubting that the last story we wanted to dive into today was looking at the- the Kaseya attack.
Um, so Kaseya is an it solutions developer and for MSP's and enterprise clients. and it was announced that it had become a- a victim of a cyber attack on July 2nd. Um, this has been sort of spoken about as the notion of sort of. a Supply chain ransomware attack that's because it attacks a a vendor, or supplier if you like, but who are part of that ecosystem of supplying to managed service providers.
Um, and they're obviously then they're on-selling and on-delivering services that have become vulnerable because of the compromise, Brad what's and what's happened with the Kaseya attack, and what sort of implications can we sort of see rolling out into this market and and the implications. for people?
Bradley Sing: Yeah, it's interesting like, the- the Kaseya one, because it- it's obviously got a lot of publicity because the effect uh, and reach has been so large. Um, some people are drawing some similarities to the SolarWinds breach an- and personally, I think that's a great comparison because if we think about what Kaseya as, as a software does, like it gives you remote access into thousands of computers and effectively allows you to manage something really easy.
Like how do you deliver desktop support? which is What MSPs do, a lot of- a lot of them um, kind of offer as a service. Um, I like to think that these are pur- you know, they're purpose-designed enterprise software solutions, which allow you to gain remote access into computers, and pretty much do everything that a hacker would wanna do.
Um, hackers used to, and they still do. I'm sure they, they spend a whole range of effort trying to get Um, remote access tools which are usually known about by every single provider out there. So they spend a lot of time encrypting them, hashing them and trying to deliver them in- in fancy, clever ways to- to gain access to these systems.
But if you can hit the- the the supply chain, if you can hit somebody who who uses software, which already has all round access into thousands of computers in my mind, that's a lot easier than trying to individually get these little pieces of software And, like that's- That's huge, right? And If we think about SolarWinds, the scary thing about SolarWinds was that it was undetected for quite a while, or or potentially also under-reported for quite a while as well, which, which went to, to, to potentially why the scale was so bad.
Um, Kaseya again, and w- I haven't really looked at the, the timeline of this and we're probably reporting on this slightly a a few weeks after it's happened now. but It makes you wonder about all those other tools there. And and I think I was chatting to Gar, but we were chatting to Gar about this the other day. and, Like what happens when team Viewer me gets popped?
Like how many team Viewer end points are there around the world? Like Team Viewer is something? Synonymous with personal users, not just business users, like, or some yeah. even something like Skype, right? Like messaging services as well, like [laughs] it starts to raise that question. You know, Someone compromises Facebook's backend one day.
I mean, maybe they already have like, [laughing], it's a it's a scary thing, isn't it?
Daniel McDermott: Yeah. And then there's that flow on effect. And and this is, you know, one. where, You know, a lot of, you know, small to medium size businesses would be supported, you know, through MSPs, who they wouldn't even realise, you know, that are now utilising Kaseya as part of that, that solution to them.
And all of a sudden they they're sort of vulnerable and potentially part of, sort of that attack chain and really have no idea themselves. And, and haven't been involved. in, You know, making those decision, purchases, and, and yet they're sort of subjected to the risk and and the attack that's come as well. So you certainly feel for them and, and you know, cause it's definitely out of their control.
So there's no doubting that, like you say, that notion of being able to get in once, but to get to many you know, is obviously going to be. you know, Very I th- I think, you know, sort of lucrative in a, in a strong sort of, you know presence for attackers to go after because of the scale that they can get to through a single attack, rather than like you say, trying to deploy it multiple, multiple times,
Bradley Sing: Uh, you made a really good point there.
I think also in... just in the fact that a lot of. these I guess the, the organisations which are ultimately compromised would have no idea who Kaseya is, or even [laughs]... it wouldn't appear on like a PO or or as logs or the books or anything like that. So, and now we're telling organisations that, you know, your bo- your boards suddenly going to become more accountable for cyber security, where a lot of this stuff is out of your control.
Like to your point, like, y- you don't [laughs] know about it, but suddenly you're having to deal with the fallout to a degree. So, That brings me to, I think, a a- a- careful consideration where however they do legislate stuff, we need to make sure that. It really is for the benefit of the business and it, you know, we're not trying to have, a- have a
Daniel McDermott: Mm-hmm [affirmative].
Bradley Sing: ...blame game because if it turns into like, you know, just trying to get money for insurance, or for tax reasons or for whatever it is, then it, then it would d- delusion to that.
But if the ultimate outcome is like, we want to find out what, happened, the company wants to protect its staff and its clients, then yeah, it- I- I think it becomes something we all work towards
Daniel McDermott: No, it's a great point. Where does the liability actually lie? Right? And That's that's a difficult one [laughs] as to, like you say, when you go through those supply chains and look at who, you know, who is responsible and where does that that buck stop?
Um, so definitely a lot to, to play out in that space. Look, thank you, Brad, for your insights. and expert analysis today and thank you all for listening. Uh, next week's episode will feature a return guests. We have Prescott Pym from Verizon who will take a deep dive with Gar into the Re- Verizon DBIR report for 2021. In a world of many cyber and threat reports the- the Verizon DBIR report is the seminal annual review. And it will be great to hear the trends and insights of the past very eventful year. Also, if you are craving more cyber security insights, please check out the Mimecast podcast called Phishy business.
Now, this is produced by Mimecast EMEA team, and has a wealth of great guests and knowledge. shared. So until next week, stay safe and we'll be in touch again soon. .