WEBVTT 1 00:00:00.210 --> 00:00:02.940 Anna Delaney: Hello. Welcome to the ISMG Editors' Panel. I'm 2 00:00:02.940 --> 00:00:06.330 Anna Delaney and here's our weekly roundup and analysis of 3 00:00:06.330 --> 00:00:09.900 the top cybersecurity stories. And I'm joined this week by my 4 00:00:09.900 --> 00:00:12.660 brilliant colleagues, Mathew Schwartz, executive editor of 5 00:00:12.660 --> 00:00:16.080 DataBreachToday and Europe; Suparna Goswami, associate 6 00:00:16.080 --> 00:00:19.890 editor at ISMG Asia, and Tony Morbin, executive news editor 7 00:00:19.950 --> 00:00:21.840 for the EU. Great to see you all. 8 00:00:21.000 --> 00:00:23.310 Tony Morbin: Hi, good to be here. 9 00:00:23.490 --> 00:00:25.140 Mathew Schwartz: Wonderful to be here. Thanks for having us. 10 00:00:25.170 --> 00:00:27.300 Suparna Goswami: Wonderful to be back, Anna, after a long time. 11 00:00:27.360 --> 00:00:30.900 Delaney: It's been too long. Suparna, you are at a summit, I 12 00:00:30.900 --> 00:00:31.290 believe. 13 00:00:32.220 --> 00:00:34.890 Goswami: Yes, correct. So the background, as you can see, it's 14 00:00:34.890 --> 00:00:38.280 that of the in-person summit in Bangalore that we had last week. 15 00:00:38.580 --> 00:00:42.270 So we had our first in-person event in Bangalore after 2019. 16 00:00:42.300 --> 00:00:45.540 So it was great to meet everyone, needless to say, and 17 00:00:45.540 --> 00:00:48.750 great to be back and feel the actual feel of the summit, you 18 00:00:48.750 --> 00:00:52.440 know, so it was just fantastic to be back on the ground meeting 19 00:00:52.440 --> 00:00:55.260 people. So just wanted to have that as a background. 20 00:00:55.920 --> 00:00:57.600 Delaney: Suparna, what was the highlight for you? 21 00:00:57.000 --> 00:01:03.210 Goswami: The highlight was that it went entirely smooth. It was 22 00:01:03.210 --> 00:01:07.590 a hybrid summit, it went entirely smooth. 
And then we had 23 00:01:07.890 --> 00:01:11.850 first-time speakers who were fantastic, and some lovely 24 00:01:11.850 --> 00:01:15.750 topics to talk about. And we exceeded the number of guests 25 00:01:15.780 --> 00:01:18.480 who we anticipated, the number of delegates we anticipated. So 26 00:01:18.480 --> 00:01:20.250 that was a good problem to have. 27 00:01:20.640 --> 00:01:23.670 Delaney: Yeah, I loved watching all the photos appear on social 28 00:01:23.670 --> 00:01:29.130 media. Looked like a great event. Tony, industrial systems 29 00:01:29.130 --> 00:01:29.550 perhaps? 30 00:01:30.060 --> 00:01:34.110 Morbin: No, no, this is the Lloyd's of London building with 31 00:01:34.110 --> 00:01:38.790 all the infrastructures on the outside because I want to be 32 00:01:38.790 --> 00:01:42.450 talking about insurance today. And so, Lloyd's a good place, 33 00:01:42.690 --> 00:01:47.940 back to the origins of, you know, insurance, with shipping 34 00:01:47.940 --> 00:01:49.770 insurance and so on in the coffee house. 35 00:01:51.690 --> 00:01:54.810 Delaney: Fantastic view from within as well, isn't it? 36 00:01:54.840 --> 00:02:00.240 Morbin: Yes. Well, from the elevators as well. Not the 37 00:02:00.240 --> 00:02:01.080 outside of the building. 38 00:02:02.010 --> 00:02:05.430 Delaney: Fantastic. Okay, look forward to that. Mathew, how 39 00:02:05.430 --> 00:02:06.510 very elegant. 40 00:02:07.680 --> 00:02:10.290 Schwartz: I finally got to return to Amsterdam, a little 41 00:02:10.290 --> 00:02:14.790 bit like Suparna, for the first time in several years, due to a 42 00:02:14.820 --> 00:02:19.800 slight social disruption, I guess we can call it, right? So 43 00:02:19.830 --> 00:02:24.090 it was wonderful being back. This is a room that I had on one 44 00:02:24.090 --> 00:02:27.690 of the canals, the hotel room looking out to the evenings, it 45 00:02:27.690 --> 00:02:31.980 just opened the window and watched the Dutch world go by. 
46 00:02:31.000 --> 00:02:32.230 Delaney: It's a fabulous city. Love it. And I am in the gardens 47 00:02:32.230 --> 00:02:33.490 of Hampton Court Palace, where King Henry the Eighth lived with 48 00:02:32.500 --> 00:02:37.510 Schwartz: That's a great question. And there is this 49 00:02:33.490 --> 00:02:40.960 his wives and all that. And it was taken at a recent flower 50 00:02:41.020 --> 00:02:47.110 show. And it's definitely worth a visit if you are in this part 51 00:02:42.970 --> 00:02:47.650 really fascinating attack. Fascinating, if you're not on 52 00:02:47.110 --> 00:02:50.440 of the world in the U.K. So Matt, my question for you, has 53 00:02:47.650 --> 00:03:04.720 the receiving end of it, of course, that came about at the 54 00:02:50.440 --> 00:02:53.620 there been a sudden increase in the danger posed by online 55 00:02:53.620 --> 00:02:55.780 attacks to industrial environments? 56 00:03:04.750 --> 00:03:11.050 end of June, when our colleagues reported on a steel foundry in 57 00:03:11.110 --> 00:03:15.370 Iran that was hit by hackers who claimed to have started a fire. And 58 00:03:15.370 --> 00:03:19.000 there's some really dramatic footage that got posted to 59 00:03:19.000 --> 00:03:23.260 social media. Now the hackers appeared to be playing by a few 60 00:03:23.290 --> 00:03:27.310 ground rules, unusually. In particular, they said they 61 00:03:27.310 --> 00:03:31.960 waited to cause this fire until there was no one present. So an 62 00:03:31.960 --> 00:03:37.660 unusual, I would say, amount of preparation and a safety 63 00:03:37.660 --> 00:03:42.460 conscious ethos, which we might not normally see from criminals 64 00:03:42.550 --> 00:03:47.260 operating online. So what does this all mean? 
And again, I put 65 00:03:47.260 --> 00:03:51.820 that question to experts: we've seen this big attack hitting 66 00:03:51.850 --> 00:03:55.330 Iran and the attacker said the purpose of this was to highlight 67 00:03:55.330 --> 00:03:58.000 the fact that this steel foundry, which is part of a 68 00:03:58.000 --> 00:04:01.090 holding company, it's been sanctioned, and they also hit 69 00:04:01.090 --> 00:04:03.760 apparently a couple of other foundries been sanctioned by the 70 00:04:03.760 --> 00:04:07.960 US and yet, it continues to trade. Apparently, allegedly, 71 00:04:08.050 --> 00:04:10.180 it's still doing a roaring business. It's one of the 72 00:04:10.180 --> 00:04:14.410 biggest suppliers of steel products in the Middle East, 73 00:04:14.410 --> 00:04:19.360 apparently. So they wanted to highlight this. So what is all 74 00:04:19.360 --> 00:04:23.800 this? It's hard to say, although it's really fascinating because 75 00:04:23.800 --> 00:04:28.000 there's a play on a name in terms of the group that's 76 00:04:28.000 --> 00:04:32.200 involved. I won't attempt to pronounce the group's actual 77 00:04:32.200 --> 00:04:36.820 Persian name, but it translates to Predatory Sparrow, which, if 78 00:04:36.820 --> 00:04:40.630 you're in cybersecurity circles, seems like a bit of an innate 79 00:04:40.630 --> 00:04:44.650 joke given that so many of the advanced persistent threat 80 00:04:44.650 --> 00:04:49.630 groups in the nation-state military hacking teams, have 81 00:04:49.630 --> 00:04:53.800 these designations started by FireEye about where they're 82 00:04:53.800 --> 00:04:57.790 from, what they do. So some experts are saying this sounds a 83 00:04:57.790 --> 00:05:00.370 little bit like Charming Kitten, right? Predatory Sparrow, 84 00:05:00.370 --> 00:05:04.780 Charming Kitten. 
Well, Charming Kitten is a group, at least, 85 00:05:04.780 --> 00:05:11.260 attributed to Iran's military intelligence apparatus, which 86 00:05:11.260 --> 00:05:13.750 has been responsible for a number of attacks. So, long 87 00:05:13.750 --> 00:05:18.250 story short, this could be Israel trying to stir things up 88 00:05:18.250 --> 00:05:21.940 a little bit or some other nation-state group. Experts 89 00:05:21.940 --> 00:05:24.610 think this is probably a nation-state group because it's 90 00:05:24.610 --> 00:05:28.510 very difficult to hack industrial control systems. It 91 00:05:28.510 --> 00:05:32.200 typically takes a laboratory environment where you purchased, 92 00:05:32.500 --> 00:05:36.730 eBay or whatever, the exact systems being used in the 93 00:05:36.730 --> 00:05:39.070 environment. And you've attempted to get the right 94 00:05:39.100 --> 00:05:44.080 software and patches and everything in place in the lab, 95 00:05:44.200 --> 00:05:49.180 so that you can design malware that will work. Check Point said 96 00:05:49.180 --> 00:05:53.440 that it saw the malware using this attack. And it traces to 97 00:05:53.470 --> 00:05:58.300 malware that was used last year against Iran in attacks that are 98 00:05:58.300 --> 00:06:02.860 believed to have been done by Israel, which in one case, 99 00:06:03.100 --> 00:06:08.200 disrupted train travel, and in another case, disrupted the 100 00:06:08.200 --> 00:06:11.800 ability to access fuel from pumps for certain people in 101 00:06:11.800 --> 00:06:16.990 Iran. So long story short, I don't think that we are seeing a 102 00:06:16.990 --> 00:06:19.390 dramatic increase in attacks against industrial control 103 00:06:19.390 --> 00:06:24.040 systems, they remain a concern. At their worst, they can cause 104 00:06:24.190 --> 00:06:28.540 loss of human life. 
You have a foundry here, if this fire had 105 00:06:28.660 --> 00:06:32.080 happened when the equipment had been manhandled, if it had 106 00:06:32.080 --> 00:06:34.420 happened, and there were people around this, could have injured 107 00:06:34.420 --> 00:06:37.330 people very badly. So, thankfully, that didn't happen 108 00:06:37.330 --> 00:06:40.870 in this case. But it's a useful reminder that a lot of these 109 00:06:40.960 --> 00:06:44.710 environments can be hacked. We're seeing a lot more use of 110 00:06:44.710 --> 00:06:48.400 IT equipment, not necessarily OT (operational technology) from 111 00:06:48.400 --> 00:06:51.640 it, but lots of IT equipment too, switches and things from 112 00:06:51.640 --> 00:06:54.850 Cisco, Juniper, that have well known flaws being used in these 113 00:06:54.850 --> 00:06:58.330 environments. So, definitely, any organization that runs an OT 114 00:06:58.330 --> 00:07:01.510 environment needs to take a good hard look at how it's protecting 115 00:07:01.510 --> 00:07:05.320 its networks. Because the next time hackers come calling, it 116 00:07:05.320 --> 00:07:09.370 might not be Israel allegedly attempted to stir things up a 117 00:07:09.370 --> 00:07:09.730 little bit. 118 00:07:11.010 --> 00:07:13.620 Delaney: Very interesting. And it reminds me that the time 119 00:07:13.620 --> 00:07:16.260 around the start of Putin's invasion of Ukraine. There are a 120 00:07:16.260 --> 00:07:20.190 lot of people thinking or predicting that Russia would 121 00:07:20.190 --> 00:07:23.490 target ICS. And commentators are saying actually, it's very, very 122 00:07:23.490 --> 00:07:27.240 difficult to do that successfully. Reminds me of 123 00:07:27.240 --> 00:07:32.280 that. So the main lessons learnt from this would be? 
124 00:07:33.230 --> 00:07:35.270 Schwartz: The main lessons learned, if you want an 125 00:07:35.270 --> 00:07:37.700 operational technology environment, be aware that this 126 00:07:37.700 --> 00:07:41.780 can happen, keep a close eye on what needs patching, what hasn't 127 00:07:41.780 --> 00:07:46.340 been patched. And there are a variety of techniques that can 128 00:07:46.340 --> 00:07:51.050 be used to safeguard these systems in a secure, safe 129 00:07:51.050 --> 00:07:54.200 manner. And safety is, of course, the management of a lot 130 00:07:54.200 --> 00:07:56.930 of these environments. But there are a lot of approaches that can 131 00:07:56.930 --> 00:08:00.080 be used to lock these environments down. Even if you 132 00:08:00.080 --> 00:08:03.440 can't patch the underlying systems, which can be five, 10, 133 00:08:03.440 --> 00:08:06.590 sometimes 20 years or more older. So you just need to make 134 00:08:06.590 --> 00:08:10.070 sure you're keeping a close eye on all of these things. 135 00:08:10.190 --> 00:08:13.520 Basically, have a plan, constantly be reviewing it, make 136 00:08:13.520 --> 00:08:16.280 sure that you're not at risk from these types of attacks. 137 00:08:16.580 --> 00:08:19.610 Morbin: It's also a reminder that, you know, the 138 00:08:19.610 --> 00:08:22.400 Ukraine-Russia situation isn't the only cyber war because the 139 00:08:22.850 --> 00:08:25.700 Israel-Iran has been going on for some time. You know, Matt 140 00:08:25.700 --> 00:08:30.080 mentioned some of the attacks that, you know, Iran has faced, 141 00:08:30.080 --> 00:08:33.950 but Israel has also had water treatment plants affected. It's 142 00:08:33.950 --> 00:08:38.780 had its air raid siren going off. So, you know, I mean, I've 143 00:08:38.780 --> 00:08:41.990 spoken to people on the offensive cyber side in Israel, 144 00:08:41.990 --> 00:08:45.170 and there's activity going on. 
And, in fact, Matt did an 145 00:07:45.170 --> 00:07:48.350 article where he mentioned the fact that, you know, they 146 00:07:48.350 --> 00:07:52.970 weren't best pleased in Israel when it was found that they 147 00:07:52.970 --> 00:07:57.020 were seen celebrating the fire in the steel plants. 148 00:08:58.310 --> 00:09:00.710 Schwartz: Yeah, supposedly, there was a briefing for a 149 00:09:00.710 --> 00:09:03.320 high-level official by an Israeli military intelligence 150 00:09:03.320 --> 00:09:07.610 unit. It's supposedly featured the footage captured by CCTV 151 00:09:07.610 --> 00:09:10.850 cameras of the foundry, experiencing this fire, 152 00:09:10.910 --> 00:09:13.610 supposedly, but the defense minister ordered an 153 00:09:13.610 --> 00:09:18.650 investigation into any potential leaks. So again, this does — 154 00:09:18.680 --> 00:09:22.550 yes, as Tony, you know, rounded up really well there, this 155 00:09:22.550 --> 00:09:27.440 affects lots of people. And it's been a particular aspect — your 156 00:09:27.440 --> 00:09:32.180 angle to Israeli Iran relations, or the lack thereof. 157 00:09:34.010 --> 00:09:38.210 Goswami: If I may add one of the points that lessons learned that 158 00:09:38.210 --> 00:09:40.940 Matt was saying — so maybe we had — I was reading, it's 159 00:09:41.150 --> 00:09:44.030 essentially just because it happens rarely, do not really 160 00:09:44.030 --> 00:09:47.960 ignore it. And that's what there's an important lesson, 161 00:09:47.960 --> 00:09:50.330 right? That just because the attack happens very, very 162 00:09:50.330 --> 00:09:53.840 rarely, do not ignore the side of the attack. 163 00:09:54.830 --> 00:09:57.950 Schwartz: Absolutely. And I was saying safety because if you 164 00:09:57.950 --> 00:10:02.900 talk to anybody in industrial environments, that's their first 165 00:10:02.900 --> 00:10:06.110 and foremost concern. And I think they often think of it in 166 00:10:06.110 --> 00:10:10.160 a physical manner. 
I mean, we saw the fire being caused by 167 00:10:10.310 --> 00:10:14.150 equipment being mishandled. And I couldn't tell personally what 168 00:10:14.150 --> 00:10:15.860 was going on. But there was stuff spilling all over the 169 00:10:15.860 --> 00:10:19.730 place, looked like molten metal was going everywhere. That's 170 00:10:19.730 --> 00:10:23.000 obviously physical, but they need to remember — and there's 171 00:10:23.030 --> 00:10:26.750 been a growing push by, for example, CISA in the United 172 00:10:26.750 --> 00:10:30.650 States, telling critical infrastructure and industrial 173 00:10:31.430 --> 00:10:36.560 infrastructure providers to always think of cyber as well. 174 00:10:36.920 --> 00:10:40.460 All these systems are run by computers. And it's not just 175 00:10:40.460 --> 00:10:46.640 that molten metal might get tipped over the networks, the 176 00:10:46.640 --> 00:10:50.540 systems that run these very environments are also at risk. 177 00:10:50.540 --> 00:10:53.720 So, absolutely this needs to be more of a concern, but I think 178 00:10:53.720 --> 00:10:56.810 we are seeing greater attention and focus on it now, which might 179 00:10:56.810 --> 00:11:00.320 be, Anna, to your point. Are we seeing a rise in these attacks? 180 00:11:00.380 --> 00:11:04.850 Is the threat going up? No. But I do think we are seeing more 181 00:11:04.850 --> 00:11:09.170 focus on it. And one side-effect of this attack is we are talking 182 00:11:09.170 --> 00:11:10.490 about it, which is good. 183 00:11:11.530 --> 00:11:14.080 Delaney: Great insight, Matt. Thank you very much, Matt. 184 00:11:14.260 --> 00:11:18.580 Suparna, you've been speaking with CISOs based in Sri Lanka, 185 00:11:18.610 --> 00:11:22.360 which, as you all know, is facing turbulent economic times 186 00:11:22.360 --> 00:11:27.940 and political upheaval. How are CISOs, security leaders being 187 00:11:27.940 --> 00:11:28.990 impacted, Suparna? 
188 00:11:30.190 --> 00:11:32.650 Goswami: So, yes, and I'm working on a feature on the 189 00:11:32.650 --> 00:11:35.410 economic crisis and its impact on the cybersecurity market in 190 00:11:35.410 --> 00:11:39.490 Sri Lanka. So, I spoke to a few CISOs there and thought though 191 00:11:39.490 --> 00:11:42.670 they're saying that the business priority as far as cybersecurity 192 00:11:42.670 --> 00:11:46.180 is concerned has not changed for now, they're not sure whether it 193 00:11:46.180 --> 00:11:49.480 will stay this way in the coming months. So, essentially, from my 194 00:11:49.480 --> 00:11:53.170 conversation, there were three or four highlights. So, one was 195 00:11:53.200 --> 00:11:57.130 license renewal and they are facing difficulty in renewing 196 00:11:57.130 --> 00:12:02.110 the license because they are not able to procure dollars. There's 197 00:12:02.110 --> 00:12:05.920 difficulty in procuring dollars because the central bank has put 198 00:12:05.920 --> 00:12:11.080 lot of curbs there. And dollar value has gone up, I think 80 to 199 00:12:11.080 --> 00:12:15.610 90% in the past three months. So there are multiple companies out 200 00:12:15.610 --> 00:12:18.220 there who are facing a tough time redoing the licenses for 201 00:12:18.220 --> 00:12:21.340 the products they have deployed. And a few security practitioners 202 00:12:21.340 --> 00:12:23.860 from the manufacturing industry that I spoke with said that 203 00:12:23.860 --> 00:12:27.190 currently their licenses for DDoS attacks has expired and 204 00:12:27.190 --> 00:12:31.150 they have requested the vendors to extend their service to the 205 00:12:31.150 --> 00:12:34.810 existing investment. I also spoke to a vendor who has a good 206 00:12:34.810 --> 00:12:38.170 presence in Sri Lanka. 
And the spokesperson said that they have 207 00:12:38.170 --> 00:12:41.830 received requests from companies to make best use of the existing 208 00:12:41.830 --> 00:12:44.560 investments as new investments in cybersecurity products are 209 00:12:44.560 --> 00:12:48.670 difficult to our challenge now, and they have also been 210 00:12:48.670 --> 00:12:52.570 requested to set shops in Sri Lanka so that they can pay in 211 00:12:52.570 --> 00:12:55.510 Sri Lankan rupees, not necessarily dollars. But given 212 00:12:55.510 --> 00:12:58.510 the situation, it is tough for them to set up a shop now in Sri 213 00:12:58.510 --> 00:13:01.750 Lanka. And the second one, which I found very, very interesting 214 00:13:01.750 --> 00:13:05.410 are that cyber insurers are shying away from insuring the 215 00:13:05.410 --> 00:13:09.490 companies in Sri Lanka. And not surprising because given the 216 00:13:09.490 --> 00:13:11.920 inability of the Sri Lankan companies to pay in dollars, as 217 00:13:11.920 --> 00:13:14.830 well as the sad state of the economy, cyberinsurance 218 00:13:14.830 --> 00:13:18.490 companies are wary of providing or renewing insurance of the 219 00:13:18.490 --> 00:13:22.060 companies in Sri Lanka. And this has been the case for the past 220 00:13:22.060 --> 00:13:26.440 one year. And even if they are going ahead and reinsuring one 221 00:13:26.440 --> 00:13:28.480 of the companies, they are charging very, very high 222 00:13:28.480 --> 00:13:32.410 premiums. The premiums have again gone up quite high. And 223 00:13:32.410 --> 00:13:36.070 the third one was on threat landscape, though more or less, 224 00:13:36.070 --> 00:13:39.490 the threat landscape has remained the same. The country 225 00:13:39.490 --> 00:13:42.850 is witnessing an increase in state-sponsored attacks as well 226 00:13:42.850 --> 00:13:46.450 as phishing attempts. 
So, adversaries are sending fake 227 00:13:46.480 --> 00:13:49.090 emails, marking it as fundraising for the government 228 00:13:49.120 --> 00:13:53.260 and people are falling prey on that, and there's an increase, a 229 00:13:53.260 --> 00:13:57.370 lot of increase — I think one of the reports that 60% increase in 230 00:13:57.370 --> 00:14:02.170 phishing attempts in the past two months. So yes, these were 231 00:14:02.170 --> 00:14:04.510 the main highlights from my conversation with them. 232 00:14:04.950 --> 00:14:08.220 Schwartz: One of the tactics we often see practiced by Russia, 233 00:14:08.220 --> 00:14:11.940 in particular, is never let a good domestic crisis of your 234 00:14:11.940 --> 00:14:15.390 enemy go to waste. Are we seeing that in Sri Lanka, do you think 235 00:14:15.390 --> 00:14:18.660 — with the rise that you've charted in phishing attacks, 236 00:14:18.690 --> 00:14:23.250 other types of attacks — is that adversaries in a geopolitical 237 00:14:23.250 --> 00:14:27.450 sense of Sri Lanka attempting to stir the pot? 238 00:14:29.610 --> 00:14:34.290 Goswami: Hearing, but one thing the security practitioners, they 239 00:14:34.290 --> 00:14:38.070 said, you know, they are happy about is there's a lot less 240 00:14:38.070 --> 00:14:40.920 ransomware attacks because they know they loan people to pay the 241 00:14:40.920 --> 00:14:41.490 ransoms. 242 00:14:41.790 --> 00:14:42.900 Schwartz: There's no money, right? 243 00:14:43.290 --> 00:14:46.320 Goswami: Yes, there's no money, so they were like one cannot 244 00:14:46.320 --> 00:14:48.930 really be bothered about the ransomware attacks, because they 245 00:14:48.930 --> 00:14:52.620 know that we won't be able to pay them back. So yes, that's 246 00:14:52.620 --> 00:14:55.170 one of the silver lining, they said. Thankfully, you don't have 247 00:14:55.170 --> 00:14:57.150 to deal with the ransomware attacks for now, at least for 248 00:14:57.150 --> 00:14:58.110 the next few months. 
249 00:14:58.890 --> 00:15:01.590 Delaney: Yes, Suparna, just take us through about how you go 250 00:15:01.590 --> 00:15:04.290 about investigating this because this is fascinating, and it's 251 00:15:04.290 --> 00:15:08.250 really current, obviously. So you're speaking to CISOs and 252 00:15:08.000 --> 00:15:13.100 Goswami: Yes, I'm speaking to CISOs, I'm speaking to vendors. 253 00:15:08.250 --> 00:15:08.970 vendors. 254 00:15:13.790 --> 00:15:17.750 But yes, of course, as you know, not all CISOs are ready to come 255 00:15:17.750 --> 00:15:20.180 out and comment that yes, they are facing these kind of 256 00:15:20.180 --> 00:15:26.000 attacks. So it's like, yes, as an industry, we are facing this, 257 00:15:26.000 --> 00:15:29.540 but nobody is ready to accept or they have accepted offline, but 258 00:15:29.540 --> 00:15:33.110 they don't want me to quote them that, yes, they are facing these 259 00:15:33.110 --> 00:15:36.740 attacks. Now, I spoke with one of the insurance companies, as 260 00:15:36.740 --> 00:15:40.790 well. And that company said that yes, we are not providing for 261 00:15:40.790 --> 00:15:44.810 now any, you know, we are wary of Sri Lankan market, we are not 262 00:15:44.810 --> 00:15:48.290 really reaching out, or even if there is an insurance renewal, 263 00:15:48.710 --> 00:15:52.610 we are thinking, we are charging really high premium. But again, 264 00:15:52.610 --> 00:15:55.640 he said you can't actually quote me on this because that would 265 00:15:56.210 --> 00:16:01.610 have a bad name. But yes, CISOs I reached and vendors to get to 266 00:16:01.610 --> 00:16:04.370 the other side of the story, what are they hearing? What is 267 00:16:04.370 --> 00:16:08.600 their roadmap? And for them, the roadmap for now is this month, 268 00:16:09.590 --> 00:16:12.170 these few months it's fine, because the budget approvals 269 00:16:12.170 --> 00:16:14.990 have been done. 
But next year, they are revisiting their 270 00:16:14.990 --> 00:16:18.470 priorities. Even the board, for that matter, the CISOs said, 271 00:16:18.830 --> 00:16:22.820 even the board for now, it's fine, because the budgets have 272 00:16:22.820 --> 00:16:25.850 been approved. For next year, they are revisiting their 273 00:16:25.850 --> 00:16:28.010 priorities, and new investments will be hard to come by. 274 00:16:28.790 --> 00:16:31.130 Delaney: Well, good luck, Suparna. I look forward to 275 00:16:31.310 --> 00:16:35.690 reading the feature when it comes out. Thank you. Tony, 276 00:16:35.720 --> 00:16:38.240 Suparna mentioned cyber insurance. I know you want to 277 00:16:38.240 --> 00:16:40.760 speak about it. So, what's happening in the market? 278 00:16:40.810 --> 00:16:43.390 Morbin: Well, absolutely. And the premiums going up is 279 00:16:43.390 --> 00:16:48.250 obviously the main issue. I was just really going to talk about 280 00:16:48.640 --> 00:16:52.120 the cyber insurance industry isn't working for insurance, 281 00:16:52.180 --> 00:16:55.270 brokers or their customers, according to a recent report by 282 00:16:55.300 --> 00:16:58.960 Panaseer, and it's noting the cost of cyber insurance policies 283 00:16:58.960 --> 00:17:02.140 in the U.K. and the U.S. are expected to rise for the next 284 00:17:02.140 --> 00:17:04.990 two years, and I can see a similar thing happening 285 00:17:04.990 --> 00:17:09.640 elsewhere. Now, obviously, the ransomware attacks up 93% 286 00:17:09.700 --> 00:17:14.020 year-on-year from 2021. By some estimates, as well as the number 287 00:17:14.020 --> 00:17:16.960 of successful attacks, means that insurance is becoming 288 00:17:16.960 --> 00:17:20.350 harder to get, becoming more expensive. And we've average 289 00:17:20.350 --> 00:17:25.090 payouts of about $3.5 million in the U.S., it's hardly 290 00:17:25.090 --> 00:17:29.200 a surprise. 
One of the issues is that insurers are struggling to 291 00:17:29.230 --> 00:17:31.990 accurately assess an organization's security posture 292 00:17:32.170 --> 00:17:36.130 and what the risks are that were involved. 87% of insurers in 293 00:17:36.130 --> 00:17:39.130 this recent survey, say they want a more consistent approach 294 00:17:39.130 --> 00:17:43.810 to analyze cyber risks. Insurers need better information to price 295 00:17:43.810 --> 00:17:46.660 the risk. And as Nik Whitfield, the founder and chairman of 296 00:17:46.690 --> 00:17:49.870 Panaseer, who did the report, said questionnaires aren't going 297 00:17:49.870 --> 00:17:54.490 to cut it. One of the reasons is that cybersecurity insurers 298 00:17:54.580 --> 00:17:59.110 increasingly want direct access to customer security metrics and 299 00:17:59.110 --> 00:18:02.650 measures. They want to see real, live data coming from a customer 300 00:18:02.680 --> 00:18:06.760 about their security posture. Now, from my perspective, that 301 00:18:06.760 --> 00:18:09.580 can only be a good thing for the industry, as cybersecurity is 302 00:18:09.580 --> 00:18:12.670 still very immature. And while there are best practices being 303 00:18:12.670 --> 00:18:16.330 enforced in some sectors, such as finance, there's no overall 304 00:18:16.330 --> 00:18:20.140 agreed definition of what good cybersecurity looks like, what 305 00:18:20.140 --> 00:18:22.660 the minimum standards should be expected, or what percentage of 306 00:18:22.660 --> 00:18:25.630 budget spend is appropriate. And certainly no agreement on how 307 00:18:25.630 --> 00:18:28.570 these standards can be enforced. 
So, while you've got things like 308 00:18:28.570 --> 00:18:32.200 the Biden executive order in the U.S., the Cyber Essentials in the 309 00:18:32.200 --> 00:18:35.800 U.K., providing a certain sort of baseline cybersecurity 310 00:18:35.800 --> 00:18:38.710 requirements for those dealing with the state, the free 311 00:18:38.710 --> 00:18:43.000 enterprise market has so far failed to establish consistent 312 00:18:43.000 --> 00:18:47.290 cybersecurity norms. So what is it that the insurance rate is 313 00:18:47.290 --> 00:18:49.990 important when they're assessing potential customers' security 314 00:18:49.990 --> 00:18:54.250 posture, top of their list is cloud security decided by 40% 315 00:18:54.850 --> 00:18:58.900 security awareness, 36%, application security 32%, 316 00:18:59.050 --> 00:19:03.160 vulnerability management 31%, previous access 31% and patch 317 00:19:03.160 --> 00:19:06.880 management 30%. Now, none of these will come as a surprise to 318 00:19:06.880 --> 00:19:09.460 security professionals. And obviously, they're all things 319 00:19:09.460 --> 00:19:12.160 that you should already be doing. But what's different is 320 00:19:12.160 --> 00:19:14.650 the need to share the information with your insurer to 321 00:19:14.650 --> 00:19:17.980 reduce your insurance premiums or even secure insurance in the 322 00:19:17.980 --> 00:19:20.980 first place. And that will include providing evidence, 323 00:19:21.010 --> 00:19:23.920 information, and even working with the insurer to improve your 324 00:19:23.920 --> 00:19:28.630 security posture. But obviously, you know, the insurers 325 00:19:28.630 --> 00:19:31.780 themselves aren't actually that confident that the information, 326 00:19:32.350 --> 00:19:34.090 you know, even with that information that they can 327 00:19:34.090 --> 00:19:37.210 accurately price the risk. 
It's a very dynamically changing 328 00:19:37.210 --> 00:19:40.720 environment, increasingly sophisticated threat actors and 329 00:19:40.720 --> 00:19:43.900 unprecedented events coming in thick and fast. Plus, it's a 330 00:19:43.960 --> 00:19:47.410 global nature of incidents. They're very rarely isolated. 331 00:19:47.410 --> 00:19:50.890 Maybe the OT ones are an example of the isolated ones, but 332 00:19:50.890 --> 00:19:55.360 generally they tend to be quite pervasive. So insurers and 333 00:19:55.360 --> 00:19:58.930 potentially insured are voting with their feet, one in 10 334 00:19:58.930 --> 00:20:02.620 insurers in the U.K. say they're likely to get out of the cyber 335 00:20:02.620 --> 00:20:05.860 insurance market if the method of ensuring risk stays the same. 336 00:20:06.430 --> 00:20:08.860 And from the other side of the insurance, simply take the tack 337 00:20:08.860 --> 00:20:11.770 of forever increasing their premiums, they priced themselves 338 00:20:11.770 --> 00:20:14.860 out of the market, and companies decide not to get insured and 339 00:20:14.860 --> 00:20:18.220 just put aside the resources to absorb the impact of an attack, 340 00:20:18.370 --> 00:20:21.190 which is something that's happening. So it's in both 341 00:20:21.190 --> 00:20:24.010 sides' interests for the pricing to be realistic and 342 00:20:24.010 --> 00:20:27.310 proportionate to the risk, it's predicted that there will be 343 00:20:27.310 --> 00:20:30.430 increased friction, because most organizations don't want to 344 00:20:30.430 --> 00:20:33.550 share their sensitive internal data with anyone, let alone 345 00:20:33.700 --> 00:20:37.210 third parties that have a right to audit. But ultimately, the 346 00:20:37.210 --> 00:20:39.880 organizations will need to demonstrate good security 347 00:20:39.880 --> 00:20:43.300 behaviors across the entire environment, which means having, 348 00:20:43.360 --> 00:20:46.540 ensuring accurate data to prove that they were low risks. 
349 00:20:48.540 --> 00:20:51.150 Delaney: And this is actually coming up in roundtables. I'm 350 00:20:51.150 --> 00:20:54.930 hearing from security leaders as well, venting the frustration, 351 00:20:55.290 --> 00:20:58.290 when they call up the insurer. The insurer doesn't know what 352 00:20:58.290 --> 00:21:01.050 they're offering. They have no idea what they are actually 353 00:21:01.050 --> 00:21:05.520 covering. So yeah, there's a lack of information education 354 00:21:05.520 --> 00:21:09.720 there. Matt, what are you hearing as to how this is going 355 00:21:09.720 --> 00:21:10.710 to evolve? 356 00:21:10.000 --> 00:21:13.630 Schwartz: Well, I mean, I think as Tony was indicating, it's a 357 00:21:13.630 --> 00:21:16.840 little bit of a chicken and egg problem, you need to have really 358 00:21:16.840 --> 00:21:21.430 robust, well documented, well thought-out information security 359 00:21:21.460 --> 00:21:26.380 programs, plans, procedures, people, technology in place. And 360 00:21:26.410 --> 00:21:29.380 sometimes there's a disconnect then in terms of how you 361 00:21:29.380 --> 00:21:34.180 interface with an insurer if you don't have that. And so, we see 362 00:21:34.180 --> 00:21:36.550 some interesting innovation for there's a company called 363 00:21:36.550 --> 00:21:40.000 Coalition, for example, based in the States. It's a cyber 364 00:21:40.000 --> 00:21:44.350 insurance startup, it's got a $5 billion valuation. Last week, I 365 00:21:44.350 --> 00:21:47.860 believe, it secured an extra $250 million in funding 366 00:21:48.010 --> 00:21:52.480 to drive a U.K. expansion. And what Coalition is doing is 367 00:21:52.480 --> 00:21:56.860 taking a really cybersecurity-centric approach 368 00:21:56.890 --> 00:21:59.530 in terms of knowing what organizations should be doing, 369 00:21:59.920 --> 00:22:02.980 looking to see if they are doing that, and then using that to 370 00:22:02.980 --> 00:22:07.510 help price the plans. 
But there's a lot of back and forth 371 00:22:07.510 --> 00:22:11.470 there, right? They can also help the organization make, do what 372 00:22:11.470 --> 00:22:13.630 they need to do, your organization can work with them 373 00:22:13.630 --> 00:22:17.020 to better do what they should be doing. So, if there's a will, 374 00:22:17.050 --> 00:22:20.410 there's a way, there's an insurance product. And I suspect 375 00:22:20.410 --> 00:22:24.400 that we'll see this more kind of focused, tailored, and 376 00:22:24.400 --> 00:22:28.750 sophisticated approach to the problem. I know holistic, it's 377 00:22:28.750 --> 00:22:31.780 overused, but it is a holistic approach. They're saying if you 378 00:22:31.780 --> 00:22:36.580 want great cybersecurity, and if you want insurance — because who 379 00:22:36.580 --> 00:22:39.700 doesn't — to cover your risks, this is how we're going to do 380 00:22:39.700 --> 00:22:42.910 this. Now, to Tony's point before, though, how many 381 00:22:42.910 --> 00:22:45.940 organizations have the wherewithal or the internal 382 00:22:45.940 --> 00:22:49.810 expertise to make use of this or to honor this kind of approach 383 00:22:49.810 --> 00:22:53.110 or devalue it? I don't know. But I think that that's where we're 384 00:22:53.110 --> 00:22:56.290 going to see the most bang for the buck is organizations that 385 00:22:56.290 --> 00:22:59.620 can walk the walk, talk the talk, not just via their 386 00:22:59.620 --> 00:23:01.390 insurance, but in terms of how they're approaching it 387 00:23:01.420 --> 00:23:02.050 themselves. 388 00:23:03.110 --> 00:23:05.630 Morbin: Yeah, the insurance industry is wanting to have the 389 00:23:05.630 --> 00:23:08.750 kind of telemetric data that they get from... 390 00:23:10.550 --> 00:23:12.290 Schwartz: Every other thing they insure. 
391 00:23:12.320 --> 00:23:14.600 Morbin: Yeah, things like the transport industry, and the 392 00:23:14.600 --> 00:23:20.780 survey had something like 44% of insurers, not confident about 393 00:23:20.810 --> 00:23:23.090 the way that they were evaluating risk in 394 00:23:23.090 --> 00:23:28.220 cybersecurity. So, you know, it affects both sides, the 395 00:23:28.970 --> 00:23:32.270 companies that want to be insured are not necessarily 396 00:23:32.450 --> 00:23:36.020 creating the data level and sharing it, the insurers aren't 397 00:23:36.020 --> 00:23:39.440 really necessarily, that show what data they really need and 398 00:23:39.440 --> 00:23:42.710 how to use it. So we're talking about an immature industry. And 399 00:23:42.710 --> 00:23:44.780 yet, we're talking about something that, you know, 400 00:23:44.810 --> 00:23:48.440 normally regulation is the big driver of people actually 401 00:23:48.440 --> 00:23:53.030 adopting safer approaches. But insurance is another one, 402 00:23:53.030 --> 00:23:55.190 because people want to lower their premiums. So they have an 403 00:23:55.190 --> 00:23:58.640 incentive. There's an incentive on both sides. And we're talking 404 00:23:58.640 --> 00:24:03.320 about a market that's forecast to grow from 11.9 billion this 405 00:24:03.320 --> 00:24:07.760 year to 29 billion in 2027. So it's not something that's going 406 00:24:07.760 --> 00:24:11.540 away, it's going to increase, but it's quite flawed at the 407 00:24:11.540 --> 00:24:11.930 moment. 408 00:24:12.150 --> 00:24:15.210 Schwartz: Yeah, that's a great point study. Because if the 409 00:24:15.210 --> 00:24:18.450 insurers get a better sense of what they're looking for, like 410 00:24:18.450 --> 00:24:20.940 you say, from a financial perspective, they have it, they 411 00:24:20.940 --> 00:24:24.510 will be able to demand it. 
And we could see some really good 412 00:24:24.540 --> 00:24:28.500 changes and improvements, where they come in and say, "Look, the 413 00:24:28.500 --> 00:24:32.190 best in class companies with the lowest premiums are doing it 414 00:24:32.190 --> 00:24:34.800 this way. Would you like our help to help you do it this 415 00:24:34.800 --> 00:24:37.800 way?" And hopefully, more organizations say yes. 416 00:24:38.530 --> 00:24:41.020 Delaney: Hopefully, indeed. That's great. Great points. 417 00:24:41.050 --> 00:24:45.640 Thank you all. So, final question. What's something new 418 00:24:45.640 --> 00:24:48.550 that you've learned in cybersecurity, this week or 419 00:24:48.550 --> 00:24:49.180 recently? 420 00:24:52.120 --> 00:24:56.080 Goswami: So, I'd like to point up to a tweet that my colleague 421 00:24:56.830 --> 00:25:01.810 Rashmi mentioned to me. It was not new learning as such, but I 422 00:25:01.810 --> 00:25:05.530 found it interesting that Russia experienced the most data 423 00:25:05.530 --> 00:25:08.950 breaches in second quarter, for second consecutive quarters in a 424 00:25:08.950 --> 00:25:12.610 row. Because I always had the impression that Russia is the 425 00:25:12.610 --> 00:25:15.130 one who is attacking the other countries, but they're also 426 00:25:15.820 --> 00:25:19.240 facing large number of breaches. So that came as a surprise too. 427 00:25:19.410 --> 00:25:22.200 Delaney: Yeah, definitely. That's a great one. 428 00:25:22.350 --> 00:25:25.770 Schwartz: Ukraine's hacker army or friends there are, appear to 429 00:25:25.770 --> 00:25:29.130 be having an impact. I've been hearing that. And I'll just, on 430 00:25:29.130 --> 00:25:32.160 the heels of that, one of the things that I learned at RSA 431 00:25:32.160 --> 00:25:35.460 this year, back in June, and that I have to keep reminding 432 00:25:35.460 --> 00:25:40.620 myself about is Russia is very much launching online attacks 433 00:25:40.710 --> 00:25:44.670 against Ukraine. 
But many cybersecurity experts I've spoken 434 00:25:44.670 --> 00:25:50.700 to say that Ukraine's defensive ability is the best in Europe, 435 00:25:50.970 --> 00:25:53.940 they think. So there's been a lot of chatter about how there's 436 00:25:53.940 --> 00:25:58.050 been no cyber war, define cyber war how you will, but in terms 437 00:25:58.050 --> 00:26:01.620 of online attacks, aimed at supporting Russia's invasion 438 00:26:01.620 --> 00:26:05.250 being launched by Russia and allies, there are many of those, 439 00:26:05.670 --> 00:26:08.580 but a lot of them aren't having the impact that Russia might 440 00:26:08.580 --> 00:26:09.180 have desired. 441 00:26:10.740 --> 00:26:13.170 Morbin: Yeah, because they'd already seen NotPetya. And 442 00:26:13.230 --> 00:26:17.070 they'd been under attack since, well, at least 2014, but before 443 00:26:17.070 --> 00:26:19.740 that, but you know, seriously under attack since then. So, 444 00:26:19.950 --> 00:26:22.230 yeah, they had a lot of practical real-world experience. 445 00:26:22.290 --> 00:26:22.770 Delaney: And training. 446 00:26:22.770 --> 00:26:23.310 Schwartz: Definitely. 447 00:26:24.570 --> 00:26:25.650 Delaney: Tony, what have you learned? 448 00:26:28.080 --> 00:26:30.300 Morbin: I was going to cheat and just say, well, you know that 449 00:26:30.720 --> 00:26:36.210 cyber insurance is going to grow to 29 billion by 2037. Also, you 450 00:26:36.210 --> 00:26:39.630 know, just looking at this subject, I did see that a couple 451 00:26:39.630 --> 00:26:42.960 of states, California, for example, the state is mandating 452 00:26:42.960 --> 00:26:45.690 cyber insurance. I didn't realize that it was mandated. 453 00:26:46.260 --> 00:26:48.750 But so that was quite interesting. 454 00:26:49.770 --> 00:26:51.900 Delaney: I read recently that ransomware attacks have 455 00:26:51.900 --> 00:26:56.280 increased 500% in the last year.
I don't know if you agree with 456 00:26:56.280 --> 00:26:59.730 that, Matt, but I'm sure your articles on ransomware have 457 00:26:59.730 --> 00:27:01.260 increased 500% this year. 458 00:27:03.250 --> 00:27:07.060 Schwartz: It just feels like it, right? My really short answer 459 00:27:07.060 --> 00:27:10.840 there is we really don't know the full volume of ransomware 460 00:27:10.840 --> 00:27:14.320 attacks, because the only ones to get publicized are the 461 00:27:14.590 --> 00:27:18.460 victims who don't pay, and they get publicized by the criminals 462 00:27:18.520 --> 00:27:23.590 who wish they had. So there's a lot of competing interests. I 463 00:27:23.590 --> 00:27:26.440 will say that the volume of attacks is always higher than we 464 00:27:26.440 --> 00:27:30.430 want. And also here in Britain, the National Cybersecurity 465 00:27:30.430 --> 00:27:32.920 Center has said they're seeing an increase both in ransom 466 00:27:32.920 --> 00:27:38.560 payments and attack on victim volume. So yes, 500%, I don't 467 00:27:38.560 --> 00:27:42.130 know. But still alarmingly high, I suppose. 468 00:27:42.400 --> 00:27:45.700 Delaney: And the demands in ransom, you know, ransom 469 00:27:45.700 --> 00:27:48.340 demands, the figures are higher than ever as well. 470 00:27:49.210 --> 00:27:49.960 Schwartz: Sometimes. 471 00:27:51.220 --> 00:27:53.530 Delaney: Well, these are great nuggets of information. Thank 472 00:27:53.530 --> 00:27:55.840 you very much. That is unfortunately all we have time 473 00:27:55.840 --> 00:27:59.320 for. But Matt, Suparna and Tony, thank you, and enjoy your week. 474 00:28:00.190 --> 00:28:00.910 Schwartz: Thank you, Anna. 475 00:28:01.090 --> 00:28:01.780 Morbin: Thank you. 476 00:28:02.040 --> 00:28:04.230 Delaney: Thanks so much for watching. Until next time.