"How should I be thinking about cybersecurity?" Part 4

This is a podcast episode titled, "How should I be thinking about cybersecurity?" Part 4. The summary for this episode is:

Interviewer: How do you see cyber risks increasing in the future?

Speaker 2: How do I see cyber risk increasing? Facetiously, I would say on a daily basis, but that's actually not so facetious. As I showed on my bio slide, I spent five years with the FBI Cyber Crime Task Force. And that was a very enlightening experience, because what I realized was cyber criminals are no different than any other type of criminal in that they're basically lazy, which is why they're criminals and they don't have legitimate jobs. But make no mistake about it, they're also very technically astute. In fact, they're some of the most brilliant people I've ever encountered. They just happen to be on the wrong side of the law, all right? As a result, make no mistake about it, these are not individuals. These are not loner individuals living in their mom's basement, somewhere in Romania. This is a large, organized, multi-tiered economy with specialized skills, serving each other. Take ransomware, for example. You may think ransomware again, is one person sending out some harmful script to one company. Not so. Ransomware is an entire economy. There is a layer of the industry that writes the ransomware script. There is a layer of the economy that sells that. There is a layer, there are service clouds for ransomware. There are end user license agreements. There are support organizations. There are payment processing systems for ransomware. There are ransomware payment negotiation levels of service providers. It's one layer after another. This is an entire shadow economy, folks. It is very well organized. I think sometimes we, as legitimate business people underestimate the sophistication of the cyber crime community. I really do. When it comes to ransomware, the sad truth is that a small or medium sized business is just as likely to be attacked as a large company. As a matter of fact, in some cases, remember I told you that cyber criminals are basically lazy, right?
In some cases, it's easier for them to attack a small or medium size business than it is to be a large enterprise, and here's why. If the small or medium size business has a lack of defense to start with, what'll happen is the ransomware criminal will get in first, in what we call a stealth mode, will steal as many documents as they can. If they can steal the copy of the cyber insurance policy, if they have one, they'll find out what the aggregate coverage limit is for that company. They'll then launch the ransomware attack, and they'll ask the maximum of the coverage limit that they know that company is covered for. So in that case, it's just as likely the small or medium size business would be attacked than another one. Another thing about another target, if you will, for small and medium sized businesses is, just because your revenue is not in the billions does not mean that you don't have something that a cyber criminal organization would be interested in. You may be a tier three or tier four provider for the Department of Defense. Here in the Midwest, there's a lot of manufacturing, small manufacturing companies, that kind of thing. You may think you're only making nuts and bolts, but the fact of the matter, that nut or bolt eventually ends up in a battleship or something like that. There are criminal organizations that are very interested in that information and are very, very likely to attack that company, even though it's relatively small. So, I think to boil it down is the intelligence, for the value of the data itself. And then the ransomware, the ability just for the financial gain.