Why Your Company Needs Cyber Risk Management

About this episode

June 7, 2018

Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, about why every company needs good cyber risk management.


Episode Transcript

Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts. I'm Kip Boyle, CEO of Cyber Risk Opportunities.

Jake Bernstein: And I'm Jake Bernstein, Cyber Security Counsel at the law firm of Newman DuWors.

Kip Boyle: And this is a show where we help you become a better cyber risk manager.

Jake Bernstein: So Kip, what will we be talking about today?

Kip Boyle: Today we're gonna talk about why every company needs good cyber risk management.

Jake Bernstein: Okay. Every company. Kip, let's just go ahead and start. Why do our listeners need cyber risk management for their companies?

Kip Boyle: Okay, I thought you'd never ask. In today's economy, you need ... Any organization, any company is gonna need computer systems just about as much as they need customers to serve, and something to sell them. The whole idea of cyber risk these days is if you could somehow disconnect from the internet, and still stay in business, that would be the best possible way of managing all these cyber risks. But it's just ... We've adopted the internet so thoroughly and so completely that that's just not really a possibility anymore.

Jake Bernstein: Well and I would say that the internet is the business enabler for a lot of companies these days. You think about market leaders and how much Amazon has disrupted the entire retail industry, that slow decline of the old mall. Disconnecting might seem like the easy solution for a business, but it's just not realistic.

Jake Bernstein: Given that, what are some examples of where the technology backfires and hurts you?

Kip Boyle: Right. I'm thinking of a couple examples right now. They're very high profile examples. If you want to learn more, if listeners want to learn more, this should be a very easy thing to ... Just Google some of this. Last summer, 2017, there was a computer worm called NotPetya. It swept across Europe for quite some time. There were two logistics companies that were particularly affected by this. I think that the story about how they were affected is instructive.

Kip Boyle: The first one was called TNT, which is a subsidiary of FedEx. They do small package delivery, ground-based small package delivery. They're kind of like FedEx in the United States and elsewhere, or UPS. The second company that was really affected badly by NotPetya was Maersk. They're a container shipping company. That's ocean-going shipments. In both cases, those companies got hit so hard with NotPetya that they actually lost control of practically all the packages and containers in their custody. When I say lost control, what it really comes down to these days is, and this speaks to the nature of the internet, but if you're a logistics company and you can't access the data about the shipments that are in your possession, if you can't move that data, then you can't move the goods. They'll just sit in the shipping yards, or in the warehouses, and that's pretty much the end of your business day. As you can imagine, it's a cardinal sin to not be able to move freight.

Jake Bernstein: Oh yeah. Well if you're a freight company that can't move freight, you're a company that's losing a lot of money every second.

Kip Boyle: Right. The great irony of it is that you can move the freight, you just don't know which ship to load it on, or which truck to put it on. You have no idea where it's supposed to go. You have possession of all these boxes and containers, but you have no idea what to do with them.

Jake Bernstein: To be fair, freight handling has always been a fairly data intensive business. It's just that now that it's all computerized, and why wouldn't it be, if those computers don't work, you're unable to do much.

Kip Boyle: Well and even if you could somehow crack the computers open and look at all the files in there, you would never have enough manpower to process all that stuff. It's so highly automated now that the idea that you're gonna fall back to a manual procedure is just out of reach. We've scaled it so much that we just can't take it back and actually process it.

Jake Bernstein: No, not at all.

Kip Boyle: No. As a result of this, Maersk, for example, lost over $500 million in expected profits. Shipyards all over the world were idled. In some cases ships couldn't even dock because there was no computer control available to tell them which cranes were going to remove containers from the vessel, and which containers needed to be placed upon them. Just the impact of idling container ships around the world is really staggering.

Jake Bernstein: Devastating, really.

Kip Boyle: Yeah. The FedEx subsidiary, TNT, the packages just piled up in the warehouses. Whenever I've sent a small package or if I'm expecting to get one, an Amazon delivery or something like that, I like to be able to go and do tracking. Where is the thing? When's it gonna show up? None of that was working, so customers had no idea. They couldn't do self-service and figure out where their packages were, when they were gonna be showing up.

Kip Boyle: If you think about it, not only did FedEx lose a lot of money, but the people who count on the small businesses just abandoned them in droves, and went over to another small package delivery company that wasn't nearly as heavily affected by NotPetya, called DHL. They're a subsidiary of the German post office.

Kip Boyle: It's really interesting. If you go into the public records and you see FedEx disclosing these financial hits to their company, at the same time you can go over to DHL and you can actually look and see how their volumes were trending up. DHL didn't do anything special other than they just stayed in business. What a marvelous thing to do, right?

Jake Bernstein: Yeah. Were they lucky, or do you think they had just greatly superior cyber risk management?

Kip Boyle: I wish I knew the actual answer, and I hope that it gets revealed at some point. I don't know that it matters very much because if you're listening to this podcast and you're trying to do a better job of managing your cyber risks, I would suggest taking the "maybe I'll get lucky" path as probably not the way to go.

Jake Bernstein: Definitely not the way to go.

Kip Boyle: No. What you want to do is think about DHL, and you want to think about how can I be the DHL when the time comes. How can I still be standing and staying in business when my competitors are flat on their back? Maybe I can just get up faster than they can. This is competitive advantage, going on right now.

Jake Bernstein: Yeah. Even if you just fold your knees and then stand back up, that's better than getting knocked flat on your back and staying there for a while.

Kip Boyle: Exactly. Exactly.

Kip Boyle: Let me tell you about this other story I'm thinking about.

Jake Bernstein: Yeah, I was gonna say, what's the other story and does this one have a happy ending or no?

Kip Boyle: This one has a really horrible ending because ...

Jake Bernstein: Oh, dear.

Kip Boyle: ... because at least Maersk and FedEx are still in business. They got hit pretty hard, and it's gonna sting for a while, but they're still in business.

Kip Boyle: Another example, very high profile, there was a law firm in Panama City, Panama called Mossack Fonseca. You and I have talked about Mossack Fonseca so, so much. Well that's the law firm that gave us what we affectionately call the Panama Papers now.

Jake Bernstein: Panama Papers. Yeah.

Kip Boyle: The Panama Papers. Of course, that was widely reported in the press. There were thousands of stories about what was discovered by digging through the Panama Papers, 2.6 terabytes of data that was exfiltrated from the law firm over a period of 18 months, and ...

Jake Bernstein: Just remind us, when was that exfiltration, and when was it all publicized?

Kip Boyle: Well it all happened ... The publication started to happen in early 2016. But the exfiltration of the data actually started 18 months prior to that. For 18 months, some outsider was pulling data out of the law firm over their internet connection, and nobody at the law firm had any idea that this was going on. They were completely oblivious to the fact that they had been attacked, hacked, and that their files were being removed on a regular basis.

Kip Boyle: Of course, the consequences as we all know were very serious to the people who used the services of Mossack Fonseca. What's a little less ...

Jake Bernstein: Clients?

Kip Boyle: Yeah, the clients. What's a little less well understood is that the law firm itself was fined, and laid off staff, and ultimately earlier this year, they went bankrupt, and they're not in business anymore.

Jake Bernstein: Let's say it's midway through 2018, we'll just say it was ... Well actually, publication started in April of 2016. Two years after publication, this law firm, which ... It wasn't a 100-year law firm, but it had been around for a while.

Kip Boyle: 1977.

Jake Bernstein: 1977, is gone. Obliterated.

Kip Boyle: Completely blown up.

Jake Bernstein: Completely blown up. That's pretty striking.

Kip Boyle: Yeah. It took a couple years, as you pointed out, for them to do that. But these days, what we see is you either go out of business very, very quickly due to a cyber attack. I'm thinking of a company called Code Spaces, where in less than 12 hours, they were bankrupted. There was another law firm called Puckett and Faraj, and they were out of business in less than a week. Sometimes it's a very fast hit and a flameout, and other times it's what I would call a long slow slide into oblivion, which is what happened with Mossack Fonseca.

Kip Boyle: What I think about is even though that law firm was engaged in, I think we can all agree, unethical, and in certain cases, probably illegal activities. Maybe not in their jurisdiction, but in the jurisdictions of their clients. It was a big law firm, they had a lot of people that worked for them. Now there's a lot of people out of work. Now they can't provide for their families. The social impact of this on the law firm side is pretty big. Nobody won.

Jake Bernstein: Nobody did win. Well, other than the person who perhaps was trying to get them out of business. They did succeed, which is interesting to note.

Jake Bernstein: Are there any estimates about what the cost of this is going to be over the next five years?

Kip Boyle: Yeah. There's some ... If you roll up all the cyber risk together and you think about the failures that are going to happen, or that we think are gonna happen, the graph is one of these up-and-to-the-right kind of things, which typically people want to see up and to the right. But this is one of those where, no, you don't really want to see that.

Kip Boyle: In 2015, the total cost of all cyber failures around the world was about $500 billion, which is an enormous number, $500 billion. In 2021, so we're looking forward just three years, that number is gonna rise from 500 billion to six trillion. As far as we know, it's gonna continue to climb. It's a staggering number. I've never seen one trillion of anything, let alone six trillion of something.

Jake Bernstein: Exactly. Very much so.

Kip Boyle: It's just crazy. Our listeners are right to wonder, what the heck's going on here? Why is this happening? You and I have talked about it. There's essentially a big shift happening. You do a good job of explaining this.

Jake Bernstein: The situation is that it's not possible for the bad guys to ... Let me rephrase that. The bad guys have to be right one time. The good guys have to be right all the time. If you look at the numbers, they're staggering because these attacks are automated, as we mentioned, and the scope of attacks. You think about just one of the major credit card companies. It just stated that to date, in 2018, they've already seen 20 million cyber attacks on their systems and servers.

Kip Boyle: Yeah, it's so inexpensive to attack.

Jake Bernstein: It basically costs nothing to launch the attack. Think of the impact that 20 million, even unsuccessful, bank robberies would have on society. It would be like a war zone. I'm not even sure ... I don't even think there's been 200 thousand bank robberies in the history of the world, let alone 20 million in six months.

Kip Boyle: Only in a digital domain could you have 20 million attacks.

Jake Bernstein: Yeah and it's not slowing down. The cyber space, it doesn't conform to our pre-existing legal and physical defense mechanisms. We can't just go and arrest bad guys who are in a country where what they're doing, particularly as long as they do that to us, is legal. Sometimes even encouraged. Sometimes, not even encouraged, but directly controlled by state actors.

Jake Bernstein: The situation is just not going to change for the better. They always say police are responders, they react. They can comb, investigate and clean up a crime. But if you want to stay safe all the time, you've got to hire your own bodyguard. That's what you see people do. You've got to hire your own physical security. Likewise, if you want to stay safe in the cyber realm, you need to take matters into your own hands and really work on your own cyber risk.

Kip Boyle: Yeah. I think about ... I have this movie that plays in my head when I explain this to people. It looks like there's an executive sitting at their desk, and they're enjoying all of the internet infrastructure, and the electricity, and the air conditioned work space, and all. We've got this highly evolved, modern workplace and environment.

Kip Boyle: Once you get on the internet, it's almost like you're living in a log cabin again, out on the frontier where there's no police protection, no fire protection, the cavalry lives in a wooden fort two days away from you by horse. If anybody comes around to mess with you on your homestead, you're on your own, so hopefully you know how to load your gun, you've got plenty of bullets, and you can defend yourself long enough to keep from losing your place. It's almost like this Hollywood transformation in a moment from this very modern situation, to a pioneer situation.

Kip Boyle: But I think that's what people have to realize, is that on the internet we're all pioneers, and all the infrastructures, and protections, and governance that we're accustomed to, it just simply doesn't exist right now.

Jake Bernstein: No. It's like the wild west. Law enforcement is few and far between, and they have to get lucky to do anything impactful.

Kip Boyle: Right. Why is this happening? As you pointed out, on the one side you've got this amazing technology that is now in the hands of cyber criminals, and they're using it to attack at astounding rates, while at the same time taking advantage of these antiquated governance systems that depend on physical jurisdictions, and so forth. It actually reminds me of a time in the past when another similar situation came up which is in the 1930s and 1920s in rural America, you had gangsters in very fast cars with handheld machine guns who would rob a bank branch, and then quickly drive to the state line where they would be free from pursuit, and where there was no state police waiting to apprehend them on the other side of the border because the police and the town that they had just robbed had super slow cars, they had no radios, they had these revolvers that were probably army surplus and not working very well.

Kip Boyle: A lot of people don't realize this, but it took until about the mid '90s, I did the research, it took about until 1995 to get to the point where robbing a bank branch just wasn't feasible anymore. There were so many great protections, silent alarms, dye packs, bullet proof glass. The FBI and the banks worked with each other to figure out how to neutralize this threat. It took decades to figure this out. I don't know why we should think that it's gonna take anything less than decades to sort out the situation we find ourselves in now.

Jake Bernstein: I agree. It will be a very long time, and it will require new modes of operation and thinking. In the meantime, I think the takeaway here is you can't rely on the government or police, or law enforcement of any kind to keep you safe. You need to secure your home, you need to secure your business. In the cyber realm, it's even more true than ever before.

Kip Boyle: Even the defenses that we have are not guaranteed. Intrusion detection systems, intrusion prevention systems, you can spend a ton of money on the latest state-of-the-art in technological defenses and they're still not gonna be foolproof by any stretch of the imagination.

Kip Boyle: When Target, the retailer, lost control of all those credit cards, and they went back and did the digital forensics, they found that the attack was in fact detected by their systems. The problem was that the alarms, or the alerts to the attack, were either never seen by a human or weren't processed in a way for the controllers to understand that what was happening was this massive theft in progress.

Kip Boyle: You've got technological issues that are gonna keep you from preventing bad stuff from happening.

Jake Bernstein: There's your slow cars and lack of radios. We might have this technology, but despite the name, they're not necessarily very good at detecting or preventing intrusions. But they are a start, and I think that you're gonna see these tools evolve over time into something that is eventually useful. Eventually, I think it's fair to say, we will get to a point where you've got sound alarms, and ink bombs, and things like that. But one, we're not gonna get there without a lot of struggle. A lot of stuff is forged in conflict, and that's what's happening here.

Jake Bernstein: Before we end, why don't you tell us, who is the modern day gangster? We don't have Al Capone running around with his Tommy Gun. Who do we have?

Kip Boyle: I think of it as if Tony Soprano learned how to use the internet. Let's say Tony Soprano and Jeff Bezos somehow were able to morph into a single criminal. That's really what we've got here these days. I really get frustrated with Hollywood, and the newspapers because they would have us think that the adversary that's expected to cause six trillion dollars worth of damage is some kid wearing a hoodie in the basement of his mom's house, drinking Mountain Dews, eating Cheetos, and having nothing better to do than to troll around on the internet. Nothing could be further from the truth.

Kip Boyle: A great example of this is a guy named Bogachev. One of his online identities is Lucky12345. If you go out to the FBI.gov website, you'll see his wanted poster up there. He's got a reward on his head right now for $3 million, for his arrest, his apprehension. He lives in Russia. As far as we can tell, he's protected by the Russian government, the Foreign Intelligence Services. Why are we so interested in Bogachev? He's stolen over $100 million from U.S. banks using technology. The guy, as far as we know, has never set foot in the United States during that crime spree, which he continues to aim toward us.

Kip Boyle: But the problem is, he's so well protected, that as long as he never leaves the physical spaces where Russia's not going to give him up to the United States, there's no way to know if he'll ever face any kind of trial for what he's done.

Jake Bernstein: Russia's not ... Yeah. You need international cooperation. When you have international belligerent states, or at least uncooperative ones, your options are very limited.

Kip Boyle: Very limited. This has gone from a criminal investigation, to an international incident. This is war by other means. The United States, Russia and China have a lot of tension between the three of them, and a lot of weapons pointing at each other. But instead of using these so-called kinetic weapons ... Actually no, igniting bombs and blowing stuff up, we're lobbing digital weapons at each other right now. There's a whole [inaudible 00:24:51].

Jake Bernstein: Cyber war. The cyber war is being fought.

Kip Boyle: [inaudible 00:24:52]. The cyber wars are going on right now. Everybody who's connected to the internet is really a foot soldier as these cyber wars are unfolding around us.

Kip Boyle: By the way, the NotPetya worm virus that we talked about in the beginning of the episode, that was Russia aiming a cyber weapon at the Ukraine. It just got out of control, and Maersk, and FedEx, that was collateral damage.

Jake Bernstein: Collateral damage.

Kip Boyle: They weren't actually even the targets.

Kip Boyle: We live in a world where [crosstalk] you don't even leave your office and you find that you're in a cross fire, in a hail of digital bullets, and you get hurt.

Jake Bernstein: Frightening.

Kip Boyle: That's the world we live in now. I think it's important for listeners, for executives to understand what's really going on, and how this is gonna continue to unfold. You're gonna need to do more than just think that you can prevent bad stuff from happening. You're gonna need insurance, you're gonna need response capabilities, public relations strategies, because it's inevitable that we're all gonna get hacked sooner or later. But you definitely don't want to look like Equifax, trying to [inaudible] [crosstalk] respond to something really horrible that's happened to your customers.

Jake Bernstein: No.

Jake Bernstein: Agreed. Agreed.

Kip Boyle: Anyway. Hey, everybody, thanks for joining us today on the Cyber Risk Management Podcast. We talked about why everybody needs cyber risk management.

Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management Podcast.

Jake Bernstein: Remember that cyber risk management is a team sport, and needs to incorporate management, your legal department, HR and IT for full effectiveness.

Kip Boyle: Management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. If you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.

Jake Bernstein: You can find out more by visiting us at CyberRiskOpportunities.com and Newmanlaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
Newman DuWors LLP

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.