
Cyber Shield | Overcoming Blind Spots in Private Equity Cybercrime Prevention

Published
Dec 9, 2025

Join Patrick Westerhaus, Partner, and Scott Wright, Managing Director, from EisnerAmper’s Cyber Risk Services team as they take a closer look at the evolving cybercrime landscape, with a focused discussion on the threats impacting firms, their portfolio companies, team members, and customers.


Transcript

Irina Gershengoren: Thanks Astrid. Welcome everyone. We're excited to present this webinar exclusively for PECFOA members. My name is Irina Gershengoren. I'm a partner at EisnerAmper's Financial Services practice. EisnerAmper is a leading accounting advisory firm with 475 and over 4,700 employees nationwide. I also serve as an advisory board member for PECFOA's Boston Chapter, and EisnerAmper is a proud supporter of PECFOA. A little bit about PECFOA. We have a strong national presence with nine chapters and over 1,600 members across the country, and cybersecurity has become a hot topic among our members, so we developed this session specifically for you. We also invited our private equity CFO clients to join us. If you are interested in becoming a PECFOA member, please go to the link in the related content section of this webinar. I hope you enjoy today's webinar.

And with that, I will turn it to Patrick Westerhaus. He's a partner in our cybersecurity services group, and Scott Wright, managing director in our cybersecurity services group. A little bit about Patrick and Scott. Patrick, with over 25 years of experience, specializes in investigative and consulting support for cyber risk, fraud, financial crime, national security, and other regulatory matters. Patrick previously led major FBI investigations and built a cyber-crime intelligence unit for top financial institutions. He also founded a technology company and built a consulting practice. Scott brings us almost four decades of experience in governmental and now private sectors, specializing in strategic guidance for cyber fraud, insider risk, due diligence, supply chain security and crisis management. He spent over 30 years working at CIA's Directorate of Operations, rising to third in command and its C-suite. And with that, I will turn it to Patrick.

Patrick Westerhaus: Thank you, Irina. Good afternoon, good morning, wherever you folks are. Thank you for taking your time to spend a little time with Eisner here as we talk about a topic near and dear to my heart and near and dear to Scott's heart around the concept of cyber-crime and cybercrime prevention. This should be a fairly fun presentation, or we hope it's a fun presentation. We're going to have some polling questions. As we said, they probably are going to be the easiest polling questions you've ever gotten in an accounting CPE class. Trust me, as a recovering CPA, I think these should be layups, so we're going to have some fun today. But we're also going to try to bring folks through a journey based on a collective six decades between Scott and I of being hands-on with some of the worst actors in the world and help folks to really understand.

We're going to start with some history. We're going to give some context, we're going to do some use cases, and we're going to make our case, and in my opinion, for cyber as a strategic risk, as a business risk, as a financial risk, the most important people within an organization are the C-suite. And in my humble opinion, the CFO. It doesn't take too much to read the headlines to understand the drastic financial impact that everybody is suffering as a result of what criminal actors and nation state actors are doing. And so we're going to spend some time getting folks to understand how the world works, the amount of compromises and hacking that has occurred over the past two decades, and how that rocket fuel and this compromised information is driving what I would consider this next stage or next phase that we're in in the cyber world, which is brute monetization.

Again, I've come at this as a profession for a long time. My philosophy starts with and ends with cyber as a tool that facilitates fraud, theft and espionage, by and large. And so if you focus on the output and the outcome and the actual crimes that are occurring that cyber is facilitating, and you step back and understand the business risk that it truly is, and understand that cybercrime and the cybercrime world is a business as well. So walking away from today there will be some key themes as we talk about blind spots. And those blind spots that we really like to highlight are what we're doing here to help folks understand financial risk and also, at the same time, understand this rail of security that is the hardest to deal with, but we spend an awful lot of time on, which is the human risk.

And so this is going to be also a very personal presentation for you all, to arm you with tools and techniques to protect yourself, protect your family, protect your loved ones, and understand, and I'm sure you've heard the theme, that cybersecurity and cybercrime prevention starts with you, because it truly does. Over my lifetime I've seen the threat really materialize and move forward to targeting the individuals, and the people that I see over and over again that are being targeted the most are folks that are in the most consequential positions in organizations, and for folks in the private equity world, we're CFOs and really thinking through, how does this impact my portcos and my financial investments? It does tremendously. You can no longer look at cyber as just a thing that needs to be managed. It is a strategic risk and actually can be a competitive thing that you use when you look to exit your organizations and your companies.

So we'll talk about how to bring that visibility down into your portfolio companies, but also how to ask the right questions to challenge your technology leaders to really understand, boy, what am I getting for all this investment in cyber? So we've got a packed agenda, we're going to keep going here, but really appreciate your time and we look forward to sharing some more stories and hopefully some tips and trades on how to deal with this ever evolving and fast paced world. Alright, so right out the gate we're going to start with a polling question and I'm going to leave this up for a little bit, and this usually drives a lot of the conversation, so please answer it honestly. And I've done this presentation, Scott, a number of times, so I can't wait to see what people have to say. So we'll leave it up here for about 60 seconds. And again, no right answer here, it just gives us a good baseline of what people's opinions are. All right, and a little bit more time. Yep. We'll give it a little bit, another couple seconds.

Astrid Garcia: And I will jump in here. I know that some of these answers are a bit long, so you might have to scroll down to hit the submit button. So just remember, select one of the answers and if you don't see the submit button, just scroll a little bit down and make sure that you submit it so we can register your answer.

Patrick Westerhaus: All right, that's probably enough time. I'm going to move it forward and see what we've got for results. Okay, that's about right. That's usually about where we land, but a good spread across in terms of what people think when they hear the word cybercrime. So that's good. So this will set a good baseline. Yes, it is scary, there's no doubt, and victims are real. I'm sure most folks on the call have either been directly victimized, or know a next of kin that's been victimized, or had a colleague at another company that's had to deal with a major cyber breach. So again, cybercrime has affected all of us and is going to continue to affect all of us. However, the good news is there's a lot of things you can do to level yourself up, level the organizations up. And one of the consistent themes I also want to leave you with today is criminals always have a say.

And a lot of companies don't understand and think that things are just moving too fast and they have no ability to essentially meet them where you need to meet them, which is you need to meet them at the point where the data that they have stolen is no longer valuable. Because if you do that, then you can fundamentally uplift your organization and lead with understanding that if you factor in what the criminals have and can use and make it harder for them. Again, in over two decades of working against some of the worst actors in the world, I know one thing still remains true: they remain lazy, so make it harder for them. But it starts with changing that mindset. Alright, so where do we begin? What I'd like folks to understand is that when you hear the word cybercrime and cybercrime world, it really is a business.

It has matured to the point where there are organizations that are put together, and people sometimes like to bucket this and think about this in an organized crime fashion. And while yes, there are organized criminal groups that function in the cybercrime world, there's also what I would say is a disorganized economy and a disorganized business model that exists, and people all have jobs and they all have things that they need to do to feed a larger customer and a supply chain that they have to continuously feed with stolen information, and then there are buyers for that stolen information. So what this chart and this graph is really showing is that along the way, and this one is very geared towards the fraud scenario, there are multiple different people that do a job. There are malware coders and people that create malicious software, which is what malware stands for, and they build that software to exploit essentially systems.

Then there are hackers, and there are people that are going out and looking and targeting victims, who are then going to use that malware to be able to compromise either the person or the system or the organization. Once that compromise is done, depending upon the objective, they will either provision access and then sell it off to the next criminal who's looking to buy access to systems, to bank accounts, to email accounts, to whatever they need depending upon the fraud or the crime they want to commit. And so there are, believe it or not, call centers and organizational things that are set up so that if you don't have connectivity to those compromised systems, you could literally call into a call center and complain, and there's support tickets that are put in and there's all sorts of infrastructure that's in place to continue to feed this business.

So very much like the business that you are in, that's how a lot of this works today. Moving down the chain, there are other people that, after they've committed the fraud, aren't very good about how to move money. So we start to get into the money laundering aspect of it, and that's where the business leaders come into play. So people that really understand what are the controls that are in place to look for suspicious money movement. There are professionals that know how to do this and there are professionals that know how to then integrate those stolen funds into the system, and then they're off and running to fund other objectives. Again, leaving you with this idea that cybercrime and the cybercrime world is a business, people have jobs, people have functions. So as you think about your organization, you really need to mirror what they're doing, not only from the people, from the technology, from the talent and everything that you're doing to be able to harden your defenses against it.

So thinking like a business and thinking like criminals. So this gives a little bit more of a detailed example. I know ransomware is in the news all the time and I'm sure you can't pick up a paper without reading about the next company that suffered a major data breach, which is usually tied around a ransomware event. But what I'm also trying to drive the point on, although I focused the last one on fraud in essentially account takeover, ransomware works the same, and you would believe it or not, that it's even more well organized. So there are people that are paid to do nothing but test systems. So they're looking at your companies to find out if there are vulnerabilities. It usually starts with username and password, which is usually a credential replay attack. So they're looking for a place to log in with stolen information. After they've gotten that initial access, which is the initial access broker, then they sell it off to the gangs who are looking to then deploy a piece of software that will then essentially encrypt the system.

So that's ransomware. However, ransomware has evolved because after encrypting or pre-encrypting the systems, there's usually a bunch of data that's stolen. Well, what is that data being used for? It's to fuel the economy in the cybercrime world for fraud and anything else that wants to occur. The ransomware operators and the people that deploy the malware, if you will, have bought that tool kit from another different group who are developing essentially the encryption mechanisms that are being used and dropped within the enterprises. After a ransom is paid, then the proceeds are split up amongst the groups. And there's a lot of different groups that affiliate with different ransomware tools and tool sets, and that's why you have the word affiliate on there. So as you can see, there are roles, there are responsibilities and there's actually a fair amount of organization and targeting that occurs prior to a compromise. Some are random, some are targets of opportunity, but a lot of times targets are being picked out specifically. Alright, we're going to do the poll question here. So which profile do you think best describes a cybercriminal? What would you say, Scott? Don't cheat for them, but it's on point.

Scott Wright: I'm going to go with A, you've worked against A before and B and C.

Patrick Westerhaus: Yeah. Alright, give it another

Scott Wright: Minute or so. 30 seconds. Yeah.

Patrick Westerhaus: Oh okay. Another 30 seconds. We will see if I did my job right. And folks are listening,

Scott Wright: A lot of responses coming in.

Patrick Westerhaus: All right. Time's up. Next we'll see what people say. Ah, these are the results I like to see. So here's the inside secret. Each one of these people, again, as Scott has said, he's had bad actors that he's worked against. And so from cases in the FBI to people that I was dealing with when I was at the big global bank to helping to remediate companies in my current role and dealing with folks and individuals and helping 'em understand in context who went after them. So to me, the crimes have evolved such that the most dangerous people in this entire cycle, in my opinion, are not the Mountain Dew drinking, teenage punk living in the basement of his or her parents. It's actually the sophisticated stock trader. It's people that understand how to move money, that understand how to create front companies, that from my experience are the most dangerous actors in this because they're the most sophisticated, and they understand how to put networks together and really motivate people in order to essentially participate in the schemes that are going on. Alright,

Scott Wright: And I think if I could just interrupt, I think that dovetails nicely with one of the things you've always said, which is if you can turn a computer on, you could be a cyber criminal.

Patrick Westerhaus: That's a great point, Scott. So yeah, that's right. So usually if I'm in front of a live audience, I usually try to start with a question and people raising their hands, which is yes, do you get up in the morning? Can you turn your computer on? Every hand, everybody's hand always goes up. Can you navigate your way to a website and download a piece of software? Absolutely. Do you know how to put your credit card in, or maybe your Bitcoin address in, to go buy something? Yes. Fantastic. Congratulations. You are a cybercriminal, a cybercriminal in 2025, and that is the truth. It's just crime, folks. And if you start thinking about it and breaking that apart, and that's why cybercrime is a compound word. Yes, there's a technical piece of this, but too much of the mindset within companies says we can out-tech our way out of this problem.

It's an impossibility. That's why you get to flip the script and really think about the objectives and the scope and the things that folks are doing and where you're vulnerable. And that's what I mean about having that criminal mindset. So we're going to spend a little bit of time on fraud today. I'm going to touch on ransomware again, but this really kicks off the fraud conversation. And it was funny because at the beginning, before we jumped on, Irina was talking about why she had to re-authenticate into a credit card portal and why banks were thinking and making it harder. It was just simply in the past she'd already authenticated and made sure that everything within that session was good to go and she had to skip all the bypass to 2FA and secondary authentication. I said, wow, it's because of what's happening. So generally what this slide is showing you is that the bad guys have evolved in terms of how they go after people and how they commit fraud.

And what they've done is upgraded their tool set, because back in the day, and I experienced this at the big bank, they were building capabilities that were very loud and noisy. It's the best way to describe it, where we could see in the technology stack things coming in that just didn't look right. And you generally put blocking technology in and cut those sessions off. Well, because the technology's getting really sophisticated, what the bad guys are saying is, forget it, I'm not going to try to attack the session at the bank or the credit card company or the email provider. I'm actually just going to go after the people, and I'm going to go after and build tools that infect browsers on computers. And that's what this is. The outgrowth of what is occurring is bad guys have created tools to go after your browser so that if you are infected with this particular threat, anytime you log in across the internet, it is triggered to collect everything on you.

What's generally called an information stealer. So they are vacuuming the internet, they're taking all usernames, passwords, 2FA codes, session codes, everything. So even if you're triggered on an Amazon or your work computer, you're logging into the environment in your network or you're on your banking or your Netflix or whatever the heck you are, it is designed to just vacuum it all up and send it up to a server for them to be sold off. So here's what that enables. Again, going back to this idea that anybody could be a cybercriminal, traditional in-person criminal organizations like cartels and folks that generally have made a living on physical crime have now realized how easy it is to participate in cybercrime, because again, they don't have to build the technical capabilities to be able to get access to what they want. So a lot of these organizations fund themselves through these tools, including the nation states.

So you read a lot about North Korea, there's a lot in the news about this. Sometimes there's estimates that go back and forth coming out of the US government and other Five Eyes countries that collaborate with the United States that estimate how much money has been stolen vis-a-vis fraud and theft and scams, especially via crypto, by the North Korean actors, and what that has been used to fund: other objectives. And when you talk about that, it's primarily their nuclear program, that is a verified fact. And so thinking through this and understanding this is that again, what this stuff is enabling is anybody that traditionally wasn't in the cybercrime world to be there. Alright Scott, I'm going to hand this to you to annotate and give folks the statistics, and what does this really mean in terms of the impact that's occurring downstream, particularly to people.

Scott Wright: Thanks very much Patrick. And just going back to that one prior slide, I think we want to foot stomp, if you will, the exponential growth of infostealer use from one year to the next. Cybercrime is an increasingly growing and metastasizing problem, and the use of some tools that are able to bypass your traditional network defenses is increasing. Unfortunately we have some statistics, they're a little bit dated. We're waiting for the new statistics to come out later in December. But in December of '24 there was an estimated $43 billion reported in digital crime. Now I think the word to underscore there is reported; there's a ton of additional cybercrime activity happening that never gets reported. And Patrick is going to talk a little bit about some of the top frauds that do take place and certainly the different sectors and institutions that are affected.

Patrick Westerhaus: So I hate to start with this first one, but people are like, what the heck is pig butchering? Well, unfortunately, it is what is essentially labeled as the top scam that is going on vis-a-vis dating apps, and frankly high net worth individuals that are being targeted online effectively, essentially for high yield investment scams, which have been going on forever. But this one is much more geared towards crypto. And oftentimes it starts with social media recruitment. It starts with laying out an entire dossier on individuals. A lot of this crime is being facilitated actually in Vietnam and Cambodia, and unfortunately is being done through human trafficking, where people are being human trafficked into these data and call centers and they're handed a dossier and people to then go after, and create an online recruitment scenario where people essentially take a lot of their wealth and think they're investing in a crypto investment with a lot of returns, but it's a crypto scam. And then effectively once the pig has gotten fattened up, then they essentially slaughter it, steal the money, and then they're left with nothing. All their wealth has been drained and the stories are horrendous.

Scott Wright: It's a lot of retirees.

Patrick Westerhaus: It happens a lot in our retirees and happens a lot in our elderly community. It is devastating. Account takeover fraud is what I was just referring to in the past. It's still a thing, it's still going gangbusters, plus it continues to evolve because the tools continue to get better. Synthetic identity fraud. This one is basically what we're going to get into here next, which is because of all the compromised data. So everybody on this call I'm sure has been a victim of a breach. So what happens is bad people take individual pieces of people's identity and compile it together and voila, create a brand new person, the synthetic piece of it. And companies are having a hard time understanding who they're dealing with or what they're dealing with when it comes to essentially a fake persona. Deepfake business email compromise, the deepfake piece of it is fine.

I think that's more trying to highlight the idea that AI and essentially the voice and video clones that are occurring, particularly for C-suite, CFOs, CEOs, where if you're out there and you're doing a lot of public speaking and your persona is taken over, the technology is so good that we literally, we've had clients where they're in conference calls and they get a video call in, they think it's their boss trying to approve a big money movement and it's a deepfake, it's an email or it's a deepfake, it's an AI generated image that was really perfected, and companies have moved millions of dollars. So net of that is slow down, even questioning your boss. As hard as that is, if you're looking to move a ton of money, you need to question it. Government impersonation, yes, that has a lot to do with relying upon trust and being essentially people from the IRS, people from the Social Security Administration, remote IT support generally is how these people are doing this. But I think these stats are going to hold, the schemes are probably going to remain the same with a couple of additional ones that are very disturbing that are up and coming. We'll get to that towards the end. But something to think about, and how they're attacking the teenage group for attack. That's called sextortion.

Alright, so I've talked a little bit about this compromised information. So think about this as the rocket fuel. So what we are showing here is just one month of stats related to, by country, how much data has been stolen. So this is generally speaking what we bucketize in the breach scenario, but remember I talked a little bit about the infostealers and the malware threat. So all that information that's getting sucked up is also in these things. So these are a record count of what can be actually discernible, because this data is sitting out on the internet and there are companies that collect it for the good that then provide it to people like Scott and I to help companies deal with it in a good way. But this is just one month of data statistics. And so this is the rocket fuel, as I like to say, this information on people and on companies that is used in that cybercrime world. So that's first stage data that's been used. Now think about it, how easy it is to get compute power, get some cloud space, you get some of these data files, and how cheap it is to use some tools on top of it, and it's not going to take very much for people to be able to mine that and come up with very specific companies and people to target.

So what does that data consist of? I think this comes as no surprise to people: emails and passwords and you name it. You name the pieces of information that are being essentially stolen and used, and when you have all this at your fingertips, it really is not that hard to think through about why so many scams are going on and why the account takeover fraud is through the roof. It's because again, you have everything you need on people, and people are very open with where they work via social media. They're very open and a very trusting society. So when you take this rocket fuel and mix it in with the culture we have in the US, it's no surprise about why we're the number one targeted country. Of course, the richest country. So if you're looking to conduct a financial fraud scam, come stateside. Distribution by incidents: what we're trying to drive through here is just the category of where the data is generally being taken.

Now again, you're probably looking at the top stat, combo list and spam list. So just like remember I was talking about how cybercriminals trade this data around and there's a whole economy that gets fueled and everything like that. There is no honor among thieves. So a lot of times when thieves steal data out of a company, if it's a tremendously valuable company like a Netflix or Verizon or AT&T or something like that, they will name the data file, because it becomes a very enriching moment for them because now their buyers know exactly that they've got a very rich set of information to go after. Other times it's just a repackaging of previously stolen information. That's why it gets sent to the combo and the spam list. But by and large we've made our best attempt to kind of break it down by industry.

Alright, so I'm going to pass this here to Scott here in a second. So what does this mean? So now we're going to go through the two different phases of the presentation. We've talked about how we've oriented you on how it works, the threats, what's happening. And now we're going to move into the blind spots. So where are those blind spots that you have in your organization? I think a lot of smart folks on the call are probably picking up already that we're going to foot stomp and continue to foot stomp the human risk element of it. So here at Eisner we spend a lot of time helping folks understand what that is and what that means. So what this is a representation of is a client of ours, a company. So data is protected, anonymized. By simply looking at just an email domain of a company, we're able to pull these raw stats back and drill it down to an individual email address to represent who's in the most compromised state in your organization by job family. And believe it or not, most of the time, Scott, and this is a layup, who are the biggest violators of essentially the misuse, using your work email address kind of across the internet when they shouldn't be? What

Scott Wright: Based on our work with clients, what we're seeing the vast majority is the GC. Unfortunately the CFO. It's very largely crown jewel holders, people within an organization that have significant broad access, they have administrative responsibilities, administrative access, and unfortunately they're the ones that are most targeted and they're the ones that are ultimately the most vulnerable.

Patrick Westerhaus: And how has a lot of this data happened, Scott, particularly at the enterprise level, knowing that we look at the email address? What is the number one thing that we see over and over again that fuels how exposed people are vis-a-vis their work email address?

Scott Wright: There's a lot of different pieces on that. Unfortunately what we see a lot of is humans, people in the companies, are oftentimes using their work email addresses for personal things, and when you do that, you introduce a level of risk to the company that just creates significant financial risk.

Patrick Westerhaus: And we often tell companies, what's the first thing that a company does, or a person gets, when they come into the company? What do they do? They provision an email address

Scott Wright: For you, right? Email? Well they provision an email address, they turn your email address on and when you leave a company, the first thing they do usually is turn your email address off. So really the question is who owns that email address? Is it the employee or is it the firm? And how do you, go ahead please.

Patrick Westerhaus: No, I was going to say how do you enforce discipline, right? And so how do we think about what is that blind spot that is walking around an organization and enforcing this discipline and how do you do that?

Scott Wright: Yeah, that's tough. I mean I think it's the mindset. I think it's the mindset. What people need to understand is there's two elements here that have to go hand in hand in order to make things effective. First is there's got to be significant network defense. But secondly, and the most, I hate to say ignored aspect, but an aspect that hasn't gotten enough of a showcase, is the human risk and the things that people do that they're simply not supposed to do.

Patrick Westerhaus: In terms of that aspect, that human piece of it. We're spending a lot of time talking to companies about insider threat and really what that means. So when you hear the term insider threat, it has a bad connotation. But from your opinion, Scott, how would you describe insider threat within the context of what we're looking at here?

Scott Wright: In the context of this, we're talking a lot about theft and fraud, but unfortunately what people don't focus on enough is the insider threat or insider risk element of operating on a system. When I talk about insider risk, there's a lot of different meanings to it. Certainly from my past, when you're thinking about an insider threat, it's somebody who's in your network who is wittingly collaborating with bad people. That is something that we find through this breach data from time to time. But typically, using the terminology insider risk, what we find are people who are susceptible to being manipulated by a criminal. So when a criminal develops a dossier on someone and determines that they bank here and they shop there, they're going to be susceptible perhaps to a scam and they're going to be susceptible potentially to manipulation. Ultimately what we see is people provide access to criminals as a result of their lack of education. Does that help expand on it, Patrick?

Patrick Westerhaus: Definitely. So why does that matter? Right. We're going to give you three hard-hitting examples why this data matters, and the numbers prove themselves out. I mean these are CFO problems. Make no mistake about it. The cyber risk is financial risk. And so we've picked out three breaches. Some of 'em are older, some you may not have heard of, but I think if you're on the East Coast, you heard of the Colonial Pipeline. I'm sure most people have heard of the MGM Resorts attack, which shut the casino down, and then the Change Healthcare attack, I'm almost certain everybody's heard about. But these are the estimated losses that each of these organizations suffered. I think the Colonial Pipeline is very under-reported. That was an older compromise and I think there was less of a drive to get the exact stats on how much business interruption and money was lost.

MGM losses, again, this is business interruption, this is getting the network back up. Part of this is the ransom, but these are true numbers. And so we look at the Change Healthcare attack, 2.4 billion, and the way they got compromised is exactly what Scott was talking about: impersonation, social engineering. Where do they get that information? They get it from the breach, they get it from the infections, they get it from the previous stolen stuff. So how do you level folks up to really understand? And as he said, it's training, it's awareness, but it's also discipline and some things we're going to talk about here at the end of the presentation. Scott, what else would you say on this and what's fresh in the news?

Scott Wright: There are two things actually. On the Colonial Pipeline piece, that unfortunately was executed based on the company not shutting off a couple of legacy VPNs. There had been a previous breach in which a former employee's passwords were taken and the criminals simply logged in. So that's certainly something that folks need to take a close look at. It goes back to Patrick's earlier point about you get an email when you start, the email has to be shut down when you leave and all those accesses need to be closed off. That unfortunately was the problem with Colonial Pipeline. In terms of a little bit more fresh examples, we've got two that occurred recently. One involving a retailer and another involving a manufacturer. In roughly March of '25, Marks and Spencer suffered a significant cyber attack. The attack took a lot of their stores offline. It took all of their online shopping completely off and unfortunately the toll of the attack is estimated right now at about 446, I think, and counting, $446 million.

Marks and Spencer's IT system was outsourced. They had a managed service provider and I believe, if I'm not mistaken, that the vector of the attack came from that MSP. So not only did it cost Marks and Spencer an awful lot in terms of revenue on sales, they probably won't fully recover until about March of 2026. So that's nearly a year of business interruption. In addition, they wound up firing their MSP and they had to bring all of their IT source work in-house, all of their IT work. So that's a major change. With Jaguar Land Rover, they were just recently attacked in August and two months in they estimate about an $896 million hit to revenue. It is proving to be the largest cyber attack in UK history. The attack itself took all of their computer networks offline and as a consequence shut down all of their internal production as well as vendor production. So they produced, if I remember correctly, they produced fewer vehicles than they ever had dating back to 1953 and fewer sales in that two month period. So it was devastating.

Patrick Westerhaus: That's amazing and horribly devastating. So as an enterprise, you're probably asking yourself as the CFO, or if you're in a private equity firm, what are some things you can do either in the pre-investment due diligence, or how do I manage this problem going forward? Translate for me from your technical and IT and your CSO and security team to really quantify for me where we're at in our cyber journey and what dollars do I really have at risk. So we're spending a lot of time with clients and helping 'em in this journey with the tool set that we use to really focus and understand. We evaluate where they're at in their journey. We help them understand essentially what are the particular impacts and losses that you're going to potentially suffer given the different threats, and what the next slide is going to highlight. And then we talk about, okay, where are you in your ability to essentially transfer the risk, which is generally in the cyber insurance market.

One of the things I'm going to foot stomp on here that every CFO on the phone should really think about is we are finding time and again that companies that, and this is pretty evident in the publicly traded space too in their 10-K, they're disclosing that they've got these very elite cyber programs. They've got the best of the best and they generally do. The talent is phenomenal and they're doing everything it possibly can, but inevitably they're breached. And then when they pull back and look at what was the actual risk transfer market that I was in, what was I really buying down my risk and the losses and things like that, they're getting pennies on the dollar. They're woefully underinsured. I'm not here telling you that cyber insurance is the way out of this, and it clearly is not. But you really got to have an ability to understand what was the ROI that I'm getting from all the investment that's going on.

And this is what Scott was talking about, which is robust technical controls, which is what we can help quantify. Now when you look at the next aspect of it, which is what we're also foot stomping on, which is the human risk element, which there's a couple of dashboards up, what can we do to manage that problem as well, which inevitably is driving the breach, the interruption, and the ransomware and the e-crime. And a lot of companies are starting to find out that insurance companies, even if you transferred the risk, like all insurance companies do, they're going to look for an out, and a lot of times they're looking for an out if employees haven't been properly trained. And training is no longer good for just your annual phishing exercise. You have to document that you're doing more to mitigate the threats that are coming your way.

Social engineering attacks, the overuse of the data, the data breach, and what are you doing to protect your executives? So claims are being denied because companies are just not doing much to manage that piece of risk. It's clearly a blind spot that a lot of CFOs are not thinking through. But if you can evaluate your network risk, have an ability to talk to your technical and your CISO teams in financial terms, which is where we're having great success, then you layer up and start asking questions about how we're addressing the human factor of it. Then you're overcoming the two biggest blind spots that we see in the industry going on. But you've got to get proactive. You cannot sit back and wait and think about, okay, we'll get to that later, or I'm just going to trust my general counsel that we've got everything we need. And cyber insurance, unfortunately I found multiple general counsels in their shops don't even read the terms and conditions that their broker essentially negotiated for them. So ask hard questions, and if you can do it from an ROI and what is all this investment getting, all the better. And that's what this is demonstrating and what we're proactively dealing with. Scott, what would you say?

Scott Wright: I would just add, we've seen multiple instances where companies have been underinsured. We talked about Marks and Spencer, for instance. They had cyber insurance. Their cyber insurance paid out 25 cents on the dollar. In a case of an investigation we were brought in on, we worked with an American medical device company manufacturer and we were asked to help quantify all of the different facets of loss they experienced when they were attacked. All said and done, we helped them prepare an estimate, a claim of around 550 million. Their policy paid out, again, about a hundred million dollars, so it was 20 cents on the dollar. They weren't insured properly.

Patrick Westerhaus: So definitely a blind spot, definitely something to think through. Alright, so we're going to depart from the enterprise. We're going to go down to the individual level and I'm going to demonstrate why people on this phone are very juicy targets, obviously, because you can make money move, you can make financial decisions, you own the keys to monetary systems and transactions and deal flow and everything in between. This is a real person, was a client, and facts, all things, have been protected to protect the innocent, if you will. I'm not big on foot stomping on folks to read slides, but I would please take a minute or so to read what happened to this particular individual small business owner, and it'll describe why this was such a devastating attack to this person. But then we're going to go talk about why it was so easy. So I'm going to give folks about a minute or so to read through this and kind of think through and generally react to what you saw happen to Selma.

Okay, so I'm sure most of you're picking up that many times throughout this entire process Selma was following the direction of essentially what the bank had told her in order to facilitate money movement. She was provided one-time passcodes and was following all sorts of directions. Unfortunately, she was giving it right to the scammer, who every time got the one-time passcode, and a new wire went out. So unfortunately she was a victim, and a very bad victim, and had almost her entire, entire business cleaned out. Despite that, she went forward and said, okay, I never want this to happen again. How did this happen? And so we dug in, and by simply her providing us her personal email address, we were able to map out for her every point of vulnerability. Remember I talked about 15, 20 minutes ago about that rocket fuel. We were able to show in specificity exactly every piece of information that's ever been compromised on her, and where, and the likelihood of where that information was leveraged.

And then importantly, we also looked at her social media profile. We looked at how out there she was, how her social media was fully exposed, and then they knew exactly where to go pop her email account, which is where they essentially got her banking statements and got her banking instructions. So the criminal did a lot of white work before they then passed it off to the scammer who made a phone call in. So unfortunately our investigation showed a lot of devastation in terms of compromise, but we walked her through a journey and got her to level up so that essentially going forward she could decrease the likelihood of becoming a victim and essentially help her next of kin. Alright, time for the next. I think it's our last poll question here, but hopefully as we've gone through this journey, I'm hoping I'm going to get the answer that I want here, but without teaching to the test. Otherwise, I don't think Scott and I have done our job, but I'm hoping the results are going to be positive here. So we'll give it another 30 seconds or so, Scott, and you let me know when the poll results come in and we're going to get the grade on how we did in this presentation.

Scott Wright: It's starting to tick up. I was going to go back one second to say that again, to foot stomp what you had pointed out: with just a single personal email address, we were able to develop all of those different topic areas where Selma had been breached significantly and put that dossier together. It's mind boggling how breach information informs things, whether it's insider threat programs in a company or some of the frauds that are underway. It's incredible about another.

Patrick Westerhaus: Everybody, we have one more poll question. We got one more poll question.

Scott Wright: We've got one additional. Okay.

Patrick Westerhaus: We're almost...

Scott Wright: Right, but another 30 seconds maybe.

Patrick Westerhaus: Alright, well I think we've gone long enough. We'll see what it says. Alright, I love to see 75%, that means we're doing our job here. Hopefully we're not the people in the 6.7% bucket. That gives us a good grade. We're still at 75% though, Scott, so we're pulling.

Scott Wright: There you go.

Patrick Westerhaus: A good C plus, which is great. Okay, we're going to spend some time here. I really, if there's anything to pay attention to here, if you paid attention to anything at all, it's this, because this starts with protecting you, protecting your kids, protecting your family, protecting your parents, protecting everybody that you care about who's either been victimized or could potentially become a victim. So we're going to spend some time on privacy best practices. So one of the things I'd like to hammer home here is the concept of username anonymity. I think a lot of people have had the idea of passwords driven into their head, although the stats still prove that people are very lazy about their passwords and it's still 1, 2, 3, 4, 5, or 1, 2, 3, 4, or variations of it that is the number one password that people still use, which I just shake my head at and I can't believe.

But username anonymity, what I mean is, don't use the same username that you have across your email addresses or your online handles or your profiles, because it's too easy to get a username off of an email address where you may not have compromised information like a password or other I, but then that username is also used on your Netflix. Great, now I've got that breach and actually have a password, while I'm going to potentially understand that that person has reused that password. So now I've connected the two dots together. So think about your username discipline, username anonymity, which is a lot easier to remember than just passwords, but rotate them, choose different ones.

Scott Wright: And if I can just add, and consequently with that password, they're also using it for work.

Patrick Westerhaus: Yep, a hundred percent. Social media outlet audit and online safety. Okay, so here's where I usually go with this one. People are very open on LinkedIn, right? So would you walk down Fifth Avenue in New York, walk up to a complete stranger, shake their hand and say, yep, I'm the CFO of this company. This is where I got my graduate degree, this is my undergraduate degree, my graduate degree. Here's exactly who I work for. Here's everything that I've accomplished and done, and here's the region that I live in, and sometimes here's the best place to contact me. You'd be like, you're crazy, Patrick. I'm like, yeah, but that's LinkedIn. So why do you accept connections from people that you don't know? Stop doing that. There are techniques and there are tools that constantly scan LinkedIn and look for people to target. Bad guys and nation states particularly do this.

The Chinese are very good at this. They're constantly scanning LinkedIn and sucking down data to figure out exactly who are the most consequential people. You wouldn't believe how many people in that space advertise that they have a clearance, and they advertise that on LinkedIn. It's just insane. Online safety, I'm going to hammer this one home. I talked about it at the beginning of the presentation, but there's media out today about how devastating an uptick is coming on a scam that's called sextortion. That's unfortunately going after our teenagers. Same scam groups, Nigeria, Cambodia generally and other places, are posing, sometimes or oftentimes they're going after the males, as being influencers and very pretty women. And then they essentially recruit them. And then unfortunately these males end up sending pictures, inappropriate pictures, to this person. And then those inappropriate pictures are then used as an extortion mechanism that basically says, if you don't pay me X amount of money, then I'm going to release this to your family.

I'm going to release this to everybody. And unfortunately the devastating thing that's happening is a lot of these teenagers are committing suicide. They would rather commit suicide than pay money or admit that this happened. It is a well-funded operation. It is about as disgusting as it gets. But I cannot foot stomp this enough on the social media side. Do not trust. Only interact with people that you know, keep your friends only, go in and create your policy and privacy settings. Make it hard and trust, but verify. Scott, one of the things I want to throw to you is around this concept. So given your entire background and your world, and where you lived for collectively 30 some odd years doing overseas operations, what was it like for you when you first came in and said, you know what, I'm going to figure out what do I look like to the criminals?

Scott Wright: Well, I kind of loosely touched on this a second or two ago. In my profession, I had to operate, if you will, in the shadows. I was in the Directorate of Operations at CIA. I spent 21 of my 33 years overseas. And I was trained to really minimize the amount of digital breadcrumbs I put down, trained at the time not to be on social media, trained to maintain a low digital footprint, if you will. And so I was shocked to see the capabilities we have at our fingertips now, the different data sets and programs we have at our fingertips now. I was shocked to see how within five minutes I was able to pull together a massive dossier on myself: where I had been at X, Y, and Z times, what airplanes I had used, what shops I shopped in, what email addresses I had at that time. I was really stunned to see it all pulled together. And it just really highlighted that no matter how carefully you try to protect yourself on the internet, it's oftentimes never enough. It's oftentimes never enough. So that's what I learned.

Patrick Westerhaus: But being aware, good, being aware really has empowered you, right?

Scott Wright: Totally empowered me, totally empowered me, and I'm now totally a devotee of some of these best practices above.

Patrick Westerhaus: Yeah, that's great.

Scott Wright: Absolutely.

Patrick Westerhaus: These are the recommended things here. Some of them are kind of the duh stupid stuff, but it's good reminders. And so we got one last polling question. So if you've hung on the entire time, I appreciate it, and it's been a joy visiting with you folks, even though it's been a one-way conversation. We hope to pick up the conversation at some point, Scott and I, and help you really think through and really foot stomp the idea of what are these blind spots that you really got to be aware of. And again, human risk. How do you translate cyber to financial risk? How do you ask the right questions? How do you diligence companies before you invest in them? You got to factor these things in. You can no longer just say cyber, it's just something that IT is going to manage. Is it strategic risk? Is it a business risk? It's one of the most important risks you have to calibrate and understand. Not only is it an investment risk, because we've seen companies that have gone out of business post an attack after an investment. And we're also seeing the flip side, which is how do you use cyber risk, strategic basket, as a lift out and an exit. And then importantly, most importantly, how do you protect yourself? How do you protect your family, your next of kin? How do you become that cybercrime warrior and understand that criminals have a say? Flip your mindset, take it back at them, and the paradigm shift will change. So hopefully we're not in the A bucket, although I'll get blamed for scaring everybody. Scott will not, because my name's on there. That's fine. But hopefully you're walking away feeling better. Want to jump in. You want to empower yourself, empower your families, empower your bosses, empower your teams to really think critically on how to manage this risk and move it forward. Managing risk, managing your risk that is increasing, but at the same time, knowing that you can walk away feeling better about what you can do about it.

So it's been a pleasure. We're going to pull up the story here. You're feeling better informed. Good. We're almost at the 50%. I like to see the 26%, and we're going to fully recruit you in and you're going to be a cybercrime warrior. Unfortunately we don't have a challenge coin for that, but that's okay. So with that, I think we've come up on time. I really appreciate everything, and folks that are willing to take some time out of your day, and hopefully it was a little bit more of an exciting CPE than your typical tax CPE or your audit CPE. So with that, I appreciate it and I wish everybody a very happy holidays. Scott?

Scott Wright: Ditto, ditto. I'd say the same. Happy holidays to everybody. Thanks for all your time. We really appreciated it.

Astrid Garcia: Well, thank you both.

Scott Wright: Stay safe out there.

Transcribed by Rev.com AI
