On-Demand: Cybersecurity Threats Facing Executives & Private Businesses
November 04, 2021
In this webinar EisnerAmper and Bessemer Trust discuss how financial institutions and professionals can safeguard themselves from potential cyber-attacks.
Vikas Bangia:Thanks, Rahul. Really appreciate it. Really excited to be here and hopefully, everyone can learn something today.
Rahul Mahna:Yeah, I agree. And to just give a little bit of context. For those that know, or don't know, today is the Indian festival of Diwali. What does that mean? I think in our culture, it means you eat a lot of sweet things. You laugh a lot and you have a good time. I think it's interesting in this topic because, because it's not only laughing, but I think we start crying with cybersecurity also a lot. And I often find myself having that conversation with clients, should I laugh or should I cry at what they tell me? As we look at where we are today and what the picture looks like, give us from your perspective, sitting in a financial institution, working with high net worth individual, with many business owners, executives, what does the industry look like and cybersecurity for you today at a macro level?
Vikas Bangia:Yeah. I think it's a great question. It's a difficult one to answer. And the reason I say that is everyone's risk register is different. There's certain industries that are heavily regulated, finance being one of them, pharmaceuticals being another. And what you're seeing in those industries is probably better cyber hygiene, better cybersecurity. The one thing to keep in mind is criminals have to be right one time. As a defender, I have to be right every time. And that's something that I constantly share with my team. I share with technology people at work because it's a difficult concept to get your head around. Again, we have to be right 100% of the time or a criminal has to be right one time to get into an organization and spread so to say. They have a big lead right now. I think we're doing, and we're trying to do all the right things to get better, so to say, but we're losing right now. I think it may get worse before it gets better. So to say,
Rahul Mahna:Yeah. I know. I feel the same way. As we tell our clients, it's not a matter of if you've been hacked, it's a matter of when you are going to get hacked. And I know you and I share that same philosophy that it's probably happened already. And whether you know it or not, your credentials are probably out there. But maybe you can start the conversation more of how it all started. Why don't you walk us through, I know we have a couple slides here, maybe walk us through your perception of it.
Vikas Bangia:Yeah. I think this is a good place to start. Before we actually talk about what's going on today in security, let's start with a little history lesson of what's transpired over the past decade in terms of technology. And believe it or not, it all started with the iPhone. That innovation is still less than 15 years old. And it has changed everything. It was introduced in 2007, which again, it seems like it's always been here. But in the US more than 85% of us now own a smartphone, that's more than double than what we had a decade ago. From a social media perspective, we've just also about doubled our usage, so to say, in the last decade,
The other thing that's driving what we're seeing from a cybersecurity perspective is IoT's devices. In 2020, the estimate was consumers installed 31 billion IoT devices. And these are your Nest Cams, your Alexas, your Google Homes, your automated garage doors, Philips Hue lights. I'm embarrassed to say I can also control my washer dryer and my refrigerator from my phone. The challenge with these devices, while they are great and very convenient, is that most of the time the security is poor. Most of the devices are cheaper. They have hard coded passwords. Most of the time they can't be changed. And the big thing is, it's a rarity that they can be patched. If they have some sort of vulnerability, they can't be updated. And the last point here is, whether we know it or not, 90% of us use some sort of cloud service. And that is up a lot since 2008. Almost 100% of us use Alexa, Google Home, some streaming service like Netflix. Most of us have hailed an Uber. We've used Venmo to pay a buddy, so to say. There's literally, obviously, an app for everything. But what does it all mean?
At a macro level, the seismic shift over the past decade has really been that data that we normally kept stored and secured locally in our homes is not there anymore. It's either at some cloud service provider or some big tech company. And I think this is at a macro level what has transpired to what we're seeing in cybersecurity these days.
Rahul Mahna: Yeah. I don't think people really realize when you order from Uber Eats, your example, order a cab, order a movie on Netflix, your personalities is being tracked, monitored, and built online. And a certain amount of your personal information truly is being given away at that point. Also, that could be used for nefarious reasons later.
Vikas Bangia:Yeah. No doubt. And literally, what's happened over the past decade is the seismic technology shifts have given rise to two new economies. And both of these economies have significantly matured over the past decade. One is surveillance capitalism, similar to what you were just talking about. Everything we do online as a society is tracked, packaged, and then sold to marketers. Surveillance capitalism and the term was coined by Harvard Professor, Shoshana Zuboff, in her 2019 book, The Age of Surveillance Capitalism. And believe me, I could spend the whole hour just talking about that topic because I find it super interesting. But we're going to focus on the other, which is the hacking economy. And this is really where organized crime nation states, they're using social engineering and technical means to commit fraudulent activities. Let me give you just a few-- I guess we got a poll.
Lexi D'Esposito: Poll #1
Rahul Mahna:This one should be pretty easy, everybody. And as you're responding, I didn't mention earlier, but if you have any questions, feel free to put them in the QA box, we'll try to tee them up for the end and, Vikas, and I can go through them, hopefully, towards the end. But yeah, these results are just spot on really. The essence of, I think what, Vikas, was saying is the majority of your life is starting to be, or if not already being tracked online through some type of online database resource. And it's just going to keep growing, it seems like. There's going to be no stop to that. Great. I think that's a good summary of the danger of where this data is basically out there and what people can do with it. What's your thoughts after you see this, Vikas, in where we're going?
Vikas Bangia:What this does is, it centralizes information for attackers to target. And again, just a few basic stats to illustrate my point. Every 11 seconds, a hacker holds someone's information hostage demanding some ransom. By the time this hour webinar is over, more than 350 more organizations will have been affected by ransomware. Nearly half of all Americans said they were victims of cybercrime. And that was two years ago. My feeling is this number is way higher now. And a lot of people like myself always just counted on the fact that, hey, I have a Mac and I'm a Mac user, so I don't have to worry about malware and viruses. A recent report said, attacks on Macs are up 80%. What does this all add up to?
Cybercrime costs us about $6 trillion a year globally. Just think of that number. That is the amount of money equal to the entire economy of the UK and France combined. It's more than the entire global drug trade. Just think about that for a second. And in contrast $10, that's what it actually costs to rent a hacking toolkit on a monthly basis with great support, by the way. And so if you look at it, there's no reason for someone not to get into this business, you don't need a lot of money. And I think the one final note on this slide is that the people who are doing this, specifically organized crime nation states, they're motivated by money. That's what's driving the supply chain. That's what driving the maturity of this hacking economy, so to say.
Rahul Mahna:Yeah. And I'll just make a quick comment, because just in case people don't understand this, you can buy an entire hacking software that will allow you to go and do bad things on people's computers. You have to have no knowledge of programming, no knowledge of how to support it or maintain it. Somebody will do all of the hard lifting for you for $10 a month.
Vikas Bangia:Mm-hmm <affirmative>.
Rahul Mahna:Vikas, is that basically it, you are renting the whole tool and all you got to do is send it out?
Vikas Bangia:That is correct.
Rahul Mahna:If that is correct, and that's the mindset, maybe walk us through, is this why email phishing is still, what I see typically, 90% of our clients have that problem. It's always an email phishing attack led by some type of created ransomware. Is that what you are seeing?
Vikas Bangia:Yeah. That is still very typical. And a little later, we're going to get into what is a typical ransomware attack. How does that work? And phishing works because of two things. One, it's free. Two, it works. Study after study, after study says if you send 100 people a phishing email, 10 people will click on it. 10 people will open the attachment. It's a numbers game. If someone is going to send out a million fishing emails, 10% of people are going to click on that. It's a numbers game for them. And again, it's quite successful obviously.
Rahul Mahna:Kind of funny. I don't want to detract, but I've got a few Q&A folks saying that maybe they should switch jobs and start renting the software for $10 a month and become a hacker.
Vikas Bangia:Well, a lot of people do it.
Vikas Bangia:Let's shift a little bit. Let's talk a little bit about ransomware and what it is. And at the most basic level, it's a piece of malicious software and it locks up your data by making it unusable or encrypting it. And to get the key to unlock it, you need to pay the person or the group that did it. And payment usually is in the form of some cryptocurrency. How bad is it? Well, it's pretty bad. Globally, it's a $20 billion problem. And it's getting worse. Ransomware attacks are up close to 100% in the first half of 2021, versus the first half of last year. And for a business or an organization, how bad can that be? Think about the average number of downtime for a business, which right now is 23 days. How bad is that, you're asking yourself.
Well, we're in the month of November. And if you take out Thanksgiving and the Friday, right after that, that leaves November with only 20 workdays, so to say. And ask yourself, can your business survive not being able to service customers or clients for the month of November? And that's how serious this issue is. And just a little bit of history-- I guess we're going to do a poll.
Lexi D'Esposito: Poll #2
Rahul Mahna:All right. It looks like folks are listening. And they're also reading the news and hearing what's going on in their companies and their company trainings. And this is it. All the data and stats we see comes into the high 90s area still today of where these ransomware activities end up and how they end up happening. It's really important to watch your trainings and do this work to keep the balance there. Vikas, I just want to quickly summarize what you just said in terms of ransomware. We just had a client who had an email phishing attack. They were proposed for about $100,000 ransomware. They decided not to pay for it. And then their cost started.
Here's the cost, is the cost your downtime calculation? Is the cost the hardware and the services installation? Is the cost both? And I would propose the cost just keep increasing as well. Not only is those 20 or so days that you mentioned that they were down before we could really get their offices back together, we couldn't find equipment. And right now, as many of you know, supply chain shortages. It took us a while to just get them equipment, which lengthened that out as well. And the cost of the equipment is rising. I mean, everybody sees the gas prices. You're going to see it in all your equipment as well is slowly rising.
Costs are really going up. I think the data that we're seeing what's the cost of a cyber-attack is, while we lower than what the actual cost ends up being between bringing in consultants, buying new equipment, your downtime cost, and then your customer trust. If it involved your customers, how much did you lose in that process? And what do you have to do to accommodate those customers? There's a lot of tacit costs as well as explicit costs I find when there's a ransomware attack.
Vikas Bangia:Yeah. I tend to agree with you, Rahul, because obviously you'll have downtime. But think of some of the soft side of this, if you are an organization that has some IT staff, some security staff. When something like this happens, all projects come to an end. Everyone is focused on getting back up and running. Everyone wants to keep the lights on, so to say, and get back to restoring critical systems. People are working 24, probably for 15 to 20 days. Even if you have cyber insurance and they cover the cost of the ransom, there's a lot of additional costs. And you mentioned some of them, customer trust, morale, lost time on projects, maybe deadlines are delayed. Maybe you were doing some fund. Maybe your legal team was doing something.
Customer trust is a huge thing. And I think I recently saw some research where they said that if a company was to get attacked and they were found negligent, a lot of people wouldn't use them anymore. And I think when you talk about finance, when you talk about insurance where a lot of the clients are based on relationships, I can certainly feel that. But there are a ton of different costs not only just the ransom, so to say.
Rahul Mahna:And I know this is this warrants a lot of conversation for the gravity, I think. What we're seeing with clients actually is two ransomwares happening now, which maybe you've seen is well where first someone clicks an email, it locks the computer, and it says, to unlock the computer, you need to spend X amount of Bitcoin that will unlock the computer. That's a traditional ransomware people think about is to pay to unlock your systems. The second ransomware we're seeing, Vikas, is sometimes people don't want to pay that. And the one example I gave with the client, they did not want to pay. They decided all new equipment and they wanted a fresh start. But the hackers are taking the data and pulling the data out of the systems and holding it in their hands and saying, okay, you can do what you want with your computers, but now we're going to ransom your data. And if you don't give us money, we're now going to publish this data on the dark web. And that's a whole other level of scariness going on.
Vikas Bangia:Yeah. There's no doubt about it. And one example you gave is basic ransomware. That is so five to seven years ago. That was when these groups were going after individuals and were happy with a couple of $100 on a credit card. What is happening now is attackers are infiltrating organizations. They're moving around, they're collecting the data, they're destroying backups, they're exfiltrating the data. And when they're ready, that's when they encrypt the data. And folks have gotten better. They they've gotten better backing up data. They have a better restore process us. And if you're going to decide that you're not going to pay, that's when they start playing hardball. That's when they say, hey, look, we're going to release the data on the internet. I've also seen where they may contact employees directly, including senior executives stating their personal data is going to be leaked as well. They may contact partners, customers. They may contact members of the media. And really, it's to put pressure on the organization to pay the ransom. We've seen this. I've read a lot of research on this and all those tactic are in play.
Rahul Mahna:Yeah, I agree. And you need to be very skilled these days. I think that's what you and I have to continually keep doing is, how do we keep protecting our clients and our executives and our businesses with these advanced concepts to protect them? Because the hackers keep jumping ahead of us and we have to keep finding alternative ways, like you said, to do backups much more smartly and so forth. All right.
Vikas Bangia:It is definitely a cat and mouse game.
Rahul Mahna:Yeah. It's a cat and mouse.
Vikas Bangia: Just a little bit of history on ransomware. It's been around for more than a decade. And just like we were talking, they've gone from targeting individuals to targeting organizations, whether that's hospitals, whether that's police departments, whether that's entire cities like Baltimore and Atlanta, who were literally over the last couple of years, shut down for weeks. And what's fueled it is two major things. The obvious one is there's more money in targeting organizations and cities versus consumers. The other big thing is the use of Bitcoin. Since Bitcoin started to go mainstream, ransomware has gone the same way. These are just headlines, and again, over the last 18 months. In 2021 over the summer, we had two major organizations that suffered very high profile ransomware attacks. One being Colonial Pipeline, which provides much of the fuel to the Northeast. And JBS, which is the country's largest meat supplier.
Unfortunately, if you look in the bottom left, we've also seen a death that could be related to ransomware. This happened in Germany where an ambulance was transporting a woman to a hospital, and when they got there, they said, hey, look, we're under a ransomware attack. You have got to go to the next hospital. And by the time she got there, she had unfortunately perished. This is a big deal. And again, it is happening literally every minute, so to say.
I want to shift here, and really, walk us through how ransomware works. This is a very typical ransomware attack. And I probably once a week, someone asks me, hey, I hear this stuff about ransomware, how does it happen? If you've ever had that question, this is the slide for you. And it explains at a high level how a basic ransomware attack works. And it literally starts with someone from the outside sending one of your employees an email with an office document. The email appears in the employee's inbox, the employee opens up the email, they double click the attachment, and unbeknownst to the employee, the document usually has some macro in it. And when the macro runs, it executes some code. And what the code does, it just connects to a website. It downloads the ransomware and it installs it on a person's machine. A few minutes later, and it's that fast, it will encrypt the local PC or lock most of the files, any network access or drives the employee has access to, those will also be encrypted.
How do we combat this? What can we do from a controlled perspective to help with this? And to me, it always starts with a strong security awareness program. One thing I've learned in my career is that security is everyone's responsibility. And by enabling this attitude and culture throughout the organization, it gives you the ability to have an extension of your team, so to say. You can react quicker to incidents. Prior to any email entering your corporate environment, it should be passed through some sort of third party where it's scanned for spam, it scanned for malware. You should configure your firewalls to say, hey, look, everything that comes into our environment has to go through this third party. It can't come direct.
The other thing you should keep note is once it gets to the email server, it should be scanned there as well. Again, have multiple checks in place, so to say. The next thing is by default disabled macros on all corporate PCs. You may say, hey, look, the finance team needs them, accounting needs them. I think that's a valid business case, but does everyone need them? Does everyone on the manufacturing team need them? Does everyone on the marketing team need them? Does HR need them? They deal in office documents all day, but they probably don't need macros.
The other thing is, do you allow everything to run on your corporate PCs and laptops? There's a ton of software out there right now that says, hey, look, if it's not on the list, it won't run. Obviously, everyone runs antivirus. If you don't, you're probably already hacked. But the question I would ask is, if you have antivirus, how old is the antivirus? How many times a day you update it? And what happens if a PC is one or two or three days old? Do you isolate the PC or do you allow it to continue being on the network?
The next thing is, do you have a secure web gateway? Do you have some tool that analyzes every site everyone goes to? Is it configured so that if a website is new or uncategorized, you're going to block it regardless. Do you have an intrusion prevention system that's looking at all the downloaded software? It's looking at all the traffic and if it sees something weird, is it going to block? And then finally, are your employees, administrators on their machines? I know I went through a lot very quick. The thing I want everyone to take away from this slide is not the actual controls, but to recognize this is what makes ransomware so hard to protect against.
Recall, this is a basic ransomware attack. Every single one of these controls is an IT/security project. It requires resources, time, money, and a lot of coordination, because it also drastically changes the way your employees are going to do their jobs. And unfortunately, what we've learned is there's not one single thing you can do to protect yourself against ransomware. This is a case of defense in depth. If a salesperson calls you and says, hey, if you buy my software, you're going to be fine with ransomware. You know they're lying. This is a myriad of controls that can stop, hopefully, basic ransomware.
Rahul Mahna:Yeah. This is really a nice outline. And this is the hard stuff that when we deal with our clients and the client's IT departments, or your IT consultants, you've just listed 10 buttons or 12 buttons there of controls that need to be in place. How can one person really know all 12 controls? You almost need a team of experts to help you build the layers of the onion. And then as soon as you get pretty well, you're going to have to almost go back at times after a couple years and redo it again, because some of the controls changes. It's a constant evolution that I think requires more than just one person. That's the other thing, like you said, if somebody calls and says they have a magic switch, or if you have one IT person and he says, hey, I've got it all figured out, I struggle with if that's possible.
Vikas Bangia:Yeah. I would almost say it's not. And again, this is basic. This is what they were doing five to seven years ago. This is what they're doing now. They have gotten to a point where instead of just doing a quick smash and grab, meaning encrypting and demanding ransom, just like we talked about, they're being way more strategic in what they do. If we start on the left hand side, they get into your environment, and we talked about it. They send phishing emails. Sometimes they're looking for vulnerabilities. Sometimes they're buying user passwords. The supply chain is so complex now and mature, instead of trying to get the passwords, they just buy them. Sometimes they just guess. I can guarantee there is someone on this webinar where in their organization, they have someone whose password is Fall2021 with a capital F.
As we move to the center, they do the same thing. They get in the organization. They're looking to steal passwords really of your administrators, of your tech people so they can install their malware tools so they can destroy and corrupt backups. And then when they're ready, just like we talked about, they exfiltrate the data, they encrypt the data. And now all of a sudden, they're at a standoff in terms of, hey, this is what we're going to do. And the goal is, how are we going to put pressure to get paid on the organization? That's literally what they're trying to do.
Let's transition a little bit to the executive. What do they need to worry about? Some of it is similar. Email is critical. Privacy is critical. Their use of technology is way more critical. Something is going around right now called stalkerware. It's a big thing. These are apps that you get from the App Store, Google Play, but they allow you to be monitored. It helps them in terms of tracking where executives or CEOs are going. The other thing I'm seeing is cyber criminals are less quantity, and they're looking for more quality in terms of fraud opportunities. And that's the case, especially for senior executives. They're be being more strategic, they're being more patient. They're waiting for just that right time to inject themselves into a middle of a transaction. That could be a fraudulent wire transfer in the mortgage industry or the realtor industry that could be a large transfer of money on a real estate transaction, such as a down payment. I'm going to go into-- I think we have a poll coming up. There you go.
Lexi D'Esposito:Poll #3
Rahul Mahna:All right. Fantastic. And I think this is a great liaison, Vikas. I know we have about 20 minutes left. I want to make sure we leave all of our attendees with some good examples of what's going on out there.
Rahul Mahna:I know you wanted to share a case study if you may, of someone that you know, again, we have to be careful and sensitive to make sure we don't reveal anything, but I'd love to get your perspective of an actual case study that you could share with folks.
Vikas Bangia:Yeah. I'm going to give you a couple examples here. Here is an example of a very patient attacker. At the top, we have a retired CEO and an investor. He's interested in investing in a medical device startup company, and over the course of months, he had multiple meetings and a conversation with the founder. And after some final cajoling on a phone call, they agreed the CEO would invest $125,000 in the startup. The founder send the CEO an email with wire instructions. The CEO calls his team and confirms the wire transfer and says, "Hey, look, I just spoke to the founder, we're good to go, send over the money."
Fast forward a week, and the calls the CEO and said, "Hey, look, how long before we can expect the investment?" And so the CEO is a little confused because he had seen the money go out and as folks did some investigation, what they found was that attackers had been in the medical device founder email for months. And they were waiting for just the right time to interject themselves. They were the ones who sent the wire instructions to the CEO, not the founder. The money was lost and it was never recovered. We see it, we see it all the time. Email is critical. If you can protect your email, you're going to be better off than most.
Here's another example. And this one uses a little bit of technology, so to say. What happened here was you have a division CFO of a very large global company and she receives a call from the CEO of the conglomerate. And he said, talking to her, look, he just heard from one of his key suppliers that they are very late on a payment. He asked the CFO to send the payment immediately and for the full amount. Obviously, the CFO makes things happen. And within an hour, that payment is sent. A few weeks later, what they realize is that the CEO actually didn't call. It was a fraudster, a criminal group that was using AI and very new technology to sound like the CEO who had a very distinct voice, they called the CFO and made this happen. And again, the money was never recovered, so to say. And everyone may be thinking the chances that this happens to them are slim.
What I would tell you is these types of frauds are continuing to occur every day. With social media, it's become very easy to profile and target someone. Let me demonstrate how easy this is. And I did this, this past Sunday, and it took me about 15 minutes. Using Facebook, LinkedIn, and Twitter, I found a realtor in Morristown, New Jersey, and within 10 or 12 minutes, I knew a lot about her. I knew she went to Rider University. I know she was a realtor at Morristown. I know her husband's name is Chris. I have her email. I have her cell phone. I even know she specializes in relocations. What I did was, I sent her an email on Sunday and I pretty much told her, hey, my family and I are looking to move to the area. We're looking for a realtor and it seems like she knows the area well.
And I asked if she's taking on new clients. She got back to me early the next day on Monday. And said, "Yeah. Great. I am taking clients, can you tell me what you're looking for and more importantly, what your budget number is?" I got back to her a few hours later and I gave her a description of what we want, and I even gave her a link to Realtor.com. This way, several of the saved homes that I have she could view. And I wanted her to tell me what are the areas like in these homes and to get her an example of what we like as a family. And when she clicks on the link, it's going to take her to the Realtor.com Twitter page so she can see my listings, or is it? In actuality, when I created this link, I actually just copied the Realtor.com Twitter page and used the fake domain. This as you can see is Twitter with three Ts and not two. This way, when she logs in, it's going to look and act and feel like a normal webpage, but when she puts her username and password in, I'm going to have it. Again, I didn't do anything with it. But it's just to demonstrate how easy it is to target someone. This is going on, on a daily basis. It's going on daily.
Rahul Mahna:Great example. So easy, because look at that, I mean, it's just a great example of how easy this is.
Rahul Mahna:How about some tips? We got a lot of questions coming in, so I want to make sure we get to them.
Rahul Mahna:Give us some ideas.
Vikas Bangia:Yeah. What I would say is we've, obviously, discussed a lot of scary and maybe even disturbing things. As an individual, as an executive, what are three things you can do immediately to protect yourselves? And to me, that always starts with password management. I can't stress enough how important it is. And the key here is to have longer passwords, and more importantly, have different passwords for all your websites and all your apps. In the example that I just showed you, if I have that one password, and that realtor uses that same password everywhere, I have access to everything. That's why it's so important to have very different passwords for everything. The next thing I would say is to update your devices. And what I really mean here is make sure that on your computer, your Mac, your mobile phone, it's always up to date with the latest versioning.
And the reason is that hackers go after weaknesses in these devices. When updates are put in, it's actually to close all of these weakness or vulnerability. By keeping your system up to date, it makes the hackers work a lot more difficult. And the last thing is multifactor authentication. I know some people probably use it. I think some of us are scared of it, because it sounds scary. But don't be scared about it. All of us have been doing this for years. For example, when you go to the ATM machine, not only do you have to put in your card, but you have to put in your pin. Sometimes when I go fill up my gas tank, I have to put in my credit card, but they also ask me for my zip code. Both of these are examples of multifactor authentication. Just about every app, every website, all financial sites, now offer multifactor. All you need to do is enable it. I think the recent study I read from Google shows that it's 90% safer when you use multifactor. My feeling is, if you can do these three things, you're going to be better off than most. All right.
Lexi D'Esposito:Poll #4
Rahul Mahna:Fantastic people are learning from us, Vikas, a little bit, hopefully.
Vikas Bangia:Yeah. Good, I like it.
Rahul Mahna:We have about 10 minutes. We have a ton of questions. If anybody wants to post more questions, please do. If we don't get to them, we'll have someone on our team reach out to you with answers, for sure. Vikas, maybe you can take a couple minutes and just summarize a little bit, and then we can start our questions after that.
Vikas Bangia:Yeah, sure. What I would say is if you are an executive, if you run a company, or if you are an individual, you have to ask your folks, what are we doing from a ransomware perspective? What are things we can do to make sure that we are prepared prior to an incident? And the recommendation I would give and the first thing, and probably the most critical thing is to do an assessment, do a gap analysis, figure out what your strategy is going to be going forward. And it's not just for you. It's also for critical vendors as well. There's been numerous occasions where an organization has been infected due to a third party outbreak. And talk to your senior IT folks, talk to your security folks. Are you sure the backup systems can restore data? Do you have a mechanism in place to test or restore at least every quarter, if not monthly? I would also ask how long do you think it's going to take to do a full restore of all systems? That timeframe will be key when you're in a room deciding to pay or not pay a ransom.
Do you have a formal security awareness program for employees and consultants? Do you phish them? Do you educate them on what's going on in your specific industry? Does your incident response team or crisis management team have a plan specific for ransomware? If your senior executive team can't communicate, they have no email, their phones are bricked. How are they going to talk? Have you established out a band encrypted channels for them to talk? Have you discussed cyber insurance? Do you have cyber insurance? If so, what does it cover? And lastly, what I would say is, have you conducted a tabletop exercise of ransomware with your executives? This is critically important to put folks in a room and have them engage in these types of conversations. You do not want to be having this conversation under the gun, so to say. I think I'll leave it at that, Rahul.
Rahul Mahna:I think that's really smart. And to summarize, Vikas, and I have known each other for a long time. A little bit of a shameless plug is, we were building our practice over the last five years or so. We realized we have to have a lot of these controls in place, and we ended up building our own proprietary tool called FiR$T Look that does an initial risk assessment. We bounced a lot of the ideas off with, Vikas, when we developed it as is my team. And as a follow up folks, there'll be people that'll give you a free FiR$T Look assessment if you follow up after this. And we're happy to help folks, give you perspective in a roadmap, what are the controls that our team sees and we react to every day and a lot of the ideas, Vikas, talked about here. One other thing to bring in is the multifactor as well as the Password Manager. I want to drive, there's a lot of conversation around Password Manager in our QA.
Rahul Mahna: Again, Vikas, and I know each other for a long time, but it was one of his tips to me, many, many years ago. I never thought I needed it. I would say that a Password Manager is singly the best software tool that I use today as a cybersecurity professional. Thanks to you, Vikas, for dropping that in my ear. And just to give you folks on perspective, when you look at a password manager, it stores every username and password for every site, as Vikas said. And now, just think in your mind, how many websites you think you know, or you think you have usernames and passwords to. And if you just take that number in your head and think about it, I never realized, I'm now approaching 400 websites in my password manager, and almost every one of them are individual.
And it gives me a lot of comfort on the Vikas example there, the realtor, because if I had one of those websites and they get breached, my 390 sites are all secure. If I lose that one site, I did a mistake, but all my 399 are secure, versus me using the same three passwords for all 400 sites. I've got a big problem. With that, Vikas, we've got a lot of questions around password manager. Do you have any thoughts around, like Google offers a password manager, are your Mac, Safari, iPhone offers a password manager? There's last pass and so forth. Do you have any thoughts on any of these? Are they different or what's your perspective?
Vikas Bangia:Yeah. What I would say is it's definitely worthwhile to use a password manager. I don't know how you can possibly manage having long and strong and different passwords for all your websites and apps and what have you, without one. What I would say though is my preference would be a LastPass type thing, KeePass, LastPass. There's five or six of them that are dedicated to just passwords. Obviously, you can store them in Google. You can store them in Chrome, you can store them in IE. What I would hesitate to do that though, is hackers know that too. And if they know exactly where in the file system, those passwords are kept. There's malware, where if I send you an email, if you click on the wrong thing, what that macro, instead of doing ransomware, what it'll do is it'll just go directly to that location. It'll grab everything and just email it to me. I like having that dedicated application where that's all they're focused on. But I would recommend everyone use a password manager.
Rahul Mahna:One question I often get with this is, okay, we centralize in LastPass or Dashlane, can they get hacked? And what if Dashlane gets hacked? Now all my 400 are exposed. How do you prevent that?
Vikas Bangia:The way most of these password managers work is that the software company doesn't have any of your passwords. They're encrypted. Your password, your master password is the actual key. They don't have that. I've run into many people where I've recommended, hey, you should use Dashlane. You should use LastPass. And after a month of trying to get things in there, they lose their master password. They come to me and say, hey, how can I recover it? And I tell them you can't because the company itself doesn't know your master password. They have to start over. The other thing I would say, and this is where things get very strong is if you use a password manager, back that up with two-factor. That's what I use. I have a password manager. Every time I go in there, I get a little prompt on my phone that says, hey, are you really trying to log in the LastPass? If I click? Yes, I'm entered in. When you combine a lot of these methods, that's when you really start getting really secure.
Rahul Mahna:That's fantastic. And I know we only got two minutes, but one quick last question to you is all the ransomware talk we did, what happens if you pay the ransomware, do the bad guys go away in your opinion? Do they come back? What do you think?
Vikas Bangia:Yeah. Paying the ransomware, I don't think there's no right or wrong answer. At the end of the day, it's a business decision. And it's based on your risk register. It's based on, hey, look I'm not going to be able to get my environment up and running. I'm going to be out of business in 30 days, you take the chance and you pay. For the most part what I've seen doing research and whatnot, when you pay the ransomware operators, they'll give you the key, however, that still means there's a lot of work to be done. Sometimes it's slow. Sometimes it doesn't work as well.
The other thing to keep in mind, this is the key point. Once you pay, you're a target now, because they're going to get money, they're going to pass it off and sell your name to some other ransomware operator and say, hey, look, they just paid us, go attack them. We talked about the various costs. What are you going to do now to prevent them from getting in again, a week later, a day later? You have to figure out how they got in and close that hole. It's not always so easy as, hey, I'll just pay and be fine and go on with my life. You have to really stop, assess and make changes. Otherwise, a week later, two weeks later, you're going to be in the same situation.
Rahul Mahna: It's fantastic, Vikas. Thanks for the time. I mean, it always goes fast. Thank you all for attending. I hope we were entertaining a little bit. We didn't convert you to become a hacker, but hopefully, gave you some tips and tricks to help prevent yourself from being hacked.