0:10
Good morning and good afternoon, everyone.
0:12
Thanks so much for joining our Cybersecurity webcast.
0:16
My name is David Fabian, and I lead EY Private Client Services for Canada.
0:25
Today I'm joined by Tony Ritlop and Akhil Garg. I will be moderating the session, and Tony and Akhil will be providing their insights on the topics at hand.
0:42
A little bit about our panelists.
0:44
Tony Ritlop has more than 30 years of technology risk management, cybersecurity and information technology advisory experience.
0:54
Tony specializes in developing strategies that enhance client value from IT investments, while also managing high-risk technologies and projects.
1:04
Welcome, Tony.
1:06
Akhil Garg is our National Cybersecurity Assurance lead as well as our markets and growth leader for technology risk.
1:15
He also specializes in cybersecurity, IT governance, risks and controls.
1:21
Thank you so much, Akhil, for joining us today.
1:26
Today, we will be covering a variety of topics, including the impact of cyber incidents, the type of cyber threats that may affect private and publicly traded companies, and strategies to deal with vulnerabilities.
1:43
You'll note at the bottom of your screen there is a Q&A button or tab.
1:51
We encourage you to post questions throughout the session, and both Tony and Akhil will do their best to respond to them on a timely basis.
2:01
So no need to wait until the end of the session to ask questions.
2:07
And one other administrative note, we are recording the session and we'll be circulating the recording along with the deck shortly after today's session.
2:20
So let's jump right in.
2:22
And Akhil and Tony, nice of you to join us.
2:28
Thank you.
2:30
Maybe we can start off by getting your insights on the current trends in the cybersecurity landscape.
2:38
Sure thing, Akhil.
2:41
I can lead off on this one, to David's point.
2:44
Good afternoon.
2:45
Good morning, everyone.
2:46
It's a pleasure being here.
2:47
David, good seeing you.
2:49
I think this is a good starting point.
2:50
A lot of data.
2:51
As David said, you're all going to receive the content, so you can kind of go through it at your own leisure.
2:57
But there are a couple of stats here I do want to emphasize, and there are three in particular.
3:02
And the first one is at the upper left hand, the 42%: 42% of organizations experienced a successful social engineering attack in the past year.
3:13
And a couple of things I want to unpack on that one.
3:16
All of these statistics are based primarily on what people report.
3:21
So clearly we at EY have infused our own knowledge into this entire narrative, like we'll kind of, without naming names of course, tell you what we're seeing with our clients in the marketplace and so on and so forth.
3:34
But we're obviously influenced by various externally available statistics.
3:38
This one is from the Global World Economic Forum from January of this past year.
3:43
And again, these are the numbers that people reported, which means the reality is probably it's a little bit higher.
3:49
So that's just something I need you all to kind of reflect on.
3:53
So the 42% social engineering, hold that thought because when we get to protecting your assets, a lot of it is just people's awareness, knowing what to do, what not to do.
4:05
Because for those of you who don't know what social engineering is, it's when someone's pretending to be someone else, and they click on something or they think they're getting a call or something from someone who is not in reality that person.
4:19
So it's still on the rise and something to be aware of.
4:24
The other metric is the 72% right beside it: 72% of respondents say cyber risks have risen in the past year.
4:33
All we're trying to emphasize on that one is this is not coming from organizations that are in the business of doing research.
4:41
So our clients don't actively look to see whether trends are going up or down, like some of them do with very complex or sophisticated cyber intelligence functions.
4:52
But for most of them, this is because they're seeing it, which is why they responded at a 72% rate that they either saw more phishing attempts, or they saw more attacks on their perimeter.
5:05
So that's a technical kind of observation.
5:09
Unfortunately, the dreaded ransomware, which doesn't really kind of, you know, reveal itself in these stats, but we can tell you with certainty, ransomware in various forms continues to be very, very prevalent.
5:26
So that one's on the increase, but you could see almost 3/4 of respondents have said the world is getting a little more dangerous.
5:35
OK.
5:36
The last statistic is the one on the bottom right at 66%.
5:42
More specifically, 66%, or two thirds, of respondents felt AI will affect cyber in the next 12 months.
5:49
So a couple of things on that.
5:51
Number one, that's probably understated twofold, because it's probably higher than 66%, and 12 months is probably too far out because it's happening sooner than that.
6:01
And then the other metric to consider is that 37% have something in place to address those new emerging risks.
6:09
So you can see, kind of bundling things together, it's becoming a little more at risk.
6:18
The ecosystem, the environment is a little more risky.
6:22
The complexity or sophistication of techniques is increasing and the preparedness or the readiness or the posture and those are words we're going to use going forward.
6:32
Now some of those don't meet up to those standards.
6:36
So it's kind of becoming a balancing act, folks.
6:38
So it's something for you all to consider.
6:42
So some high-level macro stats, David. Actually, I think we have...
6:50
We did have one more slide, Akhil, if you could go forward.
6:53
I thought there was one more. This one.
6:55
That's right.
6:56
I wanted to emphasize this one for a couple of reasons.
6:58
I don't want to over-rotate on the timing or the amounts even, but you can look at all these things at your leisure, of course.
7:06
But the punch line on this one folks is pretty simple.
7:09
Some of these organizations are name brands, they're large organizations, OK?
7:15
And the point of showing this to you is that not only are significant events occurring as a result of all of the information I just shared at a macro level; these folks all have big budgets.
7:29
They have very, very dedicated security functions.
7:33
They partner with all the large service providers, right?
7:36
Some of them are big service providers.
7:40
But this was just demonstrative of the fact that even when you try really hard, things can still happen.
7:46
So this is an ongoing discussion, an ongoing situation, as it were.
7:56
You can't take your eye off the ball.
7:58
We're going to talk to you about what to look at and how to juggle those balls, of course.
8:02
But this is just to show you even some of the most protected can be compromised.
8:10
So that was a little bit of the punch line on this one, David.
8:13
Yeah.
8:13
And you know, it's interesting you mention that even the large multinationals can be compromised, because I think that kind of gets me right away to the first question that came in from our audience.
8:30
And it asks about the fight against cyber threats from Russia.
8:38
And, you know, notwithstanding that the US, or the new administration, seems to be backing away from that fight with Russia, I expect that those threats will be real.
8:56
And in fact, we may even be more vulnerable if the administration truly is focusing its efforts elsewhere.
9:05
So, you know, what are your thoughts generally on what we're seeing geopolitically, vis-a-vis, you know, what's going on in Europe and elsewhere?
9:14
Yeah, no, unfortunately, I wish we could say the world is flat and it's a level playing field.
9:20
It's not.
9:20
OK.
9:21
So a couple of things, if I could unpack this very briefly.
9:24
The hacker kid in the basement doing bad things, that doesn't happen much anymore.
9:31
And when it does, it's of a minor scale and it's very, very, very pinpointed.
9:35
You or your organization did something bad to get targeted, right.
9:39
It's that kind of narrative. The bigger one is the nation-state or nation-sponsored type of attacks, especially when the big boys get hit.
9:49
Or, to bring it to a smaller scale, you have something other people would want, private or public, be it customer lists, IP, you know, a recipe for a technology, for example, a design for a very, very specific widget that goes into an aircraft.
10:11
I can think of a bunch of different things, oil and gas kind of IP that you can process faster than someone else.
10:20
Well, someone else may want that.
10:22
The big four, as we unfortunately refer to them, are China, Russia, Iran and North Korea.
10:29
Dave, to your point about the Russia thing, and I believe I heard, and obviously take it with a grain of salt, the latest US administration said Russia's no longer a threat.
10:40
I can tell you with absolute certainty that is a false statement.
10:45
It is absolutely 100% false.
10:48
And by the way, for those of you curious, how do we know this?
10:52
Lots of times these organizations take credit for their offensive maneuvers when they do bad things, especially when it comes to things like ransomware.
10:59
They say who they are, so to speak.
11:02
But on a counterintelligence side of the house, we know what they look like.
11:07
They all have various tactics.
11:10
They leave certain level of footprints in the sand.
11:13
And I mean, I dealt with a client last summer and we knew it was from Russia because we knew the footprints that that hacker group uses, right.
11:22
So what may happen, and I'll close out on that because that's a whole different conversation of geopolitics.
11:29
There may be less numbers of challenges coming from these organizations or these nation states, but I'm absolutely convinced that if they still want something, they're going to plan an attack to do it right.
11:42
So look at your crown jewels.
11:45
This is, you know, a word of advice to all our all our attendees.
11:49
If you have something that you think a competitor, or a government if you're in the public sector space, or something in your ecosystem may want...
12:01
Well, this is a pretty, quote unquote, easy way to kind of try to get it, because, and I'm not even going to get into it.
12:07
But there's, you know, on the dark web you can do hacking as a service.
12:11
You can buy hacking as a service.
12:14
So be aware and speak to the experts if you suspect something.
12:21
But yeah, the Geo thing is real.
12:23
The Geo thing is real.
12:24
Yeah, no, it's upsetting and, you know, unfortunately that's the world we're living in right now.
12:30
Let's shift gears a little bit and maybe, Akhil, you can shed some light on sort of the question we always hear, which is, you know, so what does this cost the business, right?
12:43
And it's not just dollars, it's opportunity cost.
12:48
It's resource time, it's chaos.
12:51
It's, you know, emotional stress.
12:55
Maybe talk a little bit about that, Akhil.
12:58
Yeah, Thanks, David.
12:59
Good morning, Good afternoon, everybody.
13:00
Very happy to be here with you today.
13:04
Lots of context is required when it comes to data, because it's extremely important to also consume this data point with where this is coming from and what it relates to.
13:17
And what I mean by that is you can see on the left-hand side the number of breaches has increased drastically over the period of time.
13:24
And hopefully that doesn't come as a surprise to anybody.
13:28
On the right-hand side, you will see that those are posted numbers.
13:30
And as Tony briefly mentioned previously, those are usually understated, because many a time breaches are not even reported.
13:41
So it's very hard to say how much money or resources would have been lost in that process.
13:51
To answer your question, David, you know, this hopefully gives some importance to cyber incidents and why they are important.
14:02
$5.56 million per incident.
14:05
That was a small breach; that was the number that was posted. And for a large, quote unquote, significant one, and again, that definition might change as well.
14:16
But for a large breach, which is defined here as 50 million to 60 million records that were breached, it would have cost $375 million to a company for each breach.
14:27
So you can see immediately, despite having some of the, you know, most sophisticated operations, security technologies, governance frameworks in place, organizations are still quite vulnerable to the incidents.
14:44
And that is very normal to experience for many organizations.
14:48
The terminology we use, it is not a matter of if, it's a matter of when.
14:53
Unfortunately, these are the numbers, and they're pretty scary numbers. When it comes to smaller organizations, it may not be the same size and scale, but even for one incident, it may have a very, very drastic impact given just the lower magnitude of the organization.
15:13
So I would say this is extremely important to consider with the right context.
15:20
Just briefly, and I want to just highlight that, David, you know, some of what Tony also covered in his talk track: ransomware and extortion threats continue to evolve.
15:31
They are the topmost of everything, broadly speaking.
15:35
Hopefully we all can agree to that.
15:38
When it comes to the risks that are relevant: your financial loss, I think that is pretty straightforward and needs no explanation; reputational damage; legal implications; but just generally the survival of the organization. Especially for smaller private organizations, survival of the organization sometimes depends on that.
15:59
So it's extremely important to consider all those relevant points.
16:03
David, it's quite important to consider these numbers, but in the right context.
16:09
Gotcha.
16:09
And just on that point, vis-a-vis cost, you know, we just got a question in from our audience asking about how much cyber insurance a company should be getting.
16:23
And, hey, the side comment that this person made is: besides as much as you can get.
16:28
So are there, you know, thresholds, benchmarks, if you will, that help businesses determine, if they can get insurance, how much to get?
16:42
So I can touch that one really, really quickly.
16:46
Yeah.
16:46
Thanks Tony.
16:47
Yeah, that one.
16:49
And again, not to evade the question, but to take it a step back: cyber needs to be considered like the rest of your risk profiling, right?
17:00
You know, how much insurance did you get on your warehouse?
17:03
How much did you get on your vehicle fleet?
17:06
How much did you get on this, that and the other thing, right?
17:09
You looked at it upside down, inside out, thought about the controls and the mechanisms you have in place.
17:17
You came up with a level of exposure and said, well, I got to cover that exposure because it's important, right?
17:23
It's a risk analysis.
17:25
You got to kind of think about cyber the same way.
17:28
And we're going to walk through that in terms of assessing and then protecting, and the simplest model is as follows.
17:35
David, if you don't know, go for more, right?
17:39
Sounds silly, but that's about it.
17:42
But you should probably know a little bit, know where your posture's at, try to protect, see what it costs to protect.
17:50
And then sometimes, right, like any other insurable risk, you either buy the insurance or you take on the cost of self-insuring, right?
17:58
So do a little math to determine how at risk you are, what is at risk, and go back to that crown jewel narrative, right?
18:07
Or that whole idea of how you got a bunch of stuff that someone would want access to, right?
18:12
If the answer is yes and your posture is poor, try to get a lot of insurance.
18:18
OK, what's a lot of insurance?
18:20
Again, back to Akhil's quantitative narrative.
18:23
I mean, honestly, I've seen in the realm of five to ten million; a lot of these things are driven by the insurers.
18:31
So they say we offer plans A, B and C, kind of thing.
18:34
So this is a look-in-the-mirror kind of conversation, a speak-to-your-insurer conversation, because we've been seeing a lot of fluctuation on the insurer side of things as well.
18:48
Ten years ago, fifteen years ago, not a lot of insurance companies did it.
18:53
Then seven years ago a lot of them did it.
18:56
And now recently, because there's more activity, they don't do it anymore.
19:00
Kind of like getting flood insurance in Florida, right?
19:02
So it's kind of a wavy kind of thing.
19:06
The last statement I would make with regard to insurance, and it's a sidebar statement, folks, to consider, is that we're seeing more and more of the insurers...
19:13
So ask them the question.
19:15
They have a basic baseline expectation of posture.
19:19
And what I mean by that is they say, David, I'll insure you for X amount of money because you're probably a two on ten in terms of maturity.
19:27
I'm making up a number, two on five.
19:29
And then what unfortunately happened is something bad happened.
19:32
You made a claim, the insurer came in and said, OK, what happened?
19:35
Let's do a postmortem: where were they?
19:38
Where were they?
19:39
What were you protecting from?
19:42
And you demonstrate you really didn't have a lot of controls in place.
19:45
And they go, you know what, null and void, I'm not paying out your policy because you were really ill prepared and we told you in the fine print that you had to be of a certain level.
19:59
So, Tony, just to that point, I'm going to ask you one of my questions and also one that just came in from our audience.
20:08
Is this something, when we contemplate the quantum of insurance or the type of insurance or the preparedness vis-a-vis, you know, putting it in place, is that something your team can support clients with in terms of providing that type of counsel?
20:25
We have folks who do that in conjunction with our forensics and investigation services, folks who actually learned a lot about that being on the other side, right?
20:37
Bad stuff happened, they came in and then they kind of back engineer.
20:41
They learn from what they saw, and now they're actually pretty good at helping companies assess how much to ask for and how to be prepared so that you get it.
20:54
So that, I think, is the key.
20:57
And then, not similarly, but just in the whole spirit of paying out, you know, we all hear the stories, at least, you know, I do through my clients, of them being attacked.
21:11
And then there's the ransomware requests.
21:15
One of the questions was, how often do companies actually pay out on these ransom requests?
21:23
And, you know, is there a rule that we should follow, i.e. never pay it out, always pay it out?
21:30
Like what?
21:31
What do you see?
21:33
Oh, look, that one's a tough one.
21:35
I'll be honest.
21:36
I've seen payouts.
21:37
I've seen.
21:37
Oh, yeah, I'll give you some tough ones.
21:39
Yeah.
21:39
No, look, long story short, again, not to avoid the question, it depends what they got, right, and how bad you need it.
21:48
No, that's a good.
21:49
That's a good start.
21:51
Yeah.
21:51
And if you don't have a continuity plan to be able to, you know, get back on track, right?
21:59
Because it depends what they're holding for ransom, right?
22:02
If you don't have a Plan B and plan A is all you got and it's worth a lot, then I unfortunately would say you need to consider some level of payout.
22:12
That's what I've seen organizations do.
22:15
Rule of thumb, though, our personal preference is that you do not, because it also depends on who's asking, because again, I hate to say it, we kind of know the tactics.
22:25
There are certain organizations that are more threatening than they are action oriented.
22:31
So that's when you need to consult with legal advisors and other advisors in your ecosystem, because it really is situation specific.
22:40
David, the other one, though, that I kind of leave the audience to think about, though.
22:47
And it's a terrible expression, but I'll use it anyways.
22:49
But whenever you pay, you're feeding the beast.
22:53
Hackers rarely drive around in Ferraris wearing Rolex watches.
22:57
They take the ransomware and they put it back into the tech, and they build AI-inspired or AI-fuelled, you know, zero-day exploit type activities and tools and all this kind of stuff.
23:10
Every time someone pays, it just goes back into the bank.
23:14
So some of our clients have said there's no way I'm actually paying because I know it's going to bad people to do more bad things.
23:21
So I don't want to be the one in my industry who does it, because then people may know, and this and that.
23:28
So there are some values and philosophical and ethical sort of big-picture questions to answer before you decide to go or no, but do not decide on your own.
23:39
That is my biggest piece of advice.
23:41
Phone a friend, your lawyers, your advisors, your accountants, your third party service providers, the breach companies that specialize in this stuff, right?
23:50
We're agnostic.
23:51
So I'll name names.
23:52
Mandiant is one of those guys.
23:53
You call, right?
23:56
You know, call the experts.
24:01
Hey, I'm going to let you.
24:02
I'm going to push forward.
24:03
Yeah, just one more perspective to add to that quickly.
24:08
And I promise it won't be more than a minute.
24:14
The last two or three questions, if I have to summarize it, what Tony was trying to say, to kind of bring everything together:
24:20
You have to go through a process to really understand what your crown jewels are.
24:25
And that's the level of formality every organization should get on to at some point, because without knowing what the most important assets are that you want to protect, that sets a very bad example, in that you don't know what you have and you don't know how much to protect.
24:42
So that's the number one, that prioritization and risk assessment is an extremely critical step.
24:48
There were questions around insurance and the ransomware, how much to pay.
24:54
That ultimately comes back to the risk mitigation strategy.
24:58
Once you know what to protect, how much to protect in the context of your business, in the context of an industry, in the context of your geography, in the context of your regulatory risk landscape, you consider all those factors to bring that knowledge to say how much, what should be a risk mitigation strategy.
25:17
Sometimes risk avoidance is OK.
25:19
Sometimes risk acceptance is OK.
25:22
Insurance is part of that determination: how much insurance you would need, and what is the risk and reward. If you need $10 million of insurance but that is not worth taking depending on what you're protecting, clearly the answer is no, right?
25:37
So I would probably say fundamental risk assessment and risk mitigation principles should be applied to determine all of that.
25:45
That goes back to the second question that you asked around the ransomware payments. Although it's hard to get benchmarks as to what percentage, you know, pay versus not,
25:56
I would say it also comes back to what they have, exactly what Tony said: what do they have, how valuable is it to the organization, what is the criticality to the business and operations. That should determine or drive the decision-making process whether to pay or not.
26:15
Yeah.
26:15
And I think you're heading right into the next question that came through, which is what steps should a company take to mitigate the risk?
26:31
Right.
26:32
And you started getting at it, Akhil, I think, when you commented first we have to figure out what we have, and used the term crown jewels.
26:43
And I suppose that will then lead you into your strategy around, you know, assessing vulnerability and then ultimately building out strategy.
26:53
But I think you're going to address that.
26:55
So I'll let you get to it.
26:58
Sure.
26:58
I'm happy to take a first crack at it.
27:00
And Tony, as always, feel free to jump in.
27:04
Your first step in the process, for any organization, irrespective of what current security measures you may have in place: it's always good to look on a continuous basis at
27:15
what your current landscape, your threat landscape, looks like. And that doesn't mean you need to do it on a monthly basis, but an annual check to see what has evolved, etcetera, keeping an eye on the market as to what is happening that may have a direct impact on our business, our ability to operate, you know, increased risk because of geopolitical aspects.
27:36
I think all those relevant considerations are quite important. On the slide,
27:43
what you all are able to see is various types of threats that are out there, that will naturally change depending on the business, geography, risk, etcetera.
27:53
But some of the internal elements are the number one priority.
27:58
You have to understand what you have, you know: the data theft, your misuse of credentials, your people aspects that are in there, disgruntled employees. All those are relevant internal threats that should be considered.
28:14
You complement that with external threats.
28:16
OK, what is happening in the environment: geopolitical threats, geography, your industry. If you are in a regulated business, what is happening on the regulatory side, right?
28:27
For example, privacy continues to be one of the biggest when it comes to the financial services and healthcare sectors, right?
28:35
So how is privacy evolving?
28:38
Are there new risks to be considered?
28:40
And the last layer is emerging technology.
28:43
Tony touched in his talk track briefly about AI.
28:47
How do you consider some of those emerging threats that no one has either experienced yet or that are just evolving at the moment?
28:55
How does that impact our business?
28:58
So that, I would say, is the number one step.
29:00
Then you consider all of that and look at the value chain.
29:04
This slide summarizes how a typical attack would occur.
29:07
As you know, from bottom to top, you have your technology, you have your relationships with your third parties, you have your supply chain, meaning, you know, that you're jumping through the hoops of various organizations to operate the business.
29:23
And then you have your in person which is your people element.
29:27
Then you go upwards.
29:28
What are the channels that could be used?
29:31
You have your online presence in terms of web.
29:34
You have more sophisticated attacks now through chats as well as voice.
29:40
Then, what is the actual channel?
29:43
What could go wrong?
29:45
You have your email, which is a very traditional way of having a phishing attack or identity theft.
29:51
Those are the channels that are typically used.
29:54
I know it is a very, very over-simplification of this, but those are the various channels through which an attack typically would occur.
30:04
OK.
30:05
Now, once you understand that, David, I'll probably just close it off here, because this slide is quite critical, and I want to kind of quickly touch on how to identify your, quote unquote, crown jewels and go through the process to understand your current posture.
30:24
Extremely important to note the importance of this step in the process, because it allows organizations to have a very holistic understanding of what they have, what they need to protect, and what their threat landscape looks like.
30:40
It's typically a four-step process.
30:42
I know it's very simplified.
30:44
More steps may be required as the organizations start to execute on this.
30:49
You start with your threat and risk profiling; you understand what business you are in.
30:54
You know, what you operate in.
30:56
Again, I may be repeating a little bit, but it's very important to understand your geography, your regulatory risk landscape, your geopolitical risk that are relevant.
31:05
OK.
31:06
Then you perform your current state assessment depending on the framework that you want to choose.
31:10
And there are many globally recognized frameworks, for example, NIST, ISO and others.
31:15
You pick one that is most common and easier to digest for the organization, because you want to make sure that the framework being used is OK for internal employees and contractors to understand and follow along with what is happening.
31:34
OK, then you look at the benchmarking.
31:37
I think that's quite important in the context of where do you want to be.
31:41
To use an example.
31:43
You may have two out of five maturity rating for example, but do you really need to get to 5?
31:49
Because that will require a lot of resources and time and investment too, right.
31:53
Maybe it's OK to get to three.
31:55
And if that's the industry benchmark, that's the value of the benchmarking information, as appropriate, to determine what your target state should look like.
32:05
OK.
32:07
In terms of the value that it brings, you know, enhanced safeguarding, we talked about that briefly: what you have, what you need to protect.
32:15
I think you get a very holistic understanding of that. Strategic alignment:
32:19
what is important for the business, what is absolutely critical to operate in this business; the current state assessment allows you to identify that.
32:29
Then your vision: this data, this information that you're going to get from this assessment, sets you up pretty nicely for what your future vision should look like.
32:38
Once you understand your benchmarking against industry peers as well as the threat landscape, it allows you to start forming a future vision for cybersecurity for your organization.
32:54
So you know what, Akhil, if you can flip to the next slide, I want to kind of bring it to life for our participants: the current state assessment.
33:01
There's a lot going on here, folks, but the punch line is as follows.
33:06
These are the elements of the majority of commercially adopted or accepted methodologies, to Akhil's point, right?
33:17
There's a lot of ways to do this, but they all kind of sound like the same song.
33:23
These are the domains that you really should consider from an assessment perspective.
33:31
I will not go through all of that, but you can see there are things like data protection and privacy, as my friend Akhil said, right?
33:38
There are things at the bottom like security operations, like how you actually keep an eye out for threats, right?
33:45
There are things like security architecture and engineering.
33:48
Yes, this is a technical thing.
33:50
This is definitely a technical narrative in many shapes and forms, right?
33:54
But what we want you to kind of take away from this is that these are the things that you really need to be considering in your assessment, for a couple of reasons: a holistic point of view, because you really want a complete assessment, but you will not likely be able to do everything.
34:13
You will likely be at different levels for different things.
34:18
OK, I've got clients who from a personal information perspective, they lock down all the personal information they handle from their customers.
34:26
So that privacy box in the upper right hand side, they're in good shape.
34:30
They're in good shape, but maybe their security architecture isn't so good, right?
34:36
So this will kind of help you ask all the relevant questions, from which you can then decide: where do I go?
34:45
Do I want to be a two out of five or a three out of five?
34:48
OK. And I just want to talk about that benchmark thing for a second.
34:51
This is, again, another not-great statement to make.
34:54
But you know, when you're being chased by a bear, you just want to be faster than the other guy you're with, right?
35:00
So hackers are relatively lazy and they will take, you know, the path of least resistance.
35:06
So if your maturity is a little higher than all of your industry peers, they may be subjected to a compromise sooner than you.
35:14
But back to this.
35:15
These are the things, the topics you need to consider to evaluate yourself on.
35:21
Then you make the business decision.
35:22
Again, that's strategic alignment.
35:24
Because if you have no personal information, then don't waste any time on privacy.
35:28
Folks.
35:29
Protect your employee data.
35:31
But that's about it, right?
35:32
You don't have customer data, so don't go crazy on privacy and move on.
35:36
But here's the punch line.
35:38
So you look at all of them.
35:40
So you give yourself a rating, or do it with the assistance of a service provider.
35:45
So you look at how much money you have in the bank.
35:48
And then you prioritize, because I've done this countless times and there's never been a single entity that said, let's do all of them now, OK?
35:58
You cannot consume that kind of change.
36:01
You cannot.
36:02
There's just too much to chew on at that point.
36:06
So that road map narrative or reference that Akhil made: a road map is by definition do this, this, this, then that, as opposed to do it all.
36:15
That's not a road map, right?
36:19
Doing this with this level of framework will help you say, OK, David, we're going to do IAM first, then we're going to do product security, then we're going to do monitoring, then we're going to finish with compliance, or whatever the sequence is, right?
36:34
And by the way, there is some method to the madness that you should do A before B.
36:40
Some things can be done in parallel, but sometimes it's linear.
36:44
Speak to your advisor to help you assess, then road map it and infuse a little bit of linear thinking where necessary, and then consider budget, because some of these things cost, and when to phone a friend.
36:59
Most clients will say, I've got to call a guy for this.
37:03
The other element, and I apologize for not bringing it up sooner, and then I'll pause.
37:07
This has got a feel to it of an enterprise network kind of narrative: your e-mail, your Windows, you know, your ERP, the stuff you log into every single day.
37:19
Folks, for those of you in a much more manufacturing- or production-based industry, there is a whole concept of OT, or operational technology, which can also represent a point of failure or an attack vector, if you like sexy words, for the threat actors or adversaries, the bad guys. They go after the machines, because there have been really bad cases of ransomware.
37:50
Some of us have probably heard about this where they affected a grid in the US.
37:54
Well, that was an OT play.
37:56
That was not a network or enterprise computing play.
38:00
So know yourself, know your technology, be it production-level, be it a Windows laptop, be it other things.
38:12
But anything with a blue cable sticking out of the back has a vulnerability to it.
38:19
I like that last reference. It is what it is.
38:23
It helps.
38:23
It helps guys like me know where I'm vulnerable.
38:27
But just a couple of things coming out of your comments, and I think it takes us to the next part of the presentation.
38:38
Akhil, it's, you know, you mentioned bringing this all together, Tony. Are we recommending that most clients, you know, Canadian private businesses, be it with revenues of 20 million or 100 million, are we suggesting that each of those companies should have a person designated to lead this, or is there sort of a different way to ensure that you're properly protected?
39:13
And I'm not sure who wants to take that question.
39:18
Happy to take an attempt and I'm sure Tony will have a perspective to share too.
39:23
Great question David.
39:24
There is no single silver bullet, you know, one-size-fits-all approach.
39:31
That's just the reality.
39:32
What you want to make sure of is, and I'll probably just use this slide to, you know, address some of it, is you may want to think about it from a people, process, technology lens that just allows the previous framework Tony walked us through to bring everything together.
39:49
And in the context of the business, you may not want to miss anything.
39:54
And what I mean by that is start with the governance, right?
39:57
It touches your people aspect as to what is the tone at the top, what is the expected behaviour when it comes to security. Process:
40:06
define your policies, define your procedures, a standard way of doing things, and define technological elements as to how technology is going to be protected.
40:19
But also support the security aspect of your business, right?
40:23
It's quite important from that lens.
40:26
Now, the question that you asked, David, in this context was more in the context of governance.
40:31
Where should it sit?
40:33
It's a joint effort.
40:35
Certainly I would say organizations that have more mature programs have a shared accountability when it comes to security.
40:45
You always want to have, you know, tone at the top sorted, so that you know what is coming from the top down, what is the expected tone, what is the expected behaviour.
40:55
But then when you are one or two levels down, it's a shared accountability, shared responsibility with the business, with IT, with security teams, to ensure they understand the security obligations, but they are also part of the solution.
41:11
They're not just being told this is what you need to do, etcetera, etcetera.
41:15
In some occasions you may have to do that in terms of defining policy and procedures.
41:20
But when it comes to responsibility, it is a shared responsibility.
41:25
Our experience suggests clients who have taken that approach usually have more successful, more mature, more sustainable security practices in comparison to some of the ones that have set it at the top.
41:38
And "this is what we are going to do, go follow it". Tony?
41:43
Yeah, the only thing I'd add to that is I'd bring it down again.
41:46
I'd simplify it to the earlier comparison I made with regard to other business risks.
41:52
If you have a lady at your shop that manages all your real estate because you've got a lot of footprint, real estate-wise, that's a big deal.
42:01
That's a big risk.
42:01
So you have her doing that.
42:04
If you have someone who manages other elements of your business and you basically sat around the table and said, this is important to us and it represents a risk, right?
42:15
So it's not only a volume play, it's a volume and importance play.
42:20
If you think you may have something, again, I go back to that same analogy.
42:23
I've been kind of transcending throughout the talk, throughout the discussion.
42:28
If you think you've got stuff that could be of value to someone, and you've got a lot of it, and you think it's worth protecting,
42:36
you probably need someone who kind of is a little more savvy around it.
42:41
I think the bigger question that I get a lot is buy it or build it, right?
42:48
And what I mean by that is, do I go hire a security person who will build a team, and so on and so forth, which ultimately is one of the worst jobs in the world, folks, because you get paid to make nothing happen.
42:59
Think about that, right?
43:00
You will be compensated if nothing happens.
43:03
So, you know, or do you partner with the experts?
43:10
I think that's a personal, cultural, enterprise thing.
43:14
If you don't work with any third parties, but now you want to work with a third party to do something as important as cyber, that'll be tough.
43:21
But if you're used to playing well with others, maybe this is an area where you defer to the experts.
43:26
Notwithstanding that, Akhil used a very key word: accountability.
43:33
I tell clients this all the time.
43:35
I don't care if you bought it, you're still on the hook for it.
43:39
Good news is, in most private organizations, that sense of ownership is there.
43:44
Someone feels like it's theirs, so that's not as big a deal.
43:49
But don't let it slip between your fingers, folks.
43:52
You need someone who kind of knows a little bit about this to be able to play well with others.
43:59
Or if it's super important to you because you're of an interesting nature, you have something interesting, maybe you'd be in good shape building some of it yourself.
44:13
And then it becomes a secondary conversation.
44:15
Do we take the IT lady and make her phone up or text her cyber skills?
44:20
Because it's two different things, right?
44:22
Folks, let's be very, very clear.
44:23
Your Windows admin cannot necessarily wake up tomorrow morning and become your cyber expert.
44:29
That is one thing I do want to say transcends private and public: people trying to just retool overnight was a massive mistake many organizations made 10 to 15 years ago.
44:39
This is a separate profession.
44:41
This is a separate set of skills.
44:43
These are differently talented, thinking people, right?
44:48
So it's doable, but it isn't happening overnight, folks.
44:55
OK, thanks Tony.
44:56
No, I love that last comment because, you know, we also always see the CFO somehow takes responsibility for the IT, and I always wonder to myself, she can do it maybe, but maybe she can't, right?
45:12
So, a couple of things. A bunch of people are asking whether the slide deck will be shared, and the answer is yes.
45:21
So thank you for those questions.
45:24
Second logistical piece: we're at 46 minutes after the hour, so we're going to need to start thinking about how we move towards the end of the presentation.
45:38
But I think we're on track, and let's keep going, because my next question, and again, I kind of ask this question all the time when I hear about a client being attacked, is: so you had all these controls in place.
45:57
You thought you were protecting the jewels, as you called them, but you got attacked.
46:03
What do you do?
46:04
How do you respond?
46:05
Maybe help us understand that process in a couple of minutes.
46:09
Tony or Akhil? I can probably take a first attempt at that,
46:14
David, and Tony, chime in.
46:18
I cannot emphasize enough the importance of having a written incident response plan on paper.
46:24
And you know, I just can't put more emphasis on that, because the first step in the process is to respond to something that is going to happen, and you're responding today.
46:36
But I think it's very important to recognize you're responding to an unknown because you never expected this would happen.
46:43
And the sophistication of the attack, or an incident, could also be unknown to the people dealing with it, right?
46:52
So it's very important: how do you plan, how do you write an incident response plan that accommodates the unknown nature of the attack that might be coming?
47:01
OK, so the number one step is really to develop, or if you have one already, keep a properly documented and most up-to-date incident response plan.
47:11
OK.
47:12
The second one is continuous monitoring, really, but that means you know what is happening through the technology, what is happening through the business, have a mechanism to monitor what might be coming your way and how to detect a particular incident that merits some attention. Very important to do that.
47:33
And the last thing I would probably say is, to bring it together, practice, because you may have a very fancy-looking plan on paper, but your business organization, if people who are part of the business are not aware of their roles and responsibilities, are not aware of what actions to take when the phone is not working and e-mail isn't working, how do they need to do those steps?
48:00
What do they need to do to be able to create that awareness and knowledge in the organization?
48:05
Continuous exercises, drills are very, very important.
48:09
Your executives need to be part of that.
48:11
Not in every drill, but at least on an annual basis.
48:15
That's the leading practice we have seen.
48:17
Executives need to be part of those drills.
48:22
And going back to continuous improvement, you take the feedback from those drills and then update your incident response plans accordingly.
48:30
Because there would be learning.
48:31
There will always be learnings where you could do things differently.
48:34
So I would say, to be able to respond to something that is unexpected, you write the plan, you practice it, and make sure everybody understands their roles and responsibilities.
48:46
Thanks.
48:47
Thank you.
48:47
Thank you, Akhil. Tony, any other thoughts on that point before we move on?
48:52
Honestly, absolutely not.
48:53
It was perfectly summarized.
48:55
Perfectly summarized.
48:56
Awesome.
48:57
One other admin comment: we had a couple of late joiners.
49:03
I think a couple of folks were struggling to get on the line.
49:07
So apologies for that.
49:09
But as a reminder to those of you who joined late, we will share the slides shortly after the webcast.
49:18
So notwithstanding you missed a chunk of the presentation, you will get the documents.
49:24
And certainly I know that Tony or Akhil would be happy to chat offline with any of you who wanted to dig into some of the topics that we were discussing today.
49:36
We're, I think we're towards the end.
49:41
Akhil, maybe what you could do, which would be great, I think, for our audience, is kind of bring this all together, right?
49:47
Like, you guys covered a tremendous amount of material.
49:51
I'm probably only retaining about 10% of it.
49:54
What would you like our folks to remember?
49:58
And where do they go from here?
50:00
True.
50:01
Let me run with that one quickly, left to right, very simple.
50:06
Assess it, protect what you need to protect because you assessed it, but be ready to respond when there's a hiccup, OK?
50:14
The assessment includes identifying those vulnerabilities and potential threats.
50:18
We talked about that, the internal, external, along those multiple domains, 20-ish domains, right?
50:24
Make sure they're aligned with your business goals also.
50:27
That's another little nuance.
50:28
We want to align it, or emphasize, what that means is if you have no online presence, for example, anything external, perimeter connectivity, is less of an issue; the privacy narrative I used, less applicable, and so on and so forth.
50:43
Conversely, or opposingly to that, is if you know you want to build a B2B later, in six months, well, you'd better prep for it now from a people, process, technology perspective.
50:55
OK, so you've assessed, you've kind of set up a road map, then you've got to protect it, OK?
51:03
The key point here is that any type of protection needs to be multi-layered, OK?
51:08
We have an expression called a single point of failure, OK.
51:12
Even the thickest wall, the thickest and highest wall, if there is only one of it, if someone gets through it or over it, well, then that's not a good situation.
51:23
It has been much more effective to build less thick walls, but more of them.
51:32
The other consideration to the expression, or the mindset, of multi-layered is that, as most of us know, there's lots of pieces to the technology puzzle.
51:43
You got the network stuff on the outside, you've got connectivity, right?
51:47
How you actually exchange files, for example, FTP stuff; you've got your servers, you've got your application, your Great Plains, your Dynamics, your whatever, a small SAP, whatever you've got; you've got a database.
52:00
All of these different things operate differently.
52:05
They speak to one another and they can be a bridge from one to the other, of course, but they're different beasts and need to be protected differentially.
52:14
And some of them don't have a lot of details.
52:16
For example, certain databases have got all the details.
52:19
So that's what you want to protect more than the application; the application, whatever, it just queries the database, right?
52:26
So you got to think of the layers and protect across the layers.
52:32
And the other reason to do that is also that it's a lot more cost-beneficial, because if you try to protect everything, you're going to blow your brains up, right?
52:39
It's as simple as that.
52:40
Be it budgetary, be it brain-space-wise, talent availability, size; like, any mid- to large-sized private company says, I want to do everything all at once.
52:51
Good luck finding all the talent you need and liberating the people inside to actually help navigate.
52:57
Right.
52:58
The other one in the protect element is a key enabler, and Akhil mentioned it before: people. People are, and I'm not a huge fan of the expression but I'll use it anyway.
53:09
People are your greatest firewall from phishing, social engineering.
53:14
Now, will they all call the 911 helpline and say this is it and it's coming from China?
53:22
No.
53:23
Do they need to?
53:24
No.
53:25
But they do know.
53:26
They should know when something is weird and, again, fishy.
53:32
There's a reason we call it phishing, right?
53:33
It looks fishy.
53:34
It's just kind of weird.
53:36
Why would I get a deal on Apple products, a 27% discount on Apple products if I buy today? Where would that come from?
53:44
Don't click on that e-mail, folks.
53:46
Right.
53:46
So people need to be educated on a continuous basis, another expression we used.
53:53
Things change, people change, people get lazy, people forget.
53:58
Make them do this every now and again.
54:00
OK. Quarterly phishing assessments are what we see as leading practice; minimum twice a year, if not once per year.
54:08
You have to, it's a no brainer.
54:09
You've got to do it a minimum of once a year, even if it's a cheap phishing test, right?
54:13
That anybody can do, right?
54:15
The last one is, in the event of hiccups, you need that cyber response plan.
54:19
We talked about it, and again, multi-layered, so to speak: a response strategy needs to have multiple layers.
54:28
You need a team, you need the plan, you need to make sure you're monitoring.
54:33
And Akhil referenced that a little bit, but I had a client with a fantastic IR, or incident response, plan, right?
54:41
They didn't enact it fast enough, believe it or not. The part of the plan that was missing was: when do you flip the switch, ring the bell, pull the trigger, pick your expression, of, oh, now let's go get that really good plan.
54:59
And things happened, and too much happened, because lots of times, I won't say the value of an IR plan is based solely on its content, but sometimes it's on how quickly you implement it, because the best-laid-out plans the day after ain't going to help you, folks.
55:21
So trigger events.
55:22
And that comes through practice, because usually when you do these simulations and practices, the people around the table, usually the business people, go, when do I have to do this?
55:30
When do I have to call?
55:31
When do I call Akhil? And knowing that is, I won't say half the battle, but it puts you on the right path, because if you miss your flight, folks, you're missing your flight.
55:40
It's as simple as that.
55:43
Thank you, Tony, and I'm going to make the executive decision to end the presentation here.
55:53
You know, I've received a number of comments in the last couple of minutes thanking both of you gentlemen for sharing with us, you know, your expertise, your counsel, and that's been great.
56:11
I want to thank our audience for tuning in.
56:13
We know everybody's busy.
56:14
We know the world we live in is moving at a very rapid pace, and so we appreciate your time.
56:22
We would love to talk offline with any of you who have interest in either sharing your experiences or if you need assistance, please reach out.
56:32
We will share the deck and have a great rest of your day.
56:36
Bye everyone.
56:37
Thank you.
56:39
Thanks everyone.