We Stop Ransomware
Ransomware attacks are at an all-time high, leaving businesses in ruins. Join us to learn how we stop ransomware and what you can do to better protect your business.
TOM: The title of the webinar is “We Stop Ransomware.” That’s your number one worry. That’s everybody’s number one threat. It’s a highly lucrative, highly scalable criminal business, and we stop it. It’s that simple. We have never had a successful significant ransomware attack for any of our clients, ever. And I’m going to tell you why we can do that.
First, though, I want to talk a little bit about the book. It’s coming out Q1, hopefully January-ish. We’re working really hard on it. We’re winding things up. It’s coming together really well. If you want to get notified when the book is actually out, just send us an email, sales@irontechsecurity.com. We’ll get you on the mailing list for the book. I forgot I animated that.
Now we have a polling question. Have you or someone you personally know ever had a ransomware attack? A successful one. I think that would be more important. Let’s see how many people we have here. Looks like 40% of you say “neither.” “Someone I know” is 40%, and “I have” is 20%.
That’s about what we’re seeing every time we ask this question – which actually, I’m really surprised. I didn’t realize the extent of people, or people that you know, who have had these ransomware attacks. We just don’t see them anymore, obviously, because we stop them. We don’t have them. Now, the attempts, golly, I’d have to run some numbers on that and see what the attempts are. But I’m sure it’s at least once a week out of our 1,000+ endpoints. But thanks for answering that question.
All right, let’s start off with the myths and bust them. My polling box keeps popping up on me.
KINDSEY: It should be gone now.
TOM: Most of these, especially this one – I’ve actually heard IT professionals say to me, “Well, they’re too small. They don’t have anything to worry about. Why would somebody attack a rural nursing home in Podunk, Arkansas?” Well, the reason why that’s a myth is because the vast majority of ransomware attacks are done at scale. They are automated. They’re bot-automated. These bots just fire things off.
One of the most common, or the most common way it’s done is they just blast out emails. Maybe they want to attack a particular sector, like maybe water utilities, or maybe they want to attack all of the licensed accountants say in New York State. They get the list, and they acquire from another criminal organization a clean email server. They buy a software kit to construct the attack. They acquire help desk services from another criminal organization to actually aid the victims if they have trouble or don’t know how to get bitcoin or there’s a technical issue with unencrypting the files if they pay the ransom. 800 number, a help desk.
They also download other payloads, like server backdoors, keyloggers for all computers on the network, that steal credentials to websites, bank accounts, credit card accounts. If you’re in the medical business, they’re going to steal HIPAA records, which basically is identity theft. They don’t care about the medical issues; they just want to get all the patients’ identification.
So the actual ransomware attacker takes the software kit that builds the attack. It’s point and click. It’s no-code. A ransomware attacker’s number one job, their actual specialty, is a confidence scheme, a con job, a scam. They carefully craft the emails, and usually the “From” address – so if you’re an attorney, maybe you have to have Westlaw for research. So they will make it appear like it’s from a common vendor with say all the New York State attorneys and get the email list.
They start the software construction kit up, the attack construction kit. They launch the application. It’s point and click. They hit Start, Next, “Where’s your email list?” They upload the CSV or Excel spreadsheet. It says, “What’s your email server?” They type in the address of that email server that’s clean, but it’s coming from a criminal – because once they blast these emails out, that server’s going to get blacklisted.
Then it says, “What other payloads do you want?” He says, “I want to put server backdoors, I want to put a variation of the Stuxnet virus that was stolen from the NSA a couple years ago, and let’s put some keyloggers on every device it can find on the network.” Then they click Next and the software says, “What do you want your initial ransom to be?” “I want it to be $5,000. But if I see 10 devices on the network, I want it to be $20,000. If I see 100 devices on the network, I want it to be $500,000. And if I see more than that, I want the ransom to be $2.5 million.”
It’s all automated. It’s done at scale. He clicks Next on the hacker construction kit, the ransomware construction kit. “When do you want to send it?” And then finally, Next, and then he crafts the email. Makes it appear urgent. Uses psychological manipulation. It’s no different than a street con, although he doesn’t really have to be as good of an actor. But he creates a sense of urgency. There’s many other tactics that go into it. Maybe drop a logo on it. The English is impeccable. The days of broken English and bad grammar and bad graphics are long gone. It’s a novelty when I see one anymore. I kind of get a chuckle out of it, back to the good old days, 30 years ago.
Next on the application, goes through a few more questions – oh, the 800 help desk, “What’s your help desk phone number? What’s the text message for that pop-up once all the files are encrypted, demanding the ransom?” And then finally it’s finished. He’s already set the date and time. It’s going to be 5 days that the victims have to pay, or their files are permanently lost.
And then it fires off. It’s all automated. It’s done at scale. It’s done at volume. 100,000 emails, a million emails. It doesn’t matter. The whole process is automated, beginning to end. That’s just the beginning of the automation. The ransomware payment. All of that’s automated with the server that handles all the encryption and un-encryption. It handles the encryption keys. The bitcoin payment just simply flows into his bitcoin wallet, or someone’s bitcoin wallet. Sit back and relax.
Once the 5 days are up and he’s collected all the ransom he’s going to have, he had a conversion rate let’s say of 1% out of 100,000 accountants in New York or attorneys in New York or the 160,000 water utilities around the country. He has a 1% conversion rate. Let’s say it’s 100,000. That’s 1,000 people paying an average ransom of $10,000 apiece.
These don’t make the headlines on CNN. We all know about Colonial Pipeline. We all know about JBS Meat Supply or whatever their name is. These are multi-million dollar ransoms. It interrupts you fueling your car up; if you were on the East Coast at that time, they didn’t have gas in a lot of places and other petroleum products. It interrupted our meat supply. That JBS headquarters was somewhere up in North Dakota, I believe. There was a temporary shortage of meat. That’s what we hear about, so we have a tendency to think it only happens to these big, large companies, but in reality, it’s the ones you never hear about. It’s the ones that you know, the 40% of you that know someone that got hit. I’d be curious to know how many of those paid the ransom because they weren’t properly protected.
Let’s look at another myth. “Good cybersecurity is expensive.” Let’s just say this. First of all, if you’ve got cybersecurity insurance, if you haven’t already received how much your premium is going to go up and what they require you to do, you will. If you’ve already bought cybersecurity insurance, there’s a good chance that you can buy really good protection and pay for itself off the upcoming premium increase, or even the simple requirements. We’re seeing a lot of insurance companies say, “If you don’t do this, you don’t do this, you don’t do this, we’re not writing a policy.”
But suffice it to say there’s not a person on this webinar that can’t afford to get enterprise grade cybersecurity defense in place. It’s not that expensive. The kicker is, where do you get it? That’s the kicker, and that’s why you’re on here. We’re a great place to get it.
I’ve heard IT pros say this: “Antivirus is good enough. That’s all there is.” Both of those are totally untrue. Antivirus is not good enough. It’s useless, as far as I’m concerned. That’s not all there is. There’s an entirely different class of products that you can only get from infosec specialists that will stop ransomware. That’s what you’ve got to do, and we’re going to talk more about that as we go on.
“We already have cybersecurity insurance.” Furthermore on the insurance topic, cybersecurity insurance, like all other insurance, is the last thing you want to have to rely on to make you whole – if it can even be done. You total a car out, assuming no one’s injured, it’s a material thing. You can replace a car. That’s easy. Your home burns down, you’re probably going to lose some memories and some photos and some other very important stuff, but it’s replaceable.
If your law firm, your accounting firm, your engineering firm, your architectural firm – even if you’re a water utility that everybody still has to buy from you – it’s very, very difficult to restore a reputation. Insurance will not make that whole. And then you’ve got to worry about the actual data that’s lost from those clients, the information that’s been exposed to the public. Maybe it goes to Wikileaks. If you’re an attorney that deals with high-profile clients, there’s no telling where that information may lead.
What price do you put on that reputation, that trust? Even if they have to buy water from you, are they going to trust you with a credit card now? Are you going to have to have more staff so you can manually take payments over the phone instead of automating those? What dollar value is that worth?
But reputationally, insurance is not going to make that whole. It’s not going to make a lot of things whole. Not to mention the fact that you may be liable for lawsuits. If you’re an attorney or an accountant, you have ethical things that you’ve sworn an oath to that you’ve got to consider, that require you to make reasonable effort to secure that information. And I’m here to say that antivirus is not reasonable effort. It’s that simple. Not anymore. Not since the NSA was breached and all their tools are out available.
The world’s premiere hacking tools can be downloaded off the Dark Web for free, along with the source code, so they can modify them, and they can take that Stuxnet virus that Israel and the United States used to damage all the centrifuges in Iran’s nuclear facility – that’s being used against us today, especially against water utilities and electric utilities, because they have industrial control systems. The NSA went out of their way to engineer that to only work in that environment, but now with the source code available to the hackers, they’re taking that and other offensive weapons from arguably the world’s premiere offensive cyberattack, cyber warfare unit on the planet, and now they’re all being used against us. Every day, all day long, 24/7.
In fact, not only do they work on holidays, but that’s when they like to attack. This upcoming Christmas holiday, not only is it Christmas, but it’s on a weekend. We saw a dramatic increase over Thanksgiving. They love to attack on weekends because they know that a lot of IT people, a lot of infosec people, are off work. A good infosec security company doesn’t rest. It’s a 24/7 job, 365. We’re going to talk more about that later.
If any of you, or the friends of the 40% that answered that they know somebody, have suffered a ransomware attack and it was stopped or maybe you paid the ransom – it doesn’t matter to me; I have no qualms either way. We can debate whether you should or should not pay ransoms all day long. I would prefer to vaccinate everybody and go on with our lives. But if you’ve had one and your network was not forensically examined with advanced, enterprise-grade tools by an infosec specialist, you’re not all good.
Remember those server backdoors, those keyloggers. We have never gone to a new client that is using our services because they had a ransomware attack – never gone into one and not found server backdoors, keyloggers, bootloaders, root kits. I can go on and on and on and on. And these are things that are undetectable. Their IT guy said, “Bitdefender is the best,” or their IT guy or gal said, “McAfee is really great this year” or whatever it is. If you can buy it off the shelf, it’s not worth the money. It’s not going to protect you. You’re really better off with Windows Defender that’s built into Windows if we’re talking about Windows. You’re better off with nothing if you have a Mac. You’re not all good if you’ve had a ransomware attack, it’s that simple, if it hasn’t been forensically examined by a professional – a security professional. It’s not IT.
Which brings me to the last myth. And I understand why this is. A long time ago, I didn’t really know the difference between a neurologist and a neurosurgeon. Unfortunately, I got up close and personal with it, and I found out that there’s a significant difference in the specialties. The neurosurgeon is a mechanic. The neurologist is a clinician. They study patients in a clinic for the most part. They’re going to read radiology reports, they’re going to talk to the surgeon, but they really have two entirely different specialties.
And so it is with infosec, or as the mainstream refers to it, cybersecurity. They have a common tendency to think “I could just talk to my IT person about it.” These are two different specialties. It would be very similar to mistakenly believing that just because you love your heart surgeon – put a bunch of stents in, you’re like a whole new person all of a sudden – if you break your leg, or maybe you get a spinal infection, you go, “I want to go to my heart surgeon.” That’s obvious. It’s not obvious to most people, but cybersecurity or infosec is a totally different thing. Let’s take a look at that a little bit more.
When you look at the objectives of these two different specialties, they are obviously different. IT, or information technology, from 40 or 50 years ago when personal computers really put computers into offices, and even before that with mini computers and mainframes and all of these others – it’s all about productivity, increasing efficiency. It’s a bottom-line focused objective for well over 50 years from a business perspective. I would argue also from a personal perspective, that’s what it’s all about. Who keeps encyclopedias anymore in their house? I grew up with three sets. I voraciously consumed the information in all of them. But now I’ve got the world at my fingertips, knowledge at my fingertips.
But getting back to a business objective, IT, their number one job is to make sure you do not go down. Everything just works, technology fades into the background. It allows you to get your job done because that’s what you bought and invested in the technology for. That’s their number one job: minimize help desk calls. Minimize user frustration. Just fade into the background.
Those of you that are using an MSP, a managed services provider, you pay one price and they take care of everything and everything just runs – great. That’s a great way to run your business. We do MSP, too. I chuckle whenever a customer calls us up and says, “I don’t know why we’re paying you so much money. We don’t have any problems.” Well, that’s why you are. We’re proactively preempting any downtime or any glitches as best we can. That’s what a good MSP does, and that’s what you want them to do. That’s their objective. That means that technology investment, that services investment, is paying exponentially more dividends than it costs. That’s what it’s all about. That’s what IT is all about.
But when you look at information security, companies like IronTech, their job’s all about understanding the risk – who’s a threat to the organization? What threat actor is a threat to this organization? What technology is a threat? Where is the company’s knowledge? Where’s the data? What type of clients does the company deal with? If you’re a patent attorney, you may be handling intellectual property in your office. You probably are. In fact, I guess you kind of have to. Well, you may be surprised to know that China would be very interested in that.
If you follow the change in China going from a third-world country to, in many ways, more advanced than any Western democracy, European, United States, any advanced country – and there are some cities in China that are more advanced – that’s occurred over a period of roughly 30 to 40 years. They did that through theft of intellectual property, primarily from the United States, but of course Europe as well.
There are some experts out there, a lot smarter than I am, that say that the amount of intellectual property that China has stolen over the past couple or three decades is the greatest transfer of wealth in human history. And you can see it in Shanghai, Beijing, Wuhan. So we have to understand the risk from IronTech’s perspective: what kind of data are we dealing with, and who wants it? Everybody’s got to worry about ransomware.
Information security professionals have to monitor continuously and respond quickly. I don’t mean a 4-hour guaranteed response time; I’m talking about a response time in minutes, maybe even seconds. We have literally stopped attacks within seconds of a phone call, within minutes of an email coming in. Something just didn’t look right to an end user and they said, “Hey, can you take a look at this? I opened the spreadsheet.” Immediately, that’s a 911 call to an MSSP.
We have to worry about geopolitical factors. If we accidentally splash a Chinese military jet over in Taiwan airspace, we have to think, what’s the blowback going to be? Because don’t kid yourself; China and Russia and a few other countries’ cyber warfare units are every bit, if not more so, as talented and skilled as our NSA, our U.S. Cybercommand. And they’re a lot less afraid, or a lot less reserved, to use them.
And yes, if you’re a one-person accounting firm, you may be a victim of a geopolitical issue because it’s done at scale. If it’s Russia, maybe we down a Russian jet, we splash a MiG in the Taiwan region or whatever, Putin will probably do an attack on critical infrastructure of some sort. He’s already mapped it out and war gamed it, just like we’ve already mapped out and war gamed all of their stuff that’s vulnerable. But Putin has another tool in his toolbox. He can just post a message on the Dark Web to all of his cyber mercenaries, all the criminals that are protected by Russia. He can just post a message up there and say, “Hey, you guys want to attack the United States? Do whatever you want to do. Free rein.”
Instead of just attacking all the attorneys in New York State, they’re going to attack all the attorneys all over the nation. They’re going to attack all the water utilities, all the electric companies, all the petroleum distribution companies, all the food service, the food industry, the trucking industry, and bring the country to its knees. They’re going to make a lot of money doing that, and they just got the green light from Putin, who’s protecting them.
These are key differences between IT and IS. You don’t go to a divorce attorney if you need a trademark. You don’t go to a personal injury lawyer if you’ve got a contract dispute with another business. You’ve got to go to the specialist. There are a lot more differences. If you want more info, you want to do a deep dive on it, you can go to mssp.irontechsecurity.com. I think there’s a 10-page PDF, and it goes into more detail about these things and what the difference is.
The takeaway is that going to IT is not where you need to go. And honestly, we love IT. We want them to do that job. It’s not in our wheelhouse. IronTech is all about security. That’s our number one job. Most of the time when we go into a firm that already has an IT company, either in-house or outsourced, most of the time they’re relieved that they don’t have to do the security. We work really well together. They make us better, we make them better. It’s a great tag team relationship.
So, 5 things you’ve got to do to stop ransomware. The White House sent out a letter. President Biden issued an executive order saying you’ve got to do these 5 things: have a skilled security team, use multi-factor authentication, use an EDR, encrypt your data – you’ve got to encrypt your data; don’t wait until the bad guys do it, you want to have access to it – and then you’ve got to continuously incorporate new threat info into defenses, new threat intelligence.
Did the United States just splash a Russian MiG? There’s going to be cyber blowback. They can’t respond kinetically or militarily. They will respond in cyberspace, and that’s what they’re going to do. Iran, Russia, North Korea. North Korea took out 80% of Sony Pictures Corporation’s computers over a movie. I mean took them out completely. I mean damaged them. Not infected them, not ransomware. They damaged them. Destroyed them. Over a movie. Sony Pictures Corporation.
So let’s look at these 5 things. Oh, and that White House letter, by the way, was all about stopping ransomware. I didn’t read the subject: “What We Urge You To Do To Stop Ransomware.”
Number one, multi-factor authentication. Most of you I’m sure are familiar with this. It’s commonly used to sign on to your bank account or your cash manager as a business uses, or I call them “cash mangler.” Basically what it is, it’s a third credential item that’s time sensitive. It’s only valid for a certain period of time. It might be 30 seconds, 60 seconds. If you’re using MFA through email, which I think is a poor idea, but it’s better than not using it at all, it may be good for 5 minutes or an hour or whatever they configure it. But without that third piece, the username and password by itself is useless to hackers.
Now, we require it for remote access, and it should be required in your business or your organization as well. If you’re just relying on username and password, it’s not a matter of if you’ll get hacked; it’s a matter of when. It’s that simple. I’m not overstating it.
But what the White House is saying, and what I’m saying, is you need to use it everywhere that offers it. Turn it on on your Amazon account. Turn it on on your Gmail account. Turn it on on Facebook. Please turn it on on Facebook. How many friends have you had just in the last year, “Sorry, don’t pay any attention to me. My Facebook account got hacked.” Facebook’s business isn’t about protecting their users. It’s about selling their users. Just the fact that they get hacked at least once a year should tell you that they don’t really care. They don’t care about security because that’s not how they make their money.
Just turn it on everywhere that you can.
EDR, the holy grail. This is the thing you’ve got to do. You’ve got to get off of antivirus and you’ve got to put in an EDR. Stands for endpoint detect and respond. It doesn’t rely on virus signatures to respond to anomalies or attacks. It uses a neural net, uses artificial intelligence or machine learning, and it knows, and it looks in real time at what’s going on on the computer. What is the user doing? What is the computer doing?
It’s learned that when the user opens an email and then they open the spreadsheet that’s attached to it, and then the spreadsheet runs a macro that’s built into Excel, and then the macro calls the disk encryption service, EDRs know that that is a storyline – that’s actually an official term in the infosec business – it’s learned that that storyline is going to be a ransomware attack, and it immediately stops the disk encryption service, immediately kills off the macro. In real time. It responds in milliseconds. And it learns this from millions and millions of endpoints all over the planet.
Upon the event of a brand-new threat technology being released into the wild, a good EDR can respond globally within minutes of that brand-new threat being detected because it uses machine learning. It has a neural net. Those of you that have a Tesla, every day you use autopilot, it gets a little better and a little better and a little better. That’s a neural net backing up that technology. Or a Cadillac or whatever car you have that has it.
EDRs are the only product on the market that can stop these. That’s it. Anything that you can buy off the shelf does not stop it. Now, it’s also called MDR, XDR, EPP. These are basically marketing terms for different EDR vendors. While there are some technical differences in those terms – and in fact, if you buy EDR, chances are you’re going to get managed EDR, which is the MeDR and MDR. Certainly from us, that’s the way we do it, 24/7, 365. It’s got to be monitored as well because it’s an intrusion detection system. It’s an intrusion prevention system. You’ve heard IDS and IPS. And it’s a mitigation system. But it doesn’t work 100%. Nothing’s guaranteed. If the NSA can get breached, anyone can get breached. But it’s like 99.999% effective against ransomware.
But in that rare event, it may just slow down the attack. We’ve had a few times where it didn’t kill it, didn’t quarantine it – gosh, I remember one attack, it was just incredible to watch it. I didn’t think it was going to hold up, one of the EDRs we have with a client. I said, “There’s no way this thing can hold up. This is massive.” It was a massive, massive attack using a lateral strategy. Hundreds of times a second, it was automatically responding. The neural net, just responding, stop, stop, stop, stop. That’s all it could do. It couldn’t kill it, but it slowed down the attack enough for us to get with another EDR vendor and have them custom-code us a way to stop it. Took about 4 to 5 hours to get everything calmed down and a response time of seconds.
That’s the tool you’ve got to have before you can sleep better at night.
Encryption is pretty easy. Just turn it on. Let’s put it this way: some people don’t want to turn it on because it makes your computer run slow. My answer to that is your computer is too old, or you underspecced it when you bought it. You bought something totally inadequate. You bought a Toyota Corolla to go do the Indy 500. If you’re going to invest in technology, invest in security, then keep it up to date. Computers are too cheap. You’ve got a million dollar accounting practice or a $10 million accounting practice or law firm, does it really matter if the computer costs $600 or $900? Just go ahead and buy the $900. That’s why you’re buying a technology in the first place. Don’t get cheap on it. Make sure your computer can run encryption. Encrypt that data at rest.
It’s just about required for portable devices, but turn it on on the server, too. You don’t know where those hard drives are going to end up 5 years from now or 10 years from now. There’s a lucrative business on eBay buying used hard drives and mining data off of them. By doing this and others, it shrinks your attack surface way down. So turn on encryption. I think it’s mostly on by default these days.
This is the White House, the president, saying that you need to use a skilled security team to keep track of these things. They respond instantly. They orchestrate responses. That particular incident I just relayed to you, IronTech orchestrated that response with that multi-vendor team. It wouldn’t have stopped without all of us. We have hundreds and hundreds of people around the globe that that’s their job, to be a member of a dream team. Our job is to orchestrate that.
Our job is also to monitor, investigate, and respond. We’re kind of like the first responders. Sometimes we’re not; sometimes it’s a vendor who says, “Hey, you’ve got a problem over here.” Okay, we’ll look into it. We’ll see if there’s any other anomalies. We’ll start gathering clues, begin our investigation.
The point of it all is cybersecurity is not do-it-yourself anymore. It’s just not. It’s not adequate. Most Fortune 500 companies have a chief information security officer. Whole different role, entirely different role than the CIO, because they know that security has a different objective. And the CEO, the decision-maker, has to be informed and has to make a decision if a new security policy is going to be a pain in the butt or it’s going to increase help desk calls. Because the CIO’s job is to decrease those, to minimize user frustration, not put in multi-factor authentication or turn on disk encryption because of a performance hit. That’s his job. That’s all well and good.
But the boss, the owner, the president, the managing partners, their job is to look at everything holistically, to look at everything from a stakeholder perspective, and security has got to be job one. You need to put that in the hands of a security specialist. It’s not do-it-yourself. It’s not your IT.
Finally, number five is continuous defense improvements. If you’ve got a skilled security company backing you up, they’re going to monitor intelligence. Government, private. They’re going to adjust defense as needed, constantly, because of new threat intel, new technology, new threat actors, new techniques, new scams that are out there.
And this is another thing that differentiates IT from IS: patches. Microsoft is notorious for releasing patches that break stuff. They’re security patches. IT has a tendency not to want to put those on there. They want everybody else to be a guinea pig, let them work out the bugs in these software updates before they put it on their clients’ systems. There’s a big problem with that. Some of these patches are addressing vulnerabilities that have been there for months, that have already been exploited. They’re called zero day threats.
Microsoft exchange servers went through this at the beginning of the year. Microsoft, the FBI, and others sat on the intelligence for months. Presumably Microsoft was using that time to try to patch their systems, but it finally got revealed outside of them. They lost control of the intel, and lo and behold, all of the Microsoft exchange servers were vulnerable that day, that zero day. Come to find out, 20,000 to 30,000 of them had been impacted by it.
Ultimately what ended up happening is the FBI themselves took it upon themselves to go out and fix all of the Microsoft exchange servers without notifying the end users. Yeah. The FBI came in and fixed all the exchange servers without notifying the end users of an issue that they’d known for months. And not only that, the patch wasn’t even ready.
But when that patch is ready for zero day threats, it’s got to be put on, and if it breaks stuff, so be it. A skilled security team is going to look at those patches and make an analysis on the risk that in this particular environment, with this particular client, is it worth the risk to put it on immediately, shut down operations? And sometimes it is. Then you just hope it works.
If you want to go down the rabbit hole, a bunch more – CISA, I think it’s cisa.gov. FBI. Dark Reading is a nice web portal for news on cybersecurity. I love Krebs on Security. He’s a great security consultant. And then, of course, you can subscribe to our threat advisory as well.
I keep saying it’s affordable. This is sample pricing. You’ve got a two-person accounting firm – there’s two people. Maybe you’ve got an assistant and you’re the accountant. You’re a personal injury lawyer and you have a paralegal that functions as a receptionist and jane-of-all-trades. It’s $40 a month to protect your firm with two EDRs. Not one, but two. And you get all the 5 things that the White House says you need to do for a little over $40 a month. MFA costs a little bit more. Or you can use free MFA. It just depends on what you’re protecting.
And then if that makes your cybersecurity insurance cheaper, it pays for itself. I don’t know what else to say. This is not brain surgery. It’s really simple.
We talk a little bit about assessments, which I’m running out of time here, but if you want to skip a security assessment and just go “We need to get the 5 things” – and that’s pretty much guaranteed for everybody that’s on the webinar – just give us a call. “Hey, here’s my issues, here’s how many people we’ve got, here’s my clientele.” We’ve done this thousands of times, so within 5 or 10 minutes we’re going to know exactly what you need and how much it’s going to cost. Is it really not worth 10 minutes of your time?
This is our phone number. The meeting.irontechsecurity.com takes you to an appointment page to set an appointment to talk to somebody. Make sure you have time, make sure we have time. Or you can just drop us an email or call us.
All right, let’s look at some statistics. Kindsey, I know you’re sitting there going, “You are not going to make it through all these slides.”
KINDSEY: That’s exactly what I’m thinking.
TOM: [laughs] 20% of all of you will be hacked within the next year. 6% of those 20% that are going to be hacked will not survive longer than two years, other than the water utilities. But it’s going to cost you dearly. And if you’re not monitoring your backups, you don’t have one. It’s got a failure rate of 75%. It doesn’t matter who it is, what it does, when it works. Things go wrong; you have to monitor it each and every day. A good infosec team will do that for you.
As quick as I can, we’re going to talk about NIST Cybersecurity Framework. IronTech Security is a NIST compliant, White House president compliant security company. The NIST Cybersecurity Framework is the gold standard. It’s the best in the world. It’s the framework that’s used by more organizations, by far, than any other security book. This is the book. We do things by the book.
For those of you that aren’t the decision-maker in your organization – you’ve got partners or shareholders or boards or your boss, the manager, president, owner to answer to – doing a security assessment is the best step forward. Even for those of you that are single, if you’re a single or two-person law firm but you do $10 million a year, you should do an assessment. It’s kind of complicated, those that should and those that shouldn’t.
Actually, I don’t care who you are; you need to get an EDR in. I don’t care if you’re Ford Motor Company. If you don’t have EDR, you’re not protected. That’s number one job. But a NIST assessment is going to get you a lot closer, and it’s going to uncover things that may go undiscovered. It’s about identifying the condition of your ship.
On the bottom here is a NIST assessment, and on the top is the actual NIST CSF. This particular client had two critical risks. Number one is the users aren’t informed and trained in how to identify a phishing scam and know not to open the Excel spreadsheet. IronTech identified this as a critical risk. You need to address this. You need security awareness training. But it’s not us saying that. This is part of the NIST, National Institute of Standards and Technologies, from part of the U.S. Department of Commerce, a worldwide gold standard that says, yes, this is part of protecting your organization. All users are informed and trained.
And they reference other standards and specifications and certifications, such as ISO, COBIT, CIS, and their own documentation. Like I said, it’s the gold standard. If you’ve got to justify spending the money and the time and the effort on making security job one for your firm, this is telling it to everybody in your organization.
Other recommendations. We prefer company-owned equipment for remote access. If you’re using a home computer, it’s probably already compromised. Once you do remote in to the company network, it becomes part of that network. It’s like cutting up chicken and then cutting up your salad without washing your hands.
Highly recommend password managers. I’ll say this about password managers. Some of you may have tried one and you didn’t like it. If you just stick with it, I promise you, you’ll quickly get over the hump. They’re all quirky, and that’s not a fault of the product; it’s not really the fault of anything, but it’s just the way they work with websites.
They’re quirky. Accept that. Force yourself to learn how to use it. In a week or so, you’ll have the hang of it, and a month later you’ll wonder how you ever lived without one. I promise you. We see it – when we get a new hire in the company, they have to use a password manager. Most of them have never used one in the past, and they go on with their lives. 10 or 20 years down the road, they will still be using a password manager in their personal life and professionally.
A lot of people overlook their websites. That’s an attack vector. It’s commonly used also to spread ransomware. The last thing you want to have happen reputationally, reality, is attacking someone because your website wasn’t secure. They’re always being hacked.
Many of you – accounting, finance, lawyers especially, but engineers and any people that handle information that needs to be secure – you need to consider using encrypted email. And some of them are a hassle, but there are some that are better. You just have to get a good one.
Having said all of that, if you want to go through the whole assessment – and going back to the 5 steps and the assessment, a smart thing to do is to get EDR and maybe get MFA in place if you need MFA, and then do an assessment later. That’s a really smart way to do it for firms of all sizes. Our NIST assessment, the one I just showed you a couple of slides back, normally costs $795. We spend a minimum of 5 hours on this. You end up with a document that you can hand to anybody you want to, to fix your vulnerabilities. It tells you the condition of your ship. You’re the captain of your ship, or at least you’re the first mate. You’ve got to know the condition of the ship and the crew, the cargo, the weather before you set sail. That’s what an assessment does.
Like I said, it’s an investment of minimum of 5 hours of our time, minimum of a couple of hours of your time. It’s very intense – I mean, relatively speaking. It’s not nearly as intense as going through certification processes for certain things. But you can get it for $495 on this webinar.
All you’ve got to do is, once again, just reach out to us. You can simply say, “Hey” – I don’t know who you’re going to talk to. Maybe it’s Brayden. You go, “Hey Brayden, let’s get the EDR. I remote in to my office. I remote in to my desktop with my laptop all the time. Let’s get MFA going.” Just do it. If you do that, we’ll give you the assessment. Because even if you buy the assessment up front, that money is applied to anything you buy from IronTech going forward. But even that $800 investment, or in this case the $500 investment, that document is over 20 pages, usually. It depends. 25 pages.
We actually have a more comprehensive assessment, and we can do vulnerability scans on top of that. Those are other services. If you’re a larger firm – if you’ve got 20 attorneys in your law firm, we need to take that seriously. You’re a serious law firm. You’ve got 20 attorneys, maybe 30 employees, whatever it may be, you’ve got significant stakes at risk. Just hoping it won’t happen to you is not good enough.
So that $500, you can pay it, get the report and hand it to your IT company. But just keep in mind, they’re not security specialists. They don’t know the best of breed technology to put out there. They may just put McAfee’s EDR – and yes, they use those terms, and they’re crap. They’re not even close to being acceptable, in my opinion. Well, anybody that’s in security. It’s just not good enough.
Or you can hand it off to a local MSSP. I just encourage you to make sure you’re dealing with an infosec specialist. Don’t go to your heart surgeon for brain surgery. It’s not their bag. I’ve got a friend of mine who’s a personal injury lawyer. I don’t go to him for my corporate law stuff. Just do it smart.
Do we have any questions, Kindsey?
KINDSEY: We do in the Q&A box, actually.
TOM: I’m sure you’ll be surprised to know that I didn’t have that open.
KINDSEY: That’s cool. Do you want to get them, or do you want me to read them off to you?
TOM: Let’s see. Mary says “How often should we revisit a risk assessment?” That’s a great question, Mary. That is a very great question. I think the recommended deal is annually, but if you’ve already got that skilled security team backing your company up, it’s going to be a formality. Now, if you’re a larger organization that has – say you do what I’m saying. You’ve said, “Oh yeah, I get it now.” Ding, lightbulb went off and you go, “Okay, I’m going to go to this company for my IT and I’m going to go to this company for my infosec, my IS.”
If you’re a larger organization, those teams just naturally aren’t going to communicate on a day to day basis or an hour to hour basis. IT may do a network share out here that the IS department doesn’t know about. That is when you really need to do assessments frequently.
But in many cases, smaller organizations, that’s not going to come up too much anymore. It’s really a case by case basis. I can’t even say that if you’re a two-person law firm or a 20-person law firm or 200 law firm – obviously the 200 and probably the 20 are needing to do those annually. But I would say vulnerability scans are more important if you’ve got an infosec team, a skilled security team that stays up to date on it. So a lot of things go into that, but short answer is once a year.
Now DC is saying, “My insurance provider is requiring me to have cybersecurity. Will you help me meet the requirements?” We’ve actually been discussing this this week, yesterday and today. In fact, it started a week or two ago. We had a new client come to us with some serious security issues, and they were referred to us by a friend of mine that has an insurance company. Pretty good size insurance company in the regional type insurance company. That drove a conversation about 300% increases in premiums. It drove a conversation about 20-49% failure to pay claims, because insurance companies can’t keep up with the threats.
Everyone knows how fast IT changes, technology changes. Add geopolitical dynamics and the criminal, the cops and robbers part, to that pace of change. Nothing in the world changes at the rate of cybersecurity or infosec. That’s another reason why you need to get a specialist. Nothing changes that fast. Even IT can’t keep up with it. It could change in an hour. It could change in 5 minutes. It might’ve changed while I’ve been doing this webinar. IT doesn’t change that fast. It’s pretty slow compared to cybersecurity or infosec.
Anyway, I went off on a tirade there. DC, your question is “Can I start with an EDR and implement the other?” Yes, absolutely. That’s exactly what I’m saying. If it were me, that’s exactly what I would do. Let’s just say I know I’ve got to have an EDR and let’s go ahead and get it on. The one that we provide is the best in the world. It’s best of breed of breed. It’s like the best poodle of the poodles. Best of breed, best of show.
“I also am not very tech-savvy; would this be an issue during the assessment?” Absolutely not. That’s why you’re going to a security specialist. That’s why we’re here. You don’t have to be. I need to pull the numbers, but we stop threats every day for our clients that they don’t even know. Were it not for our tools, they would’ve probably been shut down, and percentage-wise have a high likelihood of going out of business. They don’t even know it.
The assessment, you let us know. We’ve got tools that’ll probe your network and discover shares and everything like that, so I wouldn’t worry about it too much. If you’ve got somebody, maybe a break-fix IT – you call them up when something’s broken, you can’t get on the internet or whatever – just bring them in on the assessment. That’ll help us and help them too.
I’ll keep talking for as long as you guys want to stay on here. I could probably spend at least 20 or 30 minutes on almost every slide on this slide deck. It’s a huge, huge industry – both the white hats and the black hats, and the gray hats. We all have different specialties. I do not do penetration testing or vulnerability assessments. That’s not my specialty.
There’s a lot of specialties. Imagine all the specialties. Let’s say you’re in Cleveland. You’ve got the Cleveland Clinic. It’s a huge hospital. Internationally renowned. Imagine all the specialists that are under the roof of that hospital, all those buildings, all the different specialties. RNs, hematologists, oncologists, heart surgeons, neurosurgeons, orthopedic surgeons – you just go down the list. LPNs, receptionists.
There’s at least that many specialties in the hacking industry, in the black hat hacking industry, in the white hat hacking industry. My specialty is thinking like a criminal. I’m really good at it. That’s what makes a really good security specialist. It’s a natural, is what we call them in the business. And probably 10-20% of the people that are in this business are naturally criminal thinking, like, “Hey, if I was going to rob that bank down the street, how would I do it and get away with it?” I don’t know how to explain it. I’m not going to do it.
Some of you are going, “Ooh, I don’t know if I like this.” Let me ask the attorneys on the webinar. Do you know how to bribe a jury? Of course you do. Have you ever done it? Of course not. That’s what makes you a good attorney. You know how to manipulate the IRS, for those that are accountants? Of course you do. You don’t do it. That’s what makes you a good accountant. Same thing in infosec.
But the rest of it, it’s a formality. It comes natural for some experts, some infosec specialists, but it’s also formalized, it’s proceduralized, and it goes back to this is the procedure, these are the standards that you have to follow. The White House letter, the executive order from President Biden, NIST CSF. Some of you have new regulations in the accounting industry. Those of you that are in the medical business already know that HIPAA came down fast and hard. It started off with recommendations. Those of you that are attorneys, you’ve got it in your Rules of Professional Conduct, RPC. 1.1, 1.6 addresses those. You have a responsibility to your client to protect their data, their information, secure it.
It’s a lot harder with technology because it’s all connected to the internet. 30 years ago, they had to break into your office and steal your files.
But all the industries are going to be regulated. There’s going to be a requirement one day that everybody has an EDR, or it’s going to be unaffordable to do business. It is just the cost of doing business these days.
I don’t want to see anybody on this webinar 6 months later call us up and say, “We got hit with ransomware. What do we do?” We’re not your company. That’s not our specialty. We struggle when we get clients with that. We wonder – actually, a new prospect that comes to us for help in the event of an attack, we consider them a threat to us because they’re a vector now. We can’t just willy-nilly go in and connect to their stuff until we understand what happened. That’s not our job. Now, if we’ve got the tools in place, then our job is much easier, and that’s where our specialty lies: putting those intrusion detection systems in and responding.
It’s not just the technology. The technology is part of it, but what you’re really getting is that skilled security team. That $40 a month covers that for two people, two computers in your office. And if you’ve already got cybersecurity insurance, chances are when the next premium renewal date comes up, it’s going to pay for itself because you’ve already got it in place.
Frank made a comment, “Daily.” I don’t know what context that is.
Well, there’s no other questions. Kindsey, do you have any comments? I did hit the slides, by the way.
KINDSEY: Yeah, I know. I do want to let everybody know that I will be sending out a recording probably this afternoon, so feel free to share that around. It’s there for you to go back and review if you need to. And of course, just reach out to us any time. We would love to help secure your business and help you sleep better at night.
TOM: Well said. All right, thanks, everyone. I know your time is valuable, and I certainly really appreciate your investing and hearing a little bit more about hopefully protecting your business. The last piece of advice I had is every day you wait is another day that you’re at risk. It’s not a lot of money. Get it going. Thanks again. Bye.
KINDSEY: Bye, everybody.