Clinton Larson: Hello and welcome to EB & Flow, I'm your host, Clinton Larson, and today's episode is all about current cybersecurity trends. And joining me to talk about those trends is Director of Cybersecurity at Eide Bailly, Michael Nouguier. Welcome back to the podcast, Michael.
Michael Nouguier: Thanks for having me, Clinton. Appreciate it.
Clinton Larson: We wanted you back on the podcast, Michael, because one cybersecurity is always a critical topic for businesses these days. But two, there has been a lot of news stories recently about a pretty big vulnerability that was discovered. I think people are saying it's the biggest one in a decade. That's being called either Log4J or Log4J, depending on who you talk to. But let's start there. Can you maybe give us a high level summary of what the Log4J vulnerability is?
Michael Nouguier: Yeah, there are actually a handful of vulnerabilities associated with LogJ. And what Log4J is, it's just a support application for a common software for application development called Java. And the vulnerability that existed there allowed for denial of service attacks where you can shut down access relatively easy all the way up to what they call arbitrary code execution and remote code execution.
And what that basically means is that an attacker could run applications in code against one of your devices that had this vulnerability listed on it, doing whatever dubious or nefarious thing they wanted to do, essentially causing damage, stealing data. And basically, the world was their oyster with this vulnerability. And so the reason it was considered the "vulnerability of a decade" is because it was so widely used across every organization in the world essentially right. It had an application or purchased a third party application that utilized this and that vulnerability impacted them in some way, shape or form. There were a handful of people marked safe from Log4J, but for the most part, it was so widely used, that it really sent the cybersecurity and IP realm of business into a tizzy over the last month and a half.
Clinton Larson: Right, and that's part of the reason I wanted to bring it up, because when I was researching it, a couple of things stuck out to me, that were just surprising was one like you just said the ubiquitousness of this software, it was just everywhere. Like, it sounds like if you were on the internet, you like, you said you were using it.
And then related to that, how hidden it was, it was, you know, it's almost even just your high level summary. I mean, you can tell it, this is like the inside baseball of cybersecurity threats, right? So. It just sort of highlights to of these things, you know, like cybersecurity, really one of those areas where like, you really don't know what you don't know, you know, right? Like, it's such a it can be such a complicated thing, which is why it's so important for businesses, I think, to have the right systems in place, the right processes and why it's such an important topic for it for all business leaders in 2022.
Michael Nouguier: We often talk in cybersecurity about the unknown unknown, right? It's easy to protect the known unknowns, right? But in this case, and this particular vulnerability subset, there was a lot of unknown unknown. Organizations and one of the things that I try and preach from a cybersecurity perspective often is if you have a dollar to spend on cybersecurity, spend it on gaining visibility and understanding of your network. If you don't know what you need to protect, you can't protect your environment.
And so the first step in cybersecurity is gaining asset management, understanding where everything is and what everything is inside of your environment, so that when something like this happens, you understand that it does exist and you can easily move forward to mitigate it. You can build programs, policies, procedures to drive the mitigation of this risk across your environment.
And so that was, I think, the greatest issue when this vulnerability, these vulnerabilities were released is that nobody knew if they had it. And so a lot of cybersecurity professionals and IT professionals over the holiday season were scrambling to identify if they had this, if it was being utilized, if it was the right version or the wrong version. A lot of people lost their holiday season because of this vulnerability.
Clinton Larson: Right, like you said, a lot of people lost their holiday season to this, but it also came at a time of the year when we're thinking about the year ahead, we're thinking about what our goals should be, you know, where we should lay our strategic plans. So in terms of cybersecurity, what are you expecting out of 2022?
Michael Nouguier: That's a really, really good question, right? And I don't want to say more of the same, but what I will say is there's going to be some pretty intense focus and growth in the ransomware arena, as that was a very effective cyber attack in 2021. We saw a lot of banner ransomware attacks up to $70 million in ransom with some organizations last year. And so we'll continue to see that trend and growth of ransomware being pushed towards organizations as the cyber attack to gain their financial means.
We also saw a huge increase in business email compromise, which is basically a threat actor gaining credentials to somebody's email account within an organization and then monitoring that and pivoting across other email accounts to then send false emails to customers, vendors, internally to gain some form of data exfiltration or financial exfiltration for them as well. So a very sophisticated targeted attack by having just email. We saw several of those happen this year.
Threat actors got really creative last year and how they were doing this right, and we were seeing just one letter in the name of the company switched. And so it would be CEO at company .com, but instead of being spelled company.com, it would be spelled copmny.com, right? And so most people aren't checking that level of attack or difference inside of their emails. And so definitely going to see a rise in that over the next year as well. So ransomware, business email compromise is probably going to be the two largest attack vectors.
And then as we move out of the small to midsize market, we're going to continue to see attacks on the supply chain when it comes to application and software development, right? We saw this in 2020 with SolarWinds and then Pasea last year, and there have been a handful of other ones where they've infiltrated trusted software. Threat actors have infiltrated trusted software and implemented malicious code into that.
And most people aren't breaking open any software that they're purchasing. They're purchasing it with this trust that the organization has done everything they can, and that has been leading to more sophisticated compromises across hundreds and thousands of organizations, because they alone, I think, impacted 1500 small businesses across the United States.
So supply chain attacks, business email compromise, ransomware is on the rise and I think not talking just about the types of attacks that we're going to see, but also just the trends that we're going to see in the industry. Last year was a banner year for cyber insurance as well. We saw a lot of cyber insurance payouts from a cybersecurity services firm.
We saw a lot of denial of policies for organizations, organizations coming to us saying we didn't get approved for cyber insurance because we are considered too risky. We have not enough security controls or we don't have policies or we haven't done xy and z. We don't have multifactor authentication. And as such, our cyber insurance firm either declined to cover us or increased our deductible and our premiums and lowered our overall payout.
And so we're starting to see the cyber insurance industry catch up with organizations being attacked. Just recently, there is actually a settled, it wasn't actually settled, a lawsuit that came through true to fruition between Merck and their Merck Pharmaceuticals and their cyber insurer, where the cyber insurer refused to pay the $1.4 billion of recovery that Merck needed to recover from WannaCry, I believe, was the attack, which was a ransomware from 2017. They refused to pay for it because it was an act of war. The Russian nation state actors were attacking a lot of large organizations Fortune 500s with this WannaCry, which was a very pervasive attack, probably at its time, the one of the largest attacks ever in cybersecurity.
And cyber insurers were refusing to pay it because they were considering it an act of war. But what we come to find out as this lawsuit is finalized over the last week, is that cyber insurers have not defined their policies and they're realizing losses because of that, they didn't define an act of war as a cyber insurance act of war, but just a physical act of war. And so we're seeing these changes happen now where cyber insurers are saying we've been losing too much money because people keep getting hacked. So we're going to start doing our own risk analysis of organizations similar to how life insurance has worked over the last several decades. Right.
If you if you mark down that you smoke, drink and you skydive on a daily basis, you're probably not going to get life insurance. Similarly, in the cybersecurity market, right, if you are not doing anything to mitigate risk and respond, I think the key there is also respond to an incident, then you will probably either be denied or your premiums will go up dramatically as well as your deductibles. So we are envisioning that 2022 will be a growth in that risk for organizations as cyber insurers are starting to pay more attention to the risk that they are taking on.
The other thing that we'll see over 2022 is this skills gap that is supposedly in the cybersecurity industry, right? There are more positions than there are for cybersecurity specialists to fill, and that is because there are not enough skills out there. And so we are going to see a trend where we are trying to flip the script on hiring experienced cybersecurity professionals and bringing in and training up the industry, which is a necessity at this point. We can't wait. And, you know, steal from this company to hit our needs because that company is going to steal from another company and it's going to be this cyclical process driving into what is considered this great resignation in cybersecurity.
And so if we're only focused on hiring all the experienced people, that is going to lead to a cyclical endgame of continuously pulling people from other organizations, right? We need to be focused on bringing in and training up the future of cybersecurity as we move forward this year. That will help mitigate risk and also bring protection to organizations as we're able to mentor up in that industry.
Clinton Larson: So it sounds like a lot for business owners to think about in terms of cybersecurity for 2022, you know, and it sounds like there's a mix too of some of the old and some of the new in terms of these trends we're talking about. Like ransomware, the email compromises which have been the phishing attacks that have been going on for a long time. So well, what happened last year that sort of led into some of these concerns for 2022?
Michael Nouguier: Yeah, I mean, we talked a little bit about the key ransomware attacks, but realistically, and I've seen statistics around the line, you know, along the lines, the ransomware increased 700 percent from 2020 to 2021. We also saw an increase in the cost of a breach from 2020 to 2021. The latest numbers that we see from the cost of a breach now are that in 2021, the average customer breach was 4.2 $4.3 million and in 2020, the cost of average breach actually dropped year over year from 2019, it was three point eight six million, so we saw over 10 percent increase in the cost of a breach year over year.
We went from three point eight to $4.2 million dollars on what it's costing us to recover and experience an actual data breach and for that is something that really needs to drive organizations to understand, really to drive organizations to focus their budgets on building out proper cybersecurity controls.
Clinton Larson: Does that increase is that something to do with the sophistication of the attacks or is it just like our hackers just getting better at this? Or is it just they're finding the most painful points to hit businesses?
Michael Nouguier: So I think sophistication is a part of that, right? We saw these massive ransomware attacks, these supply chain attacks that were coming in, and those are highly sophisticated attacks. But we're also seeing that organizations are paying ransomware, which is fueling the industry and fueling more and more threat actors to come together and profit off of cyber attacks. Right. Over the last several years, we've seen this emergence of ransomware as a service where there is an organization that exists out there that build ransomware for people to install in their organization or install on organization's computers.
There are groups out there that build ransomware for other hackers to install and they just take a portion of the ransom gain. And so it's becoming a lot easier as a hacker or as a threat actor to attack organizations. And so we're seeing growth from the sophistication perspective and then growth from the ease of entry into the malicious threat actors space.
Clinton Larson: So it sounds like at the cost of cybersecurity is going up year after year for businesses. It's if the sophistication of the attacks is going up, then it sounds like it's even more critical to take a really strong approach to your cybersecurity practices in your organization. So what are some I mean, we could talk basics. We could talk in advanced. What are some of the things businesses should do to make sure that they're not on the wrong end of one of these attacks?
Michael Nouguier: It's a really good question. Well, one of the things that we have to consider from an organizational perspective is what budget do you associate with cybersecurity? And that's a question that I get asked all the time is what percentage of our overall budget should we put into cybersecurity or overall IT budget? And should we put into cybersecurity and realistically right, that's different for every organization. Each organization needs to understand what they have that protects them and get that opinion from their cybersecurity staff, their CSO, the director of security, their security analyst, whatever it is to understand what they have and where they need to focus moving forward, right?
There's the industry that you're in that you have to consider. Governments right now they actually just got a warning from the federal government that utilities sectors need to be on high alert because they are expecting some more advanced attacks in the utility sector right now. So we need to consider what industry we're in, what tools we currently have and get an understanding from the professionals that exist in our organizations or within our trusted partners and where our risks lie and what gaps we have and how to protect those right.
And so, as I stated at the beginning of this podcast, visibility is key. You need to understand what you have to protect and then you need to understand what you have that's protecting it and where the where the risk lies, where those gaps are moving forward. So we always recommend assessing your work environment, whether internally or using a third party to understand those gaps and then building a roadmap. As I stated earlier, you should build a roadmap so that you can be protected as the cybersecurity landscape progresses and as your organization grows.
The other thing to consider from an organizational perspective is you need to be prepared to respond to an incident, whether that is investing in cyber insurance, aligning with an organization to help provide incident response, building incident response organically with inside your environment. There needs to be a focus on preparing your organization and your teams to respond.
We've seen statistic after statistic that you can minimize the impact of a breach. You can recover or even prevent a breach if you are able to have that visibility and see what's happening inside your environment and then respond to the initial attacks from a breach immediately. Having that visibility, having those programs, policies, procedures in place will help you drive a greater posture and response across your organization.
Ponemon Institute releases a cost of the data breach report every year alongside ABM, and they state that just being able to respond to an incident can lower the cost of a breach by one to two million dollars in some cases. We see organizations that aren't prepared for cyber incidents, and so it takes them days or weeks to start responding, at which point they have already had operational downtime or the ransomware has spread or the business email compromise has hit its objective and transferred funds away or sent out phony invoices.
And so there was no policy. There was no procedure to respond to that, to reach out to a trusted partner to start shutting down the right services. Mitigating the risk and that impact proactively. And so over the next year or five years, the two most important things, from my perspective, is to gain that visibility and prepare for an incident and that will set organizations up for hitting their growth goals. becoming the business that they want to be in five years.
Clinton Larson: And bringing it back to this being the start of 2022. You know, it's a good time right now to not only lay the groundwork for this year, but also, you know, those years ahead, like you said, your growth goals, what do you want to see? Where do you want to see your business go in the near future? And there's a lot of complexity, as we just discussed with cybersecurity.
So I think the big takeaway here is, you know, don't be afraid to look. Don't be afraid to ask for help because you're more than likely going to need it with something this complex and this big.
Michael Nouguier: If there are any questions, please feel free to reach out via email or phone call. We're happy to help answer those and drive a greater security posture to your organization.
Clinton Larson: Awesome. Well, thanks again for being on the podcast, Michael. It's always an invigorating conversation.
Michael Nouguier: Absolutely. Thanks for having me again, Clinton. I really appreciate it. I always love doing these.