Mathew Jose: I’m the CISO at Code Blue and I’m just gonna be here with you for the next 30 minutes. We are gonna be doing an extremely condensed version of risk management. We’re gonna look into some of the risk basics. We are gonna have an exercise of a risk scenario and then finally have a look at how Code Blue can actually help you with those ones.
So first things first, let’s actually look at some of the reporting and what it actually says. These are CERT NZ stats: the blue line is the financial loss over a period of time, and the yellow line is the number of reported incidents over the same period of time. And for those of you who don’t know CERT NZ, it’s the computer emergency response team.
It’s been constituted by our government to help our organizations. Now, one of the main things with CERT NZ and New Zealand legislation is there is no mandatory reporting for cybersecurity incidents. So there is no requirement from the government for businesses like us to actually report that, and the amount that you actually see, which is 20 million in 2022, is just the tip of the iceberg.
So delving a bit deeper into the reported incidents, these are the top three incidents that actually happened in 2023, and the number of times they actually happened. So phishing and credential harvesting, what does it actually mean? It basically means that everybody is after your username and password. Why do they need your username and password?
Because they want to get access to the data. And so this is the attack and this is a side effect of the attack: people getting access to things that they actually don’t have, which is up 20% as well. And the scam and fraud reported is one of those age-old things, the Nigerian prince.
I’m pretty sure that everybody’s actually heard about the Nigerian prince scam. It’s been there from time immemorial. So that’s your typical scam and fraud, things which are still going strong. Now, if you look at the cost of cybercrime, the reason why everybody wants to invest in cybersecurity as a business is because, you know, it costs you dearly.
And so what’s the cost of cybercrime across the globe? If cybercrime were to be a nation, it would be the third largest in terms of GDP. So at the moment, it is sitting around 8 trillion, poised to go to $10.5 trillion in 2025. Now, imagine you are an organized group that’s actually moving drugs.
What would you do? Have a think about that. Again, going a bit deeper and getting local into the financial impacts of cybercrime, which is the single most important reason why you are actually interested in cybersecurity altogether. Medibank and Optus, these are from Australia across the ditch.
The current Medibank hack costs them $50 million. It is supposed to go to $80 million because the hack also involves things like passports, and Medibank is covering the cost of the reissue of those ones. So it’s actually supposed to go up to 80 million. Optus is sitting at 152 million.
The other interesting fact about the Optus breach that actually happened in Australia is their parent company, which is Singapore Telecom. They wrote down almost a billion dollars in goodwill against the company. Now, I also mentioned that when we had in-person events in Auckland, Christchurch and Wellington, the day before our Auckland event, which is I think the ninth of November if I remember correctly, the day before that Optus also had a massive outage for almost 13, 14 hours.
And the most prominent question that was actually asked was, was it a cybersecurity attack on Optus? And that is what a cybersecurity incident does to the goodwill of the company: everything tends to boil down to a, hey, is it a cybersecurity incident? So it carries as a permanent black mark.
Coming to New Zealand. The Reserve Bank had a third-party hack, which is well documented. It is a publicly available document. They have ascertained their financial impact as $3.5 million. The Health New Zealand one, this is the Waikato DHB one. Now there is limited information about it, but the $16.5 million that is in the public domain is the amount that they’re actually claiming from the cybersecurity insurance provider, and probably how much they’ve actually been covered for.
Take this one with a grain of salt. I think the amount is much higher than this. But it actually gives you the kind of scale of the damage that cyber insurance causes. You might actually also ask, what about small and medium businesses in New Zealand? Back in 2021, HP did a survey of 500 New Zealand SMBs and they reached the consensus that in 2021, it cost an average of almost 160k per cybersecurity incident for a small or medium business.
Fast forward to 2023, the figures are close to almost a quarter of a million dollars per incident. Again, there is no study or adaptation of the study yet; it is what we actually see in the market that it is going to be. It is a quarter of a million bucks. Now coming into the typical mentality of, okay, yeah, I mean they’ve been breached, it hasn’t happened to us. And that is the mentality that we all have, that it doesn’t happen to us. And there is a concept in risk management which is actually called the black swan, because nobody has actually seen a black swan.
So black swans don’t exist, but black swans are actually extremely rare as well, whereas cybersecurity incidents happen almost every day. You just need to turn the pages of the paper to actually know. And remember that question that I asked about what a drug syndicate would actually do: this is what the report by IBM is actually saying, that 80% of the attacks that we’re actually now seeing in the cybersecurity realm are by organized crime syndicates.
And so they’re actually grouping; they don’t actually have to move drugs. They just have to get people behind a computer and then go after organizations. So now I’ve actually laid out what the landscape is actually looking like. We’ll just move on to risk basics.
And you will actually often hear these risk basics. When you want to do risk management, the first thing is a threat actor. The easiest way to explain a threat actor is a person who wants to rob your house. Obviously we are gonna use a house analogy here. And so the threat is your house getting robbed.
The vulnerability is your inability to stop your house from getting robbed. And these are things like, have you put a door in place, motion sensors, and what are the things that you are actually putting in place in your house to actually prevent it from getting robbed?
So that brings us down to the definition of risk, which is the likelihood of your house getting robbed. So I just wanted to pause there and ask the question: what do you guys actually think is the definition of risk appetite?
Since I’m actually not seeing any chat, I’m just gonna carry on. So risk appetite is nothing but your willingness for your house to get robbed. And this is often the case: when you come across risks, you might actually be willing to actually sign off on it and say that, yeah, as a business, we actually accept it. So that is what risk appetite is.
Cool. Now we actually move into the risk management process. So the risk management process is actually quite simple. It is a five-step process, identify all the way to monitor, and what we’re actually gonna do is step through an example and then try and put all these phases to good use.
The only phase that I’m not gonna cover is monitor, but what monitor basically means is that risk is not stationary. Your business changes and hence you should revisit your risk list every six months or a year, and then make sure that it is actually still accurate. And risk management-wise, people have actually said it is like the brakes on your car.
It actually allows you to go faster and not slower. And having proper risk management processes in your organization allows you to go faster. Like I said, we are gonna use an example. This is an example of a risk statement: risk that employees within your organization might click on a phishing link
that could lead to a business email or an endpoint compromise. Now, everybody knows what an endpoint compromise is. Endpoint basically means your laptop or a server or whatever. And if malware gets installed on it, then that is what we call an endpoint compromise. So the first thing is, let’s look at what a business email compromise is.
As the name suggests, business email compromise basically means your username and password gets into the hands of an attacker. And once your username and password actually gets into the hands of an attacker, what do they have access to? They have access to the same data that you have access to.
They can actually log into your Microsoft 365 tenant. If your documents are actually on SharePoint, they have access to it. They have access to your email and they can actually see what emails you’ve actually got and all that kind of stuff. So how does a typical business email compromise actually work?
So this is the first thing of identifying and analyzing the risk. It all starts with your employees or yourself getting a phishing link, and then, not knowing that it is a bad link, you might actually enter your credentials, and before you know it you get redirected to your actual stuff, but the bad people have actually got your credentials now.
And so towards the left-hand side, what we will actually show you is how the business email compromise progresses. And towards the right-hand side, we will show you what the things are that you need to prevent it from happening. In the risk management world, these are actually called existing controls.
So once you enter these details they now have access to your credentials. So what are the things that are gonna prevent you from getting that phishing email in the first place? That’s things like email filtering. What are the other things that could help you? It is making sure that you have a human shield.
What do I mean by that? Your employees need to be able to spot phishing emails and know that you are not logging into Microsoft domains, but somewhere else. These are existing controls that you need to have in place if you need to stop business email compromise.
So now the attacker has access to your email. They go through your email and they find that you’ve actually got invoices that you are gonna get paid for. They modify the invoice and send it on your behalf. They just change the account number to be the attacker’s account number, and the person who’s actually receiving it, they actually liaise with you on a day-to-day basis.
So they wouldn’t actually know whether it is by the attacker or you, and if they don’t have robust processes for spotting an account number that has actually changed, then they will wire the money to the attacker. And that is a very good business model. And that is the primary goal of business email compromise. Once they have actually got the money, what they do is they will immediately erase all the logs so that people like us won’t be able to figure out what actually happened.
But some of them will also get greedy and they will leave Trojans and back doors so that they can actually come back again and then do the same attack. And this is where managed EDR or MDR helps you with stopping those kinds of attacks with endpoint compromises. So this is the identify and analyze phase of how a business email compromise actually works.
So now you know how it actually works. What are the things that you need to have to actually stop it? So now we actually move into the evaluation phase, and this is where impacts to the organization are actually important. I am giving you an example of a financial impact and a scale from extreme to minor, from less than 100k to greater than 250k.
But there will be other things like employee impact, customer impact and environmental impact and so on and so forth. But for this example, if this were to actually happen in Code Blue, for example, and let’s say we don’t actually have any of these ones or whether we have these, if this were to happen, I would say that it is an extreme impact even for us, greater than 250k.
Like if somebody’s able to modify the invoices that we send out to actually get paid and they’re getting paid, then it is of high impact for us. Continuing on the evaluate phase, again, there is the thing which is actually called likelihood. What is the likelihood of such a thing actually happening?
This is where these controls will actually help you. So if you have email filtering, you might actually say, I do have email filtering, so the chance of it happening is rare. But if you don’t have some of those ones, then you might actually say it is possible or certain.
So what I want you to do is imagine your organization and think about what is the risk impact to your organization if one of your employees were to actually click on an email and that would lead to business email compromise. My guess would be it would probably be on the extreme or major side, and have a think about what is the likelihood of such a thing happening in your organization.
Right?
And once you have the risk impact and the risk likelihood, you can actually pull it all together and then map what it is. So in my case, the impact was actually high and the likelihood was on the possible side. So it immediately gives me a high risk. So this is how you would assess a risk.
You’ve looked at a statement that you’ve actually reached and determined that it is a high risk. What do you do from there? There are four ways to do what we call a risk treatment. I’m gonna talk to you about avoid and accept first, and then we’ll actually talk about mitigate and share. Avoid basically means that you stop the activity.
So if you as a business were to actually say, I am gonna stop all communications via email, I’m gonna just accept every invoice via paper, you are avoiding the activity of getting invoices and you can actually say I’ve actually avoided the whole risk, which is true, but you probably don’t wanna do it because you’ll probably be going back 10 years.
And I don’t think you will actually find parties willing to provide you with paper invoices as well. The second thing is you can be a maverick and say it is a high risk, but I don’t care. I do have money, so if it happens, I have money to actually shell out. But that is actually up to you; the privacy commissioner, depending on whether the data that you have is privacy or personal information, will probably disagree with you. Your organization can choose to have rules around acceptance, but if it was actually up to me, like for Code Blue for example, we would have a dual strategy, which is called mitigate and share.
What share basically means is you can share some of the impacts with a third party. In this instance, we were actually talking about financial impacts, and this is where Emergence actually comes in, or cybersecurity insurance actually comes in, where they’ll be able to cushion the financial impact part of it but also provide you with other resources to actually help manage the incident,
like PR people and other specialists as well. So this is where you’ll be able to share some of the impacts with a third party, but there is an onus on you to actually mitigate, which is how do you reduce the likelihood or impact? What have you done that a prudent person would have done to reduce the likelihood and impact?
And that is why you need to have all those things that we discussed, like email filtering; you need to make sure that your staff is actually trained; you need to have MDR in place to actually reduce the likelihood and impact.
We are Kiwis, we don’t wanna spend money. So if you want to have a takeaway tip that will probably put a stop to business email compromises that actually involve invoices, then it is to manually check all new and unusual requests. I’ll also give you some time to scan this QR code.
It’ll take you to a site which is called Own Your Online, which is by CERT NZ, which will give you tips and tricks for protecting your business. But basically what this one actually talks about is you need to check for unusual requests. You need to make sure that you are actually on the watch out for changes to bank details.
Always use two communication channels, because you never know whether the email that you actually got from the person is actually from that person. So use a mobile phone, like a text or something, and then double-check payments manually before doing an approval.
Cool. Now, Fraser is actually gonna be talking to you about a ransomware scenario in greater detail, but I just wanted to give you homework as well, just like the business email compromise, for you to have a think about what the risks of ransomware are in your organization. And it is the same thing.
We will show you how the ransomware actually works, and on the right-hand side are the things that you need to have in place, solutions that you need to have in place to actually prevent it. So ransomware typically works when you receive an email and your employee actually clicks on it, not knowing that it is a phishing email or that it has a virus, or an employee goes to a website that they’re actually not supposed to visit,
which initiates a download. And before you know it, your machine is actually infected. So the things that will actually prevent you from it: email filtering, URL protection, but also if you have users that are actually trained up, who know how to spot phishing emails and not go to dodgy websites, then you can actually avoid that step altogether.
Once your machine gets infected by a ransomware strain, what actually happens is, on the face of it, you will not see anything until everything is actually encrypted. By everything, the data is actually encrypted. The data will be exfiltrated to the person who’s actually the perpetrator.
And once the data is exfiltrated, you will see a ransomware note, which will tell you to actually wire bitcoins and whatnot. And again this is where MDR plays an important part as well. If you have a legacy antivirus or if you’re using just an antivirus, you are not protected against ransomware.
And this is why Code Blue highly recommends, if you’re still using antivirus as your endpoint protection, please do talk to your account managers about MDR or managed EDR. And this is because the malware is actually changing. You don’t need a file or a signature, which is what antivirus mainly relies on.
The exploits can come from even a Word file. Live attacks basically means attacks that are actually coming from things like PowerShell or Command Prompt, which are things that we use and they can actually use as well. So you need not an antivirus,
but a tool that will use behavioral detection and anomaly detection to actually let you know that there is something wrong with your system. And MDR uses machine learning and artificial intelligence to actually pinpoint and highlight anomalies on your endpoint and provide you with the best protection possible.
Cool. I will leave you at that with a ransomware scenario. Have a think about what the impact is actually going to be and what the likelihood is actually going to be, and the risk to your organization and whether you have the tools to actually protect. Now coming into how Code Blue can actually help.
When I talk to decision makers, these are the kinds of things that everybody tells me: they want to know what the risks are so that they can actually take the right decisions for their organizations. They wanna know what the digital footprint is. Sometimes you’ll be surprised as to what your digital footprint is from time immemorial,
or from the time your company has been alive: what are the things that you have on the internet that you think that you knew about your organization but didn’t? And the other thing is, how do I improve the security posture of my company so that opportunistic hackers would just drive past and not park at your organization?
And this is basically like a byproduct, which is how do I reduce premiums of cybersecurity insurance. We’ve been working closely with one of our customers and they’ve actually given a testimonial which says that putting cybersecurity and other IT things in place actually resulted in almost a 60% reduction in insurance premiums for them.
So again, how can Code Blue help? We are actually launching a product, which is called Risk Aware, which actually encompasses all these ones. I’m gonna talk to you about what dark web and clear web monitoring means first. Now, when we looked at business email compromise, I talked to you about usernames and passwords being available in the clear web and public web, and people getting those ones.
So this service basically looks at the dark web and clear web and sees if any one of your employees’ username and password combinations is out for anybody to buy to actually launch an attack against you. So that is what this does. And we can’t take down the data from the internet, because the internet never forgets, but it will allow you to have a conversation with the people about why their username and password suddenly ended up in the dark web or clear web.
And this is for your business domain as well. It is really good to know. The next thing is, I will walk you through both of these ones as well. So it is about risk assessment. Risk assessment basically means a workshop style where a Code Blue person will actually sit with you.
We will walk you through a NIST based cybersecurity questionnaire, and we will actually give you reporting based on what are the things that you should actually be focusing on. What are the top risk areas for your organization? What are the mitigation strategies that you need to have in place?
And so on and so forth. So it’s actually giving you a report of how we can do risk management for your organization. The second thing is actually about external attack surface monitoring, and like the name suggests, it is about monitoring what you thought your digital footprint is.
Now the digital footprint can be anything. For example, what applications can an attacker see when they look you up? And can they attack it? If they look at your website, are there patches that are actually missing on your website? What is your email security looking like?
Again, the fundamental goal of external attack surface monitoring is to make sure that we give you the monitoring and the alerting that is actually needed so that you are protected against the opportunistic hacker that wants to poke at your network and your organization.
And the next thing, which is actually an important deliverable for us when it actually comes to risk assessment and external attack surface monitoring, is giving you a quantified risk position so that you can actually know what it means, or what is your quantified risk position for your organization?
Is it 3K? Is it 17 million? Is it 2 million? How do we do it? We actually look at what it is that your organization has that is valuable for the hackers, to which the most common answer is data, and data always fetches some amount of money on the dark web. And so we will first take a stocktake of what your exposure and reach is, and then we actually look at things like, what controls do you have in place?
It’s like when we discussed the business email compromise: email filtering, trained staff. All those kinds of things are controls that you need to have in place. Do you have an incident response team? Are your people trained? Do you have things in place to respond? So once we know that, we will know what your loss magnitude is.
Then we look at the vertical that you’re actually in. For example, if you’re in healthcare, the chances of you getting targeted are higher versus if you are in manufacturing, and so on and so forth. What is the threat event frequency of your vertical, and then what are the things that an attacker can actually see about you, which is vulnerability?
And once we know both of those ones, we will be able to predict what the loss event frequency is. And once we know both of those, we’ll be able to let you know what the quantified risk position is so that you can actually make better decisions on your cybersecurity. So just to recap on the risk assessment deliverables and the Risk Aware package: we will be able to give you a cybersecurity rating, so that it acts as a scorecard from an external attack surface.
We will be able to also give you how you are improving the security posture over time, or the technical rating trend, so that you know that there is return on investment on cybersecurity. And we will also be able to tell you, these are indicators basically for data breach based on your external thing.
How likely is it that you are going to have a data breach? Are there too many gaping holes in your system? And what is the data breach index looking like? And then finally the annualized, quantified risk position for your organization so that you can actually take better decisions about cybersecurity. To round it all up,
we’re actually launching a Risk Aware package. It’s bundled pricing. You can’t take one and not all; it’s three services all bundled into one, and it is less than a thousand dollars a month. And if you are really interested in this one, let your account manager know, or if you are a new customer to Code Blue, let me know and we will be able to have a chat to you. And with that I will pass the presentation to Fraser.
Fraser Walker: Good morning everyone. Thank you very much for that, Matt. Thanks everyone for your precious time. I know that time is of the essence for everyone here. Curiously, I do know that this session is being recorded and it’s gonna be transcribed as well, so this will be a great opportunity for Teams to really test itself to see if it can transcribe what I’m saying with my accent.
That’ll be a real challenge. We’ll see what interesting stuff comes out in the transcript. But yeah, just before I kinda launch into the doom and gloom world of insurance, which is not, it’s actually very, the future’s bright. I’ll tell you a little bit about Emergence. So Emergence are New Zealand’s only standalone cyber insurer.
We’re relatively new to the market, although Emergence have been trading in Australia successfully since 2015. We are backed by Lloyd’s security and Lloyd’s paper in London, and that relationship works really well. So the benefit, and I’ll go into this, this isn’t a timeshare, this isn’t a hard sell for insurance.
This is really me trying my best to support the guys at Code Blue. But we’ll really get into some of the ins and outs of cyber insurance, what it covers, what it doesn’t cover. I’ll run you through some desktop scenarios, some real-life ransomware hack breaches, and yeah, we’ll peel back why, if you do buy cyber insurance, it’s definitely worth considering Emergence or a standalone cyber insurer.
Before I kick off, I see that there are some questions accumulating in the meeting chat. I think we’ll touch on those at the end. And yeah, these sessions are always a bit more difficult. It’s tough to get engagement going. So what I would ask is, there’s a raise your hand button there, just to get an idea of the people in the room here.
Are any of you guys directly involved in purchasing cyber insurance or part of a board where the cyber insurance is part of the discussion?
Quite a few. Yeah. There we go. Oh, that’s amazing. Yeah. Look, then the next question I normally ask, when we went around the country last year with this, was, that being the case, do you know exactly what cyber insurance covers and/or doesn’t cover? And to my surprise, there were quite a few people in the room who said, yes, we are involved in the decision to buy cyber insurance.
We appreciate the seriousness of it, but we’re not actually really sure what it covers. So hopefully this will demystify part of that. So I’m gonna share my screen now.
Okay. And just another little thumbs up here. Can everyone see this attractive man there?
Okay, we’re all good. So I’m just gonna move this across so that I can still field any burning questions that happen to occur. That’s not me. I don’t know who that is, but we’re having him replaced. He doesn’t seem to be getting much traction at the company. No one’s ever seen him turn up.
So yeah, we’re gonna have to FaceTime out. So before I start, what I’d like to do is briefly run you through some cyber misconceptions. The point here is that how well run cybercrime throughout the world is cannot be understated. It’s an extremely well organized industry, and that’s exactly what it is, an industry.
As Matt touched on, we’re approaching $8 trillion worth of criminal proceeds to cyber crime, which is more than that of drugs combined. As Matt correctly said, if you were a cartel boss, I’d be transitioning into cyber crime. It’s exceptionally well organized.
These guys don’t get caught, or they rarely get caught, and they make a ton of money. It’s not a lone wolf; you’re not looking at a kid sitting in a basement with a hoodie. That’s not how cybercriminals work. This is a vast, intricate syndicate, and with Matt mentioning the dark web, there’s almost every service for hire available on there. Ransomware as a service, for example, is available on the dark web.
To understand how our world hangs together, I don’t love the terminology the ambulance at the bottom of the cliff, but that really is insurance, and the world’s right to say that. The more proactive insurers, you’ll certainly get more value for money. And I like to think that Emergence, as we go through our underwriting process,
we work with guys like Code Blue and highlight to our potential insureds or our renewal insureds that there’s actually a good dozen things that you can do that are low cost or no cost to improve your cybersecurity posture, as we say, make you more appealing to an insurance company and less appealing to a cybercriminal.
We’ll briefly touch on how the threat landscape hangs together. Now there’s some common language that you’ll hear coming out here in cyber insurance, in the cyber world. Some of it is hilarious to read, and some of it you just kinda wonder what they were thinking when they came up with these names.
But what I do know is that there’s lots of jargon, lots of acronyms, and so I’ll try my best to stay clear of those. So as you can see from the five categories of threat actors, as an insurance company we are only really interested in the cybercriminals. They’re motivated by financial gain and through various attack vectors.
But to touch on some of the other ones: nation states, these guys are really country versus country, military espionage, spying and so on and so forth. The exception to that would possibly be North Korea. Their Lazarus Group are state funded and they’re used exclusively to extort, to accumulate funds to forward their military efforts and endeavors.
Cybercriminals, we’ll touch on that in a second. Hacktivists, you might have heard of the group Anonymous. They are motivated by political ideology, making statements. Donald Trump would climb all over those guys saying that they were the guys that rigged the election and all that kinda stuff.
Terrorists speak for itself. Yes, there is a bit, there is a quite a frightening world out there when you think about what cyber criminals could do. Could they get into infrastructure, critical infrastructure? Could they Absolutely. They could look at what they did in Florida. They got in, they were able to poison the water there.
Look at what they’re, could they take control of logistics operations and send vessels into ports? A high speeds? Yeah, absolutely. They could. Not much that we touch on in the insurance world, but was definitely scope for cyber terrorists to become more prevalent. And then script kitty’s, hilarious terminology again.
These guys are often sort of teenagers. They do it for notoriety and thrill. They’re hacking into networks often just to say that they could they’re not really causing all that much problem, although when they get in there they’re a pain in the ass. ’cause they leave doors open and windows open in the digital world.
And that can be a real pain. A lot of the times these guys are hacking into systems and IT infrastructure so that they can mine for crypto or they can mine for Bitcoin. We can talk about what that means later. Instant response. I’ll talk briefly about this. And then we’ll talk about some real live kinda hack scenarios.
It’s important to talk about the life cycle of a claim because, unlike any other form of insurance, the way I like to look at cyber is: it would be like being involved in a car crash and filling out your claim form as the car was crashing. It’s a real high stakes, really intense environment.
We get first response calls because we have digital forensics and incident response teams in-house. We get the calls. We’ve listened to these, we’ve read transcripts, and it’s a really highly charged environment. You’ve got seasoned professionals in tears watching their business lock out before their very eyes.
They don’t know what to do. They’re being extorted. Their staff have been contacted, their family have been contacted on LinkedIn. The stakes are really high. So every second counts. And literally within minutes, if you call the hotline, we could have the necessary stakeholders around the table on a Teams call to get in there and stop the bleeding.
And that’s way before we’ve even considered whether it’s a recoverable claim or not, or whether the policy’s actually gonna respond. The service is free, and it’s free until the point where either there’s been a claim or there’s not been a claim. So sometimes it’s really valuable to know that you as a cyber insurance buyer have a look-and-see service.
You’re not sure. You think perhaps an employee has clicked on a phishing link. There’s some odd system behaviour; can someone get in, have a look? And that’s exactly what we’ll do. So you can follow the bouncing ball through this slide. Now there’s lots of stakeholders involved.
I mentioned the digital forensics incident response panel vendors, legal, accounts forensics, forensic IT, PR. Often we find that when you talk about managing PR, it doesn’t always necessarily mean managing public relations and opinions outwith your company. When there’s a live breach or a live hack, often staff are involved and they don’t really know what’s going on.
So what they tend to do, as all good staff like to do around the water cooler, is they fill in the blanks themselves. Next thing you know, texts are flying out to relatives. And then, yeah, then we end up getting calls from the press wanting to know what’s going on. So it can be really valuable to manage the messaging to your staff before you would really do anything else.
And that’s sometimes an element that people don’t consider in these high stakes scenarios.
So again, if you’ve got any questions, file ’em into the Q and A box, and we can get there at the end. I think I’ll touch briefly on cyber events here. Now there’s obviously a lot, and I’m not gonna go through them all. The point here is to suggest that there’s lots of other ways that businesses can be duped, not just breaches or hacks.
If you look at point of sale intrusions, again, really common. What will happen is the cafe owner, or whoever operates a small business, will get a shiny new point of sale payment card machine and plug it in and operate straight away. They won’t change the default password. And any competent hacker who can get onto that wifi network, which is very easy, can take control of that point of sale device instantaneously.
So there are other ways that businesses can lose money, and these are other ways that insurance can pick up the bill. Cyber extortion there on the right hand side, and hacking crime; those are things that we’ll cover off in a moment. All very exciting stuff. Not very exciting for the business that’s been hacked.
Of course we look at denial of service or distributed denial of service; you might have heard DDoS. Again, this is where compromised laptops, internet of things, anything could be compromised with malware, malicious software or code. And these threat actors can actually bundle all these systems together, essentially, to put together what’s known as botnet agents. Think of it as kinda conducting many minions and driving their bandwidth or computing power at a URL or at a website, in the hope of bringing it down, or even as a precursor to a more serious attack and exposing vulnerabilities.
Does it really do much to you? Are you compromised in any way? Your system is, your computing power is, but it’s all part of a bigger fraud. Payment card scammers as well, really popular, becoming more prevalent, I should say, in Europe. It’s basically digital pickpocketing.
These guys are walking around with a machine attached to a giant battery, and they’re just literally skimming past your wallet and drawing all the information off of the various cards using the RFID feature on the cards. Yeah, that’s other ways. As Matt said, these guys are looking to harvest as much credential information as they can.
For a valid name and date of birth on the dark web, you could probably get 50 bucks without much hassle; credit card details even more. And this is what it’s all about. And web app attacks, yeah, really prevalent. We’re seeing the quality of these web app attacks becoming higher and higher with the advent of AI and machine learning.
What this really is, is that these things are so sophisticated that some of the traditional antivirus software or monitoring systems in your computer won’t even pick them up. So it will appear as though it’s perhaps a Microsoft update, a security update. It’ll look, it’ll smell, it’ll taste just like it, you’ll click on it, it’ll prompt you to enter your details just as you would, and then you’ve given away your login and your password.
And then that’s it. Then they’re in. So if we look now at a ransomware or extortion attempt, this is a screen grab from a group called Royal Ransom. What you find is that these threat actors, these groups, they’re like terrorist organizations. They’re synonymous. They want to be known.
The more sort of collateral that they can accumulate, the better chance they’ve got of getting their ransom paid. And I’ll show you what a ransom demand looks like in just a second. So you’ll hear me talk about Royal Ransom. You’ll hear me talk about BlackCat (ALPHV), LockBit.
All really prevalent hacking syndicates. So in this occasion here, this is what Employee X would’ve walked into in the morning: “Great, you’re reading this. You’ll have noticed by now that all of your critical data is encrypted.” And in some occasions they will not only encrypt the data, but they will exfiltrate the data, the information.
And that means that they’ll actually take some of that onto a leak page hosted on the dark web, and they’ll basically put a clock or a timer on that and say, if you don’t pay a ransom within 20 hours, this stuff goes live. And then the whole world can get to see all your juicy data, information, health records, payment information.
If you’re a legal firm, people get to see your juicy secrets, what you should have done, what you shouldn’t have done, all that kinda stuff. So yeah, they don’t just stop there. So these guys at Royal will make out or create the impression that they’re doing you a service. Actually, the gall of them is quite breathtaking: they’ll say, we’ve conducted this free pen test, this free penetration test, and you’ve failed.
And that’s the reason that you’re seeing this. But if you pay us a small fee or royalty or a commission, then we will issue you with a decryption tool and you’ll be able to decrypt all your data once more. And we can talk about questions at the end. Often I get asked, what’s the chances that these guys make good on their promise?
And the chances are very high, actually. 99.9% of the time they make good and they’ll offer you the decryption key. We can talk about that in a second.
So what happens next? They don’t just stop there. They will take control and send all staff emails from reception. They’ll escalate their administrative privileges to super users so they can change basically everything and anything in your system. They’ll go after your backups, they’ll encrypt your backups, or they’ll steal your backups.
Or they’ll bug them. So if you think, we’ve got great backups, they’re done every day or every three hours, think again, that’s not gonna work. We’ve often seen them even going after insurance documentation, and the next part of the conversation is, don’t try and mess with us. We see that you buy cyber insurance, we see you buy a $2 million cyber insurance limit.
You’ve got it with Emergence. So you’re not even having to pay this claim. You know the insurance company’s paying it. So what are you worried about? They’ll set off printer bombs. That’s not as dangerous or explosive as it sounds. What that means is, if they’ve got information like usernames, passwords, contracts of employment, bonus letters, things like that, they’ll just use the printers to ream those off.
Every printer in the building. You could have thousands and thousands of pages of very sensitive information and the ransom demand printed out for your employees to get their hands on, just to highlight that they’re not playing games. Phone calls as well. They’ll actually call you now.
You won’t talk to a machine. You’ll actually talk to the threat actor, or someone who’s been hired to conduct that call, and they’ll make it very clear that this is what we want. And don’t waste any time, you’re gonna give us what we want, or you’re in some serious trouble.
This little clip, this little box here on the right hand side, this is one that really just highlights how powerful these guys are. This was BlackCat. As it happens, Western Digital were hacked. And BlackCat hacked into the crisis call that Western Digital had on Teams to say, hey, we are in this call.
And to kinda humiliate them by saying, is this the best you can do? They’ve set up these guys to try and catch us, and we’ve managed to hack into their boardroom. Yeah, I think I’ve made that point. And just one more, then I’ll take a look at one with a decryptor price on it.
So this particular variant here was again the case that X amount of files had been compromised. And what guarantees? Some sarcastic kinda business jargon there. But ultimately the screen in the middle is split into two. That’s the decryptor price.
They’ve said in this occasion, you’ve got 16 hours and 16 minutes to pay this ransom, or it doubles. Here’s what we want. We want 25 Bitcoin, which at the time is about 200 grand. And if you don’t, then it doubles to 50 Bitcoin. Here’s the wallet address. So that QR code there is where they want you to send the crypto or to move the crypto, and then they’ll offer you a helpline.
Someone will answer, they’ll speak to you in 19 languages. And this really is a business, remember. And if you don’t know how to buy crypto or move crypto, then we’ve put some YouTube videos together to outline how you can do that, and so on and so forth. These guys even issued a tax invoice for the ransom payment, which was obviously ridiculous.
I note that they’ve got it GST free, so there you go. So yeah, I think we’re running a little bit low on time here, so I’m just gonna kinda race through a few of these slides. Ransom payment considerations. We can get into the questions at the end there. We never encourage our clients to pay ransom or to entertain that, but it really is up to them.
It depends what data you’re sitting on at the end of the day. Sometimes it’s in the interest of the business, and the interest of the business is customers and customers’ data, to pay a ransom. And other times it could be the difference between a business simply not being able to operate; they’ll lose out to their competition.
But here’s some of the ransom payment considerations that we have to look at. So it’s not something that we take lightly. We are fully aware that paying ransom is somehow, potentially, fuelling the problem. But like I said, every case works on its own merit. So how does insurance work, real quick then?
Yeah, I’ll just take the next couple of minutes to talk about how it really works. It’s actually very straightforward. Cyber insurance is often referred to as cyber liability. I don’t love that terminology because the liability component to cyber insurance is only very small.
That’s that middle section there, third party losses. This would be if someone was to sue you, your customers were to sue you, or if you had some sort of regulatory fine imposed by the Privacy Commissioner in New Zealand, the chances of which at this stage are very slim. Although if you look at what’s happening across in Australia, that’s almost certainly gonna change here.
And directors will absolutely be more on the hook for their personal liability as well. I would say first party loss as well, that’s really just the business interruption, and if you have a $200 million business and you are instantly hit, then you’re triggering millions a month of business interruption.
So that’s an impact to your revenue or increased cost of working. So that’s point one. Just the same as if your building was to burn down, you wouldn’t be able to operate. The BI would trigger exactly the same. Think of it as a digital fire in cyberspace. Reputational harm as well.
The insurance is designed to pick that up, and there’s various ways that our accounts forensics guys can work out what that looks like. And then ransom and extortion, of course, falls into that category. But section C, if you like, incident response costs, that’s really where two thirds of our claims costs are made up.
So that’s managing all of the internal and external noise, right? This is your public relations, lawyers, digital forensics, forensic IT, accounts forensics, yeah, you name it. If we have to get injunctions to suppress the press, then you know that all these costs add up. And the insurers are on the hook until, one, you’ve exhausted your policy limit, or two, until not only your trading IT systems are trading as normal, but your turnover has normalized as well.
So that picks up that reputational harm. And then just quickly, it doesn’t kinda stop there. You can of course tailor your insurance with some optional covers in here. We were about to increase some of these, as it happens, with the latest iteration of our offering. But yeah, contingent business interruption.
If you think about your business relying on an MSP or someone who’s handling your IT, and they were hacked and that somehow impacted your business, i.e. you were locked out of your own systems and so on, then that would be a contingent business interruption. Not to be confused with normal business interruption, if your business was hacked.
Criminal financial loss extensions. Yeah, we talk about social engineering theft. I don’t know if you guys are familiar with that terminology. That’s really defined as someone, however they’ve done it, manages to get into the system and they’ll alter or doctor an invoice so that they get paid rather than the intended recipient.
Construction companies paying hundreds of thousands, millions of dollars every week. Threat actor gets in, alters the invoice, and then the threat actor gets paid quite innocently by the person unwittingly in the company. So that’s social engineering theft. Similar, cyber theft.
They take control of account systems, push payments. There again, payments expected to be received into your business get intercepted and diverted the wrong way. And then you look at ID theft, telephone phreaking, cryptojacking, things like that. They’re all really systems based, where threat actors can get onto a telephone network.
Or cryptojacking actually is another one where a lot of businesses these days will use the computing power or cloud power for computing. Your $5,000 bill to whoever, Amazon or Google or whoever, suddenly becomes $50,000. So you could end up accumulating a debt to Google or Amazon or whoever you’re using that power, that bandwidth and space from, because someone’s got into your system and used that capacity to mine for crypto.
So it uses a lot of electricity and it uses a lot of computing bandwidth. So yeah, that’s cryptojacking. We’re actually starting to see that come alive again because of the debts that AWS and Microsoft Azure and all those guys are kinda calling in. Intangible property, yeah,
speaks for itself. Relief: if a system is bricked or is overwhelmed or stops working, then that can be recovered. So yeah, I’ll just finish off by saying, as I said in the beginning, I don’t like to think that as an insurance company we are imprudent in the sense that we’ll frighten you into these claim scenarios and then offer you the solution with the next hand.
What I like to think is that when we are bringing people onto the cyber insurance journey, we’ll advise them. There are a handful of things that you can do to make your business less appealing to threat actors. And some of these things are really easy to do or to turn on. With Code Blue,
I would expect we’d be doing a lot of these things for you in any case, but a lot don’t. Disabling macros, testing the backups, principle of least privilege, things like that. Does everyone in your business need the access to everything? If you’re only trading within New Zealand, or Australia and New Zealand, again, you could employ some geo blocking there.
There’s no reason why someone in Russia should be able to access your URL, and so on and so forth. Verbose logging, again, that’s where you turn up the logging on a system. Yeah, it uses a bit more bandwidth, a bit more power, but what it does is it more accurately records every single thing that’s happening in that system, so that when an accounts or IT forensics person gets in there, they can quickly verify exactly what’s been taken, stolen, compromised, where the threat actor was, what they’ve done,
whether it’s bogus or not, so on and so forth. Yeah, some of these are, when I’m dealing with insurance brokers, the insurance brokers mostly gravitate towards this slide because this is an honest sell. This is not really trying to frighten anyone. This is actually saying, within the next few years, insurers are gonna be expecting that everyone does all of these things, or you won’t be able to get cyber insurance.
The way that the losses are going and the claims are going, people are gonna need to lift their game, and as an obligation to your customers and your customers’ data. And then finally, as Matthew talked about there as well, then there’s the next level things you can do,
which can really enhance your cybersecurity posture, as we like to say in the industry. And it’s safe to say that if I was presented with a risk profile from a broker, you as a customer who has IT services from Code Blue, then I would definitely look at that risk profile more favourably because, one, you’ve clearly taken steps and taken your cybersecurity more seriously.
And then what do some of those steps look like? MDR, managed EDR, yeah, you’re definitely looking at premium relief there. Security information and event management, that’s your outsourcing and making more secure your logging and your systems information.
Security operations, pen testing, things like that. Yeah, these are all things that are gonna make you much, much less appealing to your average hacker, your average hacking organization. And so yeah, sorry that was a little bit rushed there, but managed to get there under half an hour, Will, you’ll be pleased.
But yeah, as you can tell, there’s a lot more to the cyber criminal world than meets the eye. And yeah, I’m grateful for you guys taking the time to listen to me kinda drone on for a little bit, and hopefully make you a bit more cyber security aware. So yeah, with that I’ll pass back to our moderator,
Mr. Will. I think you’re muted. Will, you’re still muted.
Nope. Nope. You’re still muted. Still muted. Never a great sign. Maybe we’ve been hacked.
Nothing.
Just give us a second, folks.
Nope, nothing. Have we got any questions that we can work on in the meantime, Matt?
Yeah, I was actually just looking at it. There are some questions in the chat. Somebody has actually asked for a link. I’ll just paste that link in the chat while Will manages to actually get in, because some people were not able to scan the QR code.
So I’ve actually just pasted the link to the QR code. There are some other questions. Going back to the impact: how do you figure the extreme, major or minor, like those dollar amounts? How do you come to these numbers? So Ben, I don’t know if you’re actually around, but basically the way to arrive at those numbers is up to the organization.
And this is where the risk appetite actually comes into the picture. If you are a 200 million organization, then you can actually say the extreme one is 20 million, which is 10%. There are no hard and fast rules. It is basically, you know what financial impact is extreme for your organization. It might be a million dollars, it might be 250K, it might be half a million, but whatever the case might be, you need to just sit down and then come up with those numbers for
financial impact. It’s not just financial impact as well. There could be other things like, if you have employees actually working in hazardous conditions, death or disability of employees as well adds into that risk impact as well. And environmental impacts, if you work in such an organization as well.
So all these kinds of things, you just need to think about what is it that your organization does, what is an extreme impact to your organization? And then just arrive at those numbers and definitions.
Okay. I’ve got a question here from Louise. So this is for Fraser. You said hackers would go after your backups. How do they do that? They’re really smart. They’re really switched on. And best practice of course is that not only do you have backups, but you have backups which are air gapped.
So that means the backups aren’t on your live system. So if that was the case, then the hackers wouldn’t be able to access your backups if they were air gapped, which is good practice to have. But unfortunately a lot of people who are just starting to take it more seriously will have backups and think, oh, that’s great.
We’ve got backups. What they’re overlooking is the harsh reality that when a hacker gets into the system, they’re in, they’re into everything. So it doesn’t really matter; they just treat a backup just the same way as they would treat a suite of credit card information.
It’s all gold for them. It’s all stuff that they can encrypt and use as a method to extort. So yeah, best practice: air gap your backups and have them backed up every day at least. And then hopefully you’ll have a fighting chance of being able to restore your systems from backups.
Like I said though, if they were to exfiltrate some of that data and it was sensitive enough, then it probably really wouldn’t matter how good your backups are, because you’re still on the hook for potentially sensitive information being leaked onto dark web or clear web leak hosting pages.
Hopefully that answers your question, Louise.
Mathew Jose: Yeah, just to expand on those ones. I think Code Blue has both the backups, so the standard one and the premium ones. The premium ones are actually air gapped. In case where you’re affected by ransomware and you have the premium one, then all of your backups are actually still all good.
Let me just scan through the Q and A. I think we’ve actually answered almost everything in the chat. So I’m just gonna go into the Q and A and scan. So there’s a question from Deepak: some of the impacts of the hack can take time to be realized or occur. What kind of durations do you cover to add up the total losses to be covered?
I think that’s one for you, Fraser.
Fraser Walker: Absolutely. I just didn’t realize that. I thought we were gonna be alerted to those. This is great. Some impacts of a hack could take time. You’re absolutely right, it can take time. In a hack environment, so we’ve seen, they don’t typically offer you much time. They want smash and grab, they want to apply pressure. Like I said, they’ve got printer bombs, they’ve got people phoning, and they’re contacting your first connections on LinkedIn and things like that. They tend not to give you a lot of time.
So that’s where, one, if you don’t have cyber insurance, then, you know, at executive level you’re gonna make a call really quickly whether you pay that ransom or not, what have you got going on. If you do have secure managed security service providers like Code Blue and the cyber insurer, then
in concert we can get to the bottom of it really quickly. Yeah, they don’t give you much time for a reason, and that’s so they can get something out of you. We’ve got ransomware negotiators, believe it or not, who are former Australian military intelligence and police.
And so these ransomware negotiators will actually do a fantastic job of getting in there and creating some diversion or decoy noise in the background to have these hacking groups at least think they’re gonna get something. If the hacking groups think, I’m gonna get something, I’ll hang in there, I’ll give you a bit longer.
But I would recommend against negotiating with a hacking group unless you are qualified and experienced to do that, ’cause one wrong move and they’ll just double it and double it. And we’ve seen insureds come to us almost in tears saying, look, we thought we could get caught with these guys and now they want three times as much.
We’ve really effed this up. First port of call: contact your cyber insurer and then your Code Blue guys and just kinda stop the bleeding. Hopefully, Deepak, that answered some of that; kind of went on a little bit there. There’s another question here: would removing cryptocurrencies remove the problem?
Yeah, absolutely it would. But the thing about crypto, just like the dark web, is it’s decentralized, so you’ve got no chance. You can’t remove it. You can bring down trading sites and trading platforms like Binance, or they’ll just reappear somewhere else.
There’s always somewhere in the world who’s happy to have crypto in the mix. That’s one of the reasons why this is so prevalent and can be so easily facilitated: the fact that it’s really difficult to track crypto. You can to a certain extent track it on the blockchain, but it’s much like money laundering; these guys will put the crypto through mixers so they’re mixing good with bad.
And again, very difficult to be able to pinpoint where crypto’s gone. And even if you do, they don’t use the reputable trading sites or trading platforms, they use the dodgy ones. So even if you could locate it, yeah, what are you gonna do? You’re going to reach out to some dodgy trading site.
You don’t know where they are, you don’t know where they’re based. And you’re gonna tell them, what, you’re law enforcement and can you put a hold on this particular, yeah. It’s just never gonna happen. So yeah, crypto is part of the problem here. The biggest part of the problem is that they continue to take these payments and rarely get caught.
Mathew Jose: Cool.
I don’t think we have any more questions. Hey guys, those of you who are actually attending, if you do have any questions, please pop them onto the Q and A.
Fraser Walker: This has been great. Thanks again for your time, guys. If you’ve got any questions, then reach out to any of the guys at Code Blue and you can get my details. We can have a more detailed chat, or if you’d like to involve me in conversations with your insurance broker, I’m happy to do that. As an intermediary, we trade with insurance brokers.
We’re like all insurance companies in the commercial space; you can’t buy insurance directly from us, yeah. Oh, we got Lisa, we got a question coming in from Lisa. No pressure, Lisa.
Yes, we do have cybersecurity training. We do have a thing which is actually called security awareness training and phishing triage. So what the service is all about is we will send you emails posing as the bad guys and then report on who clicked on what, when, and who viewed the educational content after.
The second part of the same thing is giving you a report button so that you can then start to report actual emails, legitimate or even suspected ones, to our security operations center. And we will be able to get back to you with whether it is a bad or good email.
So it’s two solutions bundled into one. It’s called security awareness training and phishing triage.
I think that’s an excellent point to make as well, Lisa. Through all the presentations that I get involved in and through all the horrible loss scenarios and experiences, often the simple things haven’t been adhered to.
And training your staff is paramount. It’s an unfortunate reality of the world these days that the staff just aren’t aware. And Emergence as well, post-loss and as part of onboarding as well, we can do some dark web and clear web monitoring to make sure that details aren’t getting out there or aren’t out there available.
Mathew Jose: Cool. And thank you, Aaron, for those kind words. It’s great to hear that the service is actually helping you with awareness.
I, we can’t hear you well now.
Cool. Hey, I don’t think there are any more questions. I’ll just give you 10 seconds for anybody who wants to have a last jab at any more questions.
Cool. It looks like there are no more questions. Hey, thank you guys all for attending. And thank you for your time, and like Fraser said, if you do have any questions, please do reach out to us with any follow ups. Reach out to your account managers if you are an existing Code Blue customer, or reach out to Will or myself if you want to know more about the risk cover package and so on and so forth.
Thank you very much.