Bjarke Alling, Epical Group, Communicating Cyber Risk, KuppingerCole

So yeah, welcome and welcome to all of you also watching online and probably also welcome to you that will see this session taking place at a later point and seeing the recorded session. So yes, correct. I will speak a little bit about how we actually communicate and I will give you some examples of things that I believe we need to change in a world that has a lot of technology, but also, in a sense, is explaining to our management how we actually cope with risks. So that's the theme.
So very, and I need someone, the famous, ah, now it's also working. Wonderful. So just very briefly, who am I? I have been in the Danish National Cyber Security Council for four years. I did chair that. I worked in that space. I've been with the Danish ICT Business Association also for a range of years, especially co-chairing the Cyber Security Committee, but also working in all sorts of advisory levels and interfacing with governments. I've been co-founder and running a cyber security software company.
And now I'm principal advisor with the Swedish-Finnish consulting company, where we are focusing mainly on, you know, the big Swedish classic manufacturing companies like, you know, a lot of those, Scania, Volvo, Husqvarna, Sandvik and others. And I've been in the business for, I would say, as you can see from the image, for quite a lot of years. This is in '99. That was when the Internet was invented. It was a funny time actually coming to discussing also cyber security. I think we learned a lot about that. Even at that time security was a problem.
And of course, also that the people got defaced and hacked and all that stuff. So, but to the topic of today, I would say that this is a common thing. We believe that cyber security is actually annoying. And no one, you know, when we go to work in the morning, especially when you're in the management layer, you don't think about, could I get a new firewall?
No, you're thinking about, you know, things that can improve your business in a lot of areas. This quote here is only a few months old. It's actually the Danish minister for the area. He is the one that is responsible for the implementation of the NIS2 legislation in Denmark. And he said that in a conference with the Danish standards and discussing NIS2.
So, we are already there addressing one of the main issues on the communication is that this is not something we really want. We want digitization. We want customer satisfaction. We want new ERP systems that can gain efficiency, a web shop. God knows what we want. We want better production management systems. But a firewall, you know, we bought that one last year or two years ago. Can't we continue or we got all that nice network, blah, blah, blah.
So, that's one of the things. That's one of our issues.
But, and even you could say that, what are the management measured on? Are they measured on cybersecurity? Are they measured on the key performance indicators for their business areas?
So, it's kind of where we begin. The problem is, and this is the, I'll just give you a hint when you start the small animation, but this is a Tor browser. How many of you are running a Tor browser? That's a few. That's good. Because this is kind of the viewpoint. This is the glass ball in which we can look into the dark net. And what I want to show you here, if you just turn on the animation there. Can I click that cell? Maybe it's running.
Oh, that was not what. Can you click it?
Oh, now it's running. Good. It's only a few minutes.
So, download the Tor browser. And what you will do, there it is. Perfect.
So, this is a Wikipedia internally on this, what is called onion websites. These are the dark net addresses. Immediately, I find, this took me less than an hour to do. Immediately, I find sites where you have all these leak sites. That's where the data, this is the data we're talking about. That is what the risk is.
Well, of course, I could also buy some funny stuff. I don't recommend you doing it, but it took 10 minutes to find.
Ah, maybe a passport. No problem. You get that. Here are all the ransomware groups.
You know, okay, what I'm looking for. I can go on.
Okay, there's a few ones there, probably names that you have heard about. People are always talking about.
So, now we're into one of the ransomware groups. This ransomware group here, they have nice archives.
You know, what kind of stuff do you like to download? No problem. Just go on, whatever website, whatever company, data of all sorts. And this goes on. This is a guy from some Swedish data.
So, and the guy down here, he says, well, I want to buy that database. That's very convenient.
Going on, there is some Forex, you know, the exchange company. God knows what. It just goes on and on and on. And actually, the next one here, yeah, this is Everest. This is more flashy website, I would say. You will see down here in a second that we, well, there's 14 pages of stuff you can just get. These are leaked. This is data. This is real. This is the real world. This is where things go. Another one. There will be a few more, and then we will just wrap this very short intro into India, China, Thailand, et cetera, et cetera. The good news here is this one.
At least sometimes authorities manage to take down these websites. I just gave you here is that very, very short insight into how easy it is actually to buy data.
So, the question is, 79% of businesses tell us that they could actually have been avoided. So, why don't we do it? What is the foundation of this problem? Why don't we implement stuff that we already knew we could have implemented? I think some of the things come to, this number, by the way, comes from an OpenText report.
So, that's the background that I have found. I've been searching for that. Have any of you, maybe some of you analysts, had an insight into where that number could come from? I would be very interested in knowing it. I think it's very relevant. But the thing is, I think we do a lot of that from an IT professional point of view. We do that ourselves. We can blame ourselves.
So, the first thing we're doing is that we're using a rhetoric. I put in here three examples. I think you all know them. Someone clicked the wrong link. It was a very sophisticated attack. Bandits broke into our system.
So, what do these things say? It tells us that we, more or less, don't take responsibility ourselves. And what is even worse by using these kinds of wordings is that we also give our own management a reason to push away the responsibility. Someone clicked the wrong link.
No, the answer should obviously have been someone clicked the link that our protection system did not manage to do because something did not work in the way that we expected. That was very unfortunate.
Of course, things can happen. But telling people, regular users, that 90% of the day they click on the links that they expect to do, and then sometimes they don't click on links. What on earth? How can you blame them for just doing what they are supposed to be doing? Or a sophisticated attack that caused that you would automatically say, I had no choice. That was something that just happened to us. Or bandits. I heard that. There was a hotel manager that had been, where their booking system was under a ransom attack.
When I hear words like bandits, for me it's an association to a cartoon or a western movie. So, you downplay that role. Think about a conversation with a doctor where you get a serious diagnosis and you were downplayed.
Ah, yeah, yeah, go home and get a painkiller. Your cancer will be gone tomorrow. Fortunately enough, that's not what doctors are doing. They would help us. They would explain to us in a language we understand, but they will be transparent and for the severity. Another area that I have been working on for quite a long time, we are speaking about security. And what is security actually? I think it's very individual.
So, when we go and speak to management and say we have a security issue, how do they receive this kind of wording? I think for people that have families, that have kids, immediately we start thinking about very different things on the world of security. While I would think about communicating and outlining to a board, we are speaking about cyber protection. How do we protect our company? This is a small change, but it can be important. And actually, if you are protected, then you are secure.
And then, of course, comes something even worse. Risk. We heard that many times throughout the last two days. We heard that on panel discussions. The way that risk is conveyed to management. How do we actually convey risk? And with the NIS2 regulation, it is absolutely mandatory component that we work with risk. But I think when we come to discussions, and I don't know, we are the people here. How many of you are working regularly on risk assessments on cyber areas? There's a few, which is good. But I have been in a few engagements with very large clients and asking them for their work.
And not necessarily. So, this is not sizzling stone. But if you don't know the risk, then you don't know how to act.
So, a few things, just sample things of risk. 80% of all breaches are related to lost passwords. We know that it's about €170.
If a data, PII data, confidential data is lost, we know that AI, when we use AI, there's probably in our business, there's a lot of dark data. What is that data containing of? What is the risk there? We can discuss theft, intellectual property. I just show that also the dark net. It's very easy to obtain that information. And we could go and discuss all the industrial network and the supply chain in OT networks.
So, I think we have a lot of areas where we could discuss risk. And we need to measure this risk and put that into perspective and start to understand and cope with that in ways that especially the NIS2 is requiring. I have a few here. These are numbers from Gartner and the Ponemon Institute and other sources. Another area, I think, is also hitting us. This is change. Although we come into an organization, we see issues, we try to drive change, but we also are receiving this fierce opposition that we don't want to have that, we don't want to have these things happen.
I think that's also a part of the way we can work both with management, but also using management to get the acceptance of what we're trying to achieve. So, it's quite common that we see this.
So, my suggestion here is to think way more about how you internally work on your standards and policies. This is not an IT security policy, but these are also policies for way more. The more you can put into policies and you can get your policies approved upstream by management, then you get the leverage to conduct the change. It's also most often easier for your co-workers and other branches to accept, okay, this is a standard decided in the company, this is how we do it, this is the policy. We work by that policy and policies do not have to be technology detailed.
They can be more agnostic in many, many ways. So, I think for that, it's very important to think about, because you can implement what we see from a technology point of view, a risk point of view, we can implement that by doing our policies. And then we can work with the change that is needed, and therefore we hopefully can avoid the opposition from co-workers and other business areas. Then comes something very different. I mentioned now risk.
But the thing with risk, this is why, when I saw this documentary, this is from a documentary on the US government, mainly working on large foreign policy issues throughout 20 years. But I heard Samantha Power saying this.
So, there's a tendency in government, if you can't provide a principle with a remedy, what good does it do to provide him with the documentation of the nature of the problem? When I heard her saying that, I said, OK, this is something I need to grasp, because this is the traffic light system we all know from ISO. We are only talking about risk potential consequence, but we do not provide sufficient remedy. I know if we look into the standards, they will talk about mitigation also.
But I think it is, we heard that in the panel on Tuesday morning, a board member doesn't want to have the long story on all the risk problems and all those things. They want to have, OK, what do I do about it? And if you put that in this context, and that guy sitting there, imagining that he just got all the, oh, there's a lot of risk, what on earth should he be doing with that? He has to understand how can I act on it? What could the potential consequences be? What are the pros and cons, scenarios, options, et cetera?
And I think this is something we really have to bring back and start thinking about. When we convey this to a board, we must convey also the remedy.
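The following is an added example of the point just made, that a risk should never reach a board without its remedy; it is not code from the speaker, from Epical Group or from KuppingerCole. It is a small risk register in Python in which an entry is rejected unless it carries at least one remedy, each risk gets an ISO-style traffic-light rating from a 1 to 5 likelihood and impact scale, and the remedies are compared by residual expected loss plus their cost so the summary can say what to do, not only what the problem is. The likelihood-to-probability table, the traffic-light thresholds, the remedy names and every figure in the sample register are constructed assumptions for illustration; the EUR 170 figure is an assumed per-record reading of the number cited in the talk.

```python
"""Risk register whose entries are only board-ready when they carry a remedy.

Added example, not the speaker's or KuppingerCole's code. The probability
table, traffic-light thresholds and all sample figures are constructed.
"""
from dataclasses import dataclass, field

# Assumed mapping from a 1..5 likelihood band to an annual probability.
LIKELIHOOD_PROBABILITY = {1: 0.05, 2: 0.15, 3: 0.35, 4: 0.60, 5: 0.85}


def traffic_light(likelihood: int, impact: int) -> str:
    """Map a likelihood/impact pair to a red/amber/green band (assumed thresholds)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    score = likelihood * impact
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


@dataclass(frozen=True)
class Remedy:
    """A concrete option the board can decide on, with the risk left after it."""
    name: str
    annual_cost_eur: float
    residual_likelihood: int
    residual_impact: int


@dataclass
class Risk:
    title: str
    likelihood: int
    impact: int
    loss_if_realised_eur: float
    remedies: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # A problem documented without a remedy is not actionable, so the
        # register refuses to hold such an entry at all.
        if not self.remedies:
            raise ValueError(f"risk {self.title!r} has no remedy and is not board-ready")
        traffic_light(self.likelihood, self.impact)  # validates both scales

    def rating(self) -> str:
        return traffic_light(self.likelihood, self.impact)

    def expected_annual_loss(self) -> float:
        return LIKELIHOOD_PROBABILITY[self.likelihood] * self.loss_if_realised_eur

    def residual_annual_loss(self, remedy: Remedy) -> float:
        """Expected loss after the remedy: lower probability, loss scaled by impact."""
        scale = remedy.residual_impact / self.impact
        return LIKELIHOOD_PROBABILITY[remedy.residual_likelihood] * self.loss_if_realised_eur * scale

    def recommended_remedy(self) -> Remedy:
        """The option with the lowest residual loss plus cost of the remedy itself."""
        return min(self.remedies, key=lambda r: self.residual_annual_loss(r) + r.annual_cost_eur)


def board_summary(risks: list) -> list:
    """One row per risk: rating, exposure, recommended remedy and residual rating.

    Sorted red before amber before green, then by exposure, so the first row is
    the one the board must decide on first.
    """
    order = {"red": 0, "amber": 1, "green": 2}
    rows = []
    for risk in risks:
        remedy = risk.recommended_remedy()
        rows.append({
            "risk": risk.title,
            "rating": risk.rating(),
            "expected_annual_loss_eur": round(risk.expected_annual_loss(), 2),
            "remedy": remedy.name,
            "remedy_cost_eur": remedy.annual_cost_eur,
            "residual_rating": traffic_light(remedy.residual_likelihood, remedy.residual_impact),
            "residual_annual_loss_eur": round(risk.residual_annual_loss(remedy), 2),
        })
    rows.sort(key=lambda r: (order[r["rating"]], -r["expected_annual_loss_eur"]))
    return rows


# Constructed sample register; the figures are illustrative, not from any report.
SAMPLE_RISKS = [
    Risk(
        title="Account takeover through reused or phished passwords",
        likelihood=4, impact=4, loss_if_realised_eur=500_000,
        remedies=[
            Remedy("Phishing-resistant MFA for all staff", 20_000, 2, 4),
            Remedy("Stricter password policy only", 2_000, 3, 4),
        ],
    ),
    Risk(
        title="Leak of 10,000 customer PII records",
        # EUR 170 per record is an assumed reading of the figure cited in the talk.
        likelihood=3, impact=4, loss_if_realised_eur=10_000 * 170,
        remedies=[
            Remedy("Encrypt PII at rest and quarterly access reviews", 60_000, 2, 2),
            Remedy("Data loss prevention on all egress channels", 150_000, 1, 2),
        ],
    ),
]

if __name__ == "__main__":
    for row in board_summary(SAMPLE_RISKS):
        print(row)
```

Running it prints two rows. The first risk is red and stays amber even after the recommended MFA remedy, which is exactly the kind of honest residual picture the talk asks for; the second drops from amber to green with the cheaper of its two options, because the more expensive one buys less residual reduction than it costs.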
Yes, so I would say a few things here. Rhetoric, risk, remedy brings us to resilience. And I've seen also that there are resilience talks, other talks here on the agenda also today. I think that's where we want to go. Protection and resilience. We want to be able to do stuff that is not just avoiding things to happen, but really on long term makes us more robust. Cyber robustness is also a word.
Lastly, just a small advertisement. You can pick that up in the slide deck. I've done a few blog posts on the same subjects here the last few months. And I would say if we don't act, others will act, but against our interest. And I think that's also what I just showed with the video there, the short dark web stuff. That is what the thing is going on now. It's just not ransom. So we need to protect our environment. Otherwise our stuff would be out there for sale. And I think that's not what we want to do. So with that, I will say just thank you.
And potentially any questions, I will have a few minutes I can see here.

First, a big thank you. And please, if there are any questions from the audience, I can come to you with a microphone. Last call for virtual audience members.
If not, then please keep up the conversation with Bjarke afterwards. And thank you very much. Thank you.