So next up we have a panel. We're going to be talking about ransomware, and our panelists today are Stefan Berger and Florian Juergens. So come on up. Would you like to introduce yourselves? Go ahead and start,
Stef. Yes.
Hello, my name is Stefan Wittenberg. I'm the group CIO of Mau Bowings. We have had a cyber attack in 2019, in 2021, and a couple of times more, and I want to report a little bit about ransomware.
All right. My name is Florian Juergens. I'm the Chief Information Security Officer for the Vorwerk group. We are a producer and direct-selling company of household appliances like the kitchen machine Thermomix and our vacuum cleaner series.
Great. Welcome. So, happy to take questions from the floor and online.
I've also got a few questions to start with. Last year, reports of ransomware had dropped a little bit, in 2022, but that was expected to come back up this year.
Also, there's been an increase, as we might expect, in the average amounts asked for by the ransomware perpetrators. Even though many don't pay the ransom, some do, as we know. Do you think that the incident cost estimates are about right?
You know, some are saying the average ransom, or the average cost of recovery, is 1.5 to 1.8 million dollars. Does that sound about right for what's going on in industry right now?
I can start. To be honest, I think they are much higher. I know from a friend of mine who is CSO for a company with around 5,000 employees and 1 billion in revenue: they had a ransomware attack, and including the loss of production it cost them 15 to 30 million euros. So therefore I think the costs are much higher.
But it depends on how you calculate that: whether you include the loss of production, or just the restoring of the systems, including maybe employee costs for overtime or something like that. But I think they are higher.
Well, they must be higher.
Yeah, absolutely. We had a massive attack in 2019, so 95% was down, and we spent, I guess, three and a half million euros to come back online, and the hackers would have asked for four and a half million without negotiation. So it's much higher, I guess.
Yeah, that was part of my second question, about the soft costs of ransomware attacks. I know from friends and others who've told me that they have seen their companies experience sometimes 4, 6, 8 weeks of employees just being idle while things are rebuilt. So even though sometimes we see these numbers of a million and a half, I think the costs can be much higher than what is commonly reported.
One of the other questions we were going to deal with is the double extortion tactic, which is encrypting and threatening to leak information. In the olden days of ransomware, it would be just break in, encrypt the data, and then try to sell a decryption key to the victim. But now it's becoming more and more common, for the last year or two, that they would take the data and then also threaten to leak it. So do you think that tactic has changed the way companies respond to these kinds of threats?
I guess not. Many companies don't recognize that a cyber attack is the hardest thing a company could be hit by, and many companies are not well prepared, in my opinion.
And it's not a big thing if they leak data before they encrypt the data, when you're not prepared for a cyber attack, in my opinion.
Yes, exactly. The bigger problem for companies is not the loss of customer data, including reputation and maybe penalties due to the GDPR; it's that they cannot work any longer. This is the main problem. So even when some customer data has been stolen or leaked and the reputation might suffer, the problem is not that big for a company.
If you look back at the famous ransomware attacks, for example Sony: they have been hacked, everyone is still playing PlayStation, so in the end the customers don't care. Or, for example, Motel One, a very famous hotel company in Germany: they've lost I don't know how many terabytes of customer data, and what happened? I'm booked in a Motel One. So in the end, the customers don't really care.
They don't feel that uncomfortable about not using a service, as they still see a benefit. People are using Instagram, Facebook, and they know, okay, all my personal data is gone. They're installing nearly every smartphone app and giving access to personal data, bank accounts, your private pics; they don't care, if they can still play online games. So in the end, the loss of customer data for most companies is not that relevant compared to the loss of the ability to produce and sell their products.
Well, one thing I had thought about is, okay, let's say again the way they used to do it: just encrypt the data, sell a decryption key to the victim. But if they take your data and then threaten to leak it,
can you trust these bad guys to actually delete the data? I'd also read about some of these ransomware criminal gangs sharing resources.
So they have the opportunity. A rival gang could potentially read this data and then come back and double-ransom you, just because one gang says, okay, we'll delete the data, but they don't really delete it. And then others have the opportunity to blackmail that company.
Again, in my view, that says the best thing you can do is do everything you can to prevent it in the first place, because you can't trust these criminals to actually honor their word and delete the data or give you a working key. So that's what makes this particularly sinister, I think.
Yeah,
Yeah. Everything said, there's still one point for paying a ransom if you don't have any other possibilities: if your backups have been encrypted and the alternative is to close down the whole company. Okay? But on the other side, you still have a lot of points why you shouldn't pay. First of all, the people you are talking to are not trustworthy. So maybe they won't give you the key to decrypt your data. Now maybe someone will say yes, but that's their business model. Okay. And then they'll change their name and come back next week under another name.
So we would recognize that. On the other side, you will be getting on a list of names of companies who are willing to pay, which might be interesting for other attackers. And last but not least, and this is my major point, you still need to rebuild your whole infrastructure. So even if you get your data back, it's not that you just type in the password, decrypt all your data and, okay, let's go back to work, they are gone, they won't come back, everything is fine.
No, you still need to rebuild all your infrastructure,
But the most common way is that companies which pay do exactly that. So I know they don't care about
I know, yeah.
rebuilding and closing the gaps and recapping why it happened. So they're going back to business in two days.
Yes, and they're happy. And that's the biggest problem.
We rebuilt the whole infrastructure and the complete IT and security for three and a half years after our first attack, and the second attack was hard again, but in the rebuild phase we had the opportunity to see a zero trust environment. The first time, we had nine weeks without working, or not normal working, and the second cyber attack was handled completely in 48 hours, with everything.
And that's when you train your people and your organization to face a cyber attack, which takes all of the company, I guess. Sometimes, the more you are prepared, then it's not a big deal for a company to face a cyber attack. And then you don't have to pay, and the costs are not that high.
So, you had a question?
Yes, sure. Some experts believe that you should not pay ransom at any cost, and even put it in your policies and publicly announce it, and use it as a deterrent action, like: we don't pay ransom at any cost.
Do you support this idea or no?
Yes, absolutely. I think you don't need to put it in a policy, but what you need to do, as a person responsible for information security, is talk to your top management about that. We did that in a tabletop exercise. There was the question in the room: okay, what are we going to do? And our top management said, we are not going to pay a ransom, end of discussion. And this was extremely helpful for us, because now we know, in a situation which hopefully will never appear, that we are not going to pay.
You need to think about these things before. There are still some questions you need to think about beforehand, and you need to find some answers for them. But of course the decision is always related to the respective scenario.
Yeah, you should. We have the same policy, as we have been hit. My boss said we don't pay. But if you're sitting in the crisis management team after six days without working, and the pressure getting higher and higher, you have slightly different thoughts about paying ransom or not.
So it depends on the company, it depends on the policy situation you have. And if I am the CEO of a hospital and I have to care about lives, then eventually I think about paying and then rebuilding. So it depends a little bit on the situation you have.
But I think, okay, of course you should pay, but then you should quit your job, because you were extremely bad at your job and you should not work any longer, because you missed a lot of essential points in your preventive study.
I'm talking about someone who's responsible for lives, working in a hospital, not at a company. But therefore you should quit your job and you should not work any longer in this environment.
From that perspective, absolutely right. And you can do a lot of prevention beforehand, but it's not only prevention, I guess, that we should take care about. Detection and response is also a critical thing.
When you are responsible for cybersecurity, you should not only pay attention to preventing, protecting the company and closing all gaps and doing everything; you should also see when the hackers are coming and they're inside the system. There are so many zero-days and hacks they can use, and you should be aware that they're there and they're using them, and you should find them, and then you should know what to do to close the gaps and to come back to normal work.
And from my point of view, I speak a lot with my colleagues, and some colleagues say, yeah, all fine, we have firewalls, we have IDS/IPS. And then I say, okay, how does your emergency planning look, and how is the documentation of the systems? And then they say, oh, that we don't have. And how many days have you trained for a cyber attack in the real world? And then you find a lot of people who say never.
And that's how often you train for a cyber attack in a company. When you have routine in that, then you are coming through that point of a cyber attack easily and trained, and you don't have to pay.
Yeah, I
totally agree, but at least in case of prevention, you should take care of ransomware-resistant backups. You should make sure that your backups are protected and secure against ransomware.
Absolutely.
Yeah. And then you still have the possibility to restore in a new environment. You can still work.
So I'll make this point really quickly. I was looking at a Sophos report: about 97% of organizations that had their data encrypted got it back if they paid the ransom. And the same Sophos report said backup use has declined, and we're just talking about backups.
Does this sound like organizations are kind of letting their guard down then? It does to me.
I think we already answered that, because from my perspective they're not trustworthy, they're criminals.
So okay, they get their data back, fine, but they still need to rebuild the whole infrastructure. So you pay a lot of money and still have to do the work. Okay. Congratulations.
Hi. In America, the board of directors is very involved in these ransomware-related decisions, whether you would pay the ransom or not. In Europe, let's say in your cases here, is your board of directors involved in that? And my second question, if I could, is: do you have any budget constraint in terms of what type of tools you use to protect you from ransomware or mitigate the risk?
I see in the United States the budget doesn't seem to be unusual as long as you can really mitigate the risk, because the board is involved, and for publicly traded companies you see that there's a company called Clorox, a very large Fortune 500 company; their revenue was down 20% because of the disruption of the services that Florian talked about earlier. So I'm curious about the differences between the US and Europe. Thanks.
I guess it doesn't depend on whether it's in the US or not.
If you see the Boeing case, that's a US company, they also had data leakage and the board is involved in a cyber attack. So from my personal opinion, yes, every time you have a cyber attack in the company, as I have had; I reported directly to the CEO, and in a case when you have an incident, then money doesn't matter. You pay everything so that you come through. Afterwards, after we rebuilt it, money also played no part in any decision.
So once you have had a cyber attack, in my case, the question is how much money you would spend in that case. But also when you are prepared, and you train it, and you discuss emergency planning and do that, then it's all fine. And not every action costs money, and it's not a tool that you're using.
It's much more organizational things. So how can the departments in your company work without IT for four days, or two days, or however many days you define? We have defined 10 days without IT, and we train it every half year, and then every department has to fill out a checklist that they have everything which we have learned. So we are prepared for 10 days, and after 10 days I should be ready with my IT to be back online.
And those trainings cost no money.
That's good.
We don't get it in 10 days.
Does anybody else have any other questions? Any parting thoughts from you guys? Another question? Oh, sorry.
You mentioned that you, or your company, have been a victim of cyber attacks. Were you able to figure out the root cause of the attack, like compromised passwords, a breached VPN, or whatsoever?
Yeah,
For each cyber attack? Yes. The first one was an Excel spreadsheet with an Excel macro, and the user had local admin rights, so that's the typical case. The second cyber attack was a CVE on a SharePoint site that was exploited, for which we hadn't done the patch management. And the colleague before said the core is important:
Patching, patching, patching. Which I also say, yes, that's right. And we made a lot of mistakes in configuration and system management and security management before, but I guess we have learned a lot, and we are now much better than before, and we do that in much more automated ways, also using AI and super cool tools for security. But basically it's an organizational thing. It has to be the major key point in your IT cybersecurity protection.
It's very often a combination of local admin rights and unpatched systems.
99% I guess. Yes.
Yeah, that's another question.
Not too sure if you're able to answer or not, but out of curiosity, everyone says the cybersecurity budget after a breach is much larger than before the breach. And you just mentioned that you made a lot of mistakes inside the company before the breach in terms of system configuration and so on. Do you think that's true in your case as well? Like, the budget was much larger than before and you were able to significantly improve security also based on that?
Yeah, so we have now 30% more IT security budget, but we do a lot of artificial intelligence stuff, and that's really expensive software. And we had a lot of cybersecurity tools and configurations before, but nobody took care of controlling the settings and doing pen testing, and so on. Yes. And it's really hard to follow that. It's not only that you install a firewall and you have your parameters and your settings, and then keep that for years and everything is fine. Cybersecurity needs action every week.
And many forget that. They install a firewall, they install a Defender or XDR tool, and then everything is fine. You have to control everything. You have to reorganize the security every week and every day, every hour.
And that's the point: you don't just install tools and everything is fine. You have to configure and control it. And that's a circle of security matters that come up every day.
And this is such an important point. Companies don't need additional tools. Definitely not. They need to use the tools they already have. Correct.
They need to check the configuration, they need to involve the experts for the tool to check, they need to have a look at audit findings, but they don't need any additional cybersecurity whatever tool. Use the tools you already have in place, and use them the way the vendor wants you to use them.
I would say if you have too many tools, then it's also too complex to manage. Strip it down to the basic stuff. Take care that 100% of the tools you have are working fine, but don't take on tools and tools and tools and tools. Nobody can control the tools.
Yeah.
You don't need three or four dashboards. Nobody will look at them. And you don't need log files and lists of findings and stuff like that. No one can control that. Yep.
Correct.
Well great.
Thank you.