Smart Talks With IBM: A Changing Cybersecurity Landscape

Jul 14, 2020, 46 min

Episode description

While the world struggles with the chaotic realities of COVID-19, cybercriminals are pouncing. In this episode of Tech Stuff, Jonathan Strickland chats with Wendi Whitmore, VP of IBM Security X-Force Threat Intelligence, and Allison Ritter, Program Leader, IBM Security Command Center, about how they are helping businesses stay prepared and resilient within a rapidly evolving threat landscape.

Transcript

Speaker 1

In this episode, we're going to cover a topic that all too often only gets attention when something goes horribly wrong. That is cybersecurity. And before we get into the interview, let me hit you with some facts. In the United States, the cost a company incurs in the wake of a data breach has been on the rise. According to the Ponemon Institute, costs have increased by one hundred thirty percent

since two thousand and six. So a data breach that would set a company back three point five to four million dollars in two thousand and six would cost eight point one nine million dollars in twenty nineteen. A single compromised record costs one hundred and fifty dollars on average, and that's just the average. For some companies, like those in healthcare, the cost can be much higher due to the nature of the data. The report found that more than half of data breaches come as the result of

a malicious attack. And one important thing to keep in mind about this report is that it was for twenty nineteen. We are in a different environment today with more potential attack vectors, and while the tricks of the trade haven't changed much over the years, the number of opportunities for

attack are on the rise now. With all that in mind, I sat down virtually speaking, we were all remotely isolated, with Wendi Whitmore, VP IBM Security X-Force Threat Intelligence, and Allison Ritter, program leader at IBM Security Command Center. We talked about the challenges that companies face today as our concept of the workplace is changing, and how companies can best prepare themselves for the worst day ever. Here's our conversation. I think we can get the obvious out

of the way. We can state that a priority for any business in the twenty first century needs to be on cybersecurity. That is pretty obvious. But what has become more complicated, I would think, would be this shift we're seeing now that we're in an era of let's say, momentous events where we've seen a real move to decentralization. A lot of people are working from home and that's kind of changed the nature of business. Has that impacted sort of the focus of cyber threats as well? Are

we seeing changes in that realm? Wendi? Yes, I would say we absolutely are. You know, the good news, though, is it hasn't shifted in terms of such new and novel types of attack techniques. But I think what's really shifted is the volume of attacks as well as the frequency,

and then the attack surface. So when I say attack surface, you know what I mean is there are millions of more computers that are now connecting from remote locations into devices and applications and systems that previously were within the same network. So that gives the attackers a bigger attack surface from the external side of that, right, all these new systems that were online that are no longer behind

these firewalls. But then also it opens the corporate entities to potentially more of an attack surface because of the fact that they might have overnight, you know, enabled the ability for their workers to work remotely, and perhaps they don't have the right types of authentication or enough authentication on their systems where these attackers can take advantage of, but ultimately where their users need to connect to do business and to do their work on a daily basis.

And we've definitely seen issues in the past where even within these well protected systems, we can see failures. Often I argue in tech stuff that the weakest link in a company's cybersecurity process often isn't necessarily the technology. It can be the implementation of that technology, but it often falls to a weak link in the use of

that technology. So user error, you could argue, I think leads to a lot of those. I imagine that this decentralized approach has created enormous opportunities to exploit that because people are having to navigate a new workspace, they're having to access systems in ways that they haven't before. That, as you say, are a little, a step outside of the immediate control of a lot of these businesses.

So can you talk a bit about sort of the nature of that, Like this attack surface, what are the sort of attacks that you typically see, what's kind of the nature of it? Well, okay, so let's take that question from a couple of different angles, right. So, one is just the ability to exploit human error, which we are all going to be prone to do. Right, So, if you're looking at it from the attacker perspective, they're kind of saying, hey, great, look at this. There's all

this chaos going on in the world right now. There's new ways of working. But people who are now working remotely that maybe didn't before are also doing things like checking their email more regularly and they're checking social media sources and news sources because they want to know what are the local regulations where I live, what's the current counts in terms of how many people are being infected. And so since March we have seen a six thousand

percent increase in spam related to COVID nineteen. So that's coming into users directly, so maybe your personal email accounts, but it's also coming into work email accounts unfortunately. And each one of those systems that I mentioned that previously used to be inside of a network and is now not may or may not have the same types of personal protections on it, right in forms of firewalls and antivirus and endpoint detection that it had when it was

on the interior of their network. And so from that perspective, human error and humans are always going to be a huge part of the attack surface, right, So we've all got that, you know, as if we don't have enough things to be concerned about right now, we're going to

add that to the list. And then as the pandemic has shifted and as it continues to go on, there is obviously a huge influence on testing, on vaccine research, on the development of a vaccine and processes and procedures that are all going to make all of us more secure, and so now you not only have those. When we talk about spam, we're often talking about cyber criminals, right who are financially motivated looking to steal information, maybe looking

to conduct ransomware attacks. But when we shift over to the vaccine research and the testing, we're then really looking at nation state actors who are looking to capitalize on the theft of intellectual property and make sure that they can protect their citizens and potentially turn that research into financial gain as well. So it's a pretty tumultuous environment

right now. I mentioned that the attacks themselves are not necessarily all that new and novel or exciting, but the volume of them, and combined with the increase of attack surface as well as just the general day to day chaos, has made it a pretty interesting environment to say the least. Yes, I think interesting is a great word for it. It's one of those nice catch-alls. In your work, Wendi, have you noticed any particular sectors or industries that are

particularly being targeted by cyber attacks in this era? Right now, we're absolutely concerned about critical infrastructure, and when I say that though, that's kind of a big list, right, of organizations. So that's everything from the obvious like hospitals who are providing healthcare to people who are sick. It's the medical insurers, it's the whole infrastructure and ecosystem on the medical side.

It's also financial services industry, and their supporting infrastructure and supply chain as well as energy and oil and gas and really any of these organizations. It could also be food supply chain, right? All of those things that we need now to work perfectly more than ever are also potentially at risk. And so what we look at and what we're concerned about most are ransomware attacks to those

type of organizations. We know the continual targeting and theft of intellectual property will go on as it always has. But if we can stop some of these major ransomware breaches from being effective and from stopping business for our clients,

that's really what we're concerned about helping out with. I think one of the things we've learned, we being sort of the layman, I include myself in this, in the wake of this pandemic, is how incredibly interconnected all these different pieces are, and if you do put yourself in the mind of someone who is attempting to exploit the chaos, then you can think, well, then you want to target whatever links appear to be the most vulnerable at any given time. And this kind of brings us

over into something that I wanted to speak with Allison about. Allison, you have a pretty cool job in that you help architect scenarios for companies so that they can have a simulated cyber threat attack, sort of a worst day ever scenario. Can you talk a little bit about what that's all about and what goes into planning this sort of thing? Yeah, so having a well tested and really thought out plan is key to any incident response piece that you'd be

working on with in a company. So where I work is really working on creating custom scenarios for organizations to go through and handle. Really a day in the life of a cybersecurity attack, something that would go on. It is really, like you said, your worst day that could possibly happen within an organization. A plan is really only part of the solution, So you also need to find out if your company is ready and able to execute and work through that plan. And that's where my team

comes in. With helping to test out that plan within your organization. We run a fully immersive and gamified cyber range as part of IBM Security Command Centers. Within the command centers, we test and train companies in order to practice their response to a cybersecurity attack. Now, when I say test, it's not just reading through your plan and answering questions. We put your plan into action by throwing your entire response into a full on simulation of a

cyber attack. The most effective response plans that we found are really tested and rehearsed multiple times through different types of attack scenarios. So, for example, you could be testing a ransomware response, DDoS attack in threats. All of these areas are important to test and train when dealing and

handling a cyber attack. And you know a lot of people think that these are technical responses, that this is something that you know, it's really for your security operation centers, your IT areas, but actually, as cyber response plans are best executed by the whole of business response, So dealing with individuals from human resources, communications, finance, legal, all of those individuals come into play when handling the cyber attack. So we work with all of those within the cyber range.

That's absolutely fascinating. And as you point out, like I think a lot of us think of cyber attacks and the response to them in very Hollywood terms, just because the way the media tends to portray this sort of stuff, where you have the people just furiously typing, maybe two people typing on the same keyboard, which we all know works incredibly well, that clearly is not an accurate representation

of what actually happens. And I'm sure there are a lot of people out there listening who are working in their IT departments, perhaps they are leaders in their IT departments, and maybe they're thinking about this for the first time. So do you have any thoughts about even just the process of getting started and building a response plan? How does someone go about doing that? Yeah, that's a great question.

I think a lot of organizations have, and I think at times they can feel overwhelmed on where do I start? You know, I don't know how to get started. It's this huge thing, and you know, to be honest, what we see is there's still three quarters of organizations that don't actually have a plan in place, so no incident response plan, no playbooks on specifically, how do we

respond to a certain kind of attack. So first and foremost, put it on paper, right, start somewhere, Start with names of your personnel, their contact information, their email addresses, and their roles, and literally start there, and then from there start looking to build out different components right of the organization, so cross functional departments, who they're, who those leaders are, what applications are responsible for, and really getting an understanding

of what roles and responsibilities different team members are going to play. Then, as we look at organizations that are more advanced, what we would encourage them to do is certainly to have specific playbooks for certain activities, right, so a ransomware playbook, a theft of intellectual property playbook, any type of things along those lines. And then once you have those in place, then we look at testing them. So

increasing the frequency of testing them. If you can be testing quarterly at least one of those scenarios, your organization is going to then identify where the gaps are. And if you can do that in advance of an attack or doing it for you, you're going to be much better prepared to respond effectively to an attack. I imagine part of that also comes into how you communicate this

both internally and then externally. We've probably, I'm sure, we could all list off examples in the past of companies that have had a data breach, for example, and kept that quiet for maybe up to a year before news breaks. And honestly, I feel that the longer that goes, the deeper the sense of loss of trust tends to follow. There's almost a sense of betrayal among the various stakeholders, whether it's a customer or a client or whatever. So

is communication a part of that playbook? Is that something that you help develop as well? So communication is absolutely, I would argue the most important part of the whole thing today, and I'll let Allison definitely talk more about how we train that in the range. But what we talk to our clients about in these situations is that

there are components that you can do in advance. So things like having what we call a holding statement, which is some sort of a statement that if press breaks and you're not potentially ready to share information that you've got a canned statement prepared and ready to go. That is going to put you in position where it appears that the organization is on top of things that they're communicating with their clients and that they are investigating the situation.

In so many of these cases today, it's not just about what the response was to the event, but it's the communication of it and the public's perception of that communication as well as your customers and clients' perception of

that that can cause reputational damage. Or on the plus side, even in the wake of some of the worst breaches we've seen in history, we've seen leaders who have come out and done a fantastic job of communicating about it, and they've actually built even more goodwill and trust in their client base as a result of one of these breaches. That's something that Allison and her team share on a daily basis within the range. So Allison, I'd love to

hear your perspective on it. I'd say a great deal about my area is working on how we get the attendees to engage within the scenarios, right breaking you away from your everyday life and now simulating something a cyber attack that could be possibly simulating your worst day in

that organization. So something that you know we think about when creating these we're really testing you and training you to emulate these business and security issues that would be taking place and all of the stories that we work on, and these experiences are based upon real life incidents and stories that are from the field and kind of like

top headlines that we're seeing. So in order to create these simulations, we use a method called really experienced design that creates real life situations that not only pull from real life stories, but also feelings such as like panic and uncertainty. And these areas are really kind of this experimental learning where in order to fully learn what you

need to do, you have to experience it firsthand. So we want to drop you into a scenario and have you go through that so you know, for example, something that you might be dealing with, like Wendi said, is going through a holding statement, having to actually put that out, test you and put you firsthand into what we call the hot seat. It's a live broadcast studio where we drop you in full green screen lights and we turn that camera on and ask you questions from a real reporter.

It's up to you to answer and how do you deal with that? You know, many people find out once they go through I need to go back and take some time to learn how do you answer some of these questions? How are ways that you would go through that, because again, the brand and reputation of your company is really, you know, a big piece of this, so keeping that up is something that we work on. And all of this comes through these kind of emulating and you know,

simulating these scenario pieces. Allison, one of the things that you and I share is a background in theater and as someone who is in theater and who has participated in various theatrical events where you are simulating something. To me, one of the magic parts of theater is that people actually will experience those reactions even in a simulation. You know, you have removed yourself from any real danger, you are not in a legit dangerous situation, but your body

and your mind still goes through those reactions. Do you witness that in these simulations. Do you actually see people having those kind of emotional responses and that's a big part of learning how to respond appropriately when this happens in real life? Yes, exactly, You're spot on having that we you know, the whole piece is really creating that adrenaline rush, seeing your heart rate go up, you know, as soon as you see your headline, you know, splashed

across you know, front page and in the news. That's creating something really for you internally, and so what we're doing is creating it in a safe space. Right, this is a space where you know, we want you to fail in here versus out in the real world. We want you to understand what you would need to do if you did have something that took place and now you need to respond to that. So in order to do that, we use lighting, sound design, interactive apps to

create and evoke this emotion. You know, we have an individual come through and they said it almost created like a level of PTSD from a previous cyber attack. They came through and said like, wow, this is like really, I know that I'm in a simulation, but my heart and mind sort of take me to this other place where now I'm really feeling what it's like. And that's the whole thing of practicing and having this muscle memory

of going through it. Right, you're just rehearsing and rehearsing and understanding, and like Wendi said, you know, doing these every quarter can really help for you to really understand what you would need to do in order to deal with that, and that pressure might then go down because now you know how you work with you know, the attack and the next steps of what you need to

do to process it. Yes, I think it's much better to have that visceral reaction when you're in a practice stage than to have it when you're having to deal with a real world intrusion or a data breach or something along those lines. You definitely want to be able to look back on that training you've had and rely upon that muscle memory, as you say, rather than have to soldier on and put that response plan to

test without ever having actually done it. It's, that's, I would love to actually be a fly on the wall on one of these. It sounds truly amazing to me, and the sort of stuff that I've seen in like hacker movies, but never thought that anyone actually did it. So that's phenomenal. Wendi, can you talk a little bit? Are there any common traits that you see among companies that are really good at recovering from these

sort of threats, of these sort of attacks? Are there certain things that you can identify and say these are our markers, sort of best practices that are common across different industries? Well, I think, first and foremost it's because they have access to an incident response team. Right, So, whether that's an internal team or whether they choose to

use and leverage an external team. The reason that you want people there is actually right along the lines of what you two are talking about, which is you want people who have had a lot of practice in this,

right, who have responded to events. I will say, you know, I've been doing this almost twenty years, and I still, when I get the first phone call from a client, it's a new client that we know there's a situation going on, I get the adrenaline rush, you know, because I want to know, Okay, what are the details that are going to share with me? Who's the potential attacker? What do we need to do? And my mind is racing of all of these different things and actions we

need to take. But because I've been through it so many times, I'm able to then really harness that and channel it into a productive, credible discussion. Right, here's what we need to do, Here's the actions we need to take. Here the things not to do right now, here's the evidence to preserve. So the more that organizations have access to personnel like that and those skills, the more successful they're going to be because they're going to reduce time

that it takes to get answers. And when you talk about, you know the age old verbiage that time is money, that is extremely true in attacks because the more time that you can save, right, or the less time you take to get answers, the more money you're ultimately going to save because you're exposing your organization to less risk throughout that entire time. And so, first and foremost, if we want to look at who's successful, it's they have a team of people who can respond to the incident.

That said, then those team of people also have things like technology in place that gives them the visibility to answer questions. Because if you can answer questions really quickly, again, then we can make decisions for the business. Whether that's taking a system offline, whether it's taking an entire part of the network offline because of the risk that is exposed. Those are all decisions we can make. So the quicker that we can do that based on visibility, the better

I like that. That answer goes back to what you were saying earlier, Wendi, about that first step of building a response at all involves getting that list of names and their contact information and the roles that they play drives home that when you have something like this happen, obviously your first response is oh no, and your second response is what do I do? And having that list of people who have very specific job roles and ways

of reacting to this is absolutely of critical importance. You reduce the amount of time it takes to even know who you're going to turn to. It's one of the worst feelings in the world is receiving information and literally not knowing where you need to go in order to resolve it. So having that in place, I think, as you point out, is absolutely critical. Allison, do you have any specific sort of lessons that the companies tend to learn in this simulation, apart from the fact that a

simulation can be almost as terrifying as the real thing. Yeah, I mean one of them, i'd say, is just a lot of organizations realize that they need to test their plan and go through it. That's i'd say, like the first piece. But one of the things that you were just mentioning about, you know, the types of people that go through and the response and pieces like that. One thing that we've found is those with military or first responder training have responded very well within these types of

response challenges, you know. And a thing I think we look at from that is those are the ones that are really trained in incidents that have taken place for them, and they're not really shying away or pushing it away onto someone else's issue. They're taking it on and leaning into that situation and really you know, moving forward quickly with it. We tend to see those are the ones that get up, answer the phone and handle the situation. So taking kind of a lesson from that, you know.

And another piece that we'd say is just that many learn to understand that cybersecurity is a whole of business response. It's not just IT. We need to see everyone within your organization taking part and understanding that there's now a cybersecurity culture that needs to go you know, take

place and go within you know. Another thing is looking at it from a you know, a top down approach, looking at cybersecurity awareness, this idea of good cybersecurity culture that comes from the top of your organization and can trickle down within the rest and just making sure that your teams have are empowered to take steps to immediately react without hesitation right, giving them that power to say,

you know what you need to do. You've practiced and rehearsed, and these are your steps that you would need to take. Out of curiosity, Allison, do you have a particular type of threat that you've seen where the response has been frequently lacking? Is there a place that people really need to focus on? I guess is what I'm trying to get at. Yeah, I would say a big piece that you know where people lack is the response to

media and communications. That side of it isn't always thought about, right. Yeah, you're dealing with the technical you have teams that are trained in that, but then when it comes to putting out that holding statement, even communicating internally to your teams so that they're not sending out messages or putting things out you know they're wondering what's going on. You can put these sort of hold statements internally within your organization.

And something that we also practice is called a leader's intent, where we have the team write out a leader's intent for your entire organization. And this gives you like a purpose and an end state of what you would need to do. If there was some sort of piece that took place, So it gives them everyone in your company that right and that kind of goal of what they would need to do. As a member of the media,

I can certainly understand how we can be intimidating. So, I mean, our job is to spread information and sometimes you really need to contain it for the moment so that you can do the right thing. So I certainly can appreciate that from my perspective. Oh, yes, we use you as the bad guys all the time. I mean, it's fine, it's fine. Wendi, your team recently released a threat landscape report on cloud environments. Now, obviously, over the last two decades, we have seen an incredible migration

to cloud services. There's so many companies out there that are dependent upon either a hybrid cloud strategy or a lot have even moved almost all of their processes to the cloud. What were some of the things that you learned in that and that you released in that threat landscape report. Yeah, you know, I think they're pretty consistent with the things that we've seen in the field with

our investigations. And you know I mentioned earlier about time being money and not being never truer than in the case of a data breach and data breaches in the cloud are not any different actually, right, They are primarily motivated around financial gain. So that's really the most common motivation for the threat actors that we see targeting those and you know, I think the it relates primarily to data theft, right, So data that's hosted in the cloud.

One of the things we consistently see is that organizations who move data to the cloud will kind of have this false idea that you know, Okay, well, now it's someone else's responsibility and so I'm kind of absolved from the responsibility of protecting that data. And unfortunately that's not the case, right, And so we see a huge amount

of misconfigurations. About forty three percent of attacks that we see in the clouds, in the cloud, excuse me, are a result of misconfigurations of that. And you know, oftentimes, again it's kind of unclear as to whether it's the hosting provider or the actual data owner who felt like, you know, maybe they were pointing fingers about who was actually responsible

for those attacks. But you know, I think the reality is that we are going to continue to see more and more of those types of attacks as more organizations move to hosting data in the cloud. That to me is incredibly interesting, Wendi, because I, the first thing I think of when I think of the possibility of moving things to the cloud is a reticence of letting go of something in that I think about the old days

when everything is self contained. But it is interesting to think of it from the other perspective of the idea that you're absolving yourself of responsibility by putting it onto

potentially a cloud provider. And in either case it's a destructive way of thinking, and I think it does point back to your earlier point about this is another example of how a response plan is absolutely critical to any business that whether you are overseeing your systems internally or whether it's on the cloud, you have to have that plan in place. It isn't enough to just say, oh, well it's in safe hands. I can just brush my

hands and walk the other way and never have to worry. So, Allison, does your team work on creating scenarios that involve things like cloud environments. Yes, very much. So. You know that's a big area. You know that we're seeing companies go towards, and that's something that we're highlighting and working on within the range. Yes, we have organizations that test and train

within the space. And something that we look at is we put you in this a fictitious company right that you're going through, and we put it now as a cloud first environment, and we give participants best practices on

managing those cloud attacks and the response to them. So, you know, we look at the you know, migrating to the cloud, which introduces new security risks and different challenges, and we take participants through really a fictitious multi cloud organization that is about to experience a cyber attack and what you would need to do in order to support that, What do you need to do in order to kind of stop and you know, what are those responses to

dealing with it now that it's in the cloud, and this gives you still a chance to deal with it protecting your customers, your employees, your brand, but all of that within the cloud, and how your organization would be handling it with these cloud environments. Out of curiosity, do you have members of your team who are essentially filling in the role of people who are working for this fictional cloud service provider and do they have to interact

with the people going through the simulation. Yeah, so we have they're kind of like our actors in a way, but they're trained experts in cloud, cloud resources, OpenShift, all of this sort of area, you know, when you're dealing with it. So we definitely are you know, have these experts that are there and they're interacting and putting

in those pieces. So when you know a client or an attendee in that is asking questions and going through it, there are sort of these real life in a way actors that come in and ask these questions and have these real life scenarios that would come out and play through.

That's fascinating. So but it is it's incredibly valuable, right because other than that, you would just have people talking through their response plan and if there's no one that they can bounce off of, and if the control is outside of the company, it really would be a frustrating experience. So having that where you have that extra piece in there and you can figure out what the resolution is to one stop the attack and then to move on

to your next phase, that's absolutely important and critical. Obviously, I have another question for, really, for both of you, but Wendi, maybe you can take first crack at this. This is where we put on prognosticator hats. It's where we look into the future, which we all know is dangerous. And yes, and often we have to we have to

couch things, which is perfectly fine. But how do you see the cyber landscape evolving now, especially given this decentralized approach, which I imagine for a lot of companies is going to become the normal mode of operations, even once we emerge from the pandemic? Right, you know, I think we're going to see, right, a prolonged period of a little bit of instability. Right, how do people work from home? Does part of the workforce work from home? Part go

back to the office. There's going to be just a continued kind of dynamic shift, and I think that's going to make a lot of people uneasy. Right. So from that perspective, I think we're going to continue to see attackers take advantage of that. I think there are some things that organizations can do to be much more successful at that, things like implementing multi factor authentication for remotely accessible devices

and systems and applications. That's going to be critical. Right, regardless of whom you have working in an office or not, you'll be able to then secure that data a little bit more because attackers will continue to take advantage of that. I think we'll continue to see more online scams. As the election season within the US is coming up, you're

going to continue to see more related to that. And then once vaccines are available and once more testing is readily available, we're going to continue to see a lot more scams related to that. So individual users will need to really, I think, learn to protect themselves a little

bit more effectively. And that multi factor authentication I mentioned for example, is also great for you to implement personally, So things like on your online banking accounts, on your personal email accounts, your social media accounts, having multi factor authentication most of those now most applications have that built

in that people can take advantage of. And then also doing things like having a password manager, so using that there's lots of free ones you can use, so that one you don't have to memorize your passwords and that you're not using the same ones over and over again.

We know that the number of breaches is going to continue to increase, the number of compromised networks and systems and accounts will continue to increase, and at this point, over sixty percent of the breaches that we see are leveraging data that's already been stolen somewhere else or a vulnerability that's already been exploited and is out there and

known to the public. So if we can all do our best to kind of take our part and our actions that are going to help secure our own environments, then the better off that that's going to translate to

our corporate environments and just to overall security. Yeah, I can't tell you how many times I've rolled my eyes at reports of a data breach where passwords were shared, and you see that the most common passwords are things like password or one, two, three, four, five six or whatever, or password one so that you have the one numeral

in there. And I think a big part of cybersecurity from an individual standpoint, and please correct me if I am off base, because you're the experts, but I think a large part of it is the idea of you're trying to just reduce the number of opportunities an attacker has to take advantage of you, and the more opportunities you eliminate, the less valuable you are to the typical attacker. Because,

as you had mentioned earlier, time is money, even on the attack side, and an attacker is far more likely to go after a target that they view as being vulnerable than to waste time on targets that appear to be more savvy from a security perspective. Am I more or less on track there? I think you're ready to be an incident response consultant because that's one of the things that we say. Basically taking the language you

just used, shifting that to a corporate environment. The fundamentals are, we want to increase the amount of time it takes for the attacker to meet their objective, right, to accomplish their goal, whatever that may be, to steal information, to break in, etc. So we increase the time it takes them to do it, and we decrease the time it takes your organization or the good guys, right, to be

able to identify it. So if we can marry those two together, then we tend to make your organization less of a target than other locations because the attackers are going to have to work harder, they're going to use more resources, they're going to have to spend more money to get the job done, and more than likely they're going to move to somewhere else where they can accomplish

that much faster. I'm glad I got something right. Well, let me ask this also: are there tips or strategies that you think companies and individuals should be following beyond making a response plan? I think one of the big ones is finding a way to communicate policies and processes and good security behaviors to people in a way that is really instructive. I know that almost every company out there now has the mandatory video or presentation

on security. What do you think are things that really people need to focus on, or companies need to focus on in general to help improve security overall? Well, something Allison I'm sure is going to talk further about is about building a security culture, right, and building that into really the fabric of your operations. I think until people at all levels of an organization feel like security is their responsibility and they're empowered to make decisions on it,

until they do that, an organization is always going to struggle, right, to make decisions effectively. So that's a huge part of it. The communications, having them planned and prepared in advance so that you're ready to go once an attack actually occurs is also critical, and then shifting to some of the more technical components, things like I mentioned multi factor authentication on remote devices. That's absolutely critical, but also making sure that you have backups of your most

sensitive data and that you've tested those backups. We have an organization we're working with right now, major ransomware outbreak. They had all the best technology in place and all of the best procedures for having backups, making sure they were offline and not connected to the network at all times, but they had never tested them. And once they did, they realized they couldn't actually restore them because the data

wasn't replicating correctly. So, you know, we talk about testing our incident response plan, also test your most sensitive data in those backups, because if you have access to that and you are attacked and you are the victim of a ransomware attack, you don't even have to engage in any of those discussions. You can say, Okay, it's going to take us six hours, twelve hours, twenty four, whatever the case may be, to get access to that data.

But we have it, and it's just a matter of getting access to it and restoring it and then certainly securing the ability for the attackers to successfully do that. Again, we want to prevent that as well. I feel like a lot of those lessons can be applied not just in the corporate culture, but in our personal day to day operations as well. This thought of taking security seriously, it's interesting to me because I'm old enough to remember when no one wanted to use the internet to buy

anything because everyone was worried about security. They're thinking, I don't want to put the numbers that are on my card onto this computer thing and have it sent out to everybody. And oddly enough, now we're in a world where a lot of things that would drastically improve security are either an afterthought for some people. They never consider it,

or they think of it as an annoyance. I know people who find multi factor authentication to be irritating. Oh, I have to type in my, that six digit code that just got sent to my smartphone. And explaining to them that this is a way in order to make it harder for an attacker to find that exploit, whether it's in a company or it's in your personal information.

I think that is incredibly valuable, and I want to see that culture adopted at large, not just in companies but beyond as well. Allison, any other little tips or tricks or any fun ways to terrify people that you would like to share before we wrap up? Yeah, I mean just, you know, for my area, it's where can we get you? What are those things we like to almost think really like a hacker in a way, and what are those areas that we can take advantage of and then show you what those are? And that's

really what we're, you know, working on within that. But you know, like when you said all of these areas to, you know, to stay cyber safe, working on that as, you know, a security culture, even having those security culture pieces at home, staying cyber safe at home with your family and kids, that can kind of just penetrate that within your, you know, entire self and bring that

into your organization. I'd say, you know, those are areas and just practice, practice, practice, keep those plans going, keep going with those tests, you know, emulating those experiences and making sure that you're really taking those plans into action. Out of curiosity, Allison, does your team look at a response plan in advance and then look to see if there are any potential holes in that response plan? So that you can demonstrate that this is something that they

the client really needs to focus on in order to improve. Definitely, we'll take the response plans, study them, and then create scenarios that are specifically designed to possibly you know, go around or you know, penetrate certain areas that they might be missing. We also take it where we might not have any insight and show that there are you know,

openings and holes that might, you know, appear. A lot of it has to do with human interaction, things that we might miss, things that are happening. So it's kind of taking all those in and then showing where you need to add those within your plan. So definitely that's an area. Yeah. I think of that a lot in terms of things like learning a martial art where you practice practice, practice, practice, and then you're ready to show off to someone and say, all right, i'll show

you how you get out of it. Here, grab me from behind. Someone grabs you from behind. Oh no, no, not like that. You need to grab me from behind this way so I can get out of it. And you think, well, that's not how the bad guys are going to do it. They're not going to attack you at your strongest point. Just because you really practice that. So I think that again, the service you're providing is

incredibly valuable. And as we're seeing the landscape change, I think it's going to be important for more and more companies to really focus on this, to continue to focus on it. You don't want your story to become the next big scandal. You want your story to be a success story of how you were able to respond in an agile way, an effective way, and a way that was responsible both to your company, to your customers, to your clients. That those are the stories we want

to see. We want to see because we know the bad guys aren't going away. We know that they're not going to just stop, but we do know that we can work better at responding to it and make sure that the actions we take are more effective and that people don't feel like they are left out in the lurch and there's nowhere to turn to and you're just you're just going through the absolute worst feeling of your life. We want to prevent that as much as possible. You can.

You can save that for the stage, and then in real life you can have the actionable plan. Do you have any other last thoughts you would like to share before we conclude. I think I've learned a lot in this conversation. First of all, I mean I've learned I definitely want to see one of these simulations because I think it would be incredibly informative. And also I've learned that I probably need to update my password manager. Yeah. My last thoughts would be, do not be part of

the people that believe they don't need to change their passwords? Right. We mentioned that, you know, we hear about breaches happening on a daily basis, and then so many people just kind of think, oh, well, now they happen all the time, so it's no big deal. Just keep my passwords the same. Don't do that. Please change your passwords, Please use a

password manager. And if you've got questions on other things related to things we talked about, you can also visit ibmsecurity dot com and read more about all of the services that we have to offer. We'd love to chat. I again want to thank Wendi and Allison for their time and their expertise. I am convinced that companies absolutely need to have an incident response team and a response

plan in place to deal with cyber threats. Reducing the attack surface is important, but making sure you've got the right plan and people ready to go should the worst happen is absolutely critical. It reduces the cost of an attack dramatically, and when you consider the cost we're talking about isn't just the significant financial cost, it's also how others perceive your company. It's an imperative. We've seen companies large and small take massive hits to their credibility as

a result of attacks. I hope one day I get to see Allison and her team at work, and her description of people going through real world emotions even in a simulated event reminded me of how we can experience stuff like fear and trepidation even when we're in a virtual environment. But it's better to have that experience in a test run than the real thing. That's all from this episode of Smart Talks. To learn more about IBM's cyber security services, visit IBM dot com slash security slash solutions.

Tech Stuff is an iHeartRadio production. For more podcasts from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen to your favorite shows.

Transcript source: Provided by creator in RSS feed