Skip to main content
Right of Boom
January 30, 2025

Ransomware TaskForce (RTF) Blueprint for Defense

In this video, Jen Ellis and Phyllis discuss the blueprint for ransomware defense and its impact on small to medium enterprises. They explore how organizations can effectively implement cybersecurity measures despite resource constraints, emphasizing the need for collective government and industry efforts to drive adoption. The discussion highlights the necessity for clear communication, consistent guidance, and capacity building to enhance cyber resilience across all sectors.<ul><li>The Ransomware Task Force (RTF) aims to provide a clear and actionable framework for ransomware defense, focusing on how governments can protect organizations at scale rather than individual organizational advice.</li><li>A significant challenge in cybersecurity is driving the adoption of existing guidance; many small to medium-sized businesses (SMBs) struggle with understanding and implementing cybersecurity measures.</li><li>The RTF collaborates with multiple entities to push for uniform cybersecurity guidance across different sectors and governments, emphasizing the importance of consistent messaging to prevent confusion in cybersecurity practices.</li></ul>

Guests

Andrew Morgan

Video Transcript

All right. Welcome everybody. It is Cyber Call one 12. Just real quick housekeeping. I'll do in a minute. Jen, if you take a look, I sent it on Saturday. I think the agenda will be in your mailbox. Um, so welcome everybody, um, from Tampa, Florida. We, um, are very fortunate, um, and grateful for what happened with Hurricane Ian. Our hearts and thoughts go out to folks south of us who weren't as fortunate. Um, and, uh, it, it was a devastating, uh, hurricane there.

So, um, if you're in that area, um, again, please let us know if there is anything we can do. Um, and uh, anyway, so let me just do a few announcements real quick. So I put way up top. There's been some good chat already. Um, way up top we're gonna be talking about the blueprint. Blueprint. I'm not gonna say that. 10 times Blueprint for ransomware Defense, um, from the ransomware task force. Um, we're gonna get into that today and talk about that.

Uh, Phyllis, we have obviously Jen Ellis with us who you'll learn about and her awesomeness. Um, Ryan Weeks was involved with this as well. And CIS controls go figure, are something that we're called out, uh, in this as well. I also put in, we, we, we, uh, pushed out, um, CIS Control 13 in the cyber cast that is available for, um, your viewing and listening. I shouldn't say viewing listening pleasure on any major podcast.

Um, I also wanna let everybody know, just lastly, write a boom now is live registration is live. I'm putting the URL in. I just want to share this with everybody. This is a really interesting stat that we weren't expecting. 80% Gary of registrants are registering and there's been a ton already are registering for the pre-day with John Strand and John Hammond. Not that I'm surprised, I'm just letting everybody know that it's already 50% sold out.

So I know I'm gonna get these calls and emails based on last year. Is there any space available? I'm just telling you right now, there's only so much room that the, the venue can hold. So Those dang fire marshals. Yeah, exactly. Hey, Andrew, there's in chat, there's a few folks asking do they have to be an MSP to attend, write a boom. Like can an individual person, an IT person come, a IT company come, or uh, how does that work? Yeah, it is for Ms.

P and MSS p only email me andrew@thecybernation.com so I can chat with you offline, um, as well. Thanks for pointing that out, Wes. Yep. Um, okay. Garrett, anything I might be missing? 'cause I know you, you know, you love my announcements and precursors here, so No, just excited. And like I said, if you want to come to write a boom register ASAP because it will sell out. Yeah. And there's gonna be a lot of cool, if I could just say this, Gary, I know you guys are gonna have a pre-day event.

Um, all of the platinum sponsors are gonna have pre-day, and these are gonna be enablement type things. Like I know Roost is gonna be doing an automation pre-day. Um, I still have To get Yeah, listen, it's gonna be the second best event of the year. I thought yours was sunset. No, we're launching registration this week. Are you doing It again? Smith Fest. Really? 2023, third week of January in Phoenix. Oh, wow. Very cool. I didn't realize that. That's awesome, Gary. Congrats.

Okay, let's get on into it here. Before I in, in introduce our special guest, Jen. Um, Phyllis has been telling me, Andrew, we have got to get Jen Ellis on the cyber call. We have to talk about, you know, the blueprint for ransomware defense. And so I got intrigued and started reading a little bit about it and the work that you know, Jen and your team Phyllis, you guys did is, is awesome.

I'm just gonna, I'm just gonna have to kinda read just a little bit here, so forgive me everybody, but, um, what I don't have to read is the, the, you'll see in the blueprint that it, you know, calls on Accentures, um, cost us cyber crime. And again, we've talked about these stats before, and again, you don't want to go overboard on stats. Everybody's sick of stats, but it's really interesting when you see that SMBs are, and SMEs, as they call 'em, are 99.9% of all businesses.

And that, that, when you look at that staggering statistic and that 43% of those, uh, of, of, of cyber incidents were pointed at those organizations and 14% of those organizations, only 14%, you know, felt they were truly prepared to handle a cyber attack. Probably the 14% service by MSPs on this call, which was about 4.5 million companies. So, um, the ransomware task force was developed and, and to develop a kind of an actionable plan to help these organizations.

Jen, at a high level, do I have it correct, and obviously we're gonna get into the details and introduce you, but is that a high level way in which we could, you know, talk about the blueprint, something actionable that can help people in these? Yeah. Awesome. Mm-Hmm. Fun and Really awesome and really cool. Lo and behold, you know, the CIS controls gets pulled in again, um, and the essential cyber hygiene, which again, we haven't stressed enough, Gary, on this show have we?

Alright, so Jen, uh, um, welcome. Remind me to tell you a funny thing about that. A joke. Yeah, that's not a joke. It's real life, but, well, Why don't you go now? No, so we're doing, um, we're doing like a compliance special project for PR peer meetings during two weeks. And one of our program managers said they're trying, you know, making sure everybody's doing what they're supposed to do. And so one of our members said, well, I'm, I'm not gonna do it.

Like I have, you know, I have better things to do. So I emailed him and said, please give me a list of what better things you have to do so I can check it and decide. I'll let you know if they're better things or I have better things than compliance and security to women to worry about. Right. Very true. So, Jen, welcome.

Um, I know you've spent a considerable amount of time, um, doing, you know, both basically, you know, doing collaboration between, you know, the security community and the, you know, government or, you know, sectors, um, trying to bridge those two together. You have a prolific career at Rapid seven, um, recently moved on and, uh, wanted to welcome you to the show and really thrilled that you were kind enough to join us. So thanks so much. Yeah, no, thank you.

Tell us a little about yourself, what you're up to, and, um, we'll get right on into it. Yeah. Cool. Um, well, as I said, thank you for, for having me on. Um, I, so yes, I was, I was at rep center for a long time, for 11 and a half years, which is a lifetime. Um, and I had a, um, an unusual but, um, incredibly privileged role, uh, where basically, um, I was tasked with thinking about how you advance security on a societal level.

Um, so what do you do to try and basically create a rising tide that benefits everybody? And um, and I think it's a little bit unusual because I think for a long time companies didn't think that way. They thought very much about like, you know, selling a product to a customer. Um, and so to have an employer who was like, we are gonna pay for you to go and try and do this and, and like, you know, rapid seven is relatively speaking. Um, I'm just looking at the comments. Yes. Mm-Hmm, yep.

Um, 11 and a half years is a long time. Um, uh, and, and Rapid seven, relatively speaking in the kind of grand scheme of the world is still a really small company. Right. You know, um, it's, um, two and a half thousand to 3000 people. And so I think most people would consider that an SMB, um, on the, on the M side maybe, but still an smb even though it's a public company.

And so for them to invest in a function that was really about trying to kind of think about how you can, um, serve the, the greater good really and try and move the needle forward to benefit everybody, not just people who are paying us, I think was honestly just like a really extraordinary privilege. And, um, and so yes. Uh, so you might be thinking like, why on earth would you leave then, Jen? Right. Um, I ask myself that question constantly.

Uh, but no, I did, I left, uh, my last day at was August 31st. Um, and I, I am planning on doing much the same work. Um, and, uh, I'm, I'm setting up a company, so, um, I hope you guys like puns 'cause this is a bad one. This is a proper dad joke, but my company is the next gen security company. Oh, I like it. I like it. Yeah.

Um, yeah, and, and so like, I'll be working with governments and nonprofits and, um, and probably sort of, you know, industry leaders trying to do the same thing, trying to figure out how do we sort of move that needle forward. Um, and for me it was just kind of, it was about, um, being able to take that sort of chance and that risk and, and, and invest in myself a little bit and, and take that gamble. Um, and being able to kind of throw myself more into partnering with those entities.

Um, and so I, I think you could say that like rep seven just gave me a phenomenal springboard to be able to do that, Able to do that. Yeah. Sounds it. Well, well again, thanks so much for sharing your story about what you're up to now. Um, Phyllis you've had a lot of interaction with Jen doing this project, so I'm gonna let you kick things off for us. Yeah, sure. Um, uh, Jen has been a great resource and a great contributor to the project, so, and thanks for being here.

Um, so Jen, for those of folks who don't know what the ransomware task force is, can you just share a little bit about, um, what it is, why, all that kind of stuff? Yeah, absolutely. So the ransomware task force is the, the brainchild of Phil Reer who runs the Institute of Security and Technology. Um, if we sort of go back in time, uh, through the midst of time, um, across like what has been a frankly bizarre couple of years that we've all experienced, um, to, uh, sorry.

'cause it has been a bit of a black hole of time. I have to try and think this through. So to the backend of 2020. So we, we'd had a weird year. It was, it was not the best year for anybody. And, um, and ransomware attacks were on the rise, right? And we had had huge reports of ransomware attacks all the way through the pandemic that first year, and particularly hitting healthcare organizations.

And so Phil, who, uh, is ex-US government, he's ex White House and, and, um, I think XDOD before that he had sort of been paying attention to this phenomenon. And he looked at it and he said, ransomware is now at the point, you know, if you are in a situation where you have a global pandemic and you have prolific attacks against healthcare, then that has now elevated to the level of a national security threat.

And so he said, governments need to respond to this, that this is no longer a situation where we can just put out guidance to companies and be like, Hey, do these five things. Don't forget to patch. We have to like actually be looking at government response at this point, a coordinated government response. So what he did is he, um, he reached out to a bunch of people that he knew and he pulled together this, frankly pretty phenomenal task force of, um, more than 60 organizations.

I think there was sort of more than a hundred people who participated in total. And, um, they came from all sorts of places, all sorts of, uh, countries. There were multiple governments involved. Um, they represented organizations that had sort of all different points of view on ransomware, whether it was an organization that had experienced a ransomware attack or if it was a cyber insurer, um, or organizations that helped with different types of response or preparedness.

Um, just all sorts of, of different points of view on it. And he brought these people together and he said, look, uh, in, uh, he said, he basically said like, we've got a new administration coming into the US government, and they've already said that they're interested in doing more on cybersecurity than the previous administration, which admittedly was a very low bar.

Um, and Phil was like, if we get together and we come up with a set of recommendations for them, and we do it in the right timeframe, then we could actually help shape their policy and kind of show them the, the sort of the direction to focus on, right? Because they're, they're figuring out what to do now. So he started this at the beginning of 21, and the report was released, um, on April 29th. So we basically, as Michael Daniel put it, we sprinted a marathon.

Um, we all basically had two jobs for four months. Um, and the thing that's kind of crazy for people who, like the fans of ransomware who are paying attention to dates, um, the report went out April 29th and the colonial pipeline attack was a week later. HSC was a week after that. JBS was two weeks after that.

So we had this like, ridiculous role of thunder and, and, and like, you couldn't ask for, um, attacks that would more showcase exactly the point that we were making about the fact that this is an national security threat. Then those three, which were all critical infrastructure oriented and had huge impact. Right? And I would, you know, I'd like to obviously go on the record and say like, we were nowhere involved in those texts. Um, the timing is entirely coincidental.

Um, but it did sort of like land that message with not just the US government, but various governments around the world that ransomware is a national security issue, it's an economic issue, it is a quality of life issue, and that there really needs to be a coordinated government response. Um, so the report has, uh, 48 recommendations split into four main areas. Um, answer, asking, asking, and answering the question, how do you, uh, deter and disrupt ransomware attackers?

And how do you help organizations prepare and respond for attacks at scale? So this is not, hey, these are the five things you as an organization need to do to protect yourself. These are, hey, government, these are the things that you need to be doing to protect organizations in your country.

That's what it's, So I love that explanation and I love how, um, you know, we brought all the, you know, we, everybody, the collective community brought everybody together because, um, I do believe it has reached the level of a national threat. So, um, I love that he had that, um, thought. Um, and so, you know, we know, uh, and we say it, you know, a recommendation was to, um, develop a clear and actionable framework.

Um, and so that's how we came about to create the blueprint for ransomware defense. And so do you wanna briefly describe that and how we believe, um, small medium enterprises can actually use the blueprint? Yeah, so I mean, so I was one of the co-chairs of the task force. I, I still am the task force and ongoing effort. We continuing to engage and, and working with governments and, and, um, have lines of inquiry and all that kind of stuff.

And, um, the particular group that I co-chaired, uh, so when Phil came to me with this whole idea, uh, he was like, Hey, I'm gonna do a task force on ransomware 'cause it's a real problem. And I was like, hi, Phil. Um, ransomware's been around for a while. I dunno if you've heard of it. Uh, this is not a new problem. What is your task force going to do that's different to every other effort on this topic?

And I was like, look, I'm not real interested in being yet another entity that puts out guidance that says, Hey, you need to have offline backups. And by the way, don't forget to patch your s**t. Um, oh, sorry, I'm a little sorry. We encourage that Your stuff, pat your stuff. Um, so, uh, so Phil said to me, um, well, yeah, no, you're right. I don't have an interest in doing that either, but also, like, if that guidance already exists, why aren't people adopting it?

And I was like, that's exactly the problem, Phil. You tell me how are we gonna fix that problem? And so he went, you should lead a group on that. And I realized that I had made a grave error, uh, and I had dug a hole for myself dramatically. So the, the, um, the, the group that I led was the prepare group, and we basically, that was our question was, if so much guidance exists already, why is it not being adopted? And how do we remove those barriers?

And so we went and we basically like, just interviewed a ton of organizations of all different sizes. And kind of what it came down to is, and this probably is not super surprising, people, people are probably like, oh, door. Um, it came down to either people didn't either really like super understand or have awareness of either the problem or the solutions, um, or they didn't have the capability, the ma the maturity, the capacity, the resources to do something about it.

And quite often it comes down to a little bit of both. Like maybe, um, you have a leadership that doesn't understand the dynamics of the issue, and you have a technical team who doesn't know how to communicate it to them, and therefore they can't get the resources they need. And so like, you know, it, it one feeds the other, right?

So what became really clear is that as you look at these organizations and you sort of break out, like those who lack understanding lack resources, and like, you know, you have those who lack understanding but have resources. Those who have resources but lack understanding. And then those who lack understanding and lack resources.

And you, you kind of get confronted with what we refer to as security poverty line, um, whereby you have organizations that basically cannot afford to invest in cybersecurity. And that typically is SMBs, right? And, and so, you know, we, we see all this guidance go out and like, you know, every security vendor under the sun has put out guidance at some point has said, um, you need offline backups. You need to patch stuff, you need to do user awareness.

You need to have identity and access management, um, uh, uh, policies. You need to, um, segment your stuff and, uh, you need email filtering, right? And they make it sound as if you are gonna come in on a Monday morning and get that stuff done by lunch. And that's just not the reality of where we are. That's not the reality of where any organization is, let alone an SMB that probably doesn't have a, a staff dedicated to cybersecurity.

Or if they do, it's like one person who wears multiple hats or, or a a, a low number of people wearing multiple hats. They probably don't have deep pockets and huge budgets to go buy a bunch of solutions. They probably read this guidance and they go, uh, like, what do I do for that? Like, how do I get started? Which one should I pick to focus on? And so I think, you know, the idea was how do we make it a lot more tangible and a lot more relatable and a lot more digestible and actionable?

And so hence the idea of a blueprint. You know, something that you can look at that is actually detailed enough for you to kind of get into it and go, okay, I can see how I can, like how the pieces go together and how to actually engage in it in a meaningful way. And, um, you know, we wanted to make sure, like CIS was such an obvious, um, home for this and, and sort of leader on this because of the reputation you guys have with the critical controls, right? And the cyber essentials.

Like it made perfect sense for you guys to lead on this. And, um, and so it was great that you sort of stepped up and said, Hey, I think this is an area where we can really, you know, add value and do something. And then the other thing that you guys did that I thought was like super, super valuable and made so much sense, like logically was you went, hang on, we have this framework, right?

We have the NIST cybersecurity framework and it's established and everybody knows it, and there are ISOs that map to it. Like, why don't we take that sort of mapping and like apply it to this, so we're not gonna take the entire framework and dump it on people because like, that's overwhelming again, but we take the relevant parts and we just break them out in a way that feels at least, um, consistent. And like for those who have looked at the framework, it feels resonant, right?

It feels familiar. And I think like those, it's those kinds of things that help connect the dots a little bit. Um, and, and I think then it's just how do you make it really, really bite-sized for people? Jen, quick question. In all these conversations, when you guys realize, hey, when, and look at this rubric, right? They don't have the, the resources and the skill sets to do this, and it was SMB absolute. Did, did MSP come up in any of these conversations? Um, it did.

And if you look at, so in the prepare, um, section of the report, there are some recommendations around whether sm whether MSPs should be regulated a little bit and that kind of thing. That said, one of the things that we were sort of really aware of is that many MSPs are themselves SMBs and so, you know, rate rate, exactly. And so I I mean, I think you have to be, um, like wary and, and aware of that.

Um, I, I think one of the things that I've seen is, um, there are multiple governments that have started to look at the role of digital service providers. And that is such a broad term. You know, if you are talking about AWS on one end of the spectrum and a mom and pop MSP at the other end of the spectrum, ooh, that's quite a spectrum you've got there.

And you can't possibly expect that they're gonna be able to do the same level of, make the same level of investment, take on the same level of challenge. Um, and so the recommendations that we made as a group around MSPs, we kind of wanted to proceed a little, like softly, softly, um, because we didn't wanna just sort of come out with like a, a bold statement of like, you should regulate MSPs when they, when they are SMEs.

But at the same time, there is definitely a feeling amongst governments and also amongst business owners that I've spoken to, that the responsibility for cyber resilience does need to move upstream. That the people who provide technical support for a business should be factoring in cybersecurity and cannot possibly expect their, their customers to do it independently of them. Um, and I think the other thing that plays into this a lot is just the explosion that we've seen in supply chain risk.

You know, the, the, the awareness that people have now of supply chain attacks and the supply chain as, as targets, right?

And I, I don't, I don't wanna bring up a touchy subject, but when the Kaseya attack happened, the, the commentary that everybody heard was, wow, we are gonna see a lot more of this type of attack because it does make such a juicy target because, you know, the, the, the attackers in that situation, they went from, Hey, here's our individual, uh, ransom that we wanna demand to, all of a sudden, I think they asked for $400 million as like a group as a group demand, right? Right.

And they didn't get anywhere near that. But the fact that they were able to ask for it, it kind of like, it's those headlines that draw new attackers into the market, right? That it's those headlines that people see that go, oh, I wanna slice of that pie. And so you have more entrance into the market. And so the supply chain, you know, is we know that it's being targeted. We know that it's, it's, it's, it's valuable and it's, it's exciting to people and it's tempting.

And so I think as business leaders, you know, they, they then have to go, well, okay, but then what's, what are our partners or our suppliers or our vendors, what are they doing to help with this? And and again, if you are looking at that, that end of the market where you're looking at infrastructure as a service and you're looking at the sort of AWS Azures and Googles of the world, they have very deep pockets and they have enormous security teams.

But as soon as you start moving down that line, down that spectrum, you get out of that area pretty quick into organizations that are trying to keep their head above water and have, you know, huge amounts of demands on what they spend their money on just as every other organization does. Right? They're in exactly the same boat trying to find the paddle.

And so I think, you know, yes, we looked at the SMEs, the Ms P role, but we also were like very, very aware that you have to keep it manageable. Yeah. Cool. Phyllis? No, I think, um, Hey, wait a minute. So yeah. And, and so how have we as MSPs responded since the could say incident? Um, eh, pretty much loaded up another half dozen to dozen agents. Yeah, right, right. That's a really good point, Gary. No, I mean, Gary, go ahead. Um, Dan answered all, all my questions, so go ahead, Gary. Awesome.

Uh, well, first question I had was, um, you know, do you have any opinion on the fact that the Philadelphia Eagles are a foreign OI just wanted to get that, I just had to find a way to wedge that in there. My eagles are, I am very, I'm delighted for you. Yeah. Yay. Sports. Uh, so a couple things. One, I wanna talk about metrics for a second. Yeah. Yeah. And like, what kind of metrics do you feel we should be seeing from the blueprint specifically? Like how do we know it's working?

I'm not sure what the trend's saying, it's gross. 'cause you're talking about metrics or if it's about sports ball, I think it's about the eagles. Uh, I'm gonna, I'm gonna see, right. Although, you know, maybe the metrics conversation too. Security people don't often love talking about metrics. Um, but I like data. I'm a fan. I, I would much rather, um, that we had actual supporting evidence of the, of the statements and the assertions that we make. The problem is we don't know anything.

I mean, we talk as if we do a lot, and I'm very guilty of this. I definitely talk as if I know things when I know nothing. Um, but if you look at like, let's look at ransomware, 'cause that's what we're here to talk about. Um, so what data do we actually have today? We have, Hmm. Uh, so we have the data that security vendors put out, which typically comes from two sources. It either comes from work that they do in the dark web where they're uncovering people talking about incidents.

Um, or it comes from them working with customers in some way. So either they have a tool that assists, or they have a services team that assists, or they have an MSSP team that's doing threat hunting. Like it's one of those things that uncovers right. And they are able to build data that way. Okay. And so pretty much every security vendor out there puts out a report, uh, on ransomware, and most of 'em say pretty much the same thing. And that's helpful. Like, it is, it's good.

We learn stuff from that. The problem is we have no idea how to contextualize that data because we don't know how complete or incomplete it is. We don't even know how much that data overlaps with each other. We don't know how much, you know, rapid seven dataset overlaps with CrowdStrike, Palo Altos, you know, and on and on and on, right? And so, um, we don't, we don't know how to think about the size of that data. What other data do we have?

So we have data that comes from blockchain analysis companies who look at wallets and they can track wallets, but again, they can only track what they know of about. And I feel like criminals are trying not to be known. Like they kind of want their wallets not to be known. So they're trying to get away with it. So like, they're only seeing a fragment. They're, they're definitely seeing more than they used to, and it is a growing number, but like, they see a fragment of what's out there, right?

And the data that they have is incomplete. Mm-Hmm. Law enforcement, well, law enforcement only knows about things that get reported to law enforcement. So that's, I mean, it's a, it's a marginal amount. It's, it's so small as to be insignificant, honestly, from a data point of view. Um, so is There any way to know whether we're doing better or worse? That's a great question. There is a fourth category, so I'm just gonna fourth category of cyber insurance.

But if you look at the market adoption stats for cyber and cyber insurance, by the way, because they're insurance companies, they love data. So they actually look after their data, they cherish their data, they like stimulate, you know, the development of data, which is all wonderful, but their market adoption is low. And so their data is massively, massively complete. And if I, if I could add to that, Jen, they also don't share that data very much. Um, no, no.

And it's not because they don't want to, it's because they don't have good mechanisms to do so yet. And so I think when we see that future come out, uh, I think we'll have much more enriched data. I think it can be a little, a little from column A, a little from column B. Like there are, there are cyber insurers who are pro sharing and there are cyber insurers who definitely think it's their secret source and that they do not wanna share.

Um, but actually what we've seen in the past two years is there has been a shift towards more sharing. So like law enforcement started sharing more, some of the, um, DPA, the, the data protection authorities have started sharing more. Um, some of the cyber insurers have started sharing more. So like there is more sharing. What we've created is a patchwork quilt of de data.

And what's interesting is some of it's on the, on the, to use your right of boom, some of it, like a lot of it's right, you know, it's, it's very much response, um, side and some of it's security side, and some of it's sort of like others and, and others. Um, but it's patchwork quilts. And so when, um, you have a situation whereby the NSA, uh, is on a panel, um, I'm just like, I'm sorry, I've had, uh, I, I'm still suffering effects from Covid.

And so every now the brain fog comes in really badly. And I'm like, not now. Not now, not now. Um, so I'm just like having a moment on ma on on names. But, um, Rob, Rob Joyce, Rob Joyce from the NSA was at a panel in the uk and he made this statement about how, um, the number of ransomware incidence is down. And I was like, how does he know?

And so I went and talked to the UK government, and I, I had somebody from, and the National Cybersecurity Center there, and somebody from the National Crime Agency, and I said like, Hey, do you agree with a statement? And they went off and con confirmed, and they came back and they said, we believe that the reports to us have plateaued. And I was like, okay, that's really, really interesting. And so I was like, brilliant. What does that mean? Has it plateaued?

Because bear in mind, we've seen sanctions come in in the past year and a half, right? And so the sanctions have an impact. What I hear from companies is they don't, don't wanna report to law enforcement law because they're afraid of the sanctions. So has the reports to law enforcement gone down because the incidents are down? Or is it that people don't wanna report? And meanwhile, cyber insurers are also saying the data's down, right?

They're saying the reports are down and the claims are down, but they've also made their, um, the claims requirements more stringent in that time because they were losing money. And so is that why they're down, like the, the pro The point is we have like reports of information and we have these data nuggets, but we don't have context to think about how to, what the causation and correlation factors are for them. So we just completely like what we see as the tip of the iceberg.

We don't even have a clue how much the tip represents of the iceberg because we can't see it. And so when you asked me about like, what reporting would we wanna see out of the blueprint, I kind of scratched my head a little bit because before I can even get to like what I'd wanna see, I'm like, how, how would I see it? Like what would that even look like? Because nobody's reporting today.

If the, if the 1% of organizations that are seriously invested in this and doing well are not reporting anything, then how are we gonna get data out of SMBs who frankly don't have time? Um, so like, the kinds of things we could look at is it are incident reports going up. And I saw that somebody posted in the comment about ccia, which is the, um, uh, it's the Cyber Incident Reporting Act, the Cyber right cyber incident, uh, um, yeah.

Um, yeah, cyber incident reporting for Critical Infrastructure Act or something. Um, and basically this was something that Congress passed, um, and they said, Hey, we know that we need incident reporting for critical infrastructure cyber incidents. So we are gonna have SISA figure out what that should look like. And here, let's give them three and a half years to figure it out. Well, we're on seven years I think for CMMC, State government, baby, Right? I was like, oh. So it's an urgent problem.

Then. Um, what we do have, like, so in the, in Europe, they're updating the network and information systems directive, which again, is all about critical infrastructure, and they're putting a bunch more, um, incident reporting requirements in there. And by the way, that conversation we're having about MSPs and digital service providers, they're looking at the role of MSPs and digital service providers. So right, in Europe, we're gonna see stuff happening. The UK's doing the same thing.

They're also, um, they're all about like, uh, hey, we are not in Europe anymore, so now we can do what we like with n let's update it the exact same way. Um, they're probably not gonna do the same exact same way, but, but just enough to, you know, make it feel more British. Jen, Jen, Just a quick question though, for Gary and your, Gary, your thoughts, and Wes, please chime in.

So with cyber insurance, again, getting involved heavily now, and we're seeing stuff like fifth walls doing, and there's others obviously upmarket with telemetry Jen, that are left of boom, right? You know, now they're like, Hey, if you want this, we're gonna have telemetry. Are you doing this control that, control the other? Do, I mean, let me start with Gary. Gary, I mean, do you think we'll start to see different data sets coming, you know, because of this?

Um, you know, I, I think that, um, I think that next gen has, um, kind of laid out like all of the obstacles, you know, to this, right? Like, until we have a way of understanding kind of where we are, it's pretty hard to be definitive about where, about where you're going. And you just mentioned a couple things like CMMC, like really important, right? That's aimed directly at things that are important to, you know, our country, right? And our national security and how difficult it is.

So Wes, you see it from a little different perspective right now. You get to have a different view. Yeah. Well, it's like I was sharing in chat And stuff, We, yeah, it was like I was sharing in chat, we have a what problem, why problem, and a how and a how problem, right? Um, and the, the, like, the why is sort of getting solved. I mean, right? It's problem it's year. Yeah.

Well, years away from, from ccia having the impact, and, and that's even gonna only start in, in the, in the, in the federal and state levels, right? That's not gonna compel and users quite yet. We have a long way to go, but it does kick the ball in motion, which is good. And you see director Easter easterly from CSA even talking about like minimum standards.

She's even been on record saying, I think we need minimum security standards in the us You see the UK already doing that with cyber essentials. So we're going that direction. It's just gonna take more massive breaches to really push us further. And then I reached out to the sticks. So those of you who don't know sticks and taxi are open sh uh, open source, um, threat sharing taxonomies. And I used to have a very deep background, was even on the committee for quite some time.

And, um, I reached out to them recently and I said, Hey, from the insurance perspective, TIC is a perfect mechanism for us to be able to share incident reporting data, but there's no taxonomy for it. It's only threat focused. So how do we adopt that? And they said to me, well, funny, you ask, we're getting ready to, to bring to the group, uh, to ratify a sharing standard for incident data.

And so imagine a day when we can start sharing between incident response, federal government, uh, ISACs insurance, the ability to share anonymized data protected under CSA about incidents like that needs to happen because it does not exist yet. I agree. And it should not take three and a half years to happen. Preach sister. I agree, Jen, how much Gary, back to you. But, but again, you know, I've read a lot on, you know, humans being poor judges of risk.

Like you, you ask any up the food chain in organizations, you know, I didn't think it would, I didn't think it would happen to us. I mean, I'm, I'm paraphrasing, right? So, you know, it it, it, it had, you know, to me it's a mindset thing, right? I mean, we could do all this stuff, but Yeah, I'd love your perspective.

It is, I mean, mean it is like, I think, so one of the things that I think we, we've done in security, uh, look, we, we, for a long time, for 30 years, we told people that security was really complicated and they wouldn't understand it. And now we're all like, why don't people pay more attention to this stuff? Um, and like, uh, we, we kind of did that to ourselves a little bit. Um, and then we do things that we use language that I think doesn't help.

So like if you hear the term ransomware and you are an average Joe has nothing to do with cybersecurity, then the thing that you have probably heard talked about in the past that might be sort of like a little resonant is, you know, what other things have ransom situations, right? Like those kinds of attacks, attacks that involve ransom tend to be targeted like highly targeted events.

Even if it's only targeted in as much as you're a rich person in a country where there's a lot of kidnap that happens, it's still as much targeted in, in, in that you are, there's a context that makes it relevant. And so a lot of people, they see headlines around cybersecurity and ransomware attacks, but they still have this mentality. They still have this, this thought process where they assume that ransomware attacks are targeted.

A lot of people, you know, they see stories about cyber attacks, doesn't have to be a ransomware attack, could be any kind of other one. And they think, well, that won't happen to me. It's not relevant to me because why would I, why would I draw an attacker's notice? Like, my company's not big enough or sexy enough or famous enough, and so why would I draw an attacker's notice? And, and so they don't think it will, it will happen to them.

And I've literally had a conversation, um, with like business leaders who are in the security sector who are like, oh yeah, ransomware a huge threat, but it's not a threat to our organization. And I'm like, because you are not on the internet or what, right? Like, why? And, and then, and then we have these stories as well that are stuff that say things like, attackers target healthcare or attackers promise not to target healthcare.

And then that equally like reinforces this idea that attacks are targeted in ransomware. Almost no attacks are that targeted. It's not like they're like, I'm specifically mad at this entity. I mean, unless you're the Costa Rican government, in which case I'm really sorry, but yes, you were targeted and it was political, but like nine times out of 10, that's not the reality. With a ransomware attack.

With a ransomware attack, the most targeted they get is they're like, I'm gonna build a list of companies that are in the west that are above this level of revenue and that are on the internet. Right? That's it. Right? Uh, 'cause here's the reality is if you are a cyber criminal and you're in it for the payout, why would you ever make it more expensive or more difficult for yourself?

Then you need to, if you can throw spaghetti at the wall and get a guaranteed payday every day of the week, why is that not exactly the thing you would do? Yeah. Gareth, back to you. 'cause Jen, I'm gonna kind of, maybe we go a little more rapid fire so we can get everything in here. Oh Yeah. Sorry. No, it's okay. Yeah. So, well, one thing is, Andrew, you know, you're talking about human nature.

I like, I always say, let's, anything we do, don't ask something to do, some don't ask anything to do something it's not capable of doing. Right. We're not going to change human neighbor nature, right? Whether we're talking about cybersecurity or asset bubbles, it's the reason there's asset bubbles, right? Right. Global warming, you get like, like listen until you know, until it's your house. Right? Right, right. That underwater, and luckily the water only came to my doorstep, uh, this time.

So I'm, I'm, I'm lucky. But, um, but the part I wanna say, the people on this call is that's where our job comes in. Our job is to, first we can't see the world through that lens. And too many MSPs are in the same boat, or they'd be acting differently. If they really understood the risk to them, then your job is to go to every one of your customers and to translate that risk. They're not going to get there on their own.

Because it is like, I like to say, you know, look, cybersecurity, uh, I tell customers is not an issue until it is. Right? Right. And then it's the only issue. It's the biggest issue. So I feel like as a community, that is our responsibility. We can't wait for the SMBs human nature to change because it's not gonna happen. Gary, so do you, I mean, do you feel, Gary, that I'll just say it as bluntly as this, that, you know, we need to get better at sales, you know, just as equally as Security.

Yeah. I guess it's sales in some way. It's sales in some way, Air, whatever. We have to get better in communicating. Yeah. We, we start to learn like we've been doing every week for how many weeks, Andrew, together to better understand what's happening. So it becomes who we are. And we make our teams get to the same place. We have a culture of security. So with every term, when we deal with a customer, they see and feel it and understand it. So it's real to them. Right? That's what we can do.

We can know and understand it better than other people so that we don't overlook those risks and feel like, well, it's gonna happen to somebody else. Every one of us is a house with a wide open door. It's just that there's a lot of houses and, and no burglars might, may have walked in yours yet, but yeah, eventually chances are they'll stroll in. 'cause you're, 'cause all the, our doors are wide open, right? Yeah.

So, um, so Jen, I I I wanted to ask you like, there's all these massive losses around cyber insurance and, and, uh, the, the the, they have massive lobbying power. It's not sustainable. Do you think this could be the thing that would force some regulation around SMBs or MSPs? I dunno. I think it's a good question.

I look, I think that first and foremost, um, the cyber insurers have their hands kind of full with the fact that a lot of governments have kind of given them a really hard look and have thought. Uh, when, when the cyber solarium commission first formed up, one of the things that they thought, and they're not unique in this, a lot of governments thought this was that the cyber insurers would solve the cybersecurity problem.

Um, in the same way that home insurance drove people to, um, you know, having to have certain types of locks on their doors and that kind of thing. They thought this would be the key and, and, and actually that, Well, they came business, well, I mean, in that example, the insurance industry changed building codes like they did. They were able to actually have legislation to change building, Right?

And actually, and you can look at there countless sectors where insurances had that kind of really quite amazing impact. And so I think a lot of government people thought, you know, that's what would happen in cybersecurity. And the reality is maybe it will in another decade, but like, they have to build the models and the in order to do that, they need data. And, and that takes a long time. Right? And it's also not as finite as things in the physical world are. Yeah.

So I think one of the things that actually the cyber insurance industry has been doing has actually been trying to defend themselves from the idea of being regulated because there has been a lot of government interest on the idea of trying to use them in some way and actually trying to force them down some route. Um, and that's why you're seeing now a lot more collaboration between them and a lot more discussion.

Um, the formation of the cyber ACU view was because they were, as you say, they were losing money and, um, they wanted to figure out what better standards or norms might be, but also they wanted to make sure that they, they weren't having the governments leaning on them too much.

Um, so, you know, it's possible that they will turn their light in the direction that you mentioned, um, looking at s uh, MSPs and I think in truth, governments are already looking in that direction, so I don't actually think it requires the cyber insurers to, to, to really be a driving force behind that. Um, but they might recognize that as an opportunity and go after it. Yeah, Ken said it would be nice if we could create our own regulation with teeth like finra.

Yeah, we, we, we could Ken, but we're pretty busy doing tickets. We certainly can't all agree As soon as we empty out our, our boards and queues, man, we are gonna be right on that. Wes, I'm gonna hand it over to you, my friend. Thanks. I appreciate that, Jim. Uh, I'm always asking questions like this one here, just in, in the trail of what Gary had asked, just what you're seeing in the uk.

Are you seeing any sort of like at the, at the government level, any sort of like identification of what an MSP is and any follow on to their approach of potentially regulating an MSP? Yeah, um, I mean, like, as I said, they have this whole idea of digital service providers and, and, um, and they took a bunch of, you know, they got a lot of comments from people saying like, Hey, what's a digital service provider?

And can you be a little bit more clear on exactly what type of entity you're talking about? And so they have, they've done a whole bunch of work to basically like look at what's in that spectrum and figure out how to break it out. I don't think they've actually published that yet, but that, I think it's coming. And I think part of the reason they haven't published it is because they're still on their lines of investigation and inquiry into how they're gonna use it. Right.

But they're, they are very interested in the role of MSPs. Um, they're also very interested in the role of cloud service providers. Okay. Yeah. So I was at, I was, I was in Boise last week and listened to a, uh, like a cyber, uh, attorney speak.

And one of the fo again, follow on to this, one of the things that he said in the states, you know, all the US states have now adopted some kind of like cyber incident reporting requirements, but what's such a mess for them and what compounds a cyber incident drastically is they don't all agree on like what an incident is. There's not clarified language between all of them. And so there's this dubious sort of like approach to Will Florida, uh, constitutes it with this way.

And South Dakota just vaguely talks about it and there's no like precedent at all and there's not really common law between all of this. Right. We, we don't have aligned standards. Yeah. In your experience with the GDPR world, has that sort of standardized some of that in, in, in the EU and the really, the the Yeah. Really across the eu? What are your thoughts on that? Yeah, so I mean, firstly on the, I think there are, I, I switched up sevens and fours.

So there's either 54 or 57 state and territory breach notification laws in the us. Um, and uh, and it took me a while to get my head around that number 'cause I was like, there's only 50 states. Um, but, uh, but, but that's it.

Um, and if you, um, the National Association of State Legislatures, um, website has a really good section where you can look at all of them basically, um, and just not to be like a little miss pedantic, but there's a difference between a breach notification regulation and a cyber incident reporting regulation. And these are breach notification regulation re uh, regulations.

So what that means is if you have a data breach and the data breach involves personally identifiable information above a certain threshold of, um, individuals impacted, then there are requirements for notification to those individuals and also normally to the state Attorney general. And while there are 54 of them, or possibly 57, who could say, um, they do actually have quite a lot of common ground. Um, it, they normally do have this like threshold.

The threshold is normally a sort of relatively equitable number. Somewhere in the 2,500 to three, 3000 kind of, um, individuals level. There is normally a sort of requirement around things like, you know, the types of notification and also the notification to the state attorney general. Um, there is normally also like some sort of carve out for if the data is, um, encrypted to a reasonable standard. Um, but you are completely on the money to say that they are, they are a little bit different.

And that nuance is the kicker and it is what keeps, um, you know, plenty of attorneys in business. Um, because if you have an incident and you do business across the us, navigating that as a pain for sure. And then on top of that, you've also got sector relevant stuff. So you've got, um, GBLA, for example, if you're in the financial services sector that has its own set of recommendations or, or not recommendations. Recommendations, sounds very fuzzy and warm really doesn't it requirements.

Um, and uh, and then there's, you know, multiple other ones in other sectors. Um, GDPR, uh, the problem with GDPR is the language is vague, right? And so it's like, this is the criticism GDPR gets is that it seems kind of open to interpretation and sometimes that really comes down to which, um, DPA or data protection authority you are working with. The basic rule of thumb is that you have to notify if the data taken could be used to cause harm.

Well, there's no room at all for misinterpretation in, in that is there. Um, and, and similarly, you know, GDPR has this whole thing of like, you have to have, um, appropriate levels of security for, you know, to, to protect your customers. And it's not prescriptive, and I completely get why it's not prescriptive. How on earth could you keep something that is prescriptive up to date is the theory that people have. Um, and I think there are ways that you can manage that in, in legislation.

You can, you know, you, you can have, you can have mechanisms for it. Um, but the, the, that's the biggest criticism they get. And there is talk that the EU is going to revisit GDPR and we'll do an update to it and we'll look at sort of maybe addressing some of these issues, whether that will happen or not. I dunno who could say. Um, but certainly like those are the criticisms that GDPR has. What I think GDPR did exceptionally well is it raised the profile and the awareness, right?

Every company in Europe, regardless of size or sector, is impacted. If you are dealing with, you know, data to do with EU persons, you are impacted and they pushed so much awareness and education around it that everybody's aware of it. And so I think that upleveled a conversation or for, or created a conversation that just didn't exist in certain areas and pockets at all. And so I think it's been very effective from that point of view.

Um, I mean, and, and yes, even companies in the US are impacted by it and have heard of it. And so, you know, that creates, uh, an impact that like the California state, um, you know, C-C-P-C-C-P-A-C CPAs, um, that, that isn't, that hasn't necessarily been achieved just by, by California having a thing. Um, yeah, sorry, uh, again, the brain fog is, is annoying. Um, so yeah. Yeah. Okay. Uh, yeah, it's, it's, um, that's great commentary because we have our work cut out for us for sure.

With, with unifying an approach to all of this. Um, it's gonna take a long time. It just, it's Well, and I mean, you know, the, the state versus federal thing is a really hard thing in the US and there's been a push for there to be a cyber hygiene, a federal cyber hygiene requirement. There's been a push for there to be a federal cyber incident report, uh, requirement. And it's worth noting that CCIA would only impact critical infrastructure.

Now, admittedly, the US has 16 different critical infrastructure sectors. It's quite broad, but it's still only critical infrastructure, right? It's not, it's not broad for everybody. So it is, it's worth noting that even the efforts that are happening, like Australia already passed one, right? A report, a cyber incident reporting, again, just for critical infrastructure, which I think is absolutely the right place to start. But then where do we go from there?

And will we see it go broader over time? So last question for you. Um, I want to bring this home to ransomware task force. So how, how or where does, does the RTF help for someone that's wanting to get across and start working on adopting the blueprint for ransomware defense? Do you have help place like resources? And, and Wes, can I add to that Jen, too, as you answer this?

'cause the MSPs on the call, when I look at that ransomware, the, you know, the defense blueprint to me it's like, you know, Wes has done this and a lot of the MSPs like lunch and learns. Like, to me, that's a really nicely laid out document. So how did they get involved to kind of, to Wes' point? Yeah, I will say in cybersecurity, I think the biggest problem that we face is how you drive adoption.

You know, it's, it's actually, in many ways, it's much easier to build a thing than it is drive adoption. Oh, that's shocking. I know, right? Well, who the thunk. Um, and the, and you know, the reality is people have too many demands on their time and they hit pummeled by too much noise. Um, I think that this is a, an example of, of where we will find the same challenge, right?

And, and so like, what I would love to see is I would love to see small business entities, you know, those entities that sort of represent small businesses and communicate with small businesses regularly. So people like, um, regional chambers of commerce or the, and I'm gonna get this wrong, between the UK one and the US one, the small business administration, is that the US one or the UK one? The US one, yeah.

So I would love to see like those kinds of entities engaging on this and trying to help drive a little bit more awareness and doing those lunch and learns or doing, you know, exercises or, or, or whatever. Um, CISA has the blueprint on their website, which I think is great and is looking at ways that they can help, particularly in the organizations that they have a roommate to help, I think, you know, can Isec do more? Um, but again, SMBs really members of isec. No. Yeah, exactly.

So I think it's really hard to reach into those communities and I think this is something that CIS has done really, really well, has driven that sort of awareness piece around critical, uh, controls for a long time. So you guys know firsthand how bloom and hard that is. Um, and I think you're doing a really good job job of banging the drum on the blueprint stuff.

And I think the RTF is trying to do the same thing, but the reality is the RTF is really much more of an entity that is designed to bring together points of view so that we can harness that experience that people have and that expertise that they have so that we can put out advocacy things rather than necessarily having reach to drive adoption of a thing. Right? I, I just, I think that's not, 'cause the RTF is a volunteer effort of, of volunteers all from different entities.

It's, it's not really gonna be the organization that is driving capacity building. And so, you know, the question that I've had for the US government and not just the US government, the UK government, various governments, is what are they doing to invest in building capacity for SMBs and those below the cybersecurity poverty line? Because that's gonna be an enduring problem. And ultimately for the economy's sake, they need to solve it.

I I just have to be a little sarcastic when you ask that question rhetorically, Jen, and it's, it's of course the n uh, small business corner for, Hmm. That Was, I, I spent, and the reason I have a little bit of a, a grudge there is I spent three years I went to Gaithersburg at the N-C-C-O-E. We took 14 MSPs there, spent tons of time and the whole project was shelved. And that's our government's answer is here's a website with a little bit of stuff too. 99% of all small businesses.

So that's how I, I would like To, I would like to make one commentary. I I think Jen is absolutely right and what the RTF is trying to do. Um, uh, you know, we are, we are going to like have these webinars starting in October to Oh, good. To kind of these help webinars and then you'll be able to replay those. But we are trying to, I think which is, um, equally important is, um, try to get government on the same page.

You know, we worked with cis, a hey, let's not have different guidance, please, SSA don't have your own framework. Just use this framework, right? Yeah. Like, Jen, so poignantly, poignantly said in the beginning, do we need another paper that says patch? Do we need another da? We need, what we do need is everyone to point to the same thing, right? Yeah. So that everyone is getting the same messaging and the same guidance, um, so that there is no confusion.

Um, because the problem is every sector, every vendor, everybody, like Jen said, has a report. Yeah. Everyone has top five, top 10. And so what is it that we can do, um, to be consistent in our messaging, um, with, with that.

And so I think that's so important and the RTF is trying to, to do that, um, through the different tentacles that everyone on the RTF actually has Tentacles 10, those, you know, and I'll, so I know we're at the top of the hour, so a few things, uh, Phyllis, Jen Ann asked you a question. Phyllis, I wanna thank you again for all your involvement in the MSP, which is, you know, obviously the legs or tentacles to SMB. Um, Jen, wonderful having you on with us. I really appreciate you taking time.

I know it's late there for you. Um, but it was awesome having you with us. Thank you very much. Yeah, absolutely. Wes, always great to see you back from Boise. And, and Gary, any kind of wrapping things up as you always do here? No, I think we uh, we set it all. Yeah. Okay bud. Alright, everybody, look forward to seeing you all next Monday. Until then, make it a great day, everyone. Take care Everyone. Thanks Jen. Thanks everyone. Thank you. Thanks Very much.

Related Videos