
Who's Next? Inside Cybercrime--the World's Most Profitable Business
Season 29 Episode 4 | 56m 46s
Join the City Club as we explore the current cyber threat landscape and learn about the threat actor’s tactics, techniques, and procedures with leading experts in the industry.
The City Club Forum is a local public television program presented by Ideastream

Production and distribution of City Club forums and Ideastream Public Media are made possible by PNC and the United Black Fund of Greater Cleveland, Inc.
Good afternoon and welcome to the City Club of Cleveland, where we are devoted to creating conversations of consequence to help democracy thrive.
It's Friday, July 26th.
And I'm Michelle Tomallo, one of the co-founders of Fit Technologies.
Fit is a proud new corporate member, and I have been a city club member for decades.
And I'm also delighted to be a guardian of free speech that Dan mentioned, working with the staff and hopefully many of you to ensure that we can continue that.
The City Club hosts these conversations of consequence for generations to come.
So I invite you all to join us in those efforts.
And as Dan said, we're very close to this amazing goal.
And so hope that you will join us in that.
So back to our regularly scheduled program.
Fit Technologies is an IT services provider that works with our clients to manage their entire tech environment.
That could be everything from help desk to onsite field support, to cloud and network services, to strategic I.T. consulting, as well as cybersecurity.
So it's why today's conversation is so important, and it's top of mind for our team every day, some of whom are here with us today.
Today, we're going to focus on cyber crime.
And as you know, much of our daily lives now live in the digital realm.
So protecting our sensitive information from unauthorized access, theft and hacking has never been more important.
And still, every month, major corporations, school districts, health systems and even municipalities, as Dan also mentioned, have become targets to increasingly sophisticated cyber threats.
This puts not only our personal information at risk, but also raises questions about the significant economic impact as well as national security.
What trends do we need to be aware of in cyber crime?
And what actionable insights can help safeguard our digital realm?
These questions and more will be answered as we hear from the group of industry experts.
Joining us today is Chris Prewitt, chief technology officer at Inversion six.
Steve Stransky, partner at Thompson Hine.
And Jess Walpole, chief technology officer at Fortress Security Risk Management.
Today's session will be moderated by Jeff St. Clair, the midday host at Ideastream Public Media.
If you have questions for our speakers, as Dan shared, you can text it to 3305415794.
And to repeat that for our listeners.
3305415794.
And our city club staff will try to work those into the second half of the program.
So members and friends of the City Club of Cleveland, please join me in welcoming our guests.
Thanks, Michelle, and thank you, everyone, here for this city club forum.
Before I started researching this topic, I really didn't think much about, you know, cyber risk.
Now I'm scared.
You know, every email, anything that you get, any email, text could be someone trying to extort you or your company.
You know, this is a risk we all face in this age.
Last year, cyber criminals extracted $1.1 billion from victims worldwide.
Experts predict this will grow exponentially over the next few years.
Cyber criminals are attacking hospitals, schools, city governments, private businesses.
Recently, an attack on car dealer inventory software company CDK shut down computers to 15,000 new car dealerships across the US, including here in northeast Ohio.
Service at the city of Columbus is currently curtailed one week after a cyber attack hit that city.
They're not talking much about that, but they did say it was someone in the city who clicked on an email that launched this whole thing.
Last month, the city of Cleveland was closed for a couple of weeks after a ransomware attack.
Chris Prewitt was part of the cavalry response.
You know, they called in the heroes from the Ohio Cyber Reserve.
Chris led that response.
What can you tell us about what happened and what we need to do to prevent that sort of thing?
Yeah.
So, you know, first, just a little background.
I got a day job Monday through Friday, CTO of a cybersecurity company.
But in 2017, 2018, Governor DeWine put into law creating an organization called the Ohio Cyber Reserve.
It's essentially a volunteer firefighter force for cyber incidents.
I've been a member now almost three years.
I run the northern region, Cleveland region.
Three regions in the state: Cleveland, Columbus, Cincinnati.
We have three missions: educate, assist and respond.
Assist is really kind of left of incident, you know, prior to trying to get school districts, cities to improve their security standing so that they don't have an issue.
And then the response is really right of incident.
And that's where the city had an issue, had reached out through a one foresman to Department of Homeland Security, CISA.
And that went to the state of Ohio.
State of Ohio contacted the Cyber Reserve to see if we had members who were able to help.
We that day came on site, had a kind of a SWAT team of individuals who were there to learn what was going on, how big was the impact and begin to investigate.
The next morning we had about 15 people, all volunteers, who have stepped away from their job, their families for about six days to assist in the process.
So, you know, the details are what they are at this point.
We are going through a process of investigation still.
The Cyber Reserve is kind of finished, but the city is kind of going through the investigation part of it before they come out with all of the information on what had happened, who the threat actors were, how much the ransom was.
But really, it's been a great story to be associated with and to tell.
You know, the city of Atlanta, the city of Dallas, the city of Baltimore, large cities have all experienced similar issues and been down for a month or longer.
The city of Cleveland was back up and operational in 11 days.
Being able to serve the public and that kind of thing is why we do what we do.
Why the volunteers were there to assist.
Steve, I want to talk to you a bit about this.
Chris mentioned that there was a ransom issued.
I guess we don't have details.
He's not at liberty to talk about this.
And hopefully we'll get some of the details of what information was compromised in Cleveland.
But part of your job is negotiating with these ransomware people.
You know, tell us what that's like, what you know, how do you negotiate with these criminals?
And, you know, what can we expect?
Certainly.
So just as background, Thompson Hine generally represents corporations who are subject to a data breach or ransomware attack.
And when a threat actor has an intrusion into a company's I.T. environment and they encrypt their data, they would leave a ransom note.
This says, this is how you can get a hole.
Cut out of like a magazine.
It's a screenshot that appears on a lot of different screens that when your workers try to log in and it's a link to a Tor browser, basically a platform on the darknet that is owned and.
Operated tor.
By the threat actor.
Yes.
And ideally, you don't want to negotiate with the threat actor. It's not a good experience.
The reason you negotiate with them is primarily for five reasons or three or four or five, depending on how you're looking at it.
The first is to get a decryption key.
Right.
So if the threat actor has encrypted your environment, it prevents you from engaging in operations.
And that's where Chris and Jess come in and try to get you operational again without having to pay millions of dollars in order to get that decryption key.
A lot of times these threat actors, they steal your data too.
Particularly they're looking for sensitive information, personal data on your employees, maybe confidential proprietary information, trade secrets, and they will steal that from you.
And so you're paying not just for the decryption key.
Now you're also paying for them to return your data to you or alternatively destroying that data and giving you a proof of deletion.
Right?
That they would take screenshots of them deleting your data, which we know they don't really do, but they'll argue that they do.
And then you'll also get as part of these negotiations, you'll also get usually a security report from them.
A lot of these threat actors, they consider themselves to be consultants who are doing you a favor.
Right.
They're actually they encrypted your environment and they're going to tell you how they did it so it doesn't happen again.
And they'll get a security report describing how they intruded into your government, whether it is a business email compromise, stolen credentials, things like that.
And then last, you want a commitment of confidentiality that they will not disclose this incident.
They will not make it public.
Public excuse me that your company's name will not show up on their leak site in any way.
So that's what you're paying for when negotiating with the threat actors.
Again, it's all done usually on a chat site in which you write a message to them about how much you're willing to pay.
They counter their offer.
It's usually done through poor translations in Russian and Mandarin, but it's just a back and forth negotiation on what the client's willing to pay in order to get these assets back, to get the decryption, to get the confidentiality.
I was surprised how much ransom money is paid in these negotiations.
Around an average of half a million dollars.
Yeah, absolutely.
I mean, the price is constantly going up.
We obviously the idea to not pay the ransom is when you don't need a decryption key, you're not paying for the ransom.
Whether or not you're going to pay a ransom in order to get a commitment of confidentiality or proof of them destroying the data that was in your custody and control, those become really difficult issues for companies who are subject to a ransomware, because once the data has already been stolen, you've triggered a lot of legal obligations to reporting to maybe the SEC, to regulatory authorities, to state attorney generals.
So really the only reason for paying a ransom after you triggered your legal obligations is for moral purposes, customer relations purposes, to kind of show individuals, your customers or employees that you've taken every step possible to minimize risk to them by paying millions of dollars to have the threat actors delete the data.
And I'm sure Chris and Jess have thoughts on this, too, but we really see that when there is a ransom paid, that threat actors generally do not attack you again, do not engage in extortion and do not leak your data or try to sell it on the darknet.
We would hope. For example, the software company CDK paid $25 million in the recent ransomware attack. Jess, the city of Columbus has told people that their current cyber incident was caused by one of their employees clicking on an email.
How common is this?
How vulnerable are businesses and individuals and what can we do about it?
Yes, just give a little background on myself.
So Jess Walpole, the CTO of Fortress Security Management, we are similar in nature.
Luckily, we all know each other very well.
So we do a lot of risk management activities as it pertains to cyber and helping in more preventive aspects of things.
But we focus also on getting organizations back up and functional after they've had these types of incidents.
I think what's most interesting is this although it may take 11 weeks or 11 days to get the city of Cleveland back up, they will still be focusing on this for six to 8 to 12 months because of the impact associated with it across the organization.
And yes, most of these types of issues come in through an email compromise or some sort of nature.
It's about 90% today.
So I think it's amazing that we focused so much energy on protecting our perimeter around our organization, whether that's in cloud or hybrid or getting into more of that traditional aspects of fun things on prem.
But still, a matter of the weakest link comes down to human behavior and our eagerness to respond to things and be helpful in a lot of cases.
And that's what I think we have to make sure that we're aware of, that these threat actors are definitely trying to take advantage of that emotional aspect of how we respond.
What's the acronym of the problem between the chair and the keyboard?
It's the PEBKAC or whatever?
Do you think companies really need to spend more time educating employees about this risk?
I do.
And I think it's interesting that we're starting to see even insurance firms are asking more questions around that.
So what traditionally was you did an education awareness program once in October because that's Education Awareness Month.
It's really become more of a situation of you've got to start sprinkling that in through really the fabric of the organizations that they understand how this is part of your critical nature as part of your safety of the organization.
Now, I think most recommendations are that you need to be doing some sort of phishing attempt exercise at least once a month.
We do it once every two weeks just because we want to make sure that we're hypersensitive and thinking of these types of things.
Additionally, I think a sense of the matter of understanding the types of individuals you have in your organization and thinking about the seasonality of what's going on in the world as well, and making sure that you're taking those things into consideration as you're educating the members of what they should be looking at, whether it's Christmas or it's getting close to school season, and people are buying a lot of things online that naturally starts getting into more of attacks around FedEx, types of things, Amazon impersonations, and just those aspects that people need to think about.
Yeah, or if the state has launched a new E-ZPass Turnpike.
Yeah, we were talking about that in the green room that, you know, before I came here, I had seen a text basically stating that I needed to go and check my Ohio Turnpike account, and it absolutely was not accurate.
And there's nothing wrong with my E-Z Pass.
And it was trying to take advantage of a situation.
Chris, when Cleveland was attacked, they said it was a cyber gang.
Steve mentioned, you know, these people are speaking Russian or Mandarin.
Do we know who it was who came in in Cleveland?
Yes.
A Russian affiliated ransomware group.
What's the name?
Not at liberty to disclose yet. It's not one of the big ones.
I will say that.
They all have the name black something in black hat, black box black something.
Yeah, yeah, yeah.
And that could be the case.
Okay.
You know, oftentimes and it's interesting because it is an industry, it is a market.
There are a lot of and it may sound crazy to a lot of people.
It's not someone in their parents' basement.
It's not someone, you know, in some far off place kind of working by themselves.
It is an industry. There are ransomware services that you can subscribe to.
So you, for instance, if you wanted to, if you were incredibly busy, you could contract with a call center to support your functions.
If you were looking for a ransomware kit, you can go somewhere else and buy that.
You can buy credentials to get into large organizations.
So it really has become a multi, multi billion dollar industry that is global in nature.
So a lot of times we may say, you know what, maybe this group or that group are Russian affiliated, you know, it is part of a larger ecosystem.
It's not oftentimes two or three or four or five threat actors that are kind of working in conjunction together in the same room.
This is something that has become an incredibly complex solution.
I think earlier this year, one of the LockBit principals was kind of fingered and I think even arrested. Within a couple of months LockBit 3.0 came out.
So there are it continues to function much like a business when a CEO gets ousted or arrested.
Yeah.
I'll go ahead.
Yes, Steve, go ahead.
So the larger threat actors that we deal with like they have silly names, like you said, Black Suit is the one we most often see, and another group called Akira, and LockBit 3.0.
They've had some issues with the FBI and the NSA and the UK intelligence services, but it really is a business in which that part of the business is responsible for actually doing the offensive cyber operation that causes the intrusion into your environment.
And then another part of the business would engage in the negotiations.
That's their specialty.
And then once you get a decryption key, there's another part of their agency that does the Help Desk credit.
The decryption key is not working.
They will try to help you essentially remediate your own environment.
But that part of the organization is different than the one that actually did the threat actor negotiations or the initial intrusion.
So it really is a well-run, well-financed machine from governments and from criminal organizations.
Well, you worked for the Department of Homeland Security for a while and sort of this there's talk recently of creating a new branch of military focused on cyber security.
What do you think about that?
Do we really need a more national stance against this?
So the federal government has so many different agencies involved in cyber security because just the way that we're structured in terms of oversight.
So you have for health care, for example, you have the Health and Human Services organization that provides oversight to the cyber operations, cybersecurity of hospitals and business associates and everybody involved in that.
You have the Department of Treasury and Commerce responsible for more financial related organizations.
CISA focuses more on private sector who don't fall into another regulated column.
And so what I think the government's trying to do is recognize that you have all these different agencies that have different oversight responsibilities and really trying to consolidate that right now that the lead agencies are primarily on the domestic side.
It's going to be the SEC for publicly traded organizations and they're trying to get more involved in this space.
Or do you have seen the Department of Homeland Security to try to be that face between the intelligence community and private sector organizations and the Department of Justice?
From a prosecutorial standpoint?
And as we know in government, the agencies don't always play nice because they're always looking for their own type of funding.
And so trying to create oversight or at least a lead agency to have oversight over all cyber and cyber insurance and services, cyber security operations.
It's logical, but it's very difficult to do.
And I'm not sure we're going to see that.
I think we're just going to see more agencies be stood up and whether or not that's going to lead to a more, you know, conflict within the government, it's probably going to happen.
CISA is the Cybersecurity and Infrastructure Security Agency under Department of Homeland Security.
Jess, what, you know, what do you see in this realm of, I guess, dealing with these, you know, cyber gangs?
But then a lot of this stuff is more domestic risks that we're facing.
Yeah, we've seen even some situations is, as they mentioned about this is a business that you're now seeing interns and apprentices.
So it's very interesting to see that, you know, you've got this group of or this organized crime that it can be at any level.
We recently had a client who actually had a situation where, you know, they absolutely fell victim to a ransomware attack.
And with that, it was definitely a very junior individual who had been given a new zero day type of malware that was asked to just exploit and see what they could take their job.
And here it came.
But it was very interesting to get in and go through the negotiations with that individual.
Clearly didn't understand what he was doing.
And, you know, having those regular dialogs back and forth and different time zones associated with things, too.
So it's to the point very much a business.
And I think that as it is a business and there's version control and they're getting into this much broader aspects of things, every single company has a real business to do, which is not cyber, it is revenue generation that they need to focus on.
So I think it's really interesting that we're seeing so much activity happening from a government standpoint and all these different agencies to try to provide some guidance in these areas.
But it still comes down to basic fundamentals that we need to have inside the organizations, the same structures, the actual frameworks that have been established around protecting organizations really has not materially changed in 20 years.
It's really more of a situation of it's modifying and evolving based off the type of technologies and getting more engaged and understanding what those risk factors are associated with.
I guess it's the cost of doing business as part of your overhead.
As a business, is there a recommended percentage of your, you know, you know, costs that should go into cybersecurity for your average business?
Oh, that's a Gartner question.
Are any of you?
I think what you generally find is that's probably very interesting based off of the type of industry that you're going into.
Industrial manufacturing, generally speaking, is much lower than what you'll see in high tech organizations and financial organizations specifically, I think there's still some room to be made, and most organizations in this aspect, I don't think that everything that is required is actually needs to have a dollar figure associated with it too.
There are some basic fundamentals that can be done without spending a dime, and that's where I think we think throwing money at it is going to fix it, bringing on individuals to help in the conversation and understand the risk factors of the organization and then developing an actual program is much more beneficial than just going and buying the latest and greatest technology.
I'll just follow up on that point, too, that it's becoming much more difficult to get cyber insurance these days because as Jess mentioned, the carriers are scrutinizing the technical and administrative physical security controls that organizations have and really looking at the risk before doing it, before going through the underwriting process and guaranteeing a company five, ten or $15 million in cyber insurance, which could go out the window in 24 hours through a negotiation.
So it is becoming much more difficult and much more expensive, too.
But that's just another cost that businesses have to incur just by doing business today.
A lot of businesses thought they were safe when they had CrowdStrike as their vendor.
Right?
Eight and a half million or however many computers wiped out still.
You know, a lot of companies trying to deal with that.
Delta Airlines famously having a problem.
So even if you think you have it solved, there can still be problems, right, Chris?
Yeah, and I think a bit of that's nature of technology, right?
You know, things don't always go the way we expect.
Things break in the middle of the night on weekends, you know, laptops break, you know, when we need them the most.
You know, it is the unfortunate part about being so tied to digital infrastructure, right.
You know, when you think about your company or the organization you work at, you know, imagine going there on any given Wednesday or Thursday in the morning and none of the technology works.
How do you do your job?
Right.
Can you communicate to suppliers, partners, customers?
Probably not.
Can you build your widget?
Can you put it in a box?
Can you ship it?
Can you invoice?
Can you collect cash?
Can you make payroll?
Right.
The dependence on technology is incredibly great personally and as an employee, as an employer.
And a lot of times we just don't really anticipate some of the risks where if this thing breaks and takes all of this infrastructure down, what do we do?
A lot of cybersecurity is really turned to how do you respond to these types of things?
Right.
Are you prepared, are you organized and are you disciplined enough to be able to know what to do?
You know who to call?
Do you know how to respond?
You know who your partners are.
Do you have this information right?
Are you going to be able to call Jess and have her fly out their incident response team?
Do you know that one of your first calls should be to your attorney?
You may have an in-house counsel.
Are they a cybersecurity expert?
Unlikely.
Do they have contacts like Steve that they occasionally get to go play golf with?
Right.
There are an entirety of relationships that you should be aware of and kind of thoughtful on.
Right.
Most organizations are kind of thinking informally about these, you know, could happen to us.
It happened to CDK, it happened in CrowdStrike.
These things happen.
What are you going to do on that fateful day?
I want to throw this question out to all of you and see what you think about it.
But when it comes to being the target of cyber crime for any business or individual, is it a matter of if or is it a matter of when is it going to happen?
Are we all going to face this?
It's a matter of when.
I mean, it really is.
It may not be so much that you're going to be a target due to the fact that you don't house a tremendous amount of privacy information or you may not have a bunch of secrets that are or require the Russia or China is interest to them.
But everybody is after a dollar and everybody has an opportunity to have a business email compromise of some sort.
So even if you have all these great tools and technologies inside of your environment, like CrowdStrike, for example, or SentinelOne or multifactor authentication or any of those types of situations, those are just helping to reduce the attack vector that can actually occur and how widespread it's actually going to happen, versus a business email compromise attack can easily happen by any one individual and just taking advantage of somebody because they may have the ability to make a change in a payroll system or in accounts payable system or even a purchasing aspect, and cause something to be shipped someplace that wasn't intended or funds being diverted in a way that wasn't intended as well.
Steve, what do you tell your clients?
It's just a quick story that we were dealing with.
Two separate clients in one week were both subject to a LockBit 3.0 attack. One was a dentistry in New York that had four dentists and two staff.
Six-person shop, and LockBit 3.0, one of the largest cybersecurity threat actors in the world, targeted this organization.
The same week I had a client who's a $6 billion revenue global manufacturer was also taken down by LockBit 3.0 it tells.
I am not familiar with that LockBit 3.0.
It's just a threat actor organization that was I think roughly affiliated with the Russian government.
And they're taking on dentist offices.
They were so and we're not sure why this F because they were recently their operations were hindered by an FBI, NSA and international community law enforcement operations and but that impact they still are operational they still have the ability to engage in offensive operations against you, against our clients, against your companies.
And so it's not just that.
It's not a matter of if, it's when.
And I'm actually surprised when somebody hasn't been hit by a cyber attack yet.
And maybe they just don't know that they have.
So what we say to the clients is get a hold of Jess, get a hold of Chris, focus on your administrator, your technical, physical, administrative, security controls and test what you're doing.
Right.
Nothing is like going through a real event, but the closest you can get to it, doing a tabletop exercise as if your company was subject to a data breach really helps you prepare for what those difficult conversations are going to be like after the incident.
Those conversations, not just internally with your employees, but externally with your customers and your clients.
The regulatory authorities there practicing that on for that unfortunate day in which you will be subject to a cyber incident is really important.
And I think for you know, that for those that think like, you know, not my company, we're not big enough.
Six people, dentist office $6 billion a year company and why right.
It's a matter of crimes of opportunity.
I would likely even say the it would be my guess, you know, just working in this industry for as long as I have the $6 billion a year company also kind of offer to a crime of opportunity where wrong place, wrong time, right attack vector.
Somebody clicked on a link, something happened and bang very they walk through the front door, you know, and that response side kind of the discipline that Steve was talking about with tabletop exercises and and being prepared for when it happens, not if it happens is incredibly important.
Right.
And when I talked to Mayor Bibb and his administration said, you know, it's really about, you know, how are you going to respond to this?
Right.
Are you I'm going to kind of rush through an investigation to get things back up and operational.
Are you going to let the investigation ensue?
You know, and it's incredibly important to just allow the process to happen, as much pressure as there is to kind of return to normal. That timeframe that Jess talked about, that, you know, six months, nine months, 12 months, you know, it's a bit of trauma, right?
Something bad happened in the organization.
They are forever going to be changed.
You know, I, I, you know, the mayor and his team, you know, incredible leadership behind the scenes.
You know, supporting what needed to be done, you know, to allow recovery to happen, you know, not kind of stomping all over evidence.
But those are the important things that you need to be disciplined for.
You need to be prepared for and respond appropriately.
You need to be thoughtful about when that day occurs.
Well, I want to turn things over to you, the audience right now for our Q&A session.
We have a live stream and radio audience on WSU.
I'm Jeff Sinclair, midday host at Ideastream and moderator for today's conversation.
And we are taking an exclusive in-depth look at the cyber threat landscape.
And once again, joining.
Joining me on stage, Chris Prewitt is chief technology officer at Inversion six.
Steve Stransky, a partner at Thompson Hine, and Jess Walpole, the chief technology officer at Fortress Security Risk Management.
We welcome questions from all of you, City Club members, guests and those joining us at City Club dot org or on the radio, 89.7 WKSU. If you'd like to text a question, you can text it to 330541 5790 4541 5794. City Club staff will try to work it into the program.
And we have our first question.
Yes, what is a few pieces of advice?
So this an individual doesn't get hacked in your own personal computer or smartphone at a company, just an individual person to prevent being hacked?
Yeah.
You know, I I've used this analogy for more than a decade, and it's really fitting to protect your own home.
What do you do?
Right.
You don't need armed guards.
You don't need a SWAT team that sits in your yard overnight.
It really amounts to discipline and consistency.
Can you shut your doors and windows every night?
Not six nights a week, not three nights a week.
Every night, right.
Can you put your car in the garage?
Close your garage door.
It is the simple things.
It's this discipline.
It's doing the things that may not cost a lot of money because it's opportunities of crime.
One of your neighbors is going to leave their car in the driveway with the keys in it.
So in order.
Right.
And this doesn't mean a nation state threat actor can't get into my home.
Right.
And this is where a kind of compensating controls come in.
You know, in my monitoring for things, too, I have, you know, cameras to see comings and goings and be able to kind of alert police on what happened.
It's incredibly familiar to think about like how to protect yourself, your organization.
It's doing the simple things.
It's, you know, when you get a pop up on your phone to update applications or update your Apple iOS or Android phones, the I am a green daughter.
I've got an Android, but it's it's doing those simple things that you don't want to take the time to do.
Uninstalling applications that you no longer need, not being too hasty in clicking on links or seeing emails.
Taking a pause to look at this and analyze it.
I don't have an E-ZPass.
Why am I going to click on this link?
And maybe I should let my wife know if she gets something.
We don't have an E-ZPass and she should not click on this link.
Right?
It's going that extra step, but doing the small things routinely and in a short timeframe.
I think it's also a matter of your point just being cautious.
But if you're not expecting something from somebody, then it probably isn't real.
Right?
I think a lot of times that we have this tendency that we get and it happens a lot.
I mean, I think I feel like I'm always help desk support for my family, for my parents, working through those aspects.
Why did I get this?
Because it just happens like you're going to get a bunch of spam, you're going to get a bunch of things coming into your inbox.
You don't need to respond to probably 95% of the stuff that you actually get.
It's just that need.
It's that mentality that we have today of, I got something I've got to be responsive, associated with it.
Now just take that time to expect whether it's really something real for you.
And if it is, then respond appropriate with it.
If it's not, then ignore it.
One of the easiest things you can do is don't reuse your password.
Right, whatever your password is for your bank.
Make sure that's not your password to get into your email.
Make sure that's not the same password used to log into your work account.
You could just go to, you know, there's websites available.
Have I Been Pwned and things like that where you could put in your email address and see how many times that email has been compromised.
Let's say that again.
It's, I think it's called Have I Been.
Pwned.
That.
Same.
P-W-N-E-D?
They spell it a little weird and it will tell you how many times that email address that you insert into that platform has been compromised and and what different leaks.
And so you could put it in, I'm sure it'll come up a lot, and just make sure that, because the threat actors will go to those leak sites and try to associate that email address their password with you, with your business, with your corporation, your VPN, your remote access.
And that's what causes a lot of problems for us.
My defense has always been, I don't have anything worth stealing.
I guess I keep thinking that, you know, like, what's my identity worth?
But I suppose eventually everyone's identity will be.
Your email account's your gateway into everything.
Right?
Could they find your email account?
Could I withdraw from your 401(k)? Could I get to reset your bank's password?
Oh, yeah.
Right.
Okay, now everyone on the radio knows that.
Okay, next question.
Yeah, right.
I'll be busy.
I read an article, said that the chances of being a bad, bad guy who gets caught doing this are something like one in 2000.
Do you see any reason for hope that the tide might be turning law enforcement getting a better, better handle on things or companies somehow becoming more aware and focused on the problem?
I mean, that's seems like a losing battle.
In a word, no. Right.
You know, there are a lot of countries that don't extradite.
You know, I think Russia in and of itself is fairly interesting.
A lot of Eastern European countries that choose not to extradite look the other way.
And if you're the Russian government, why would you look the other way?
Well, maybe you go to war with a neighboring nation state and you need some digital mercenaries that you are going to tap on the shoulder and say, come with us, we want to shut down power systems in the middle of January.
That affects 600 apartment buildings.
Right.
So these are essentially mercenaries who are left to do what they do in their free time.
And occasionally the government may need to utilize them for government type operations.
Many governments operate like this around the globe and it's, you know, kind of a matter of how things are.
I would frankly believe one in 2000 might be low.
You know, there are a lot of a lot of individuals that are fingered or identified as being an issue and nothing ever happens to them.
Yeah, right.
I'll say that every year the director of national intelligence with the intelligence czar of the US government, they release an unclassified report called Global Threats to the United States.
And in that report they identify all the cybersecurity threats that businesses, individuals, the government is facing, and they name the four, the top four actors every single time: Russia, China, Iran and North Korea.
The United States government, we know who's behind these cyber operations, but what's the how to resolve it?
Right.
We can't resolve it through prosecutorial reasons for the reasons that Chris said.
Right.
We're not going to be able to extradite individuals who are actually responsible for the day to day cyber operations.
We're not going to escalate operations through military response.
So then you're left with sanctions and diplomacy.
And the international community has certainly gotten better at those, too, but not to the extent that has deterred really any significant cyber operations.
I'll say that the one time I think we did see a decline, that was back in 2015, 2016, in which the Obama administration was negotiating a treaty, essentially executive agreement with the Chinese government in order to limit cyber operations.
And the director of national intelligence the year after issued a report saying that they did see a decline in offensive cyber operations that were intended to steal intellectual property from companies based on this international agreement between the two governments.
But then you had change in administrations, change of approaches, Chinese, obviously their interest changed at the same time.
So there's a lot of factors that go into whether or not we're going to see a deterrent effect in the future.
But I'm with Chris that I'm not optimistic that it's going to actually occur.
Well, it's a multitrillion dollar business, right.
So, I mean, if we think about the fact as a multitrillion dollar business that continues to grow, it's going to be impossible really to get it to a point that you're going to be able to thwart, that it's going to it's going to take way more activity of dedicated resources inside of the space.
So that's why I think it is interesting to see what governments are doing.
But those governments are here in the United States.
That's not a NATO activity.
That's not getting into a global aspect of it.
And so I think the geopolitical aspect of this is very interesting.
I think, you know, just to add on to that, attribution, incredibly hard.
You know, the it may look like it's coming from a grandmother's computer in Michigan.
It could look like it's coming from, you know, some public state school in Kentucky.
You never know where these things are really emanating from, two, three channels down the line either.
By the way, just being involved in the local I.T. community, you guys are definitely as leaders.
So it's really been great to have you guys join us here.
Got to hear you speak.
My question goes to kind of what what Steve mentioned about when you're negotiating with some of these threat actors and some of the things that they they help you with or give you, you know, like proof of deletion and things like that.
Maybe those are things that just help you feel better.
But are there any real remediation that you can do if you've been attacked, like from the inside to ensure that you know, that stuff that that.
It's very difficult, right?
So the only way that you could guarantee that the data that was stolen from you was essentially deleted and removed and the threat actor was to do it yourself.
Right, or have actual be a part of their organization in which you can verify it.
And that doesn't really happen.
The only time that happens is if you get involved with law enforcement and they are already planning an offensive cyber operation against one of these threat actors.
Just to be clear, though, even if you would like to do that, right, if you would like to launch your own cyber operation against Blackbeard or Black Basta or Black Suit, that's a crime too.
So not only is your company, you're a victim of a crime because a third party has infiltrated your IT environment that violates the Computer Fraud and Abuse Act, Stored Communications Act, a lot of state laws, if that's a crime.
And then to do that, back to the threat actor, even though it's your data, it's still a crime under U.S. law.
So the FBI has been very strong in encouraging companies not to do this, not to hack back, because they're afraid of creating the Wild West in which Microsoft and large U.S. corporations certainly have the technical capabilities to hack back.
Right.
And then once they start selling that to companies as a method to help guarantee that their data has been deleted, again, we're going to end up in the Wild West there.
So the commitments again to confidentiality, the commitments, the deletion of your data by the threat actor, they make you feel good, the things that we could.
But again, we also have metrics supporting the fact that the threat actors aren't misusing the data after you pay them $20 million, $5 billion, whatever it may be.
So we do have that, I would say analytical evidence to support that the data being making those commitments does provide some guarantees.
Your company and without paying, you know I think it it can be difficult.
Right.
You may be able to have some kind of intelligence.
That data was harvested or taken out of your environment.
But if all of your systems are encrypted, maybe you're able to recover what was taken, what we don't know.
Right.
And if you come out and are trying, you know, in trying to be transparent and say, you know, we you know, this was taken or this definitely wasn't taken and then that data's published.
Well, I meant in this context, right.
It's it's hard to take those words back.
And this is why I think a lot of the big investigations are fairly hush hush on what was taken.
You know, even with paying ransom, you don't know if that data was deleted.
Was it recovered?
Is it going to be found online in a couple of years because someone quit that threat actor group?
You just never know.
You don't you don't have high confidence that this isn't going to come back.
So it's an incredibly complex problem.
Paying doesn't necessarily make it go away.
So it's you know, I think the three of us have seen things go sideways, you know, paying or not paying.
And I think I get more concerned about what's still left inside of the environment.
So although you may have gotten back up and functional in 11 days or two weeks or whatever the time is, what confidence do you have that there's not still something resident or, more importantly, that that information has been provided to another threat actor that they're going to take advantage of?
And so I think as we go through these pieces, it's a matter of also just taking in that betterment aspect of now that I've been through this environment, now it's time for me really to get an assessment done over the organization and over the infrastructure to make sure that I don't have any other configuration issues, you know, seeds that need to be addressed, different types of things that just to make sure I'm locking the environment down.
Additionally, I think that you have to start being offensive in the aspect of what potentially could be out leaked of your own personal information, email addresses, those components, because probably in 6 to 8 months you're going to see a higher level of business email compromise attacks or phishing attacks specifically that were going to be coming your way.
It's beneficial to make sure you're educating the employees about what they should expect so that as it's coming back through, they're not going to fall victim to it.
Our question is a text question.
It says, Can you talk about hacking and cyber crime that occurs on social media?
What is the goal for threat actors?
How can we in particular protect our teens and kids who might be on social accounts or hiding accounts like Instagram?
So I told a terrifying story earlier in the green room that this is happening more and more, it's more and more common to hear these types of things.
So about two years ago, a good friend of mine calls me and his stepson, who's senior in high school, about to graduate, about to go to Ohio State.
Someone broke into his Instagram account and he in parallel was catfished and sent some inappropriate photos of himself to someone else.
So now having access to essentially friends and family in the public social media of this young man and pictures, the threat actor had asked for a couple hundred dollars.
Right.
And there have been kids who have committed suicide over this type of thing.
This is very serious.
You know, I, for one, think, you know, phones for kids are terrible.
Social media for kids is awful as well.
You know, hopefully people are doing something about this. But he took some of his own money, didn't tell his parents, paid the threat actor a couple hundred dollars for this to go away. Threat actor came back and said, 200, it's great.
We want 500 more.
Clearly, this problem wasn't going away.
He went to his stepfather, embarrassingly told the story, and thankfully he did.
What I had suggested was regain access to his Instagram account, burn down all of the social media accounts that he has.
The threat actor oftentimes, and you kind of have to put yourself in this mindset of a threat actor.
They're throwing a net in a pond, trying to catch as many fish as they can.
Did they take the opportunity to back up all the names and email addresses and Instagram accounts or other social media accounts that are kind of connected to this young man's account?
No.
So by burning all the social media down, really kind of reduced the value of that picture by itself.
Right?
And I said, burn it all to the ground.
Don't do anything for six, nine, 12 months.
Just wait.
You don't need it.
You may be better off emotionally and anyway.
Right.
And he did just that and the problem went away.
I've had three or four other people contact me about similar situations, maybe not as embarrassing or graphic, but these things happen.
And you know, we need to know how to deal with them and how to prepare.
You know, I think abstinence is often probably the best way, you know, my I am going to go as long as I can without trying to give phones to my kids and social media as long as I can as well.
I think there's good value to that.
I think there's also an aspect of staying on the professional side as well.
So my organization has 51 people inside of it, right?
So if I see a new LinkedIn profile for an administrative assistant to our CEO and I don't know about it, a new hire, there's probably a good aspect of that not being real.
And we see those things pop up all the time inside of organizations and they're trying to figure out the structure of what that organization really looks like.
So you have to start being more conscientious fully aware of even these profiles, as if they're real.
And if you can shut them down, go through that process to actually denote that they're not real, getting them in place.
You know, removing them and ensuring that the organization is aware that there's this new type of aspect out there for you.
And don't use your work email for any personal things that you're involved in.
Right.
What advice do you have for the non cyber or I.T. savvy folks in them that is trying to run their business?
Where do I invest?
How do I make cyber quarterly investment to help mitigate the risk associated with a ransomware event?
Thank you.
Yeah.
So Chris and I both had the luxury of working in corporate America, and return on investment was always a great question.
As it became to I.T. and cybersecurity risk mitigation activities, I think there's always a great opportunity that as you're looking at your organization, you're starting to invest in technology in whatever form or fashion it is that you have to take the principles that you're baking in that security that on the onset.
And I think there's a huge opportunity, or at least I've seen that there's been huge opportunity.
And as you go through and you're making those investments in technologies, whether it's every three years or five years or seven years, that you're always thinking about incorporating what's new in that technology that brings on new security functionality.
And I think that's the beauty of what we're seeing with all these technology solutions today, is they all have something that you can add to the mix.
Now, does that mean that you're going to be able to bring on an EDR solution immediately?
Because the fact that you made the decision to go with Microsoft product solution set or your decision to go with something else, no, you have to make that decision.
Those are generally speaking, higher term investments that are required.
But I think this gets into more of a fashion of trying to figure out how you do it in the most cost effective manner and looking at where you may want to partner with other organizations to make it the most cost effective way.
It's not always the best thing to bring it inside of the organization because you may not have the manpower, the resources also to do it.
So working with organizations to figure out the most optimal aspect of your panel obviously gets in that.
But there is an investment required.
And I think the question just becomes, I think we're seeing more of this happening as the insurance requirements continue to grow.
It's going to be more of an aspect.
This is a bench level that you have to have in place in order to even get that additional risk mitigation factor.
I'll just say that we're very fortunate in Cleveland to have organizations like Inversion6 and Fortress.
When people think about I.T. security and larger corporations, they're always thinking about the big players.
Like we mentioned, CrowdStrike, Palo Alto, a Unit 42 that they have, the Secureworks is another one.
All these California based tech organizations that cost a ton of money.
But you have great resources here in Cleveland with these two organizations here with Fortress and PC in four, Inversion6.
And so they take advantage of the Midwest cost effectiveness of using these great cybersecurity resources here.
I think for a lot of business owners, they may think like, you know, a security officer or a security function cost center, right.
I hope to see the kind of environment changing a little bit where it's not just a an AI function, it's not just a security function, but more of a risk management function inside of a company.
You know, I talked about all the business processes that are impacted through digital, having a risk officer or someone responsible for risk, whether it's, you know, finance or I.T. or hiring or this or that, you know, I think is important.
And having someone that kind of understands digital risks, right?
They could be a security officer taking over a broader function across the business of, you know, what is what does it look like if we don't come out with new products?
What does it look like if we, you know, get get sued about some intellectual property or trademark someone who has a broader risk view and understanding while our reliance on it is important, not necessarily how do we manage a firewall or this or that, but really broadly speaking, about our business, how it's operating.
So yeah, Chris and I always have this great debate of whether Starbucks is a coffee company or a technology company.
When one of us still says.
And I think that he may be swaying me slightly because I think as we're starting to see, more and more organizations are getting into embedding technology into their product and service offerings, then it becomes more of a question of what do you need to do?
So even with the introduction of age of AI and the different aspects, it's interesting that we get a lot more clients are asking those questions of What do I need to do to protect my data?
Which we should have been asking that question for decades.
But what do I need to do to protect my data?
And nine times out of ten, again, you have to go back and say, well, they're cyber security technologies.
Investments require to really think about this.
But it generally comes back to having a good governance risk and compliance program and understanding what that really means.
So some great questions from everyone.
Thank you so much.
Thanks to our panel, Chris Prewitt, Steven, Steve Stransky and Walpole for joining us today.
Thanks.
Forums like this are made possible thanks to generous support from individuals like you.
You can learn more about how to become a guardian of free speech at City Club dot org.
The City Club would like to thank Fortress Security Risk Management for their partnership to make today's forum possible.
Also, big thanks to guest tables hosted by Fit Technologies, Friends of Dave Nash, Northeast Ohio CyberConsortium and the Northeast Ohio Medical University.
Up next on the city club.
As the nation prepares for the Democratic National Convention in Chicago, Friday, August 2nd, we will hear from a panel of political insiders about the newly remade landscape of presidential politics.
Jenny Hamel, host of Sound of Ideas at Ideastream, will moderate that discussion.
On Friday, August 9th, we'll be joined by Jeff Opperman, global freshwater lead scientist at the World Wildlife Fund for the 2024 State of the Great Lakes.
He'll discuss the values of freshwater systems to people, cities and economies and what the world can learn from our Great Lakes.
You can learn more about these forums and others at City Club dot org.
So that brings us to the end of today's forum.
Thank you again to our speakers and to our members and friends of City Club.
I'm Jeff St. Clair.
This forum is now adjourned.
For information on upcoming speakers or for podcasts of the City Club, go to City Club dot org.
Production and distribution of City Club forums and Ideastream Public Media are made possible by PNC and the United Black Fund of Greater Cleveland, Inc.