The Real Cost of a Ransomware Attack: The Ransom Is the Least of Your Problems

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we look at something that most people completely miss

when they think about ransomware, and that's the cost of a ransomware attack.

Is way beyond the cost of the ransom itself.

Join me and my co-host persona as we talk to Dr.

Mike Saylor, who's the co-author on my latest book Learning

Ransomware Response and Recovery.

We walked through real cases like the UVM Health Network attack that ran up a $63

million tab without paying the ransom lost revenue, regulatory fines, staff burnout,

reputational damage, supply chain chaos.

And cyber insurance fine print that I think might surprise you if you think the

ransom is the biggest part of the bill.

Stick around.

I think you ear in for shock.

Just a quick note about me.

I'm w Curtis Preston, AKA Mr. Backup, and I've been obsessing over backup

recovery and now cyber recovery.

For over 30 years.

If that's your bag, then I'm your guy.

You're not gonna find anybody that cares about it more than me.

Ever since 1993 when I had to tell my boss that there were no backups

of that database that we just lost.

Now I've written five books, a blog and a podcast.

Here we turn unappreciated admins into Cyber Recovery Heroes.

This is the backup wrap up.

Hi, and welcome to the backup wrap up.

I'm your host, w Curtis Preston, AKA, Mr. Backup, and I have with me a guy

who just confessed his love for me.

Prasanna, Molly.

Andy, how's it going?

Prasanna.

Why do you sound so shocked?

That's what I wanna know.

The, the mutual, it's a mutual admiration society.

You doing all right over there

with your branded shirt, which I still can't find.

I, swear I've looked everywhere.

if you're doing swag

or doing things, you need to buy four for yourself.

Well, clearly more than one.

Yes.

looked all over this house.

I've

And honest.

to clean.

Yeah.

And two is not enough for you Curtis, I

have to say.

Yeah.

Yeah.

Well, you know, what are we gonna do?

Uh, and then also with us, we have somebody who I swear I'm,

I'm sure would not lose a branded piece of swag if I send it to him.

Doctor Mike Sailor, how's it going, Mike?

It is going great guys, and just to be, uh, upfront, I will probably ask for four.

So you, you got CRS as well, can't remember stuff.

Um,

I would, I would probably wear one each day and,

uh, you know, uh, it,

it's, uh,

the Einstein, the Einstein, uh, approach.

Right.

yep.

It simplify my wardrobe.

That's right.

Right.

Right.

but if you are wearing the same thing every day, do you technically need

for, can you just wear one and wear it four days and no one will ever notice?

As

long as it doesn't smell.

well, and there there's more to it.

In my, in my thinking, I, it's, it's, it's about efficiency and economy.

And so if I, if I only had one, then I would have to wash it the next day.

Well, I'm not just gonna wash one shirt, so

after four days, I've probably got a decent amount of laundry to do,

Hmm.

days,

smart man.

Smart man.

Yeah.

All right.

Well, we are not gonna be talking about wardrobes anymore

Can

we talk about laundry?

Uh, we're gonna talk about the hidden cost of a breach and, uh, I, you know,

I was looking around for some stories.

terms of, you know, ones that talk about that show how much more cost of

a breach, how much more of it has to do with things that aren't the ransom.

We, we, when we talk about ransomware, we talk about how

expensive that ransom can be.

But this episode we want you to think about what else might, uh,

a ransomware attack cost you.

And I'm gonna start with this attack from the UVM Health Network in October of 2020.

It crippled their IT systems for nearly a month, costing over $63 million.

Started from, uh, initially via a phishing email.

And, uh, they had to use, if you can get this, I, by the way, I, I'm a fan.

Um, what, shoot, I did it again.

Alright.

The, so it forced the staff to use paper records.

Uh, obviously delayed patient care, uh, shutting down over 1300 servers.

I'm a fan of this TV show called The Pit.

And In the Pit they are currently experiencing this exact, uh, outage

and they are, uh, switching to.

Paper records and, uh, you know, it, it, if you're not a fan of the

show, it's a huge, huge, uh, uh, hit.

And, um, if, if you're arf fan, make sure that you watch it and you look at this

because it really gives you an idea of the impact to the rest of the business.

You're, we're so.

Tied to, uh, technology that we don't know.

And imagine when you think about the degree to which technology

has impacted healthcare, right?

So they talked about how it impacted radiology, uh, laboratory services,

and they used something called the MyChart portal, with, uh, imagine if

My, my, my, my healthcare provider uses that.

Do they MyChart?

Um, imagine if that's how everybody finds out about their

healthcare then suddenly it's gone.

Right?

Um, and, um, um, so they're

Wait,

computers and 1300 servers were encrypted.

Uh, you have any other, uh, details on this story, Mike?

Uh, just a few.

I mean, I think it was, uh, it's interesting how it actually happened.

Uh, the, uh, an employee took their work laptop with 'em on vacation,

opened a phishing email, laptop, got compromised, brought it back into the

environment, and then, uh, the, the malware spread once, uh, it reconnected

to the, the company's network.

So that was interesting.

Um, and then the, the other part about that is it's not very

often that we catch the bad guys.

Um, not that it, it, it offered any, um, any latitude here other than, you know,

you've got, uh, from a, from a victim perspective, you've got some damages you

could probably collect from this guy.

Pounding rocks in jail.

Uh, but they did catch him.

Uh, it was a Ukrainian, uh, hacker.

Um.

But, you know, we'll, we'll jump into some of the, the other things to think

about from a damages perspective.

It's not just financial, uh, you know, directly related to

ransom or directly even related to, uh, your recovery efforts.

There's a lot of other things to think about.

Yeah.

Um.

Uh, Prasanna, you think about like, what would be, like, what would be

like the first thing that you would think to, obviously the ransom, right?

What would you think would be like the first thing that we would talk about when

Well,

we lost revenue or, uh,

yeah.

Well, well, even with the, the,

the question, but,

no, I'm not, I'm, I'm not even thinking about that stuff.

Right.

What I, what went to my mind, right.

You pay a ransom.

Great.

There's a cost of sort of like recovering your environment.

Mm-hmm.

Mm-hmm.

Be it people going around re-imaging systems, trying to recover data,

getting things back up and running in.

Probably, it's all the stuff that Mike, we've talked about

on the podcast before, right?

It's like that process of just recovering your environment,

Right.

right?

Which might take weeks or months, and there is a cost associated

with that beyond just sort of the, Hey, I paid the ransom.

Let's talk about that.

Like what type of costs are we talking about?

Like, um, are we talking about like, we talking about overtime?

Um,

Well, it's like people,

well yeah.

People, right?

yeah.

Mike, I, I, uh, I was just thinking about whether or not

overtime would, would happen.

That's probably not, not a lot of it.

People, they're, they're, they're generally staffed, right?

They're generally sorry, exempt IT people.

Um, it, it depends on their role.

Uh,

so to, in order to be exempt, you have to be in a leadership,

you know, independent role.

A

lot of lower level IT and cyber people are not.

So they

would be eligible for, for overtime.

So that'd be, that'd be a big cost.

Right?

So,

or hiring people like Mike to come in to help them.

Well, yeah, that's, that was definitely the next, right?

So, so.

So hopefully you are going, you know, one of the things that we make in, uh,

one of the points that I know we make in this lovely book here, uh, learning

Ransomware Response and Recovery.

Yeah.

For people who don't know, we have video you can watch us describe things.

You can see Curtis Point at the book right behind him.

If you go to YouTube and search for this channel, we are there.

By the way, none of us have the actual book Do.

Have you ever received your books yet, Mike?

I have

not.

Yep.

it's gonna happen.

Just at some point then you'd be able to like hold it up.

You know, I was looking at some of my, my other books up there on the shelf.

It's very, it's very cool once you finally have it in your hot little hands.

But yeah.

So one of the things that we recommend is that before all of this happens,

because Mike, what, what, what position did we take in the book

as to whether or not the odds that this would eventually happen to you?

It is pretty high.

Pretty high.

Pretty

An understatement.

Damn near a hundred percent right?

Uh, so before this happens to you, one of the things we talk about is to establish

a relationship with a company like Mike's.

Uh, Mike, you wanna talk about, like, when we say a company like

yours, what, what do we mean?

A company like Black Swan Cybersecurity, uh, you know, we're not just a security

managed security services firm from a protection, monitoring perspective.

We're also an incident response and litigation support firm.

So, uh, kind of that trusted advisor that you can call for, you

know, the entire spectrum of it.

Cyber issues or, or questions or, or services.

Um, and, and that perspective that we bring to the table

regarding, regardless of where we.

Or how we work with a particular organization, we're able to, to expand

the, the value of that conversation based on all the other things we do.

Uh, so we're not just talking about, uh, keeping you from, uh,

getting attacked or mitigating what that attack might look like.

We can also talk about, well, if you do get attacked, uh, depending on what

controls or services or capabilities you have, this is what you can expect.

Uh, on the back end of, of an attack and, and how that's gonna go.

Um, and so even if you have all the great, you know, greatest tools and, and brand

names, uh, deployed in your environment, uh, odds are it's gonna happen.

Uh, and we saw that with CrowdStrike, right?

It, it wasn't a cyber attack on you, it was an outage on CrowdStrike.

With that left your environment vulnerable and then you get attacked.

'cause bad guys watch the news also.

Um, alright, so now what, uh, I had CrowdStrike, but I got attacked.

Who do I call now?

I'm probably not gonna call CrowdStrike 'cause they're busy putting out their own

fire and I'm a little upset at them now.

Uh, so, so who am I gonna call instead?

Um, and so having those, uh, those resources in your pocket and,

and having gotten to know them.

Before an incident, you know, call 'em today, uh, when things are nice

and calm and you can have a good conversation or cup of coffee, um,

and not when the house is on fire and you're emotional and you're not sure

what to say or, or what to do next.

Yeah, so I like that idea of having basically, you know, you, the thing is

that the good news is that most people.

Uh, don't have a lot of experience in cyber recovery.

And, and by that I mean, if they did, then that would really suck, because that

means that they're doing it all the time.

And so this is definitely one of those things where I think a professional

can come in, uh, you know, uh, come in handy, uh, quite a bit, right?

Um, I, I did, while you were talking, I, I, I got this image

of you standing between, uh, the fan and the feces, um, uh,

and fighting it off.

Um, so, we talked about lost revenue, or we didn't talk about we, so

the first thing we talked about lost wages, and we talked about

bringing in third party services.

What were you about to say?

Prasanna?

But also along the recovery aspect before we get to the

revenue piece, right?

It's, you might need hardware.

Right.

Maybe you need to buy more servers or maybe you need to spin up services

in AWS or pick your cloud service in order to recover or start to recover

while you're still remediating other systems in the environment.

Maybe you're gonna need all of those things, right?

Yeah.

you know, and it's gonna be in this category of spare no expense, right?

Um, you know, you're not gonna be able to, uh.

You know, order your servers on Amazon Prime away for free two day delivery.

Uh, you know, you're, you're gonna be, you're gonna be calling your

server company of choice and going, I need 1300 new, you know, Dell, 9,500.

I don't know, I don't, I don't know any server volume numbers or uh,

And, and really I'll, I'll tell you, even even the US government

would have trouble getting a one day turnaround on 1300 servers.

Yeah.

Yeah.

Um.

The, uh, and, and then the, I think the, perhaps the thing that we're getting to

Atlas in terms of some of these costs is the lost business revenue, right?

So we live in a very connected world, and when, uh, you go to do business

with some sort of entity, right?

Obviously this is.

speaks more to commercial businesses rather than governmental entities.

it's not like we can go, oh well the city of San Diego is down.

I will go give my money to Irvine.

Uh, it doesn't quite work like that.

But, um, but with a business, when you go to interact with that

business and you see that it is down.

It's not like your need goes away, so you as a consumer goes and spends

your money elsewhere, and that's money that you're never gonna get back.

And your reputation.

So it, it's not just that direct client that you lost, it's everybody

they know also, uh, that might have potentially, either, either

they were or could potentially be a client of yours in the future.

It.

Do you know Mike?

Just, sorry.

I like to ask stats questions 'cause you seem to have so many of them.

Do you know what percentage of businesses that get hit with ransomware go under?

Oh, it's over half.

So if,

if you don't have, if you don't have a solid, well, it's over half.

For those that don't have a solid response plan.

Hmm.

So more than 50% of the companies that get hit with ransomware or any significant

cyber incident and they don't have an incident response plan can't survive.

But incident, uh, ransomware, especially the double extortion one, very hard

on on businesses that, that aren't prepared for that for two reasons.

One, they've gotta pay for the, the recovery, uh, from the event itself.

And then because it's double extortion, a lot of those, uh, organizations

can't afford the regulatory fines.

Uh, for the, uh, PII or consumer related data that they're gonna get

fined, especially if it's California with, what is it, $25 a record?

Uh, yeah.

It's, it's, it's crazy.

I think we should get that money, don't you think?

Prasanna, you and I live in California, why don't we get this money when our

records, why do they get more money?

Because our data was, was hurt.

That's all I'm saying.

Um, $25

Yeah.

$25 is not gonna be, um,

I.

not gonna be much.

But um,

And I guess that's a third category, right?

We talked about revenue, but then there are the fines.

Yeah, the re the Reg regulatory fines.

It is true.

Uh, GDPR is huge, right?

If you're, if you're in that world, because that's, they start talking about

a percentage of annual turnover, right?

Which is, and that semi analogous to revenue, it's a different term, but

I've never quite fully understood the difference between annual.

Do you know, Mike?

Are you a revenue annual turnover person?

Yeah, just stick with US terms,

Yeah.

Okay.

Okay.

It is like 4% though, I believe right

up to 4%

of the annual turnover.

Yeah.

Um, the, um, so yeah, so we talked about lost revenue.

And Mike, you talked about the reputation effect because it's.

I can, I can think back companies that have lost my data, a company that have

had in, you know, incidents with my data and I haven't forgotten that.

Right.

Uh, you know, I can think literally, um.

Of like the first cyber incident that I remember that had that involved my data.

Um, it goes, you know, all the way back to 2005 and I remember that incident

and I know exactly which company that was and I will never forget it.

Right now in, now in that particular company, I don't get a

choice of not working with them.

Right.

It's, uh, it's, um, the, um, regulatory, I'm not regulatory,

um, credit reporting agency.

Right.

Um, but the, I, I wish we had the choice of not working with, with

But,

but here's a question though, Curtis, do you remember that first one

clearly?

Do you remember the next 25 or 50 that have come up?

Just given how many of those notices that you get every

month?

I mean there, there is a, that is a good point, right?

That, that we are starting to get, um, somewhat, it's sort of like, um, Mike, you

don't live in California, but you know, in California, we, um, um, of, uh, over

here we have this like thing about, um, this thing has been shown to cause cancer.

Literally everywhere

I see them on all the labels, but I tear.

I'm able to tear that one off.

Yeah.

Yeah.

Um, but, uh, with every, every business that you go in there, it's

like, uh, so it's like, there is, there's certainly, uh, alert fatigue.

That's a good point, Prasanna.

Um, but I will say that I definitely remember the ones that

definitely inconvenienced me.

Definitely.

I definitely do.

Um, you know, where if, if, if I was significantly inconvenienced,

I definitely remember that.

And my point, my point is that I, I will never forgive that.

I will never forget that.

I can also remember, and again, I'm not gonna throw their name out because

I don't want to get sued, but I also know the, the one backup company that

I know lost people's data, right.

and I, I won't ever forget that, right?

So the, the, the damage to your reputation, I don't

think you can ever get back.

And another thing that you're never gonna get back, we talked about lost revenue.

There's lost revenue of what happens during the outage.

But what happens if during the outage your, your customer goes to your

competitor and they go, oh, this company's not as bad as I thought it was.

You know, I, I guess we could, we could continue doing

business with them over here.

Now, not only did you lose.

Revenue during that outage.

You have lost the future revenue from that customer.

Um, and the, you know, the reputational damage that you talked about

Mike, that does damage to future revenue from future customers.

They're going around, Googling whether or not they should do business with

you, and this is the story that pops up.

Yeah.

And,

and Curtis, I know we've done podcast episodes last

year, right?

If I look at Rackspace

and their exchange outage,

which caused them to shut down a huge business for them, right?

Hosted exchange, we also talked about LastPass.

Yep.

And their breach.

And you could just imagine like all those fines and penalties.

I think they even started getting sued like years later, right

after the incident happened.

Because sometimes it takes that long before activities, criminal

activities start to show up based on, uh, the data that was stolen.

Yeah, you know, I actually know somebody, by the way, that went to go do marketing

at LastPass, and I was like, Good

Hmm.

with that.

Well, there's a couple other things to consider too.

Uh, we talked about overtime and, and the staff, internal staff that

are addressing a particular incident.

You may actually lose that staff.

You know, they, they, they're used to their eight to five or shift job,

and now you've got 'em working three hour, you know, three days straight

with, with, you know, sleeping on the floor at their desk and eating.

You know, carry out food or pizza, which, you know, I wouldn't mind for three days.

But, uh, at the end of that, you know, they're exhausted and that's,

that's not what they signed up for.

Or maybe even they were getting, you know, a little bit of attitude

from, from other employees or executives and they, they quit.

Uh, and, and it's probably the ones that quit are probably the ones that have been

telling you that there's this problem that hasn't been addressed for some period of

time.

And that's what led to this breach.

And

they're like, I told you so, and you know, I'll help you get through this, but

I'm gonna, uh, I'll be out after that.

The other thing, uh, so the, the human impact, um, and whether

they quit or not, they, they're not gonna be the same person.

It's like going into war, like you, you come out the other side

and, and, and you're just, you don't see things the same way.

You're, you're not the same person.

Uh, so people that have been through a significant incident are, are,

uh, they're changed in a way.

Alright?

So there's the human person, uh, the human perspective or the impact supply

chain and, um, supply chain's one.

So now you're going to, you're probably gonna burn some bridges trying to get,

you know, equipment or, or, or support.

Uh, and by that I mean you're, you're gonna approach this, uh, this

incident with a little bit of, uh.

Um, uh, emotion and, and, um, aggressiveness that some

people may not appreciate.

Uh, and then the other part of that is, uh, if, if you are heavily

involved in financing stuff, right?

Like maybe you're building a new facility or you need, you need, you need credit

to buy equipment that you then resell.

Uh, this incident could, could impact your credit rating as a company, uh, your

bond rating, uh, things like that, that may, so maybe you're a

construction company and you build hospitals and military bases, and

now all of a sudden you've got this cyber attack that puts you down.

Uh, those, those, uh, financial funding vehicles may, may have

a different perspective of working with you in the future.

Also.

Yeah, no.

When you were talking about that, Mike, I was thinking about the reputation comment

you made earlier where you've now impacted not only the reputation of your customers,

but even your vendors and suppliers too, who are like, Nope, we don't quite trust

what you're doing, or maybe you don't get preferred rates or other things like

that

Mm-hmm.

potentially as well.

And, and, and it's weird.

Uh, it's not just the inputs, it's also the outputs, uh, from a, from a vendor

or relationship or system perspective.

Um.

We worked with a company.

It was a, it was a dental, a dental practice.

Their payment processor shut off when, when they had an incident,

they notified everybody, uh, very diligent and responsible.

The payment processor shut off access, and even after they said we fixed

all the problems, uh, the payment processor required a third party

objective review of that environment before they turned that access back on.

So this, it wasn't just.

You know, paper records and, and operating the way we used to, they were, they

were literally also taking, having to take, uh, credit card, you know, the

carbon copy swipes of credit cards to, to, uh, to take payment so that

they could process it later when their payment processor came back online.

That's crazy.

I don't even remember the last time I had to do that,

Well, and, and to that point, I mean, these are, these are all things

you've gotta think about today.

All right?

So if our payment, whatever, all our critical things, well payment

processing's a critical thing.

Well, what happens if that goes away?

How are we gonna process

our.

yeah, that's interesting that you mention that because I just, just, uh, I don't

know, a week or two, a week or two ago, I set up a new, um, you know, a new minute,

my new, uh, LLCI set it up in, uh, Stripe to be able to accept, you know, to be

able to send a, a payment leak that took.

A few days, Because there's, there's an authentication process.

And, um, so e even if you let, let's say if you're able to quickly go over to

another payment processor, it, it's not like that's gonna just start processing

payments, uh, immediately for you.

They,

they did not pay the ransom.

So even, even with $30 million in, in insurance coverage,

not even paying the ransom.

Their, Their, recovery cost was almost 65

million.

right.

Um, and then of course they're gonna end up with, uh, probably increased,

um, insurance rates after this and possible cancellation of the policy.

Right.

I wonder, Mike, have you ever seen that?

Where that, where people file a claim and then they get their

cyber insurance policy canceled?

It.

Yes.

Uh, but it's, it's less common than the insurance company giving

them a very long list of things.

They've gotta remediate and prove that they've remediated that, uh, to keep

their policy, their premium will go up.

'cause their risk went up.

Uh, but that's usually just in the following year.

So let's say, you know, every year there's a 3% increase

after an incident, having, having satisfied the insurance company's

remediation list, if you do all that, you may get a five and a

half percent or 6% increase in your premium for the next year.

Well then subsequent years, uh, you know, that may go back down to just

the, the standard 3% or whatever it is.

Uh, if you maintain your.

Your, uh, hygiene and, and, and control effectiveness according to,

and, and that insurance company may ask for, you know, multiple years

of, of, of third party assessments

to, to keep your policy.

And, and we're gonna cover this on a later episode, but that's definitely something

you should be doing upfront, again, where you can talk to your insurance company,

uh, you know, what are the things that we should be doing already, right?

Again, talk to a company like yours, right?

A blue team company, uh, that, that will help you defend yourself.

So let's talk about, um,

I have one.

Yep.

So as Mike was talking about that, uh, one thing popped to my mind, which was,

so you get hit with ransomware.

You're like, okay, X, Y, and Z all needs to change.

There's the cost of updating and changing processes

that may be significant depending on how you are operating today.

I think, and I don't know how to quantify that.

I'm sure it depends on what the risk is, or like Mike, what you were saying.

If your insurance company tells you to remediate a bunch of issues that

might involve significant restructuring of your organization processes in

order to be able to handle this.

Here's a good example.

Let's say, let's say you're a, a, a, a medium sized company.

You probably have some things documented like, how do I restore a computer?

How do we revert to a, a manual process in the absence of

our systems being available?

You probably have some of that documented.

It's probably old.

Uh, it maybe some of it's tribal knowledge, uh, but at, as a result

of an incident, the insurance company may come and do an audit and they

may say, you've, you've got some or nothing, but this is what we expect.

And

so in a lot of cases, you can't just update something that's been

in place for a long time because it's obviously not effective.

And in order for a control to be effective, it has to be designed well.

In order to design well, you've gotta.

Get good information, current information from all the stakeholders.

Uh, and so a control is this thing that operates, and most controls

have inputs and outputs and so those are other stakeholders and controls.

So you've got this kind of enterprise exercise that you have to go through.

Um, and if you haven't gone through a business impact analysis, this

exercise would be very similar.

So you essentially go and look for all the critical things in our company that,

that keep the lights on and pay the bills, and, you know, sustain our, our

revenue and our reputation and our client base and whatever those things are.

And in that assessment, you then determine what are the, the

critical people, processes, and technologies required to function,

and then what are the alternatives?

So if that thing goes away, I can do it, I can do it this

other way for a period of time.

But what is that?

What's that pain point?

Is it an hour?

Is it a day?

And, and what's, how do I quantify that?

Is that a million dollars an hour?

Is it a million dollars a day?

Is it a million dollars a week?

Uh, and so now we we're, we've got all of this stuff laid out and current

so that I know if that department or that process breaks, this is how much

time and what is required to recover.

And in that time, this is my financial impact or these other impacts.

It could be, you know, if it's a hospital and the intensive care

unit goes down, that could be human life, it could be regulatory,

you know, whatever the case is.

But I have all this stuff lined out now and then from this body of knowledge

that I've, I've just created, that translates directly into business

continuity, disaster recovery, incident response, and how I categorize all

my, you know, the criticality of all these things that could happen.

You know, ransomware on a print server, probably not really high unless

that print server is what's creating checks, uh, or, or shipping orders.

And I, you know, and I'm, I'm, I'm shipping million dollar things.

Uh, and so that's, that's a perspective a lot of people think, well, ransomware

on a print server, that's nothing.

Well, it is if that's how you make money.

Uh, and so going through an exercise like that really puts some

gravity, uh, and awareness in your environment that you can share with.

Leadership.

Executive leadership.

And that's very important because when we go to leadership and say, I need

budget to keep the lights on to make sure this stuff doesn't happen, and they're

like, yeah, we're not gonna pay that.

'cause we we're, we've got this new marketing advertising campaign

to, you know, for whatever.

And, and they don't, they don't always realize that where they're focused, um.

Oftentimes leaves a huge gap in, in risk.

Uh, and, and maybe there's some kind of middle ground that we can come

to, uh, or roadmap we can build.

Maybe we don't have to do it all at the same time, uh, but you know, this month

we need to do something and six months we need to do something and so on.

Um, but that business impact analysis and that that huge analysis of all

those different criticalities and risks will help you have that conversation.

Um, and by the way, leadership, uh, executive leadership is often

included in those, those workshops, in that process, that exercise.

Uh, so they get to, uh, they get to participate in and have some, some

introspection, uh, of their, of their business and their, and their

responsibility during that exercise, so that sometimes that, that helps

facilitate a better discussion.

Well, that, that whole thing that you just described, it's one of those things where.

It's the, you know, the phrase, you know, uh, never time to do it, right.

Always time to do it over, right.

It falls into that category of like, it's, it's activities that you need

to do that are best done upfront, and they're kind of a pain, like everything

you just described sounds really, really important, but it's a pain right?

To,

But you know what?

I think there's, there's some misconception there.

Yeah, there's, it's gonna take time away from your, your job.

But to your point, you know, if, if I'm, if I'm busy doing something and,

and my daughter calls me, I'm gonna stop what I'm doing and I may have

an hour phone call with my daughter,

30 minutes, whatever the case is, because I can prioritize that

over this spreadsheet I'm created.

Yeah.

If, if you can.

Set aside an hour to talk to an advisor or a consultant about

this business impact analysis.

You, you, sometimes you just have to have it on your calendar

and you're just gonna do it.

And I think the mis, there's a misconception that this business impact

analysis is this huge, cumbersome, you know, 90 day, 120 day thing.

And yeah, I'm sure there's some large enterprises where it, it would take

that long, but for the most part, small to medium sized businesses can

get a BIA done in one to three weeks.

And

that's like one person talking with, you know, one-on-one with

different, we did a city government, um, 14, 15 different departments.

We did it in two weeks.

Yeah.

Uh, well, I, I think that that's a really good point, Mike.

I, I like, I, I, the point, I, you made a different point, which is a great point.

The point I was making was whatever level of pain it is, whether

it's a day, weeks, or months.

The point is that by doing this work upfront, it gives you the power

that you need to make, the changes that you need to your environment

from a recovery perspective, from a cybersecurity perspective.

And also when the feces sits, the rotary oscillator, you know where you need to be.

Right.

You know, like you said, you, you, you know that your daughter

calling is, is important.

Right.

You will know.

Well, I know that this thing, like, you know, you, you

talked about the print server.

know, we're, let, let's say I immediately thought of, uh,

what we used to call Kinko's.

You remember Kinko's?

Uh, now it's called the FedEx Print Center, uh, which I was, I was in a

FedEx Print Center just a few days ago.

In

the middle there, it was called FedEx Kinkos.

Yes, it wa There was, there was, that was a FedEx Kinko's.

Yeah.

Uh, but in the, their print server going down, that is a direct, um,

you know, revenue generator, right?

So if you know that, you know the different parts of your business and you

know the, the cost that your business is going to experience when a ransomware

attack hits, it just empowers you with the ability to make the right decisions.

To minimize the impact on your, on your business.

So

Knowledge is power.

And my other favorite saying from GI Joe is knowing is half the battle.

Love it.

is that from GI Joe?

The movie?

It's GI Joe.

Well, it

the TV

cartoons.

It's like the, at the, very end it's uh, you know,

knowing is

half the battle.

would always say that at the end.

Uh, I, for the record, not familiar with GI I, Joe, beyond the

Oh, it's amazing.

Cobra and.

Yeah.

Yeah.

Um, so the, the next thing, another, uh, action.

I, so we talked about doing a BIA, right?

The next thing that we have is action items, is to review again,

now review your insurance coverage.

You, you want to talk about that, Mike?

Like what kind of, what kind of stuff?

Well, it's, it's critical because a lot there, I think there's a lot of companies

that, that just Google cyber insurance and they get quotes and they go with the

lowest quote and they figure they're, you know, they're the lowest premium

and they, they figure they're covered.

Well, you're covered based on all that fine print, and I've got

a, a pretty interesting example.

Uh, so in addition to, to helping companies, uh, on the defensive side.

Uh, we also do litigation support.

And, and in one case we were, we were working for the insurance company,

uh, who didn't wanna pay a claim.

And so they sent us all this data and our, our objective was to determine if,

where, where did the attack originate?

Was it a domestic attack?

Was it, was it international?

It turned out to be international.

And they declined the, they, they declined the claim because the

policy only covered domestic attacks.

Wow.

So

it is important, uh, you know, go with a reputable insurance carrier,

make sure you read the fine print, get an advisor or a broker to help you.

Um, and then, you know, a lot of those, uh, a lot of that process

stems from a questionnaire that the insurance company is gonna send you.

And a lot of organizations, especially the small ones, don't know how to.

Fill out that questionnaire.

A lot of times

it's yes, no, they don't give you the opportunity to add context.

Uh, like there's no maybe, uh, it's either yes or no.

Uh, and so I think a lot of organizations on in the maybe category

will still say yes, even though they're not sure, or maybe it's not

fully implemented.

Well, the insurance company's gonna hold you to those answers if

there's an incident or a breach.

And they're gonna go, well, you said yes and you, it's actually no.

So we're not gonna cover your claim 'cause you lied to us.

Uh, when,

when we establish this, this policy.

The other thing to think about too is you can have more than one policy, uh,

just make sure that you maintain and are fully aware of, of both of them and, you

know, any, any attributes or requirements or stipulations in either one.

Um.

You know, that brings up a story.

Do you remember Tony Curtis from Spectral Logic when he

came on the podcast?

Yeah.

And so this was a company Mike that got hit with, uh, ransomware, shut down

their entire environment.

be in the backup industry.

By the way,

Yeah.

tape library manufacturer, right?

And he was, I think he was like head of it or something, some position like that.

And he found out that just a week before they had signed up

for a cyber insurance policy.

Yeah,

Yeah.

was like a week or two before he was like, oh my gosh, thank God.

well.

they brought in all the experts and all the rest.

I am glad it worked out for him because a lot of those, uh, a

lot of a, a lot of policies will have a, a cooling off period.

So you sign up today, but it's really not effective for 30 days.

Yeah.

So I guess the last action item is you've sort of gone

through, you've created a BIA.

You've done all these things and making sure that you understand

what needs to be recovered first.

It's kinda like Mike was talking about the prioritization.

Right.

So making sure you understand what is critical to your

business, have that listed down.

So those are the things that you focus on first, rather than say,

Curtis's home directory, which isn't the highest priority to recover from

a ransomware attack.

it is to me,

Well, it's not the first thing.

I know it's important to you, Curtis, all the cat videos that you have, but.

cat fitting.

I think that those are great points.

And so in your BIA one of the, one of the outputs of your BIA as far as

prioritization goes, it's not just the criticality of a particular system.

But it's also the recovery point objective.

So is is the, does that system have a lot of journaling that

would allow us to do manual input or manual uh, uh, transactions?

Uh, and so

just as an example, we had a, a, a ransomware incident with a client who got

hit on a Thursday night, uh, 10 o'clock.

And we knew exactly what servers they hit and how it happened.

Um.

We were comf, we were comfortable thinking that Thursday night

is when the attack happened.

It wasn't some time in the past.

Well, we still needed to have that conversation with the client.

Well, how far back, how many days or weeks back should we target to recover from?

Because we don't wanna just do earlier today or yesterday.

'cause that may also have.

The, you know, the attack, uh, artifacts in it, malware, whatever it was.

And so having a good understanding of, of their backup strategy and

their capabilities, we were able to say, all right, well, let's,

because of, and in this case, it was a heavily virtualized environment.

Well, let's go with Tuesday.

And let's, let's run all our, all, all of our analysis against

Tuesday's, uh, restored systems before they, we put 'em back online.

If they're clean, then we'll go with Tuesday.

If not, then we can go with Monday or whatever.

Uh, a lot of organizations, uh, still have this full incremental,

you know, weekly that kind of, uh, backup schedule because they're, they,

they haven't adopted virtualization or whatever the case might be.

Uh, and so if, if a, a system was compromised between those fulls.

Then you've gotta do fulls plus the incrementals to get you

back to some restore point.

Well, your BIA is going to help you determine how far back can I go before it

hurts, and if I have to go back further, do I have transaction, you know, logs,

journaling to help me fill in the gaps?

Uh, and if not, then, you know, here's the impact, uh, that I can expect.

Um, one of the other things I was gonna add, uh, and I, I

lost my train of thought a bit.

Um.

And what was it?

Let's see.

You were,

Uh, it was a good point.

It's a good point.

Oh, here's a, here's another funny example.

Funny for now that it's, it's years later, but, uh,

plus time equals comedy.

it was a telecom, $5 billion telecom.

Uh, and they had an outage, and the outage, uh, sat on top of a legacy server.

That legacy server continued to be backed up every day, but it was backed up, uh,

initially to nine track backup tape.

Give,

The backup, the backup technology was, was in, in current day was the, um, DLT tapes.

Yep.

But they didn't create a base system backup, a bare metal backup on DLT tape.

It was the, the only bare metal backup was on nine track.

So when they had to recover this server, they couldn't, because

they couldn't find a nine track tape to recover the tape from.

So yeah, they were down hard for over a month until we

know what?

on eBay.

Yep.

Not uncommon.

yeah.

You know what, uh, when you were talking about, um.

Just like, you know, switching to alternative methods.

Remind me there, I think it was a, a Xerox commercial.

When they go, if your printers go down, do your people go, it's okay.

We'll just use carbon paper.

It's like, no, no, they're not gonna do.

Well, yeah, I think, I think we've given, uh, people enough to think

about and to, um, you know, some action items where they can go work.

Uh, it sounds like, uh, they'll do their BIA in a day or two,

and then, uh, they'll be good.

So, uh,

the way.

knock it out.

Just, you know, it's like a lot of things.

Just, uh, do it sooner than later.

Doesn't matter when.

The only thing that I know is it doesn't matter when you invent a time machine.

All right.

And with that, uh, that is a wrap.