
The Human Cost of Cyber Attacks: Beyond the Financial Impact

BSides SATX · 2025 · 48:46 · 4 views · Published 2025-09
Style: Talk
About this talk
BSides San Antonio 2025 June 21 at St. Mary's University
Transcript [en]

Quick shout-out to the diamond sponsor USAA and St. Mary's for helping to make this event possible. We are also grateful for the support of Highland Toyota and Spec Ops. I'll turn the attention over to our speaker, Jacob Wnets, as they discuss the human cost of cyber attacks. Please help me welcome Jacob.

>> Hello, everybody. Anybody in here an incident responder? Okay, I don't see any hands going up. Usually when I give talks, I give really technical talks; I do deep dives into incident stuff. I decided to take a different tack this go-around. I want to talk more about the human side of things. We had a pretty trash Q4 in terms of incidents. It was very busy, I'll put it that way. I work for a company called Beazley Security. We're a wholly owned subsidiary of Beazley Insurance, which is one of the world's largest cyber insurance providers. So we get literally hundreds of incidents a year, and Q4 actually was way more than what is normal. And so I want to talk a little bit more about the human side of incidents, because we seem to miss that a lot. We go to conferences and we talk about all this nerdy technical stuff. We talk about governance. We don't actually talk about the people that are dealing with all of this. I'll try not to make it a doomfest. I don't want you leaving here feeling like it's all burning down and we're all going to die, though sometimes I feel like that in the course of my job.

But all of us have a shared mission, and I'm hoping that this will be a call to action for everybody in this room to look out for not just your fellow responders, but also the people that you are doing all these services for, to make sure that the people are actually the center of everything. So, why listen to me? I'm a senior incident responder, like I said. I do cyber security consulting, usually around resilience, that sort of thing. I have almost 20 years in technology. I know I look kind of young; I started way early, back when the internet was kind of new. I was hosting web servers on a DSL connection out of my mom's bedroom for folks. So I did want to talk about the fact that I did burn out on a ransomware case. Burnout is real. It hurts a lot, and that'll be a central theme of this presentation. I'm also an advocate for resilient critical infrastructure. So I've done some consulting around election systems, not related to my job, on the side. I've done some around energy, especially battery energy storage systems, which are all the rage right now in Texas if you've paid any attention to the power grid, and kind of the dangers around that and the critical infrastructure. And so that's who I am. So let's get into it.

So, beyond the wallet, right? We talk about money all the time. I work for an insurance company; I'm part of a subsidiary of an insurance company. We talk about the cost of an incident all the time. You get these headlines, you know, millions of dollars, right? Cyber security is costing us millions, threat actors are stealing millions of dollars. We don't ever really talk about the people that get impacted by these things. They're just a statistic. Like, "We stole 100,000 people's information." Okay. But what about those people? How has that impacted them? We have a tangible effect on everybody's lives, health, safety, and livelihood, such as delayed surgeries, blackouts, potentially poisoned water, savings that are destroyed. So, if your bank gets hit and you can't pull money out, what happens to you then? If the guy who owns your rental doesn't care that your bank isn't working right now, you're suddenly in a position where maybe you get evicted. So I want to kind of shift cyber security from an IT or cyber security problem to a public safety issue. All of this is public safety.

So cyber is now also a weapon of war. I don't know if you all saw, there were some wipers that recently got discovered that Iran's using against Israel, actually this past week, that are designed to destroy file systems and such. But we don't have any blast crater. There are no sirens. For the normies out there, I don't know if you saw that article this week about the 16 billion credentials or whatever that got leaked. That was a bunch of garbage, right? It was just a bunch of old breaches that somebody bundled up together. But the normie folks, the folks that aren't doing this for a living, get scared and suddenly they don't trust this. My mother hardly trusts computers at all. She'd go back to a flip phone if she didn't have the need of the huge screen because her eyes are so bad, right? And responders like me, like some of y'all may end up being, are on the front lines. We have no armor. We have nobody protecting us. We don't get much rest because it's constant.

So I wanted to talk about a couple of case studies. Some of this will be fictionalized, obviously. Many of y'all are probably familiar with the NHS breach that happened with WannaCry, believed to be possibly a Russian cyber weapon that kind of got out of hand and knocked out a bunch of hospitals. But the real human impact is things like chemotherapy that got postponed for cancer patients. How many patients is that chemotherapy keeping the cancer under control for, and now they don't get their dose and they've got to wait another month, and maybe they were stage three or stage four and it was prolonging their life? What we do know from the NHS is there were over 600 sites impacted. 34 hospitals were locked out of their systems. 13,500 appointments and 139 cancer consults were cancelled. Okay. And as somebody whose mother went through cancer, early detection saved her life, right? If you don't get into a consult because the hospital can't take you and you wait a month or two, what happens? Maybe it's metastasized. Even more dangerous, doctors were back to pen and paper and ambulances had to be diverted to facilities that were still functioning, right? Think about children that needed surgery for various issues. There are pediatric surgeries that were deferred. So you've got parents that basically are told, "Hey, I know your kid was scheduled for surgery this day. Not going to happen now," right? You've got cardiac patients that maybe have a heart attack and the ER can't take them because they can't dispense medication because that system's locked out. And so you're triaging with pen and paper. You're missing allergies, drug interactions. People die due to cyber attacks. Phone lines get flooded because people are panicking. They don't know what to do. And yeah, of course, we have financial losses; in this case estimates of five to six million pounds, but that's completely trivial compared to the thousands and thousands of people that are impacted.

So I've actually got a personal story involving a hospital that I worked, we'll say, relatively recently. They experienced a ransomware attack. Systems got locked out. The main system that everybody here knows is the central core among many of these legacy systems is Active Directory. Well, somewhere along the way, whoever designed the medicine dispensary system tied that to their Active Directory for authentication. It's a system called Pyxis. It wasn't Pyxis' fault. This is just
how these systems are designed. And so all these medicine carts in all these different wards are required to validate that the person dispensing drugs is dispensing it for the correct patient and that they are an employee of the hospital, right? Well, if your authentication mechanism's down, how do you validate that that person is supposed to be dispensing that medication? The cart won't identify you. And if the servers that backend all of those carts are down, how do you put all those carts into bypass mode? You can't. And so you're completely locked out of being able to dispense medication, short of an angle grinder or running down to the pharmacy every time you need something. And as you can imagine, in a hospital system (in this case it was a hospital system, not just a single hospital), you've got clinics all over the place, and it was very rural. The nearest hospital was a couple of hours away. You can't just run to the pharmacy all the time, right? And you've got all these regulatory requirements as well that are put in place that basically mean I can't just open the box and take pills out and hand them to somebody. I have to track all of that. And if I don't track all of that, now I'm on the hook for fines from a regulatory body because there was medication that's a controlled substance that was dispensed to a patient, and now the government comes in and doesn't care whether or not you experienced a cyber attack. You dispensed medication without tracking it.

So, in this particular case, we had some serious conversations. Obviously, it's always a business decision; I come in from the outside. But does this hospital keep the ER open? They couldn't have gotten the medication that a heart attack patient needed in a timely manner. So what do you do? You can't really take the medication out of the med vault and have it on hand for people to just grab, because again you have to track all of it. So now people are imminently put in a position of death because of a cyber attack. So the way we got out of that, obviously, is we rebuilt a minimal AD domain in a couple of hours. We had some backups that were okay, and then restored the Pyxis services from backup. But if we didn't have those backups, that hospital could have been on deferment for hours or days. It still took us 6 hours to restore access to those carts. So that's 6 hours where people are having to run to the pharmacy or get in a car and drive to a different location to pick up meds because they can't open the cart. The cart is locked up. And so rural hospitals are already operating very thin. They don't really have after-hours very often. They definitely have limited staff. Transport times are a killer. For those folks that live in the city, an ambulance could be there in 5 minutes. For those that live in a rural area like me, it's going to be half an hour before an ambulance shows up. In fact, it's usually faster to land a helicopter and take you to the hospital.

So, number two, power. How many of you all are familiar with the Ukraine blackout in 2015? Okay, a few of you. So think Winter Storm Uri, but hackers instead of a bomb cyclone, right? So 225,000 residents didn't have power for hours in the middle of winter. Ukraine, Russia, they're very cold. Yeah, it got cold here, but they're very cold. And you've got manual switching having to be restored. So you've got these electrical automated distribution systems that are flipping off power automatically due to this attack, and now you've got to go manually flip those back, and that's not a small process. That requires linemen; that requires people having documentation about where these things are. And I don't know about Ukraine, but here in the US there are not a lot of organizations that have their infrastructure figured out. I mean, just look at the state of your electric poles in many places, where they're just garbaged up with lines. So you had families that were huddled under every blanket they own. Your breath was visible indoors, right? We all lived through it if you were in Texas during Uri. This was caused by a hacker. There were even reports of people burning furniture just to keep warm, running generators inside of apartment buildings even though the carbon monoxide could potentially kill you, having to ration food, because if there's no power you can't even buy groceries: now there's no ATM so you can't get cash, you can't use your card, nothing's transporting, computers are down, I can't even check you out, point of sale doesn't work anymore, right?

You also have water pressure. Everything relies on the electric grid. So now you don't have water coming into your home because the water pressure's dropped because the pumps are offline because they don't have electricity, and not every pumping station has a generator. You've got frozen treatment plants, right? They can't operate without power, and they require lots of power to operate. Sewer, sewage, a lot of those rely on pumps at lift stations to remove it from your home. So eventually that all backs up. And then of course, back to the hospital example, a hospital only has as much power as their generator has fuel. If the outage is long enough, the hospital goes dark.

So I actually personally responded to an energy provider situation. In this case, it was oil and gas. It was a refinery. And we don't usually think about it, but most of the gasoline that you have was refined not that far distant from when you bought it, in terms of time, right? It's refined, it's thrown on a truck, and it's transported. It's very short timelines. The beginning, pulling the crude out of the ground, takes a long time, but once the refining's done, they don't store that stuff for extended periods. You just transport it and it gets burned, right? In this case, it was a refinery, and it was Iranian threat actors. They had actually accessed the corporate network of, actually, it was a couple of refineries that were connected together. They weren't properly segmented, and then the actors managed to start doing reconnaissance on the OT network, which was not air-gapped. So the operational technology network was exposed. Had the threat actors managed to get into the OT network, all of the refinery operations are computerized basically at this point, right? So all of your valves, all of your switches, everything that tells it, okay, I need this chemical at this particular time to go into the refining process, that's all released by a computer. Yeah, there's a human operator, but that human operator is basically just overseeing the process. If you mix the wrong chemicals at the wrong time, you might get a fire, you might get an explosion. And then the tail end of that is, if a refinery goes down, suddenly there's no fuel. What happens if you take a refinery down in the middle of winter? People freeze to death. Can't run a generator without fuel. You can't even pump gas if there's no gas to be had. And here in the United States we import a lot of oil, but we haven't increased refining capacity. It's not like another refinery could just pick up the slack. So we lose a couple of refineries due to a cyber attack, we don't have fuel.

Another case study involves water. Kind of relevant now given what's happened geopolitically in the last couple of weeks. It's believed that Iran initiated a coordinated attack to get into the water system in Israel. The targets were rural pumping stations and treatment plants, and the systems were told to raise chlorine levels to 250 parts per million. That is 10 times what's considered safe. Any of y'all ever run water in your tub and smelled the chlorine from the city water supply? Okay, now imagine that 10 times, right? It's literally deadly. Chlorine
gas is hazardous to life. That's why we put it in water, because it kills bacteria. And so they cranked up those chlorine levels to 250 parts per million. The only reason this didn't kill people or shut down the water system is an operator at the ESHO site noticed pumps were cycling erratically. The SCADA screens were not showing what they were supposed to be showing. And so one operator noticed the problem. One person is the reason why that water system wasn't wrecked. Because can you imagine if all that chlorine had been pumped into the water supply? Not just the immediate effects, but now you've got to flush the whole system. That takes days, maybe weeks. And I don't know about y'all, but I can't go much more than a couple of days without water. So the way they solved that problem is overnight crews literally drove to each remote station with a laptop and physically disconnected the programmable logic controllers to verify that the gauges within these systems were not lying to them. Residents of a nearby town actually woke up to text alerts advising them to store bottled water in case treatment systems had to be shut down. Hospital sterilization units were briefed to switch to reserve tanks. Fortunately, many hospitals have reserve water. And local radio was broadcasting public service announcements. Can you imagine what that would be like here in the States? Israel's used to being attacked. They deal with it all the time. What if we had, say, the city of San Antonio now has a PSA out that the water supply is tainted? Don't drink the water. Can't go to a restaurant; they use water. I mean, we have bottled water, but that only lasts so long. If you've ever seen the response to a hurricane and tried to pull water out of the store, it's all gone by the time you get there. There's not enough to go around. So, if the 250 parts per million command had stuck for even 30 minutes, hundreds could have suffered chemical burns or respiratory distress. Automated safeguards would have forced a region-wide water cutoff for days or weeks. Again, human impact of a cyber attack. Without water, people die.

Let's move into finance a little bit. So, in 2024, there was a credit union in California called Patelco that experienced a cyber attack. It was two weeks of an outage. No online banking, no ATMs, none of the branches could operate. Basically, they were writing cashier's checks to people on faith that the money was actually in the account so that people could maybe go buy groceries or pay rent, right? Over 500,000 people couldn't access their money. That's a huge number of people. And then of course we have records stolen. And if you know what your financial institution keeps as a record on you, it's basically all of your personal information. They also have every transaction you've pretty much ever made, too. It's a great resource for somebody who wants to figure out everything about you. And so we have 500,000 people that potentially couldn't pay rent, couldn't pay their mortgage; they don't know if the money is even there anymore. You have an old-fashioned run on the bank because nobody can access it via their app. And so they're showing up in branches, and people are frustrated, upset. If you only had one financial institution, that's where literally all your money was. Your paycheck was supposed to come in. It's 2 weeks. I get my paycheck every 2 weeks. Some people get it monthly, but I probably couldn't go 2 weeks without being able to pay for something. I've got a little bit of cash saved up, but a lot of people don't.

So for the human impact, we're talking critical services are disrupted, right? Health, power, water, money, all sorts of things. But beyond the initial impact of life-threatening or initial financial problems, we also have collateral damage. There are people that don't trust technology anymore because they've seen cyber attacks happen. You have fear, anxiety, a loss of trust. And then you've got those of us that are in the industry that are trying to keep this all together, that are facing burnout, are dealing with events at home, that maybe perhaps you don't show up to that soccer game because you got a call that said, "Hey, XYZ client experienced a cyber attack. You're going to have to spend the next 15 hours trying to sort out what happened." So cyber incidents are not just technology problems. They are humanitarian crises in disguise. Every single cyber attack has people that are harmed behind it. Every single one. Whether it's stolen data or even the time it takes to sort it out. Even if it's a non-production system with garbage data, somebody still has to spend a bunch of time to figure out what happened and deal with it. So cyber security is now public safety, and we must protect people first, systems second.

So, for those of us in the room, right, we're not soldiers, we're not firefighters, we're not medics. But we're not untouched by this either. For responders particularly, we're pulled into chaos, sometimes alone, expected to triage and not really complain about it, right? We deal with this fight every single day. For people like me who aren't part of an internal security team, I might be working three or four incidents a week. And it's across the gamut, all sorts of industries, everything from retail to healthcare to finance. Deal with it all day, every day. And then you start to realize, oh, these are actual people that are being harmed. And I don't know, you could be a soulless psychopath or something and not care, but I'm not. I feel it every time. What if it was my electricity provider that experienced a cyber attack, right? Suddenly my home and my children and my wife don't have electricity at home. So it kind of weighs on you. And so we feel it. And it just kind of goes on in the background. When a cyber attack happens, it's not police that show up. It's not the FBI. CISA doesn't come riding in to save you. It's those of us that are in this room. It's regular cyber security people that show up to sort these things out. There's no magical entity that comes in and rescues you. Yeah, the FBI will say, "Hey, I want whatever TTPs or IOCs you have," but they take those and wander off, and eventually you might see an advisory in 6 to 9 months. It's not really conducive to dealing with the problems now, and if we start failing and falling and burning out, we fail everybody else.

So, to talk about the emotional toll on responders: 67% of security teams report chronic stress. Okay, that's an IBM study. 51% of responders, that's SOC and incident responders, have been prescribed mental health meds. Times did that research. That number is actually higher than the national average for first responders and military personnel. We have a mental health epidemic in our industry. A 2024 Microsoft study said 45% of cyber pros are at high burnout risk and 30% report disrupted sleep for weeks after a major incident. I get disrupted sleep all the time. The workday doesn't end at 5 when you're dealing with an incident. So what this overall does is it cascades, right? You get stress. Stress leads to mistakes. Mistakes lead to slower containment. Slower containment leads to greater public harm, greater human impact.

So, I want to talk about a personal story involving a college that I responded to. It was a small liberal arts college, probably about 1,500-ish students. So, not very big. I don't know how big St. Mary's is, but probably the same idea, right? But the entire team was tied up, and I have in my background some sysadmin experience at a university. So anytime an educational institution comes along, I'm the guy that gets stuck with it, right? You've dealt with a student information system before, you've dealt with an LMS before, so you get to be the guy that deals with all these educational institutions that have an incident, right? But I ended up being the sole responder. Everybody else was working other things. The thing to understand about a college is, if it's in the middle of the school year, it's not just education. It is a power plant, an electricity provider. It is a water provider. It is a mini city. They provide food. It is everything to make that little mini city operate. And so if they experience a cyber attack, all of those things could potentially be disrupted, right? The HVAC system gets hit. Suddenly there's no AC. Now, this particular college was up north. It doesn't get as hot. But imagine if it was the middle of August, you know, just started the semester here in Texas, and you don't have AC. You can't really pursue your mission of teaching students, can you? So I was the sole responder. I had no surge team, no vendor help. I had a sysadmin on their end and a network admin on their end that were middling. And I was in pure investigation mode. Excuse me. So, log dives, forensics triage, containment advice. I wasn't doing hands-on recovery work, but when you do IR, you kind of get pulled into those conversations anyway. What's a safe way to bring this system up? This went on for several weeks. Lots of systems impacted. And I already hadn't had a break for several weeks. It's constant. And so my home office is my bedroom. Hopefully that'll be changing sometime this summer. But I basically never left that room except for quick breaks to run to the bathroom or grab a snack. Okay, so imagine
several weeks in the exact same room, 16 hour days. It kind of kind of gets to you after a little while, right? If you're working, sleeping, operating in the exact same room constantly. To add to that, college networks are hostile by design. So, um, if any of y'all have worked on a college network or advised on a college network, uh, they are the worst networks to possibly try to secure ever. You have transient devices that come and go that potentially are infected with all manner of nastiness. students generally don't have good cyber security hygiene. Sorry if there's any students in here, but it's true. Uh, and so you're playing whack-a-ole because you don't know if

that weird network traffic you see in part of your incident is due to the bad guy having a C2 or if it's, you know, this random laptop that's on the network that, you know, some student installed some dodgy video game on that was cracked, right? Um, and so you're also dealing with years of poor hygiene. Most educational institutions are not cutting edge in terms of technology. Um, they kind of just, oh, we built a building, but we forgot to, you know, budget some network equipment, so we're going to go pull that stuff off the stack that's been there for 5 years and throw it in here, right? Um, and so as I'm going through this network,

literally every pivot was another vulnerable system. It was another system that could have been used by our threat actor. Could have had C2 on it. Could have had all sorts of things. In fact, even in this case, we found a uh potential security incident that went back several years. So, they'd already had somebody in there doing something. Um, and so my day-to-day is obviously collecting evidence, drafting timelines, briefing the leadership of the client, chasing down the next indicator. By day 10, I was exhausted. Um, I kept rechecking various systems that I already check out of paranoia because you're in an environment that's just overtly hostile. Uh, when we fin when I finally got a handle on it, um, and the investigation

wrapped, all the systems were kind of up and working, I was hollow, irritable, exhausted, in a bad mood constantly. Um, my wife was not too happy with me. Uh those of you all that are in a serious relationship or married, um you ever have several weeks where you just do nothing but fight? It was like that. And it was entirely my fault. Um I lashed out at friends um even actually my boss um at one point um to the point where he and I got really heated and had we not had the relationship we had, he probably would have fired me. I was that burned out. I was that mad at everything. Um, ended up assigning me temporarily to

an advisory group. That way I could just step away from working incidents for a little while. Uh, um, definitely ended up probably saving my career. Um, but the moral of this is even a successful hunt can break the person that's responding or the people that are responding. If there's no staffing depth, if there's no downtime, if there's no consideration for mental health for the responder, it will break your responders. It will break the teams around your responders. Add to that, I kind of touched on it, you have emotional toll on your families. So, there's an always on culture in IR and security in general. Um for those of us that are actually delivering services and not maybe um

doing code reviews or something, it's always on constantly. You're always under attack. Um that destroys family time. Um 90% of sock and responders uh check work during vacations. 32% get interrupted nightly. I get interrupted all the time. I get a text message. Hey, this case came in. 45% of CISOs miss key family events. This chronic stress leads to strain marriages. Emotional distancing destroys families, destroys children's futures. I don't know if you've seen the statistics on what happens to children in a divorced family. They are much less likely to do better than their parents going forward. Um 40% of us say that job stress hurts family relationships. I can definitely say that. Uh kids, my children are

really young, so they don't quite get it yet. All they understand is the doors closed. can't talk to dad. Um my wife on the other hand um definitely has told me that she felt secondary to the job. I've had to make changes. Uh and then you just get emotionally exhausted to the point where it's like okay whatever, right? You don't want to live like that because it's not just your emotions involving your job. It impacts your emotions involving everything in your life. You aren't as happy. You aren't celebrating milestones with family anymore. Like you just show up to a family event, you're just kind of there, right? You're fried. Um, yeah. So, I've got a paraphrase

quote from my wife, right? You're always working. Even when you're not here, you're not. I I was constantly having to check the phone. I was constantly trying to keep up with what our threat actors are doing again, right? And this burnout spreads beyond just the security responder, just the sock agent. Um, it causes vicarious trauma for spouses and if your children are old enough to understand, uh, hurts them too. Um, you get irritable. It causes conflict, fear. Uh, in extreme cases, people get abusive when they're stressed out. Um, twothirds of responders have sought counseling due to job stress. Uh, it's not just the stress, it's the missed events. It's the missed bedtime stories, emotional withdrawal. There's

fear constantly that that phone's going to ring from your family. And so, family stress becomes a security risk. Maybe not for your company, though it will eventually. Maybe not for your clients, eventually it will. But it becomes a security risk for you and your family. So, after having reflected on all of this, having burned out and trying to deal and manage my time better, you don't have to burn out to prove that you actually care for your job and care for the people that you work for. Um, you don't have to measure commitment and collapse. Uh, you're allowed to set boundaries. I know this is all things that you hear all the time. I'm telling you, you got

to do it. Um, burnout isn't noble. It is corrosive. It is not just corrosive to you. It's corrosive to your family. It's corrosive to your teammates at work. Uh, we need responders that can last. Uh, not just sprint. Um, we we use through the uh the old adage like it's a not a it's not a sprint's marathon, right? It's marathon, not a sprint. Um, and this mission doesn't require your health as collateral. So what can I do? I am just. So all of us have a responsibility to deal with this problem. Um if you're leadership uh need to fund some more resilience for your organizations if you haven't already. I cannot tell you how many

organizations I go into that don't even have a simple incident response plan. They don't even have an asset inventory. That adds unneeded stress to the situation. Um have some offline contingencies. So if you are a power provider, make sure that your linemen are aware of your distribution automation outage processes. Zark scrambling. We need to fund wellness and recovery time like we fund tech stacks. Um and this isn't as simple as like giving the people a day off every once in a while. It's also like okay like maybe your responders shouldn't be working three or four incidents at a time. Maybe they should be getting a week off in between cases. I know that hurts the bottom line, but

maybe we need to make this adjustment so that we don't lose all of our responders. Um, if you're in education, we need to teach ethics, communication, stress management alongside the tech. It can't all be about tech. You have an ethical and moral responsibility to step in if your coworker is starting to burn out and try and prevent it from happening. You may not be able to prevent it, but you have a moral and ethical obligation to try and save them. Um, we need to teach students that cyber has human costs, not just technical or financial ones. Um, and we need to build empathy into training. If you're a responder, we need reasonable boundaries and need to not

feel guilty about setting them. Um, if you have PTO and you're not contract, use it for sure, but you also need to take breaks beyond just that PTO. You shouldn't be working incidents back to back. Um, you should always debrief with your team. That helps a lot. It's kind of like a counseling session after an incident. Uh, and don't just close the case. Try to track what's gone wrong. I know that we talk about it a lot in the incident response life cycle, like we have an after-action. Um, but that doesn't happen all the time. You got to make it happen because you might find something that stressed you out that maybe somebody else has a better idea

how to handle it and then it's no longer a stressor on you. Uh, and then any impact that leads to burnout needs to be documented and it needs to be shared. Um, if you're a student, you need to learn the human side of cyber, not just the technical skills, not just the various technologies that we use. Uh, don't get hung up on tools and tactics. Uh, and if your course of study is ignoring the human side of things, you need to speak up about that. Um, it's extremely necessary. So, as a final thought, we build technical systems to be resilient under stress. We don't really build personnel systems in this industry that I've noticed, and I've worked at several

organizations to do the same for the people that actually run those systems. We're expected to have 100% uptime for the systems, and we're also expected to have 100% uptime for the people, and that's not humanly possible. So, we spend all this time and all this money making resilient systems. How do we make resilient people? I think what we need to do as an industry is step back and realize that this is unsustainable. Um, and we need to start focusing on resolving the problems and the stressors that burn everybody up. If you want true resilience in cyber security, we need to stop thinking about only technology. We need to start protecting the people that are defending

these systems. With that, uh, happy to answer any questions.

Hello. >> Yeah. >> Yeah. I just want to say that, um, in this industry, none of people, um, have the empathy that you're displaying today and take the risk that you're taking right now by admitting on a personal level to all the stress that this causes us and how it impacts our family. >> This was a very uncomfortable presentation to put together. Yeah, I can tell. >> Very, very. >> Um, so if that... Yeah, like very uncomfortable because it's not something that, like, I don't want to go to my boss and say, "Hey, like you're messing me up, man." Right. Um, and at a certain level, like ultimately the company doesn't care. Oh, this guy

burned out. Okay, we'll just go put out a job ad and try to go hire somebody else. But like we need to not be that way. There's not enough of us. Yeah. >> If you're a company that doesn't talk about quality of life, you're in a bad company. >> Yeah. So, um, some of that has shifted a little bit. Um, we went through a huge management structure change up and we just did not have any quality of life like Q4, Q3, um, just because of the amount of people that we had on hand. Um, it's not directly management's fault because we can forecast incidents generally, like we're a subsidiary of a huge insurance company. We know how many

approximate incidents, add a few percentage, right? We ended up way, way above target. And so, um, we don't really get the luxury of saying no, we won't help them. Uh, and so to my management's credit, they immediately put out job ads, right? That was the first thing they did. Like the second we saw the forecast was going to be crazy. But you know how long it takes to hire an incident responder, to find somebody that can actually do that job, especially as an outside consultant that's dealing with clients. It takes months. And they've hired some people since then, but that doesn't help during, you know, that 3-month period where you're trying to find people,

right? You can't just put bodies in seats, unfortunately. You got to have people that have that skill set. >> Everything's time, money, and effort. Like you said, we're in a crisis now. >> You can't go out and hire people cuz even if you hire the most skilled person, it takes them four to six months to learn how we do it. >> That's right. >> And so Yeah. >> Yeah. And then in our instance, um, obviously we've got some proprietary systems, uh, that you got to learn and that's just the way it is. Um, we got processes that we have to follow contractually. Uh, and I can't just sit, you know, somebody fresh out of college,

unfortunately, in a seat and say, "Go be an incident responder." I just can't do it. >> I have to have a team that actually knows what they're doing. Yeah. >> Um, are people or companies paying out more these days or less? What's that looking like now? >> Are you talking about like ransoms? >> Yeah. >> Yeah. So, um, I don't have a hard number on it. Um, and that number is not really ever shared. Uh, I would estimate it's probably about 20 to 25% of companies end up paying the ransom. Uh, based on what I've seen, um, that's ultimately not a me or my team decision. It's ultimately a decision of the legal counsel that's assigned to the case. Um,

simply because there's a point at which if this company can't recover, like business losses are way more than the incident response, right? An incident response may cost you $100,000, $200,000, depending on how big your organization is, but the loss of continuity of business is millions of dollars. And there comes a point where there has to be a hard discussion around like, okay, well, maybe we do pay the ransom because we need to unlock these systems. Uh maybe you don't unlock them and then immediately put them back in production, but at least you have access to your data. Yeah, I would say it's probably about a quarter of the cases that I deal with that get paid out. Um, and it's

unfortunate because we're just incentivizing this over and over and over again. Um, on the other hand, uh, we have some states, I think it's North Carolina, where it's illegal to pay a ransom. Um, and so if you, I think it's North Carolina, don't quote me on that. Uh, but, uh, if you do pay the ransom, um, you're subject to, you know, the state coming in and dealing with you, right? Uh, and so the idea is to disincentivize these threat actors, but unless everybody doesn't pay, and you're never going to have 100% compliance, it's not going to end. >> Yeah. So, uh, what strategies have you seen or would you recommend even just personally based on your experience

on, uh, maintaining and improving the culture of incident response to mitigate the risk of burnout? >> Sure. Um, for us, uh, we usually operate in teams of like three or four people. Um, and so it's kind of the responsibility of whoever the case lead is to keep an eye on their kind of junior responders and make sure that they're not burning out. But it's also incumbent on the junior responders to make sure their case lead's not going off the track, right? It really comes down to that human connection. Um, as there's no way to like technically measure burnout, right? Um, if somebody's not responding to Slack messages and hasn't been responding to Slack messages for hours,

you should probably give them a call, right? We get so used to interacting over a screen. Like, I don't see my team. My team's all over the country, you know? I see them maybe once per year when we get together for a company meeting. Uh, but you got to have that human connection. Um, my, um, partner, uh, that I worked with, IR partner, um, he and I connected really well. We actually, like, I stayed at his house, right? Uh, and so that helps a lot because he knows when I'm, you know, starting to kind of get that way and I know when he is, and so we have this accountability between each other, um, in

that interpersonal relationship. Hey, Jacob, you're starting to kind of get a little like, like you're starting to burn out. Okay, well, thanks for giving me that warning sign because you don't generally notice it yourself. Everybody else does, right? And so, you got to have the guts to stand up and say, "Hey, this is happening. We need to address it." Not as a way to like punish or shame somebody, but as a way to help make sure that they don't go to that dark place. >> Want to answer that last one right there? Then we'll call. >> First of all, thank you so much for sharing your experience. That was really, really great and it really helps to get

the dialogue going and normalizing this topic. Um, so I'm curious, is there some sort of greater open forum for discussion on this with your community, support groups to help align with that? If not, I think to start with >> I don't know any, um, other than kind of informally, right? So, I try to get out to other groups. This helps actually a lot. This is like a therapy session for me. Um, because it's been weighing on me forever. Um, uh, informally, it's personal relationships, right? Uh, my wife's gotten really good at spotting when I'm going that way. Um, she's like, "Hey, you should take Friday off. Like, step away for a weekend. Uh, tell

everybody at work like they're going to have to handle stuff," because I'm in the unfortunate situation that I'm one of the more experienced people on my team, and so inevitably, you know, everything rolls to me, right? Um, I'm not in the hierarchy yet, I'm not really that way, I'm not a supervisor, but like when you've touched a lot of systems and dealt with a lot of incidents, all your junior folks end up coming to you, and so you're having to deal with that. Um, and so you're getting the stress of not only your own incidents that you're working, but also everybody else's. Um, and so I've had to be better about noticing that and better about

talking about it. I've got a buddy who's not in security. He is in technology. Uh, but, like, a phone call every couple weeks of like, hey, what's going on at work? I mean, obviously don't break an NDA, but like I really struggled with this. Like this is hard. And he may not have a solution, but I've now been able to kind of vent all that frustration and stress and everything else. I feel a lot better. It's like having a therapist, right? Okay, I know we're at time. Um, lunch just started, so thank you for skipping at least half of lunch for me.

Thank you. Happy to talk to whomever uh wants to talk after.