Aftermath: The Human Cost Of Ransomware

BSides Exeter · 2026 · 40:25 · 32 views · Published 2025-09
Category: Community
Style: Talk
About this talk
Adrian Taylor explores the human and organizational toll of ransomware incidents beyond financial metrics. Drawing on real case studies and incident-response experience, he examines the psychological trauma, burnout, and long-term impacts on employees, families, and leadership during and after attacks—and outlines practical strategies for building organizational resilience and supporting affected teams.

Imagine for a minute you're a doctor. In half an hour you're going to be doing a life-saving operation on a patient. You're about to dial into the computers to get some files down to get ready. Or you're a factory manager having to make some changes to your factory line just before you have to go live with a new run of toys ready for Christmas. Or maybe you work in HR or accounts and it's coming to the end of the month, right? And you've got to run payroll and you got to push that out because otherwise you're going to get it in the neck. Or you're an IR team member and it's Friday afternoon. You got a weekend off.

You're not on call

and then you see something like this. Now, if you're that user, factory manager doctor uh what did I click on something? Was that me? I don't know what what what do I do now? I know. I'll just switch off, switch on, right? That's what I have to do. Yeah. Okay, cool. That'll work. Oh, no, it didn't. Um. Uh. What do I do now? I don't know. Who am I going to call? Anyone? Come on. Can we fix this now, please? I literally have to get payroll out. [ __ ] [ __ ] What's going to happen? Uh-oh. The payroll. Oh, you're working in IR, right? Oo, ransomware. Juicy one. This could be fun. Yeah. Uh, yeah. Yeah. Hang on. You as well.

And you? >> Yeah. Yeah. Hang on. No. No. Can you stop shouting, please? Yeah. Yeah. I'm trying my best. Oh, [Music] this is going to be a big one. Okay. But it's bigger than this, right? That payroll might not go out. People might not get paid. That doctor might be doing a life-saving operation and that's impacted. Kids might not get presents for Christmas. And that's what I want to talk about today. My name's Adrian Taylor. I work for an organization called Unit 42 at the moment. Oh, somebody else work there? Yeah, there we go. Oh, you've heard. Um, we do threat intelligence, incident response, and a number of other things. But um my passion is talking

about the human side of cyber security outside of culture and awareness about the impacts of it. Um I do coaching with Lego and empathy hacking and trying to get in the minds of our users and our teams and our board. Uh so that's what this conversation is about. It's a bit of a personal passion for me and I want to be talking about the human side of ransomware and the impact it has on the organizations and those around them. You're probably familiar with people talking about the cost of a data breach, the cost of ransomware, right? What do you feel when you see these stats? >> Do you >> anything? Somebody was just like, >> yeah,

>> probably. I don't really feel much about that number, dear. I don't I see it come up, but I'm like, well, I'm not going to be paying that as an individual. I work in cyber security. I don't feel much about that. So I want to explore a little bit about what people are feeling and what's going on around incidents and why it matters and what you can do about it and why it's important. That's what today's talk is going to be about. I'm just realizing didn't start my time here so no idea. All right. So when we see these stats, typically people are talking about things like regulatory fines, loss of productivity, profit, reputation damage, customers

being lost. They don't really talk about what's happening to the humans behind that. Your users, your customers, your IR team. Okay? So I want to explore a little bit about that today. So what we see when we with ransomware a number of different trends right it's not all just about encryption a lot of customers and organizations do get hit with encryption but there's a hell of a lot of data theft and the impacts of data being stolen we also see sometimes DOS and we're also seeing a worrying number of harassment cases that are coming up now this quadruple extortion method is all a way of the threat actors making money. It's a business, right? It's all a way of

extorting money and most of that's through fear and shock. They're evoking emotions that are going to drive action. Going to show you a couple of examples, but um I did say it's a personal talk, but just going to slide in a little plug for the Unit 42 team and their threat intel reports and everything around this, right? Um they really are golden. I was reading it before I joined the organization. Has anybody else been using Unit 42 threat intel in their SOC or anything? Okay, a few hands around there. Um, it's well worth a read. But let me bring it home to these impacts. Did anyone hear about this case in Finland a couple of years ago? Yeah,

I I every time I update this slide in my age, it makes me kind of a bit sick on here. Right. So Vastaamo in Finland 25 uh psychotherapy centers about 30 they had 36,000 customers uh 400 employees and that data was compromised by a threat actor stolen. Now that threat actor had patient records, the notes that were stored about people's therapy appointments, things that they shared about uh adultery, about suicidal thoughts, about criminal intent thoughts. And these were things that were held in utmost confidence, trust, and safety. And then they started to be published. Imagine how that would have felt if you woke up and saw the news and you were one of these people that had had therapy

there. Are you going to be one of them or not? Right? That's going to run through you. What's weird? Well, pretty sick on this one, but this threat actor then started to contact the individuals whose medical records were stolen and ask them for money and personally extort them and ask them for uh what was it? It was about €200 uh euros or 500 if they didn't pay in time. So, not only were people hearing about this threat from the outside, then these criminals or criminal was being making contact and getting in touch with them as an individual and saying, "I've got your data." Imagine what goes through the mind of that individual at that point

and that organization. Um, this particular organization ended up going under. It lost the public trust. It lost the patient trust. Uh, they tried to sell. They tried to get bought out. The CEO ended up being fined and he got a um a sentence. Um the company went into liquidation. Thankfully, the hacker was jailed. Um 21,000 counts of extortion. He got 6 years, 3 months. This is Mike. Okay, I'm getting some feedback. Is it Is it coming out clear? All right. Thank you. So this starts to paint a picture of users being impacted by ransomware and it not just about that big big number right there's an impact that's out there and if we look at it it's a bit like an

onion layer right normally we're looking about the impact here about the organization the users the IR team the IT team if you start to build out from that a little bit then you're looking at the users of your services um within your organization or maybe your your your customers and those that are interfacing with your organization. And if you look even bigger, you start to look at society and economy and the public trust. So I'm going to pick away at these uh these onion layers today. So if you look at society and economy first, right, let's start from the outside in. ransomware, if it starts to undermine public trust, if things like the health service and police start to get hit by

incidents, what are we going to do as users of those services? We're going to not trust that they're looking after us. If they're not looking after our data, what else might they not be looking after? So, we lose trust of things like government services, of the police, perhaps of of people holding our data. We become more paranoid. It starts on another way of normalizing it. If we're seeing it in the news the whole time, it normalizes cyber crime and we start to forget to do the basics or we just ah it's only data isn't it and we ourselves may change our risk tolerance. So these little things to start pondering but from an economic point of

view it can have huge impacts on people outside of the the the incident itself. The blast radius might be massive. So for example, DP Worldwide or World Hack back uh I think it's can't see down there. It was about 3 years ago. Um this company shipping company looked after about 40% of the goods going in and out of Australia, right? Which as an island that's quite a significant um amount of control. They had to shut off the internet for a number of days. Okay. There was a lack of service that prevented goods coming in and out of the country completely. There were probably companies that were in Australia and outside relying on those goods for trade,

probably losing money, losing faith in that company, but also broader. So you start to bring that down and look at the supply chain and that impact of goods not being able to move around. you start thinking about what would happen if our OT was impacted and then we couldn't get water or or the uh fuel lines could get impacted. That then starts to have an impact on us as individuals. But as us as IT professionals, right, unless you're working in the public sector, which probably some of us are here, there's not a lot we can do about that other than hope and have faith. But we start moving in a little bit more. we start to look at those indirect impacts

on the blast radius of the the things that we probably can impact our customers, our users. Start thinking a little bit about that. So the impacts of ransomware then start to look at things like um actual physical harm. So if you look at public health, you look at patients that are in hospitals, you look at um energy over winter, right? If we suddenly start to have impact on on our energy supply over winter, it's bad enough with uh many people living below the poverty line trying to heat their houses. What if then power supply started to go down or or be limited at that point or oil and gas? But it goes beyond that because benefit

systems can be disrupted. There's also some cases where housing prices fluctuations happened as a a knock-on impact of of ransomware. These economic harms are real and small business disruption. Just an example like um Rackspace a few years back um they got hit uh there was an exchange vulnerability they got nailed by and then a whole bunch of their email accounts got stolen PST files um and they had to shut down services for ages and those businesses would have been impacted. that was a hosting service that was probably hosting a you know a hairdresser a building company or a lawyer or something like that those that would have been wiping out their ability to trade. So when you look at the headlines you

see something like oh Rackspace has been here oh big company just think of the customers that might be impacted within that company and what it means to them. It means anxiety it means stress it means probably a lack of control. These people can't do much about it. And that's why it's so important for us within the cyber security teams to be doing what we can to limit this blast radius and have empathy of the people that are impacted. So when we're sending out media coms, when we're starting to work with controlling that narrative, we've got them in mind a little bit and thinking actually it's not just us trying to save our bacon and our share

prices. It's us thinking about the people that are impacted by this incident. And what we put out publicly really will drive or lose trust of those around. And that blast radius is huge um but it can be controlled with proper planning. So let's come back in um as we get nearer to what we can do in our incident response team, right? So think of the financial harm I mentioned about like payroll systems being impacted, disruptions of services that might lose you customers and you think, oh yeah, cost of crime, financial loss, profit loss. It does cause known names to just disappear over time. Like Travelex, massive breach a couple of years back, right? Big name. You'd see them in

places like Sainsbury's and others and and and their offices in airports. They had a huge breach. They were connected to a number of other networks where they were placed that lost trust in them. Whilst it wasn't directly attributed to the ransomware, that loss of confidence led to buyout not happening and they ended up closing down. Code Spaces, back in 2014. I mean, I know that's quite a long time ago, but um there's an example of a company who had uh DOS. They started to try and restore and recover. Nice little example of of like doing incident response, right? If you're not sure you've got rid of the threat actor, don't start trying to restore from

backup and other things cuz that threat actor saw that and then just deleted, they'd got access to their uh Amazon account. It just started to delete all their data and backups and everything and that just was like oh well basically just wiped out that company so they don't exist literally. So this does have an impact and it has an impact of those 1300 employees of that company. So, when we bring it down to us, let's think about what's going on in our organization. Have we got any incident responders in the house? I know there's two in here, right? Anyone else that's worked in incident response? Anybody else want to admit to being in one of these

big horrible gnarly incidents that that kind of Okay, a few of you either as a user or a defender, right? It's great fun, right? For the first couple of seconds that adrenaline kicks in, then the phone starts ringing. So this initial week, it's all about trying to gather data, trying to understand what's going on. That first week can be fun. It's a mixture of emotions. Absolute cocktail. It really is like that cocktail that you make at university. It doesn't look pretty by the time you finished it, right? And it doesn't really taste that nice, but you have to do it anyway. I don't know where that metaphor came from. I'm in a university must just have come

back to me. So the the thing in the first week, right, it's about understanding what's going on. It's about trying to rally the team together. It's about realizing, oh [ __ ] the person that has the key and knows everything that's going on is currently on paternity leave or they left pissed off and not picking up the phone, right? And they're the one that knows how that system works. We can't even remember who runs our system. Oh [ __ ] we've not got the logs we needed. Yes, we have. No, but only two days. This happened a week ago. Oh [ __ ] So that's what's happening for us in the incident response team. What about the

user? I think it might have been me who clicked that. Yeah, it probably was. I think so. I've got proof in these logs. Yeah, I can see you clicking on that. Well, I brought the whole company down. Uh, excuse me. Who else knows about this? Oh, [ __ ] Incident responders. This is awesome. Let's call in the pizza. Yeah, let's get in. War room up and running. We're in this together, gang. Pizza. Yeah, late nights. 20 hours. I'm on it. In it together. Oh, tomorrow as well. Yeah. Oh, bloody hell. This is hard, isn't it? IT teams coming in. It's good fun and exhausting. It's scary. It's painful. There's a lot of shame that's coming in

there. Should we phone the regulators? Should we not? Oh, hang on. CEO is breathing down your neck. CFO, everybody else, the users are on your back. Cocktail of emotions. A lot of fear, a lot of blame and guilt. Was that me? Did I not patch that server? Somebody going to have a go at me? Oh, I'm the CISO. I've got to get control of this. How many? Yeah. Okay. So, all this is happening in the first week and more. People start taking up smoking. People eat a lot of junk food. People are not phoning home. They're busy. Your dog's waiting for you at this point wondering where on earth you are. There's an impact there as well on your

pets and you. Big impact to all that pizza. So then as it rolls on a little bit more >> more than 15. >> More than 15. All right. Good. Um then you start rolling into a month. It's not as much fun. Actually, let's just go back one more. That initial week you're working with a threat actor, right? I forgot to mention that. If you've got an incident response team that know what they're doing, they've got a plan. and they know how to talk to a threat actor with a hacker. If you haven't, I'm talking to Do I talk to a criminal? Hang on. What if I talk to them? They're going to know who I am. Bloody

criminal. Yeah. No, [ __ ] you. Hacking my organization. They're going to start making mistakes. They're going to feel the pressure. Should we? Shouldn't we? That's a hard situation at that point. There's cases where people have felt physically dirty and traumatized by the experience that they are talking to criminals at this point. They're not sure what to do. The criminal, the threat actor is pushing pressure saying, "Don't tell anybody." It's like those films saying, "You've got to turn up at the car park at midnight. Don't tell a soul, not the police. I will know." the threat actors doing that to try and extort money and make sure you don't bring in the incident response team.

If you're there as a small and medium business, you don't have an IR team that that that knows this stuff. So there you don't know what to do. There's confusion, there's fear, there's doubt. Not very pleasant emotions, right? The fun's worn off. You've also been working goodness knows how many hours to try and rebuild those critical systems to try and get the payroll out to try and get that customer order done. But you've been working 20 hours. Hang on a minute. Did I see that in the logs or was that was that you now? Where do I put it? Ah, damn it. I've got to go to them all again. Let me reset this. Oh

no. Probably shouldn't have done that. Mistakes start to happen because you're tired. The adrenaline starts to wear off. The exhaustion comes, your dog starts crying. So, as that rolls on into the month, you might start looking at restoring systems. Well, hopefully you do. You've got an idea. You start to rebuild things. You might start shifting from panic to organized chaos to projects. You've contained a threat actor. Maybe you've decided whether to pay or not. You've done the regulatory uh breach notification, but maybe there's somebody out there that's still working out where they're going to sue you at this point. There's still systems that haven't been brought up online. You're still not necessarily back up to where you need to be.

So, it's not stopped, but you're exhausted. Your family at home are they're really their head's been done in by the fact that you're not available for them right now. You're being ratty. You're being angry. You're tired. You're not looking after them. You've not been exercising. You've been eating too much bloody pizza. Your brain's not working. Your mind's not health healthy. Your mental health is dipping. This is real. Study said the average weight gain on some of these larger incidents is 8.5 kilos. That's a lot of bloody pizza, which seems nice at the time, I must admit. Divorces happen, depression happens. One in seven people said the trauma was so large they wanted to seek medical,

psychotherapy, and uh counseling as a result of this. One in five people considered leaving their jobs as a result of ransomware. It's not nice. It's not nice. And it doesn't stop there. As you move on in the year, it's still continuing. That regulatory decision making is still going on. Potentially the CEO is working out whether they quit. The CFO is still trying to work out what budget. Yes, programs and programs and projects start kicking in, but as you as the IT team or the IR team, you're exhausted. You're still going on. You're like, can I take this anymore? And this is typically where I work in this space. I give people a lot of massages, right? There's

there's okay, you're exhausted. What do we do next? And that's that's my personal kind of uh fit in life. I've got some friends that do the uh the first bit. I love my pizza. I don't want to eat so much that I don't enjoy it anymore. So, I've now moved on to this next bit. But the emotions are still there. The after effects, the trauma, the anxiety, the fatigue is still there. When will this finish? The users are still moaning at you because their systems are still not operating as they should. The customers are still complaining. You're still getting the pressure, but you're trying your very best. There's a thing about us in security and in IT, a lot of us in

tech, we want to do right. We really are trying hard. We really want to try hard and look after our organization and our users. So we shoulder a lot of this responsibility and in that comes quite a lot of a lot of pressure personal pressure we put on ourselves and blame and risk. So what do we do about it? [Music] Well there's quite a few things actually. I want to give you hope. I've just painted this really horrible story. So please patch please use MFA. Do the basics. We all know that. But this is why anyone that works in incident response knows why it's so important. Weight loss. That's why we say patch. Okay. There's some things you can do. So

first of all, if you think about the initial week, let's think about looking ahead. Let's get an incident response plan. Let's think about if a big incident happens, how do you make sure people take breaks? How do you make sure you don't just eat pizza? How do you know who's on holiday and who's not and who to call? How do you take some of that pressure out of those first few moments of knowing who knows what systems? How do you make sure you've tested your incident response plan so that first little bit a little bit more chilled? How do you as an incident commander or a leader or a manager check in on other people's mental health?

How do you spot when somebody else is losing their their patience? What do you do in that situation? How do you just suggest they take a walk? You look out for each other, right? It's there's something about incident response in those situations. You come together as a team, right? And you can come out of that so much stronger. You got to look out for each other. You got to come together and you've got to be encouraging others to take breaks, to look out for each other, to check in with their family. You got to create space. You can plan ahead for that. Of course, you can create a rota. You can create a system where you don't

have single points of failure. That's why it's important in those moments. Then in the first month as that rolls out, you've got to manage the workload. You got to start rolling people off. You got to realize who's been doing all the work and working hard and subbing somebody else in. Yeah, they know everything. They've been deep in all the logs. If they keel over exhausted or stressed or leave, you're back to square one. You got that single point of failure again, right? You got to and if you're a leader here leading these teams or or or just somebody that cares about others in your team, create that safe space to talk about mental health. If you're seeing

people acting different and that could be extra quiet not it could be withdrawn it could be not coming on camera as much just go just notice the change and either reach out to them direct or somebody else within your team super important and if you have this type of conversation about mental health across your cyber security team normally then in those moments it's easy for that person going yeah I'm really struggling actually this has been a bit too much and actually my wife has been having a right go at me and I don't know what to do. That conversation becomes a lot easier. But that guilt and that fear, right? You don't want to be saying that stuff if

you're worried about the organization going, "No, but we've got to get the systems back up." That's why we've got to be talking about things like that early as we move through. You got to be monitoring weight. No. Okay. I mean, yeah, changes. If somebody does look like they put on 8 and a half kilos and maybe you start making offers on the salad bar in your corporate canteen or something but start to move towards looking at the retros, looking back at the incidents, looking about that bigger picture um way of building your incident response plan to adapt to these incidents. What did you learn? What can you do better? How do you change? You go back and look

at your incident response plan and go, "That was a pile of crap, wasn't it? We didn't do any of that." Right? What did we do? What do we need to do differently? And you do it then. I think somebody said, "Yeah, we all suggest do an incident response plan." How many people actually end up pulling it off the shelf and doing it? No, you do what's in your muscles and your brain. So that's why you do tabletops and you have your plan and you practice it. This is great. You should walk on and just be like, "Okay." Um the other thing you can start looking at when you're out the pressure of the incident. Um

at Param I don't know because we've got uh we've got some various different benefits and one of them is like a health line uh helpline. You can get uh I think correct me if I'm wrong you get like 10 therapy sessions a year, 10 coaching sessions. There's a there's a crisis line. That's great. We're encouraging all of our own team to use that so they can get coaching through the year or in those situations. You start thinking about whether or not you've got access to that within your own teams. You start thinking about how yeah, we didn't put mental health in the incident response plan. Maybe is now a good time to do it. You get a little bit more

space. So, I'm going to wrap up because I want to have a bit of a discussion if we get a couple of minutes, maybe some questions. Start thinking about that. What can you do now? Well, start preparing. Start thinking ahead to that. start wondering whether or not there was something I said today that made you think, "Yeah, that might that might save my dog's mental health if I put that in incident response plan. I'm going to go away and do it for Photo." If that's there, go back and put it in your incident response plan. Not about looking after your dog, but something similar. Practice, practice, practice. work with somebody else to do an incident

response tabletop if that helps you to get objectivity. If you don't have the budget, there's games, there's people that do it. You, you know, it's the best way of doing it when it's outside of um a live incident. If you do have an incident, make sure you've not got single points of failure. Easier said than done, I know, but just make sure multiple different people know where the keys to your main systems are. And most important of all, build trust. Build a safe environment. Start having chats about what can go wrong and how to prevent it. Bring your team together somehow. Look out for people that are working remotely. Do all this stuff and you stand a chance of building your

resilience within an incident and minimizing that blast radius for yourself, for your team, your users, and even society as a whole. That's why this is super important. So, if you want to talk about any of this, I'd be delighted if you connect with me. Please, for those of you paranoid about QR codes, there's the actual URL underneath. Connect with me on LinkedIn. Um, if you go on to the Unit 42 page, this is not a a work presentation, but if you go on to there, there's some strategies on how to do incident response planning. There's threat intel, there's also a number there if you do really end up in the in the um mess and you need help. Um, also

a couple of colleagues here today that are the incident response folks. I think Jack's doing a talk later. Um, that'll be fun. I think it's about recovery from an incident, so maybe some different themes. Um, but yeah, thanks very much for your time. If you've got any questions or or points, if anything I said resonated, love to hear.

Stunned in the silence, waiting for the mic. That's Is there one?

really good point before about restoring confidence after an incident. In your experience, >> how do you think it is or what's probably the most important things that you can do or most important steps that you can take to rebuild confidence in an organization after a security incident >> within an organization? I think that's a big question. If it's to the outside world, then that's got to be around accuracy of communications, timeliness and accuracy of communications outwards. Have a comms plan. That always helps to start with so you're not bluffing and making stuff up. That keeps your customers and users more confident on the way through. Internally, it's internal communication plan as well. often what people forget when they're

worrying about what to put out on the website, they forgot they've not thought about the users there, about what's happening, right? All those internal systems about payroll and bonuses or or just being able to do your work, that's forgotten sometimes. So I think if you are I think actually here going back to if you're thinking and caring about your users, your customers, they'll feel it. If you're thinking about them and not just your share price, you go back to your values of your organization, you stand a better chance of keeping that confidence, I think. >> Anybody else? >> Thank you. >> Uh, great talk. Thank you very much. Um, thinking I guess best laid plans could

all fall apart during an incident. How do you ensure that scope creep doesn't start to come in in terms of people's roles and responsibilities? because everybody wants to do the most they can, do the best they can and pitch in. How do you ensure or how do you try to help reduce the chances of burnout and that sort of scope creep in people and teams responsibilities? >> Great question. Actually, one of the worst things of scope creep is when you get friendly IT people or infrastructure people around there trying to do IR. Sorry if we've got infrastructure people down there, but when they start rebooting systems, playing around, having a hunt around and destroying the

very stuff that you need to see, that's tricky. And then, yeah, during an incident, you get people overlapping and and burnout. So, a couple of things, tabletops and incident response plan. I'm going to keep saying that cuz but it does make sense. I have seen um organizations that have created cards that say this is your role in this incident. I want you to do this, this, and this. and they just literally pull people in around the room. They're like, "Okay, this is your job. This is yours. By the way, the moment you get the notetaker job, your job is this. Here's the links that you put in. You are the uh decision tracker. You're the blah

blah blah blah." And somebody What if somebody was then the workload observer, manager, and mental health sort of advocate in an IR? Never seen anyone put that in an IR report. But what if that was the scope creep and burnout observer? That'd be a great thing to put. So yeah, why not? Thanks. Good question. Um there's another one. put your hand up high if anyone wants to say

>> um sort of a comment rather than a question but uh yeah very interesting and it's something this is something I've had quite a concern about um for a while um I think there's a lot you could probably learn from the emergency services um in my last job I used to do trauma risk management with the fire service and uh so much you like you say, scope creep. Well, u firefighters have a very rigid command structure and everyone knows their job once they're told what they're doing. um and trauma risk management. That thing of the initial debrief um followed by uh an initial uh trauma checkup which is a mental health sort of thing where

we look at all these sort of blame and shame um and those sort of aspects and also tell people of the things to watch out for uh that they might turn to drink and all that sort of thing. Um, and then a later follow-up just to make sure is anyone setting off down that path so that you can pick up those that need referral. But yeah, I do worry that in this industry that we're at risk of people ending up with PTSD um because they haven't had that initial um counseling when they needed it. >> Yeah, that's and and what else do those teams do? The fire service, the military, they practice, practice, practice, don't they? until it becomes

muscle memory that that is their role. This is how they work together as a team. So when they are deployed, it's just a it's taken an edge off. It's not to say that there isn't still stress and trauma. But then like you say, there's checks and balances afterwards just to reflect, look back, and yeah, I think I'm also a bit of a geek of neurodiversity and the mind and character types and stuff. If we were to do a DISC profile of Myers-Briggs of the majority of cyber security, not many of us are on the people and empathy side of things. A lot of us more on the analytical side. So

sometimes we forget to think people cuz we're so worried about the tech side. So I do find the structures we put in place because me personally like a structure and a process to follow if it's in there to think about people or to have a check-in and to be done in a particular way then we codify empathy and that's why I started to think about like empathy hacking right there's a process to remember to do all these other things that's important. So, putting it in your incident response plan and practicing those check-ins and having these things as a role will maximize the chances of them happening and not being forgotten when we're worrying more about geeking

away in our basement trying to get that server back up and running. But thanks, great question. Good point. >> Any more questions?

>> Uh, good talk. Thanks. Uh, one of the things I often notice in incident response industry and things is that MSPs seem to be the ones that often get hit the most and it's just a calamity in those situations. What do you think makes MSPs want to change that sort of perception of them being the reason or cause of a lot of IRs? What would make them want to change? >> Well, what how can they ch how should they change? And why and how can they change? >> There's a couple of ways. I mean, first of all, it's got to be about competitiveness, right? So, there's got to be an edge. And are you talking about

managed security service providers or just service providers as a whole? >> Not MSSP, it's just MSP. >> Thank you. All right. Good. Um, yeah. Well, it's I think it's the nature of smaller margins and organizations like that trying to cut as many corners as possible to bring cost down, right? It's got to be like that's a commercial model. It's like, okay, take on 10 customers and try and do as cheaply as possible and then the individuals that are working in there then have to try and support those 10 customers in different environments and accidents start to happen. So, I think those organizations have got to start to think better about using AI and assuring their services

from a security point of view. So, Is that me? Oh, that's my own bell. Sorry. >> Hello. All right. Sorry. Downloaded a new timer. >> Yeah. >> But that is the time. >> Yes. Look at >> that. Um, yeah. So, I think driving we as customers in cyber security need to be using things like AI in a way to assure and manage those. Um if we're in organizations buying from those providers, we need to be pushing more to them to say we want you to be doing this minimum baseline of cyber security and to test. We also need to be driving to them through our procurement, please everybody, access to log sources, transparency, and being able to

operate in a world where we can see if they're doing what they're saying they're doing. We got to hold them to account. And like at Unit 42, we do a whole bunch of purple teams and red teams. So yeah, put something in your contract that you're going to do a red team on them. If they don't want to do that, go with somebody else, right? Very quickly, those organizations will change and shift to become more secure because that's how they win customers. But yeah, good question. Really good question. Okay, thanks very much everybody. I hope that was interesting and I look forward to chatting later. Thank you.