WEBVTT - ‘We were shocked when we found out about Quadriga’ 0:00:09.420 --> 0:00:12.390 Welcome to be Ivy. Today the Daily Business podcast from 0:00:12.440 --> 0:00:15.930 business in Vancouver newspaper and by the dot com. I'm 0:00:15.930 --> 0:00:19.680 Hayley wood. Today on the show crypto currencies and cyber 0:00:19.680 --> 0:00:24.480 security we'll get a cryptocurrency exchange executive's perspective on the 0:00:24.510 --> 0:00:28.410 Quadriga sex scandal and 440. 0:00:28.440 --> 0:00:33.309 That's the average number of cyber attacks organizations in Canada experience. 0:00:33.360 --> 0:00:38.190 Each year we'll speak to scalar decisions about how to 0:00:38.190 --> 0:00:42.360 remain cyber resilient at your company. Coming up on Thursday 0:00:42.360 --> 0:00:45.419 February 21st we're going to be exploring the due diligence 0:00:45.479 --> 0:00:48.839 and valuation involved with buying a business. If you ever 0:00:48.840 --> 0:00:51.659 considered selling a business this is the best place to 0:00:51.659 --> 0:00:53.610 be we're going to walk through all of the elements 0:00:53.610 --> 0:00:57.630 that buyers take into account when looking for acquisitions. Our 0:00:57.630 --> 0:01:00.300 panel will also share insights into what can make or 0:01:00.300 --> 0:01:02.700 break a deal. I'll be moderating and I hope to 0:01:02.700 --> 0:01:05.220 see some of you there and once you've mastered how 0:01:05.220 --> 0:01:07.380 to buy a business you can join us on February 0:01:07.380 --> 0:01:10.860 28 to learn how to successfully exit business. This is 0:01:10.860 --> 0:01:13.710 our annual retirement ready. Panel will walk through how to 0:01:13.709 --> 0:01:17.100 retire well wealthy and healthy. Both events are in the 0:01:17.100 --> 0:01:20.130 afternoon at the Shangri-La Hotel. More information on those events 0:01:20.160 --> 0:01:23.070 and our other events is available at BBB dot com 0:01:23.069 --> 0:01:36.130 slash events. You're listening to VIP today. Quadriga C X 0:01:36.130 --> 0:01:38.710 is a Vancouver based company that says it's out of 0:01:38.709 --> 0:01:42.180 money where the money went to why it has disappeared 0:01:42.190 --> 0:01:45.130 is being debated in court this week. Some one hundred 0:01:45.130 --> 0:01:48.760 and fifteen thousand traders though are asking where and how 0:01:48.760 --> 0:01:53.110 they can get back 260 million dollars. This is a 0:01:53.110 --> 0:01:55.990 big story that's developing by the day. I'm joined this 0:01:55.990 --> 0:01:59.170 morning by Michael Vogel founder of net coins which is 0:01:59.170 --> 0:02:01.960 a Vancouver based cryptocurrency exchange to talk a little bit 0:02:01.960 --> 0:02:04.390 more about this. Michael thanks for coming on the show. 0:02:04.710 --> 0:02:06.430 Oh good morning. Thanks for having me. I think everyone's 0:02:06.430 --> 0:02:08.830 wondering what happened here but maybe you could shed some 0:02:08.830 --> 0:02:12.150 light on how something like this could happen. 0:02:12.169 --> 0:02:15.880 Yeah. So it's an extremely bizarre story. So avid encrypted 0:02:16.040 --> 0:02:19.030 crypto currency euros that have been using Quadriga over the 0:02:19.030 --> 0:02:22.960 last year have noted issues with slow withdrawal times not 0:02:22.960 --> 0:02:25.450 being able to take five years out or taking a 0:02:25.450 --> 0:02:29.110 long time for deposits to be credited but to make 0:02:29.110 --> 0:02:33.760 things even more complicated and confusing this new story emerged 0:02:33.760 --> 0:02:38.650 about their founder mysteriously dying in India and apparently along 0:02:38.650 --> 0:02:42.970 with that access to his laptop and passwords and private 0:02:42.970 --> 0:02:46.780 keys which apparently contained the keys to the kingdom which 0:02:47.139 --> 0:02:50.290 is about 190 million dollars of funds that were stored 0:02:50.290 --> 0:02:56.070 on Quadriga FCX. So very bizarre indeed unusual that a 0:02:56.080 --> 0:02:58.540 company of that size would that would only have one 0:02:58.540 --> 0:03:03.280 person to two to manage that that amount of funds. 0:03:03.340 --> 0:03:05.650 So it's left a lot of people wondering is this 0:03:05.650 --> 0:03:10.090 a scam. Is this real. And more importantly not as 0:03:10.090 --> 0:03:11.930 a customer how can we get our funds back. 0:03:12.070 --> 0:03:14.650 Exactly. A lot of people waiting for answers. And to 0:03:14.650 --> 0:03:18.940 me this really highlights the regulatory environment or maybe the 0:03:18.940 --> 0:03:22.360 lack of regulations around products like this. Tell me a 0:03:22.360 --> 0:03:26.230 little bit about how a cryptocurrency exchange and the regulations 0:03:26.230 --> 0:03:30.320 around that differs from say a more traditional exchange. 0:03:30.320 --> 0:03:34.120 Yes. So essentially a cryptocurrency exchange allows users to buy 0:03:34.120 --> 0:03:37.390 sell and then trade Bitcoin. It's a lot like a 0:03:37.390 --> 0:03:40.870 stock exchange or like an online banking account where you 0:03:40.870 --> 0:03:45.550 trade stocks and bonds and whatnot. But with the added 0:03:45.550 --> 0:03:48.940 difference that you can then withdraw the bitcoins from that 0:03:48.940 --> 0:03:51.550 exchange as opposed to a stock exchange you can't really 0:03:51.550 --> 0:03:56.650 withdraw from there. So the problem is that when you 0:03:56.650 --> 0:03:59.980 have one of those on an exchange you're essentially giving 0:03:59.980 --> 0:04:03.700 control of your bitcoins to that exchange. So if if 0:04:03.700 --> 0:04:05.800 you and I were to download a what's called a 0:04:05.800 --> 0:04:09.010 bitcoin wallet like an app on our phone and store 0:04:09.010 --> 0:04:13.210 bitcoins there we're essentially in total control of those coins. 0:04:13.600 --> 0:04:15.760 But when you're using a third party like an exchange 0:04:16.180 --> 0:04:19.029 when coins are stored there you're essentially giving them control. 0:04:19.120 --> 0:04:22.510 And so you have no real way to access funds 0:04:22.510 --> 0:04:26.140 without their permission. And so what would have happened here 0:04:26.140 --> 0:04:30.669 is obviously when the company essentially loses access to those 0:04:30.670 --> 0:04:33.880 coins you as a user have no way to reach 0:04:33.880 --> 0:04:37.000 them either. So what is what this story has really 0:04:37.000 --> 0:04:41.710 done is given us another reminder of how different Bitcoin 0:04:41.710 --> 0:04:45.100 is compared to traditional stocks and other investment tools where 0:04:46.029 --> 0:04:48.789 this is where bitcoin you become your own bank you're 0:04:48.790 --> 0:04:52.150 responsible for controlling your bitcoins and so if you are 0:04:52.150 --> 0:04:55.060 going to use an exchange the best practice really is 0:04:55.540 --> 0:04:58.359 just to use it for a purpose of buying and selling. 0:04:58.540 --> 0:05:02.859 Don't store coins there long term. Although you would hope 0:05:02.860 --> 0:05:05.770 to think that a company like Quadriga was one hundred 0:05:05.779 --> 0:05:09.070 ninety million in assets would would have had better protection. 0:05:09.220 --> 0:05:14.580 But clearly they did. So what what you recommend if 0:05:14.620 --> 0:05:17.830 they say don't store things with a third party long term. 0:05:17.980 --> 0:05:20.800 Right. That sounds like good advice and also as you 0:05:20.800 --> 0:05:23.830 pointed out I mean it framing it like becoming your 0:05:23.830 --> 0:05:26.469 own bank puts a lot of onus and responsibility on 0:05:26.470 --> 0:05:29.410 an individual to really understand what they're buying and how 0:05:29.410 --> 0:05:31.630 those systems work. Tell me a little bit about how 0:05:31.630 --> 0:05:36.670 the regulatory frameworks in countries is evolving around products like 0:05:36.670 --> 0:05:40.000 bitcoin because governments and securities commissions to some extent have 0:05:40.000 --> 0:05:42.130 been scrambling a little bit to catch up it seems 0:05:42.800 --> 0:05:43.390 no for sure. 0:05:43.390 --> 0:05:46.900 I mean so in Canada the government has essentially taking 0:05:46.900 --> 0:05:49.990 a wait and see approach in terms of regulation that's 0:05:49.990 --> 0:05:52.750 been the policy for many years. There may be some 0:05:52.750 --> 0:05:56.650 some future of regulation coming just in terms of how 0:05:56.650 --> 0:06:03.730 customers are identified and record keeping. But in general Bitcoin 0:06:03.960 --> 0:06:08.680 is a very different animal. It's designed separate from traditional 0:06:08.680 --> 0:06:14.710 banking frameworks and financial regulation. You know countries like China 0:06:14.740 --> 0:06:18.100 and other countries around the world at various times tempted 0:06:18.100 --> 0:06:22.479 to quote unquote ban bitcoin but really because it's just 0:06:22.560 --> 0:06:27.510 an internet token it's not really feasible to ban or 0:06:27.520 --> 0:06:30.860 control it because it's not really controlled by a one 0:06:31.029 --> 0:06:33.190 on one company like bitcoin itself. 0:06:33.510 --> 0:06:37.080 Owned by Microsoft or like a standalone company that could 0:06:37.080 --> 0:06:41.580 be shut down. That's what that's what's called a decentralized currency. 0:06:41.680 --> 0:06:46.350 So attempts to regulate it may simply be futile and 0:06:46.350 --> 0:06:49.620 may not even be necessary. And then in the traditional 0:06:49.620 --> 0:06:54.859 way that we think of regulation. But yeah so that's 0:06:54.870 --> 0:06:56.490 sort of my initial thought on it. 0:06:56.600 --> 0:06:58.919 Yes that's an interesting way of looking at it. I'm 0:06:59.010 --> 0:07:01.049 curious do you think a case like this where it's 0:07:01.050 --> 0:07:03.120 affected a large number of people there's a lot of 0:07:03.120 --> 0:07:07.169 money at stake. Might it turn some heads in government 0:07:07.170 --> 0:07:09.600 offices to say well you know maybe it's difficult to 0:07:09.600 --> 0:07:12.540 regulate but this wait and see approach maybe we've waited 0:07:12.540 --> 0:07:15.400 and now we're going to see what we can do. 0:07:15.400 --> 0:07:17.580 Yeah I know for sure and you know stories like 0:07:17.580 --> 0:07:20.590 this definitely aren't aren't good for bitcoin in general they don't. 0:07:20.760 --> 0:07:25.710 They don't boost confidence although Bitcoin itself wasn't actually compromised 0:07:25.830 --> 0:07:30.060 in the story. Bitcoin was was not packed or or 0:07:30.210 --> 0:07:33.660 or stolen or disappeared. 0:07:33.660 --> 0:07:36.510 It was dismissed as a result of Puerto Rico's intervention. 0:07:36.510 --> 0:07:39.720 So Bitcoin itself is still robust but what it does 0:07:39.720 --> 0:07:44.040 really bring up is you know if a crypto currency 0:07:44.040 --> 0:07:46.320 exchange is going to operate in a country like Canada 0:07:46.320 --> 0:07:49.950 or the United States troops there should be more clearly 0:07:49.950 --> 0:07:54.870 defined rules about how funds are stored or insurance policies 0:07:55.710 --> 0:07:59.170 actually banks personal bank accounts are insured by CIC up 0:07:59.170 --> 0:08:02.100 to a hundred thousand dollars so yes the bank disappears 0:08:02.100 --> 0:08:04.739 or goes bankrupt and then mostly some insurance coverage there 0:08:05.390 --> 0:08:07.710 poorly supported like that might be interesting. We may see 0:08:07.710 --> 0:08:12.000 stuff like that happening in the year going forward but 0:08:12.050 --> 0:08:15.300 you know the flipside is any type of new technology 0:08:15.870 --> 0:08:18.780 you don't naturally want to overregulate because you sort of 0:08:18.780 --> 0:08:21.420 run the risk of stifling innovation. Right. 0:08:21.420 --> 0:08:23.250 So I mean think about the Internet when it came 0:08:23.250 --> 0:08:28.860 out there actually were were periods of controversy around things 0:08:28.860 --> 0:08:33.270 like encryption and you know who gets to control the 0:08:34.290 --> 0:08:37.290 encryption algorithms. There was big surprise was with the bill 0:08:37.290 --> 0:08:40.800 clinton government back in the 90s about control of the 0:08:40.800 --> 0:08:42.990 Internet and you know if we think about it the 0:08:42.990 --> 0:08:45.840 Internet was over regulated way back in the day then 0:08:45.900 --> 0:08:49.770 the Internet today probably wouldn't exist. And so hardcore bitcoin 0:08:49.770 --> 0:08:54.600 fanatics have that same feeling right. Bitcoin is a very 0:08:54.600 --> 0:08:59.740 very revolutionary technology. It's fundamental. So if we overregulate it 0:08:59.800 --> 0:09:05.010 we do we ruin the potential future of what it promises. 0:09:05.010 --> 0:09:08.100 Where do we find ourselves at the start of 2019 0:09:08.100 --> 0:09:12.090 when it comes to the cryptocurrency craze and the bitcoin 0:09:12.179 --> 0:09:14.610 craze that we saw over the last couple of years 0:09:14.610 --> 0:09:16.710 it seems like there are so many companies popping up 0:09:16.710 --> 0:09:19.260 so many exchanges a ways to buy and sell and 0:09:19.260 --> 0:09:21.240 trade and do whatever you want. It seems to have 0:09:21.240 --> 0:09:23.309 died down a little bit. What's your take on what's 0:09:23.309 --> 0:09:25.059 happened in the industry. 0:09:25.090 --> 0:09:27.630 Yeah it's very interesting. So I've been in this space 0:09:27.750 --> 0:09:32.140 since late 2013 or early 2014 when I founded neck wide. 0:09:32.470 --> 0:09:36.569 And yeah the history has gone through many phases. So 0:09:36.960 --> 0:09:40.679 when I started in Bitcoin is really thought of as 0:09:40.679 --> 0:09:43.560 this obscure weird nerd money it was trading for around 0:09:43.559 --> 0:09:47.729 200 dollars or. People thought that there was no real 0:09:47.730 --> 0:09:51.890 application here it's just a very very niche audience but 0:09:51.900 --> 0:09:55.590 you get different different types of users entering that ecosystem 0:09:55.590 --> 0:09:58.280 over the years and over the last year or so 0:09:58.309 --> 0:10:03.229 the year before 2017 we saw Bitcoin cross 1000 dollars U.S. 0:10:03.280 --> 0:10:04.920 for one point and then later on in the year 0:10:05.220 --> 0:10:08.070 it crossed ten thousand dollars for one point and it 0:10:08.070 --> 0:10:12.250 almost reached twenty thousand dollars for one point. So 2017 0:10:12.260 --> 0:10:15.390 is probably the first year that it really entered quote 0:10:15.390 --> 0:10:19.530 unquote the mainstream. The initial wave of that and obviously 0:10:19.890 --> 0:10:22.020 people watch the price of bitcoin and when it's up 0:10:22.020 --> 0:10:26.420 and down because big emotional stars but I mean it's 0:10:27.010 --> 0:10:29.250 still a very new assets right I mean if we 0:10:29.250 --> 0:10:32.339 look at the daily volume of big ones that are 0:10:32.340 --> 0:10:36.000 traded in vs. the daily volume of MasterCard payments or 0:10:36.000 --> 0:10:37.190 visa payment. 0:10:37.320 --> 0:10:40.339 Bitcoin is still an emerging industry. 0:10:40.500 --> 0:10:44.520 So I think we'll see hiccups like this along the 0:10:44.520 --> 0:10:47.130 way as the industry figured itself out. The stories like 0:10:47.130 --> 0:10:49.939 the quite the quandary because of the world and Quadriga 0:10:50.020 --> 0:10:53.300 in the first exchange to go down will be hacked etc.. 0:10:53.330 --> 0:10:56.910 So I think these types of stories while they're bad 0:10:57.360 --> 0:11:00.329 there are learning outcomes from this. You know it helps 0:11:00.330 --> 0:11:02.760 customers learn better ways to store their bitcoins and it 0:11:02.760 --> 0:11:06.510 helps the industry grow up in general. Of best practices 0:11:06.510 --> 0:11:09.600 right I mean every currency crypto currency exchange doesn't want 0:11:09.600 --> 0:11:11.700 to end up like what we got. If they want 0:11:11.700 --> 0:11:17.750 to have better protection better controls and even internally at 0:11:17.760 --> 0:11:20.459 not going to to the session that we've had many 0:11:20.460 --> 0:11:22.110 times it was you know we were shocked when we 0:11:22.110 --> 0:11:25.110 learned about the Puerto rigging story because obviously you know 0:11:25.110 --> 0:11:27.630 our company was set up that way and other large 0:11:27.630 --> 0:11:31.020 companies like coin square Coinbase etc aren't set up that 0:11:31.020 --> 0:11:34.410 way either. So yeah I think the industry definitely has 0:11:34.410 --> 0:11:37.680 to mature and I think it's only good good thing 0:11:37.679 --> 0:11:39.510 that has I think for anyone investing in Bitcoin or 0:11:39.510 --> 0:11:42.930 Britain related companies. I think you know we started very 0:11:42.929 --> 0:11:44.969 very blue sky future ahead of us. 0:11:44.970 --> 0:11:46.500 Michael I want to thank you for coming on the 0:11:46.500 --> 0:11:48.390 show to shed some light on what's going on here 0:11:48.390 --> 0:11:49.830 we may have to have you back in a week 0:11:49.830 --> 0:11:51.569 or so when we find out more what's going on 0:11:51.570 --> 0:11:53.730 with this case. But for now really appreciate your insight. 0:11:53.760 --> 0:11:54.120 Thank you. 0:11:54.540 --> 0:11:57.630 Oh for sure. Anytime. As Michael Vogel founder of net 0:11:57.630 --> 0:12:10.630 coins based here in Vancouver. Canadian organizations on average experienced 0:12:10.700 --> 0:12:15.189 440 cyber attacks over the last year. That and recovery 0:12:15.190 --> 0:12:18.890 costs after those attacks has reached an all time high. 0:12:18.940 --> 0:12:22.630 The 2019 scalar security study is out it's its fifth 0:12:22.660 --> 0:12:26.200 annual iteration and Theo van Wick the company's chief technology 0:12:26.200 --> 0:12:28.809 officer of security joins me now on the line from 0:12:28.809 --> 0:12:33.309 Toronto to discuss how companies can build a greater cyber resilience. 0:12:33.309 --> 0:12:35.710 Theo thanks so much for coming on the show. 0:12:35.710 --> 0:12:37.630 You're very welcome. Thank you for having me on the show. 0:12:37.640 --> 0:12:40.000 So looking at this survey you you surveyed more than 0:12:40.000 --> 0:12:45.859 400 I.T. professionals across industries and small through enterprise organizations. 0:12:45.890 --> 0:12:48.339 I found one hundred percent of them had experienced a 0:12:48.340 --> 0:12:51.010 cyber attack over the last year. Is this the new 0:12:51.010 --> 0:12:53.060 normal is this to be expected. 0:12:53.080 --> 0:12:55.660 You know what it is it's actually it's actually very 0:12:55.660 --> 0:12:58.060 interesting to your point. You know this is the fifth 0:12:58.059 --> 0:13:01.300 iteration of us doing the annual study and every year 0:13:01.300 --> 0:13:04.420 we've seen high percentages of reports in terms of numbers 0:13:04.660 --> 0:13:08.740 of organizations attacked and breach but this period actually astounded 0:13:08.740 --> 0:13:10.570 us when we found for the first time that 100 0:13:10.570 --> 0:13:13.810 percent of our respondents reported being attacked and in some 0:13:13.809 --> 0:13:19.150 form impacted with an incident. We believe unfortunately this is 0:13:19.150 --> 0:13:22.059 the new norm. At the same time I don't think 0:13:22.540 --> 0:13:25.719 this is as new I think we're becoming more whereas 0:13:25.720 --> 0:13:28.719 organizations and we're becoming better at detecting and tracing this 0:13:29.110 --> 0:13:32.260 but it is definitely setting the tone that cyber resilience 0:13:32.500 --> 0:13:35.910 is becoming more and more important and critical for Canadian organizations. 0:13:35.920 --> 0:13:38.800 And how would you define the term cyber resilience. What 0:13:38.800 --> 0:13:40.330 does that mean. 0:13:40.400 --> 0:13:43.600 You know it's not traditionally in our field. We tend 0:13:43.600 --> 0:13:47.800 to talk about cybersecurity and it's been historically the theme 0:13:47.800 --> 0:13:49.930 of a lot of study. The challenge for us was 0:13:49.929 --> 0:13:54.880 cyber security because it places customers and employees in the 0:13:54.880 --> 0:13:58.240 concept of a pure defensive strategy where they're just thinking 0:13:58.240 --> 0:14:01.089 about strategies to prevent and once that fails in the 0:14:01.090 --> 0:14:06.100 cybersecurity program effectively fails. The reality is as we see 0:14:06.100 --> 0:14:08.650 here companies are breached all the time. And so cyber 0:14:08.650 --> 0:14:10.990 resilience for us becomes a frame of mind. It becomes 0:14:10.990 --> 0:14:14.740 a state of readiness where defense is very important and 0:14:14.740 --> 0:14:18.370 critical part of that strategy. But ultimately it's about thinking 0:14:18.370 --> 0:14:21.190 holistically about how do we deal with the toxic situations 0:14:21.550 --> 0:14:23.380 so that we can survive that attack and that it's 0:14:23.380 --> 0:14:26.290 business as usual and we can carry on we always 0:14:26.300 --> 0:14:29.380 use the cold the cold or flu analogy if you 0:14:29.380 --> 0:14:31.900 will where we tell people that at some stage in 0:14:31.900 --> 0:14:34.430 your life you will get a cold or flu. It's 0:14:34.450 --> 0:14:37.060 really critical is how you prevent that right. There's a 0:14:37.060 --> 0:14:39.700 preventative element to that. But if you do then get 0:14:39.700 --> 0:14:42.460 sick you're not sitting well is detecting it it's understanding 0:14:42.460 --> 0:14:45.790 where where the issue lies and identifying it and then 0:14:45.910 --> 0:14:48.850 having a response plans understanding how you treat yourself and 0:14:48.850 --> 0:14:50.030 how you overcome that. 0:14:50.050 --> 0:14:52.060 And while that might be a simple analogy the point 0:14:52.060 --> 0:14:54.730 that's very applicable as you start thinking about cyber resilience 0:14:54.730 --> 0:14:57.970 for companies sticking with that analogy this study points out 0:14:57.970 --> 0:15:01.810 that the costs of carrying these calls are rising year 0:15:01.810 --> 0:15:04.420 over year it looks like it costs companies on average 0:15:04.420 --> 0:15:06.910 between four point eight and five point eight million dollars 0:15:07.240 --> 0:15:10.870 after a cyber breach has occurred. Tell me why these 0:15:10.870 --> 0:15:14.440 costs are rising and very typically how companies respond to 0:15:14.440 --> 0:15:17.140 maybe what some of the challenges are too in responding 0:15:17.140 --> 0:15:18.040 to these attacks. 0:15:18.490 --> 0:15:21.790 Absolutely. You're correct. We have noticed a rise in the 0:15:21.880 --> 0:15:24.280 and numbers. Now the one thing to be very honest 0:15:24.280 --> 0:15:27.220 and upfront about is there's a great variation in how 0:15:27.550 --> 0:15:30.640 companies calculate these costs but the reality is what we're 0:15:30.640 --> 0:15:33.910 seeing is attackers are getting more effective at getting into 0:15:33.910 --> 0:15:36.040 the networks they're getting more effective at getting at the 0:15:36.040 --> 0:15:40.030 data so and then just companies are becoming more aware 0:15:40.030 --> 0:15:42.970 of the impact that this is actually having under on 0:15:42.970 --> 0:15:46.300 their networks and on their services. So I think it's 0:15:46.300 --> 0:15:49.200 a combination of the attacks are increasing in effectiveness but 0:15:49.780 --> 0:15:52.210 as a whole as an audit as a as an 0:15:52.210 --> 0:15:55.540 industry we're becoming better at defining it and realizing what 0:15:55.540 --> 0:15:58.479 the challenges are. We actually have on hand one of 0:15:58.480 --> 0:16:00.550 the interesting figures that we tried to drive out because 0:16:00.580 --> 0:16:03.250 personally I always struggle with these large numbers to see 0:16:03.250 --> 0:16:05.410 this in the study. So what we try to do 0:16:05.410 --> 0:16:08.380 is we drive a number that highlights the per employee 0:16:08.380 --> 0:16:11.470 cost for a breach average. So this year we found 0:16:11.470 --> 0:16:13.810 it to be around two thousand six hundred seventy seven 0:16:13.810 --> 0:16:16.630 dollars or about twenty seven hundred dollars an employee. And 0:16:16.630 --> 0:16:19.140 that's important because if you're a smaller company or you 0:16:19.130 --> 0:16:21.010 know depending on how you picture your company you can 0:16:21.010 --> 0:16:22.930 do a quick bit of mental math and plug those 0:16:22.930 --> 0:16:24.930 numbers in there. And I have a number that perhaps 0:16:24.930 --> 0:16:27.520 is a little bit more relevant to you. But the 0:16:27.520 --> 0:16:29.710 reality is it doesn't matter how you slice or dice 0:16:29.710 --> 0:16:33.220 it it's the downtime and the impact are significant to 0:16:33.220 --> 0:16:37.250 companies in terms of asking what companies can do. You 0:16:37.250 --> 0:16:39.760 know there's the security basics. And one of the key 0:16:39.760 --> 0:16:42.400 finding recommendations that we drive here is work on your 0:16:42.400 --> 0:16:45.310 cyber resilience program. And that just means that thinking through 0:16:45.310 --> 0:16:49.150 things like incident response plan just having a response ready 0:16:49.660 --> 0:16:52.600 so that you're not caught off guard and so you 0:16:52.600 --> 0:16:54.400 walk through that step you think how do I prepare. 0:16:54.400 --> 0:16:57.190 How do I respond whereas my important assets and then 0:16:57.200 --> 0:16:59.560 have that response plan ready so that you can jump 0:16:59.560 --> 0:17:02.950 in and address it and minimize the impact that the 0:17:02.950 --> 0:17:05.350 actual breach has on your organization. 0:17:05.350 --> 0:17:07.990 So it would be just like having a crisis communications 0:17:07.990 --> 0:17:11.590 plan or an emergency preparedness preparedness plan except you would 0:17:11.590 --> 0:17:14.560 have that in the case of cyber threats correct. 0:17:14.590 --> 0:17:16.219 Yes. So this is something where a lot of our 0:17:16.270 --> 0:17:19.990 customers work with either ourselves or their security partners and 0:17:19.990 --> 0:17:21.919 what they're doing here is they're building that up and 0:17:21.920 --> 0:17:24.980 it's a little bit all encompassing program. So this includes 0:17:25.000 --> 0:17:27.790 things like your PR response like how does your public 0:17:27.790 --> 0:17:31.210 relations response. What's the legal aspect. So it goes further 0:17:31.210 --> 0:17:34.119 than just the technology. But then obviously a very integral 0:17:34.119 --> 0:17:35.980 part is how do I keep seeing that threat. From 0:17:35.980 --> 0:17:39.670 a technology perspective. And who are the correct key key 0:17:39.940 --> 0:17:42.609 stakeholders that I have to bring in very quickly and 0:17:42.609 --> 0:17:46.000 effectively to contain that breach and to return to a 0:17:46.000 --> 0:17:47.310 trusted normal state. 0:17:47.470 --> 0:17:50.740 On that point of containment the report points out that 0:17:50.740 --> 0:17:54.010 one potential vulnerability when it comes to issues like this 0:17:54.430 --> 0:17:57.850 is third party security. So even if you yourself tend 0:17:57.850 --> 0:18:02.109 to be a very cyber secure or resilient organization if 0:18:02.109 --> 0:18:04.359 you're dealing with companies that aren't that could be a risk. 0:18:04.390 --> 0:18:07.239 What kind of recommendations do you have for companies in 0:18:07.240 --> 0:18:09.040 terms of how they work with their partners. 0:18:10.290 --> 0:18:14.180 So absolutely right. It's a massive issue and you look 0:18:14.290 --> 0:18:16.010 for to to further your point. 0:18:16.010 --> 0:18:18.470 If we think about some of the large breaches that's 0:18:18.470 --> 0:18:21.290 occurred in the last little while we think of the 0:18:21.290 --> 0:18:24.050 best buys in the home because the brand names but 0:18:24.170 --> 0:18:27.020 very few people can actually name the third party organization 0:18:27.020 --> 0:18:30.020 that caused the breach behind the big label if you will. 0:18:30.080 --> 0:18:32.600 So it's definitely something to be aware of. What we 0:18:32.600 --> 0:18:36.139 recommend there is understand your partners. It becomes part of 0:18:36.140 --> 0:18:39.590 that cyber resilience and that security strategy. Right. And it's 0:18:39.590 --> 0:18:42.370 looking at things like does the third party vendors or 0:18:42.369 --> 0:18:45.980 organization have access only to the data that they really 0:18:45.980 --> 0:18:51.050 need access to. What are their internal security controls. Do 0:18:51.050 --> 0:18:53.719 they have a good security posture. Because obviously if you're 0:18:53.720 --> 0:18:55.800 working with somebody and you're giving them access to it's 0:18:56.150 --> 0:18:58.820 deep into your network or security or trust it's basis 0:18:58.910 --> 0:19:01.430 and they do not have a good posture that's something 0:19:01.430 --> 0:19:03.620 to be concerned about. And as part of that there's 0:19:03.619 --> 0:19:07.280 a number of governance frameworks and security frameworks that companies 0:19:07.280 --> 0:19:09.770 these days will adhere to and get certified again. And 0:19:09.770 --> 0:19:12.359 that really becomes to some extent approved you just so 0:19:12.440 --> 0:19:17.450 show that they have security in mind when they're structuring 0:19:17.450 --> 0:19:21.480 their services. And then when they interact with you as well. 0:19:22.010 --> 0:19:24.470 One of the recommendations in the report as well is 0:19:24.470 --> 0:19:28.340 identifying and classifying data assets in the study found that 0:19:28.609 --> 0:19:31.129 some of the attacks are quite significant on companies. They 0:19:31.130 --> 0:19:34.820 either had their data stolen deleted encrypted. I mean these 0:19:34.820 --> 0:19:38.740 can be very very serious privacy issues and operational issues. 0:19:38.780 --> 0:19:41.810 What does it mean to identify and classify assets and 0:19:41.810 --> 0:19:44.899 how can that actually help in situations like this. 0:19:44.930 --> 0:19:47.300 So when we work with our customers we would typically 0:19:47.300 --> 0:19:51.139 recommend a thread risk assessment as a first step. And 0:19:51.140 --> 0:19:54.109 that's a risk assessment does exactly that. So it identifies 0:19:54.109 --> 0:19:56.619 the upside and it ties the business function to it. 0:19:56.650 --> 0:19:59.219 So then you can start understanding if this computer or 0:19:59.300 --> 0:20:01.820 the server or this device or the area of the 0:20:01.820 --> 0:20:04.940 network gets compromised. What does that translate to in a 0:20:04.940 --> 0:20:08.980 business process for me is it impacting actual customer facing services. 0:20:09.020 --> 0:20:12.889 Is this where complex sensitive data lives. And so the 0:20:12.890 --> 0:20:16.219 first step in that is just it's really difficult to 0:20:16.220 --> 0:20:18.290 protect what you don't understand or if you don't know 0:20:18.290 --> 0:20:20.090 that you have it and you don't have a disability. 0:20:20.390 --> 0:20:22.670 So that first step is understand your business and how 0:20:22.670 --> 0:20:25.910 your business is using data and services. And then we 0:20:25.910 --> 0:20:29.510 design your security plan around that so that you you 0:20:29.510 --> 0:20:32.899 secure the critical assets in the different areas. But it 0:20:32.900 --> 0:20:35.930 also becomes very important in your response plan and understanding 0:20:36.470 --> 0:20:40.580 when and how quickly you should respond and how you 0:20:40.580 --> 0:20:43.790 should apply your tactic. The other item where it becomes 0:20:43.790 --> 0:20:46.350 really important is it helps you prioritize your security spend 0:20:46.400 --> 0:20:48.530 because let's face it we're not we do not have 0:20:48.560 --> 0:20:51.320 unlimited pockets at some stage you have to decide where 0:20:51.320 --> 0:20:53.750 and how you place your dollars so that you actually 0:20:53.750 --> 0:20:56.740 improve that security posture. And this is really key. And 0:20:56.760 --> 0:20:58.489 you know how do you apply those dollars if you 0:20:58.490 --> 0:21:01.640 don't understand where the proverbial crown jewels or important information 0:21:01.640 --> 0:21:02.500 is reside. 0:21:02.500 --> 0:21:07.410 All right. That's the challenge they're having unlimited funds. Correct. Yes. 0:21:07.740 --> 0:21:11.570 I think of small businesses who are often going to 0:21:11.570 --> 0:21:15.080 be takers of technology and services working with companies that 0:21:15.080 --> 0:21:17.389 are much larger than them relying on their services and 0:21:17.390 --> 0:21:21.410 products that kind of then means that they're assuming these 0:21:21.410 --> 0:21:24.680 companies are doing their own due diligence and taking steps 0:21:24.680 --> 0:21:27.820 necessary to be cyber resilient in the shoes of a 0:21:27.830 --> 0:21:32.060 small company or entrepreneur what can they do to make 0:21:32.060 --> 0:21:34.070 sure that the partners they work with are secure and 0:21:34.070 --> 0:21:37.580 that they're doing everything they can to keep their operations safe. 0:21:39.530 --> 0:21:42.879 So I think you know develop a relationship to ask 0:21:42.890 --> 0:21:47.330 the question. I understand sometimes being a smaller firm that's 0:21:47.330 --> 0:21:49.699 not always possible is not always possible to have the 0:21:49.700 --> 0:21:53.270