Cybersecurity Conversations with the C-Suite and Board

Released Monday, 10th March 2025

Episode Transcript

0:01

Imran Ahmad: AI, there's a huge race going on as to who's going to meet the new technological frontier, who's going to be able to lead there, and there's going to be huge ramifications for all of our economies around the world. And there is a rush to acquire any semblance of advantage from a corporate espionage standpoint. So there's countries and individual groups that are targeting the theft of this technology space in particular.

0:38

Luke McNamara: Welcome to another episode of Mandiant's Defender's Advantage podcast. I'm your host, Luke McNamara. Today, I have the pleasure of being joined by Imran Ahmad, the senior partner and Canadian head of technology, and Canadian co-head of cybersecurity and data privacy at Norton Rose Fulbright. Imran, how are you doing today?

0:56

Imran Ahmad: I'm doing well, Luke. Thanks for having me. I'm looking forward to this conversation we're going to have.

1:01

Luke McNamara: As am I. And I think, to provide some background prior to when we get into what we're going to discuss today, maybe talk a little bit about your role and how you engage with customers and your clients at Norton Rose Fulbright.

1:16

Imran Ahmad: Yeah, no, for sure. You actually did a great intro there for me. I head up our technology law practice, and just for your listeners, about 20 years ago when I started practicing law, I was primarily focused on technology work. So this was your traditional commercial contracting of technology agreements. So think of large outsourcing agreements, cloud computing agreements, you know, those kinds of things. And that morphed over time, about 15 years ago, to more privacy work and then cyber. So the work I started doing here at the firm, and even at my prior firm, was really on what we call incident response, which I'm sure we'll talk about in a bit more detail: really helping clients, you know, focusing on dealing with breaches and making sure that they're either responding to it effectively or as prepared as they can be before an incident occurs to respond to it effectively. So in my role at the firm, I head up our tech group for sure, as we still do the technology contracting piece I talked about, but also a big chunk of the work is helping clients be ready and responding in real time. I co-chair the group for cyber with my very good partner John Castle, who's based in Calgary. I myself split my time between our Toronto and Montreal offices, and I'm supported by a fantastic group of lawyers here in Canada and globally.

2:30

Luke McNamara: What are some of the typical roles you're engaging with, either on the preparatory side or during a breach response? The sort of roles on the other side, of the customer.

2:39

Imran Ahmad: Yeah, no, it's a great question. I mean, on the pre-breach side, it's more, I'll say, it is much more relaxed in some respects because you're not dealing with an active threat. You can work with a client to do what we call tabletop exercises, which is basically running through a hypothetical scenario and seeing how they respond. They can be as basic or as complex as the organization would like to test it out at, at a level that makes sense to them. We do a lot of contract reviews for them to make sure that they understand what their legal obligations are in the event of a breach, but also, more importantly, what they should be putting in before they sign an agreement with a third-party vendor who may be holding or touching their data or their systems. We do a lot of work, especially post the SEC rules on disclosure requirements, on cyber oversight and governance, working with the boards. What is their fiduciary obligation? We often sit as ongoing advisors, which I know Mandiant also does quite a bit, in terms of tracking KPIs, seeing what they're doing, how they can improve, because the threat is always evolving. So that's, at a very high level, the pre-breach side of things, and like I said, it's less stressful in some respects because you're preparing for the worst case but you're not dealing with the worst case at that point necessarily.

3:52

The second piece is the response side, the IR part, the incident response component. That one is pretty intense. You know, I often talk to some younger lawyers or people who want to develop a career in cybersecurity, and I often say it's like the adrenaline sport portion of our practice. Clients call typically late at night before a weekend or a long weekend, reporting back that, you know, their systems are down, they're dealing with a crisis. And at that point, it's not just all hands on deck, but certainly forensics, you may have crisis communications, you may have ransom negotiation experts coming in. So it really is pulling the A team together to respond to that incident in real time, very quickly, with extremely compressed timelines. Last point on that, which is I find it stimulating from an intellectual and legal perspective, some people find it a bit too stressful, is you are in the trenches with the client, literally talking to their CEO, talking to their board, talking to their general counsel on strategy with very imperfect information, and it makes for a much more challenging environment to give advice in, but one which ultimately, if you have experience and you've done this a lot of times, is very satisfying and rewarding when the client has passed through that crisis.

5:09

Luke McNamara: And you kind of hinted at this a little bit already, but where, you know, for a law firm like Norton Rose Fulbright, would you be engaging with an incident response or other sort of consulting provider like Mandiant? How do you work with us, you know, either on the preparatory side or at those breach response stages?

5:26

Imran Ahmad: So I sort of alluded to this, and it's a great question you ask. Look, you know, when it comes to cyber, it is a team sport, and it's not just a nice, you know, expression to use in these situations; it really is. Because what we have in these situations, either during a live incident or on the preparatory side, and I'll get into the specifics of what we do with the team at Mandiant, you're pulling this A team together, like I said, quickly, and each member of that A team, A, has an expertise and, B, has a role to play within that overall response. So, super important to have the right folks doing the right thing. Like, for example, we work with Mandiant on crises, especially on incident responses, regularly, and they're going to be in there to contain the incident, make sure that we're restoring appropriately, i.e. as securely as possible, and then doing the forensic investigation. And literally we are hand in glove working together. We are there because I need to be able to give real-time advice to the CEO or the general counsel based on where Mandiant may be in their investigation, what they're finding. I need to talk to the comms people as to what we can or cannot say based on what facts we're discovering on the ground, and so on. So very much a partnership kind of relationship, not just with Mandiant certainly, but also with those other team members I mentioned, like comms or, for example, legal or other folks within the organization. So we do a ton of that work with the Mandiant team on the incident response, but on the pre-breach side, again, we are lawyers. Our team is there to advise on legal issues, talk about strategy, obviously minimize risk for the organization. Well, I mean, I'm pretty technical, so is our team, but we're not forensic investigators. We're not threat intelligence gatherers. You guys have that tool, or those tools, available to you to be able to feed that to us. So on the pre-breach side, when we're designing scenarios, for example, for tabletop exercises, now we could do one on legal, and that's super helpful and plays a role, but we could also do one which involves the information security team, and for that the scenario has to have a technical drill component, which is then coupled with legal and coupled with the board, coupled with comms and a variety of other things. So you guys play a very critical role even on that scenario planning on the pre-breach side of things as well.

7:49

Luke McNamara: So one of the things I'm really excited to pick your brain around is some of the conversations that you've been having with your clients over the last year, and especially in those sorts of C-suite roles, at the board level. I'm curious to know what are the sorts of conversations you've been having, what are the things that are top of mind for them when it comes to cybersecurity? There's always a lot that is continuously coming out, either in the news, through, you know, private intel feeds, in terms of emerging threats, ongoing constant threats. So either from a threat perspective or just generally areas of kind of cyber risk. This is a very, very broad question, but what are the things that you find you're most often having in terms of topics of conversation?

8:32

Imran Ahmad: It's a great question, because I go to conferences, I'm sure you do as well, you hear about some of the emerging threats, and what's interesting is, when it comes to cyber, every 12 months, 18 months, there's a new angle to something that we've been dealing with, because these hackers, they're not static, they're dynamic, so for every move that's made, there's a counter move, and a counter move, and then another counter move. So we always have to adapt, and I think that's one of the challenges of cybersecurity, is to constantly be evolving. So I think there's a few things. Some of these may be sort of table stakes, but others which are now emerging are a bit different, that I hadn't seen in the past. And just for your audience, so they're aware, in a prior life I did have quite a bit of exposure in our national security agency here up in Canada, and have been typically very hawkish in terms of cyber threats from a foreign state perspective. What I have often seen over the years is countries who cannot necessarily fight a typical kinetic war, like a military war on the ground, effectively, because there's disparity, will often leverage cyber as a leveling field. So these are happening in the shadows. We as typical citizens don't see it every single day, but there's a lot of things happening in the background that I'm sure the Mandiant team tracks regularly. I know they feed us some intel as well, and we track in terms of clients who are in various industries.

10:01

So what's new is two things, maybe three. One, I've seen a lot more activity by state-sponsored threat actors to target critical infrastructure, much more than in the past, where the vast majority of the breaches we had seen for years and years was primarily motivated by financial gain.

10:17

We're now seeing some that are focused on strictly geopolitical motivations. And candidly, not to scare your audience, we live in a dangerous world. And cyber is a tool to attack and cause harm to countries. You know, they target critical infrastructure like oil and gas, energy, financial services, health care, to be able to make a point, not so much because they actually want to make financial gains out of that attack.

10:40

The second thing I have seen a huge uptick on, and it's quite timely because it's very much focused on corporate espionage, is AI. AI, there's a huge race going on as to who's going to meet that new technological frontier, who's going to be able to lead there, and there's going to be huge ramifications for all of our economies around the world. And there is a rush to acquire any semblance of advantage from a corporate espionage standpoint. So there's countries and individual groups that are targeting the theft of this technology space in particular.

11:12

And then the third thing, probably a bit more on a lighter note, not as scary, is boards are very alive to cyber risks. They've seen what's been going on, both from litigation and, you hear about the hearings at Congress and so on when a major breach occurs. They want to make sure, and they're more involved, that the cyber risk posture is within an acceptable standard for their organization. So there's a bit more involvement than what we had seen in previous years, a lot of board education, a lot of understanding of what KPIs are being tracked and how and why. Really a big focus on industry regulatory compliance, and that also includes SEC requirements, the Securities and Exchange Commission requirements, on board oversight and what they may be judged on down the road. So I'd say those would be the three. Geopolitical risks related to cyber, corporate espionage being the second, and the third would be a real focus by the boards on cyber risk oversight management.

12:06

Luke McNamara: Kind of on that one point of cyber risk oversight management, and you mentioned kind of education and educating the board. How do you think about that process of communicating threats, educating the board, what do you find to be most useful? Because these are individuals where maybe cyber is not their day job, and this is not something where necessarily they're trying to become an expert in. And if you're just maybe a casual reader of what is going on in the news, it may be overwhelming.

12:36

It may be difficult to say, okay, what are the categories of cyber risk I need to prioritize? So how do you think about approaching that area of kind of educating, that maybe you really need to get smart on?

12:47

Imran Ahmad: You know, one of the things I've enjoyed over the years when talking to boards is they're so diverse and so smart. Like, they have experience which is really relevant for their board position. And a lot of these board members are not coming at it just from a pure cybersecurity standpoint. They're looking at it from a broader enterprise risk management standpoint. Pick any company, whatever industry they may be in, they may be saying, well, okay, I am concerned about cyber for sure because we have technological dependencies on X, Y, or Z. But I'm also concerned about reputational harm. I'm concerned about an M&A deal we're going to be doing in the next little while and the impact a cyber attack could have on that, and so on. So they have a pretty holistic view. What they need and what they want to see from management and from their advisors is: take this threat intelligence information and current landscape and tell me, for my organization specifically, A, what are the risks, and then, B, what are the mitigation strategies we need to do and put in place. And in some cases, you know, they're pretty straightforward. In other cases, there's some difficult decisions to make, like on budget, on resources, on hiring, even on when you acquire a company, you know, what is the risk from a cyber threat landscape perspective? Do we delay or phase in the integration of the two companies over time because of X, Y, or Z reasons? So it can be really challenging, but what they're looking for is: give me the lay of the land today, and then tell me how I can mitigate it, and then I will make the decision as a board or as a group, you know, as a risk committee, if it's allocated to the sub-risk committee, as to how we do that.

14:32

The other thing they're very interested in is ongoing education. This is across any company, but most boards will have a continuing education program they have to go through during the year. The number one and two areas that they're interested in are cyber risk and AI risk, but also opportunities at the same time. Cyber we often see more as a risk, you know, because it can bring down operations, or it can have a financial impact, can lead to litigation. But when it comes to AI in particular, I know it's sort of slightly off topic, yes, there's the risk of AI, you know, if it goes wrong, if we have biases in data sets, you know, how could that hurt our reputation, but what are the opportunities for the company or the organization to utilize AI for increased productivity, and so on and so forth. So I think the boards look at it from a risk perspective primarily, and are looking for their advisors not to just come and scare them about what the risks are, but how do they fix it?

15:29

Luke McNamara: Diving a little bit deeper into one particular problem, I think it's been very difficult to have a conversation around cyber threats without touching on ransomware. Certainly it's been something that has dominated a lot of the conversations that we have with customers, certainly at least the last four or five years. When you think about that category of disruptive threats, where there's a potential impact to continuity of operations in the business, you know, you're a manufacturing company and you can't ship out or receive orders, for example, it seems to have really shaped how a lot of organizations, and maybe it's industry specific to an extent, but it's shaped how organizations think about cyber threats. When you think about that category of threat, what are some of the ways that you're seeing, maybe at the C-suite level or at the risk committee level, organizations thinking about either preparing for, or even how we would respond to, that category of threat?

16:23

Imran Ahmad: So what's interesting is, look, over the last few years, there's been an evolution. Before it was a question of being informed at the board level what the risks are and making sure nothing got through, you know, it's only that one time a hacker has to be successful to cause significant harm. There's been a real shift towards, let's emphasize building resiliency within the organization.

16:45

And the way I define resilience is probably not the most technical way of looking at it: as being punched in the gut and being able to get back up as quickly as you can as an organization. So if a hacker comes in and shuts down your operations, how quickly can you get back up and running? And I often give this example. So I teach a course on cybersecurity. I've been teaching it for about eight or nine years now at the Faculty of Law here in Toronto, at the University of Toronto. And one of the first things I do in the class I teach is I ask students to take their laptop or their iPad, spend 15 minutes, go online, find any breach. And there's no jurisdiction restriction, there's no time restriction: find the two or three worst managed breaches, in their opinion. And then we come back as a group and we talk about it. And what's interesting is there's always three things that come up. So one is: wow, you know, Professor Ahmad, they were down for a really long time. So you ask them the question, why do you say that? You know, wouldn't they be down in any event if they got hacked? The sure answer was, look, we get a day, a couple of days, maybe a week. We don't understand how somebody can be down multiple weeks or months. And the impression these students had was the longer you're down, the less prepared you may have been in terms of disaster recovery or business continuity.

18:02

The second thing they came back with, in terms of, you know, why they felt these were not well-managed breaches, was the communication was really bad. Either they didn't communicate at all, they communicated very slowly, or, even worse, they had to correct communication they had already issued, which is never a good sign. And the reason that didn't sit well with people was it seemed like the organization that was a victim of this attack didn't have control over the situation.

18:29

The third thing, and the last thing that's probably relevant, and I put less weight on this but it's still, from an optics perspective, something to think about, is there's so many breaches going on around the world, but there are very few of them, a small portion, believe it or not, that are actively investigated, or where litigation ensues, or there is a regulatory formal investigation that commences. And the perception was, well, if you have a lot of litigation and you have a lot of regulatory investigations, maybe there's a fire where we see this smoke. And like I said, I put less weight on that because that's an optics and a perception thing, and each thing is case by case. But you take those three things together, those standouts, when we're talking to these boards in terms of what they should be thinking about, the goal is not to be perfect. But the goal is to have the resiliency within the organization so you can be up and running quickly, so that you are communicating and are in control of the communication piece, and, if you can, avoid it, or even if you are investigated, that you can be successful in demonstrating at the end of the day that you acted reasonably and as efficiently and quickly as possible.

19:37

Luke McNamara: And when you think about how this category of extortion threats has evolved, and the fact that we're seeing more data theft and the sort of public leaking, these name-and-shame sites, these data leak sites associated often with ransomware brands, ransomware threat actors, has that changed how organizations view this risk? Because now you're no longer just thinking about having to consider the impact to your operations and getting back up and running, but also, you know, is there potentially more regulatory or privacy exposure from this category of extortion now?

20:08

Imran Ahmad: Certainly from a legal perspective, I mean, look, if data is being dumped on the dark web because the hacker stole it, automatically there will be a trigger in some respects in terms of privacy notifications or other types of communication they need to put out to business partners. Again, it all depends on the sensitivity and the type of information impacted. I'm sort of of two minds, and it depends on which camp you find yourself in in a given situation. There's one camp, especially a lot of folks that I talk to on the communications side of things, that may say, look, you know, there's so many breaches happening more and more that people are being desensitized to a certain, you know, to a certain level, that if you get a notice once in your lifetime, you'll probably be very concerned, but if you get 20 of them over a two-year period, you'll just get desensitized. I'm not sure about that. I think it's one way of looking at it. The other one is you are not going to be judged by the fact you had a breach, it's how you respond to the breach. So there is some value in having a really robust communications program ready to go. You don't have to open the kimono from A to Z, but certainly you want to be able to communicate relevant facts and be there for that stakeholder, whether that be a customer or a shareholder or the market or the media, whoever those stakeholders are. You've got to be there and be able to support them through that process.

21:32

Luke McNamara: Do you think there's any certain categories of cyber risk that, in your conversations now, you think maybe are being underappreciated to the extent to which they present actual risk? I mean, you touched on, for example, earlier the threats posed by nation state actors and that sort of category of cyber espionage, where, you know, maybe you're a pharmaceutical company, your IP is stolen in a breach, you don't see immediate impact to your operations, you know your systems are still up and running, there's no extortion, ransom fee that you have to pay to get data back. But maybe ultimately that has an impact because a rival product comes on the market somewhere that you do business. So are there categories like maybe that one in particular, but other areas where there's just not as much attention to the extent that there should be on an area of cyber risk?

22:21

Imran Ahmad: Yeah, let me actually pick up on that one, and then I'll share another one, which is probably a bit less exciting, but one which is much more common. But I think when we look at corporate espionage, which is something I personally feel, this is my, Imran Ahmad, personal view on this piece, it is underappreciated, and it's a clear and present risk every single day. You know, looking at it from a North American perspective, just Canada, US, for example, the level of innovation and R&D dollars spent in innovation is huge. You spend years and years and years, you know, either as a startup, a scale-up, a large enterprise, pumping money, hiring experts, investing in education and so on of your existing staff, and in a moment's attack you could lose that technology. And there's some well-documented cases in terms of telecommunication company equipment that may have been compromised, something in the nuclear area, the construction of nuclear plants that may have been compromised years ago, and a variety of others, where companies that were at the bleeding edge of technology had to basically disappear or scale down because they lost that critical R&D, and that showed up somewhere else in the world at a less expensive cost and at an advantage for that competitor. So that is something we absolutely have to do.

23:34

I'll give you an example. During the pandemic, you may recall, the first half, regrettably, of the pandemic, there was no vaccine. And there was a huge rush in the pharma space to develop a vaccine, and a ton of resources were being poured into it. But when you look at the broader pharma ecosystem, certainly you have the pharma companies, but you also have clinical trial companies, as well as research facilities at universities and other places. We had seen a significant uptick in terms of targeted attacks by states, sometimes by groups, looking to acquire that specific intel, that R&D, that IP, intellectual property. And how did we find it? Because when folks like Mandiant, who are our forensic investigators, they would basically look at the breadcrumbs and see, well, these were the directories they were going through, these were the commands they were looking for, here are the folders they may have searched, and it doesn't take a lot of effort to figure out that these folks, the hackers, were trying to get information about the development of a vaccine. And you can go down the list. I mentioned AI being one area where there's a lot of investment going on. That's a key area where we saw, and we continue to see, cyber attacks happening for corporate espionage purposes. The goal there is not to create a lot of havoc or even be noticed. The goal is to go in, watch, and take what may be relevant for that hacker, person or group, who's doing it. So much more difficult to track in some respects, and much more difficult, candidly, to ascertain what was taken and to what extent that loss is going to impact the bottom line.

25:06

The other example that you asked about, you know, what is underappreciated? You're going to laugh about this, but it's the old classic business email compromise. For your audience members who are less familiar with it: imagine being at work, you have a corporate email address, and you get a phishing email, perhaps, that looks, you know, really legitimate. You click through it, it doesn't go anywhere, and you just assume maybe it's a bad link or maybe your computer is not connected properly. It's at work, so maybe that's what happened here; you'll wait for the next alert. Meanwhile, on the back end, your MFA, multi-factor, token has been compromised somehow, or somehow the access has been obtained by the hacker, and what they typically want to do is some kind of financial fraud. They want to transfer the funds to another bank account that they potentially control or have access to, and so on. I'm grossly simplifying the BEC financial fraud piece, but that's what we're looking at. So here's the funny and interesting part in terms of how, quote unquote, that has evolved: it's the use of AI in the deepfake piece. The often-given advice was, if you're going to transfer funds to a new bank account, make sure you do an analog check, you know, call the person on the other side, and if you can do a video conference, even better, so on and so forth. But now, with the use of AI and deepfakes, you can recreate a lot of stuff by capturing people's images and voices, which is readily available these days in many ways, and do those transfers. Now, the reason I say it's underrated as a risk is twofold. One, you know, we often think multi-factor authentication is going to resolve everything. And unfortunately, there are ways to get around it, as

26:46

you know, and I'm sure many of

26:48

your audience members know, so they can

26:50

get around MFAs, like having nothing in

26:52

place. But the second piece is the

26:55

cost, the infrastructure to do this kind

26:57

of financial fraud is extremely low. Hence

26:59

the quantity of these attacks are significant

27:01

compared to a ransomware attack which may

27:03

require more of an infrastructure you need

27:06

to have, believe it or not, some

27:08

kind of drive or data centers where

27:10

you can keep the data that you

27:12

steal. You need to have a supply

27:14

chain, you know, one who compromised credentials

27:17

all the way down to the chain

27:19

to the negotiator. You have to be

27:21

able to mix the currencies, the crypto

27:23

currency that you're obtaining through these global

27:26

mixers and then move them to accounts

27:28

and then turn them into fee ads.

27:30

So there's a whole machine behind that

27:32

That takes time and that can be

27:34

brought down. But the BEC, it's not

27:37

too difficult to take advantage of that

27:39

and there's big money involved. So I'd

27:41

say those would be the two, the

27:43

corporate espionage piece and Shirley the second

27:45

one, which is the good old business

27:48

email compromise, if you want to call

27:50

it that. Yeah, on that, the business

27:52

email compromise, we put out a blog,

27:54

actually, some of our... pen testers, red

27:56

teamers, engaged and sort of proved, you

27:59

know, or showcase ways you could use

28:01

voice spoofing and phishing, email, you know,

28:03

voice-based phishing to compromise an organization. And

28:05

they did, you know, just as you

28:08

noted, being able to train a model

28:10

with recordings of, so you have an

28:12

executive who's on the news all the

28:14

time, right? And there's plenty of public

28:16

recordings of that, and then being able

28:19

to kind of spoof their voice. So

28:21

I think there's an interesting, certainly, and

28:23

there's been, you know, several news stories

28:25

where either audio or visual deep fakes

28:27

have been leveraged in, you know, business

28:30

emocompromised like incidents. I think there's an

28:32

interesting question around to what extent will

28:34

threat actors adopt, you know, what might

28:36

at least right now be more complex

28:38

ways to carry out that activity. as

28:41

you know, like the simple email-based method

28:43

of business email compromise is still very

28:45

effective and still makes up the most

28:47

of what is kind of going on

28:50

in that space. And there's this interesting,

28:52

I think, question around how we anticipate

28:54

a certain technology might be employed by

28:56

threat actors and how they might actually

28:58

use it. But the other piece I

29:01

think is also really interesting that you

29:03

touched on is the lowering of barriers

29:05

to entry, because I don't think that

29:07

the cyber crime ecosystem is ever static.

29:09

always the potential globally for new actors

29:12

to enter that space. And I think

29:14

as you see some of these as

29:16

a service like components to the ecosystem,

29:18

whether it's web skimming or tools to

29:20

do business email compromise more efficiently, it

29:23

is an interesting question around how will

29:25

that change the environment? Will we see

29:27

more threat actors doing things? And will

29:29

more threat actors have the ability to

29:32

leverage techniques that in the past only

29:34

more skilled threat actors would do? I

29:36

agree with you. I think if I

29:38

to be a guessing or a betting

29:40

person, I think the barriers to entry

29:43

have materially decreased and it will continue

29:45

to be that way. One of the

29:47

interesting part I was watching a great

29:49

documentary on the BBC the other day

29:51

and they were talking about this whole,

29:54

why did Chad GPT take off the

29:56

way it did when it was released

29:58

almost two years ago? Well it did

30:00

because the interface was so easy. And

30:02

one of the commentators said, you know,

30:05

back maybe five, six, seven, eight years

30:07

ago, we were telling a lot of

30:09

young folks, you got to do coding.

30:11

Well coding is not necessarily what you

30:13

need to do now is to get

30:16

access to the most complicated and sophisticated

30:18

tools that are out there. So a

30:20

lot more questions come to mind in

30:22

terms of what would be the barrier

30:25

to entry. If you've got a computer

30:27

and a keyboard and a couple of

30:29

basic tools which are readily available, arguably

30:31

you have all you need to do

30:33

some harm if you have malicious intent.

30:36

So we've covered a lot of ground

30:38

here and maybe tying this all together.

30:40

What are some of the kind of

30:42

areas of maybe their opportunities around board

30:44

education, engagement with C-suites, getting them more

30:47

involved in preparatory steps, things like tabletop

30:49

exercises, things like that that you're excited

30:51

about this year, or also just areas

30:53

of maybe risk that people should be

30:55

considering, you know, we're recording this in

30:58

early February. What's kind of your outlook

31:00

on the cyber risk landscape there? So

31:02

a couple of positive things, because I

31:04

know we're probably coming to the end

31:07

of our conversation, so I want to

31:09

leave on a positive note instead of

31:11

just being doom and gloom. But always

31:13

when we can. It's always good. In

31:15

cyber free and on a positive note.

31:18

Well, a couple of good trends that

31:20

are happening, which I think worth mentioning.

31:22

One, if you go back, and I'm

31:24

sure you remember this. 10 years ago,

31:26

trying to get attention of the board

31:29

on cyber was not as easy as

31:31

we think it is now. But the

31:33

boards now are very very alive to

31:35

this. Leadership teams are very alive and

31:37

not just alive about the risk, but

31:40

they're alive to the fact they have

31:42

to invest in being prepared for it.

31:44

So that is a good place to

31:46

be to have these conversations. I think

31:49

the other thing that's a positive is

31:51

just talking about the examples earlier about

31:53

tabletop exercises. You know, a lot of

31:55

clients have already done these. They've done

31:57

sort of the... initial tabletop 101 or

32:00

2.0. But now what they're looking for

32:02

is, okay, let's stretch, let's go and

32:04

see how far we can take this,

32:06

let's challenge ourselves a bit more, the

32:08

folks who are there in our organization,

32:11

that it be the CFO or the

32:13

CFO or the compliance officer, the CSO,

32:15

or go down the list of who

32:17

would be typically on an instant response

32:19

team. They want to push the limit

32:22

to see how far they can go

32:24

with a difficult scenario and make the

32:26

best possible decision. So we're seeing more

32:28

complexity being built into these tabletops, which

32:31

candidly are hard to put together because

32:33

it requires a lot of coordination between

32:35

the technical folks, certainly the governance folks,

32:37

in some cases, we have board members

32:40

who attend not to participate, but as

32:42

observers. Obviously, there's a lot of preparation

32:44

and role definition that has to happen

32:47

in those situations, but I'm seeing a

32:49

lot more. sophistication. The joke I often

32:51

share with our team here at Norman

32:53

Rose is it's a bit like Star

32:56

Trek. I don't know if you remember

32:58

that show with with Captain Kirk, the

33:00

the old one, and the story goes

33:03

something like this. Captain Kirk was a

33:05

cadet in the academy and he would

33:07

to pass the officer test you need

33:10

to do this Kobayashi Maroo test where

33:12

you're given Bad and worse options. And

33:14

in the story, Captain Kirk basically changes

33:16

the algorithm to basically make it such

33:18

that he wins, which is not the

33:20

outcome Star Fleet wants in that scenario.

33:22

The reason I tell the story is

33:25

because what they're trying to test in

33:27

that actual real scenario, not the one

33:29

that Captain Kirk changed, was how would

33:31

you respond to a high stress lose-lose

33:33

scenario? And often in a cyber crisis,

33:35

you're dealing with bad and worse options.

33:37

So the goal here is not so

33:39

much to get... the right answer. The

33:41

goal is to see do you have

33:43

the muscle memory, the reflex, to be

33:46

able to do certain things in a

33:48

quick compressed timeline. And I think when

33:50

you do those really complex tabletop, that's

33:53

what I'm seeing boards, certainly leadership teams,

33:55

information security teams, asking for in terms

33:57

of their tabletops. So that's very positive.

34:00

In terms of risks for 2025, it's

34:02

a bit hard to say. Everything that

34:04

I have seen in roughly about a

34:06

month or so, we're into the year,

34:08

plus what I've read and the conversations

34:10

I've had with folks at Mandient or

34:12

elsewhere, we've seen a slight decrease at

34:15

the beginning of the year in terms

34:17

of the traditional ransomware attacks, but they

34:19

haven't gone away. And there's an expectation

34:21

it's going to increase. This is a

34:23

risk that's not going to go away.

34:25

So how do you adapt to it?

34:28

is something that comes up a lot.

34:30

And last point you and I just

34:32

touched on this prior to this last

34:34

point, which was the use of deep

34:36

fakes in very basic cyber attacks like

34:38

wire transfers. We're seeing a lot more

34:40

sophistication in that, you know, the the

34:43

email that looks like a legitimate email

34:45

coming from an e-commerce business you do

34:47

business with or a message coming from

34:49

your cell phone service provider. And what

34:51

they can do with these AI tools

34:53

now is collect a ton of information.

34:56

So if I was a hacker pre-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-

34:58

I would have to go and say,

35:00

okay, well, let me target Imran. Let's

35:02

go on his LinkedIn, let's go on

35:04

his Facebook, let's go figure out what's

35:06

on Norton Rose's website about him, try

35:09

to put it together, then I craft

35:11

an email that would look legit, and

35:13

then send it off. Now with AI,

35:15

you can do is have that all

35:17

that information scraped, put into a database,

35:19

and hit hundreds of Imran, that you

35:21

could do the most, you know, connoisseur

35:24

of people out there who would have

35:26

picked this up otherwise. Well, a lot

35:28

to think about. We got the positive

35:30

outlook and then also the thing to

35:32

be watching from a risk perspective, fitting

35:34

them both and there at the end.

35:37

But Imran thanks for your time and

35:39

sharing your insights. This has been an

35:41

excellent conversation. I think hopefully will kind

35:43

of frame certainly a lot of the

35:45

ways that I'm thinking about this year

35:47

and engaging with some of our customers.

35:49

So thank you for your time today.

35:52

Thanks for having me. It was a

35:54

great conversation. Hope we can do it

35:56

again soon. Okay.
