How prepared is your business for a ransomware attack? Not just to prevent it, but to continue operating when it happens. In this episode, I sit down with Trevor Dearing, Director of Critical Infrastructure at Illumio, to discuss the latest findings from their global ransomware report and what they reveal about cyber resilience.
Trevor shares insight from a survey of more than 3,000 organisations across multiple sectors. The most concerning figure is that 58 percent of those impacted by ransomware were forced to halt operations. That number has risen sharply from 43 percent just two years ago. Despite this, many businesses in the UK still avoid reporting attacks, often due to fears around reputational damage or potential retaliation. Trevor explains why that reluctance is misguided and how public support, improved infrastructure, and more explicit government guidance could encourage more transparency.
We also explore the rise of containment as a more practical and cost-effective approach than prevention alone. Rather than trying to stop every attack at the perimeter, organisations are learning how to isolate and limit damage quickly. Trevor explains how zero trust architecture, microsegmentation, and one-click containment tools are being used to keep systems operational even during an incident.
Only 13 percent of organisations believe their cyber resilience exceeds what is required. Trevor helps us understand why this number remains low and where organisations should focus to shift from vulnerability to resilience. From evolving regulations to future applications of AI in security, this conversation covers what leaders need to know as they prepare for the next generation of cyber threats.
To access Illumio’s full ransomware report, visit illumio.com. Is your cyber resilience strategy built for recovery, or just defense?
[00:00:03] What would happen if your business was hit by a ransomware attack today? Would you report it? Or would you keep it quiet, fearing reputational fallout? Well today I'm going to be joined by Trevor Dearing. He's the Director of Critical Infrastructure at Illumio. And together we're going to unpack the findings from a new report that reveals that 73% of UK organisations are still reluctant to report ransomware attacks.
[00:00:32] And with ransomware attacks rising and many organisations all around the world halting operations as a result, I think Illumio's research paints a stark picture. But there is a more hopeful path forward. Everyone listening to this show knows we always try and leave on an optimistic note. So the big question for you listening today before we invite the guest on is how can you and your business shift from fear to resilience?
[00:00:59] And why is containment proving more effective than prevention? Well, let's get Trevor onto the podcast now and find out more. So a massive warm welcome to the show. Can you tell everyone listening a little about who you are and what you do? Certainly. And thank you, Neil. Thank you for having me on.
[00:01:20] My name is Trevor Dearing. I work for an organisation called Illumio and I tend to focus on helping organisations within critical national infrastructure to be able to secure their environments and also to, I guess, drive and drive forward resilience. And this is basically from a position of being able to control and contain an attack when it happens.
[00:01:49] Personally, I've been in this industry for, gosh, 43 years now. Wow. And was sort of around at the sort of start of things like the PC and networking and security and all those sort of things. So I have a sort of a good background in a lot of this type of technology. Well, you have an incredibly young voice. You don't sound like you've been in the industry for 43 years. It's the singing in the church choir that does that. Lovely.
[00:02:18] And as for Illumio, we've had a few people on over the years. I think it was John Kindervag. I think it was an evangelist talking about the zero trust model, obviously, which he invented. Is he still around? And I think it was Raghu as well. Are both of those still around? Yeah. Yeah. They're both here. So I was just obviously chatting with Raghu yesterday on a few things. And he mentioned that he'd done a session with you. And yeah, I've worked with John in a few companies now in Palo Alto Networks and both here at Illumio.
[00:02:48] And yeah, he's still very much here. And we're going to be working together at RSA in a couple of weeks. Fantastic. And one of the reasons I was excited to get you on here was having read about Illumio's latest report on ransomware and incident reporting in the UK. And as someone that has been around the block a time or two, I've got to ask what surprised you most from this report? I think there was.
[00:03:12] Well, I mean, there are a few things, but the one outstanding one was the statistic about the number of organizations that had to halt operations during a ransomware attack. So just for background, the survey was for over 3000 organizations around the world, varying shape sizes and industries. And the average number of companies that had to halt operations was 58%.
[00:03:40] And that's gone up in the, you know, from the previous research they did, which was 2021 from about 43%. And, and just in this day and age that with the prevalence of ransomware attacks, the fact that, you know, those organizations suffered that level of disruption was, was, was quite surprising.
[00:04:01] But the other thing that went, that was also quite surprising is that a lot of organizations had a very positive view. They were very optimistic about their ability to repel ransomware. But equally, when there was an attack, it was launched via very basic things like RDP and it suffered from unpatched systems, weak passwords, you know, the very fundamental foundational things that people should be doing.
[00:04:30] So, so I think, you know, one of the key things was, A, the disruption it caused, B, the fact that people were very positive about their ability to repel attacks. But then it was all down to sort of some very, very basic things that caused all the disruption. And I'm curious, why do you think there is still such a strong cultural reluctance among UK businesses to report ransomware attacks to law enforcement?
[00:04:58] And is it GDPR fines or is it something completely different? Well, I mean, obviously if there's a GDPR implication, then you are by law required to report. Yeah. But I guess the challenge is what's the incentive to report?
[00:05:14] You know, I think if you, you know, if you look at what happens about reputation and things like this, there is a potential concern that if people report things and it becomes well known that that's going to have a negative impact. But I think on the flip side, the public have got so immune to this that because almost they just assume every company has been attacked. I'm not sure it's going to have that, that big an issue.
[00:05:38] But I think as we move forward, I think if there was better support for organizations during an attack from, you know, government bodies and things like that, if there was sort of more investment on that side, then I think more organizations would report. And one of my, you know, one of my favorite documents, quite sadly, is the, sort of from last year is the government subcommittee on ransomware report.
[00:06:07] And this was, this was really interesting because it basically said that a sustained ransomware attack on, on the critical infrastructure of the country could have the same impact on GDP as COVID. And there wasn't enough support for, you know, smaller organizations and things like this. So I think if some of that gets implemented and hopefully it will in the, you know, in the upcoming bill, then, then that attitude to reporting may change.
[00:06:38] And it wasn't too long ago that reputational damage from an attack like this was said to last for at least five years. But as you said, I think that has diminished a little bit now because most of us kind of assume that every company is under attack on a regular basis. And fear of retaliation and that reputational damage does seem to be driving some of the under reporting. But how can organizations maybe shift their mindset while still protecting their brand? I'd imagine it's quite a tricky balance.
[00:07:08] Yes, it is. And I think it's interesting. There's, there needs to be a sort of a big shift in, in thinking around this anyway. Yeah. You know, for too many years and, you know, as far as I can remember back to, I guess, when the first, AV came out in, what was that, 1987, people have been very, very focused on stopping and stopping the attack happening in the first place, sort of keeping everyone out.
[00:07:33] And over the years, we've spent more and more and more money on trying to reduce the probability that an attack is successful. And organizations have sort of ignored trying to restrict the impact. So, you know, the one that everyone talks about, Colonial Pipeline, the fact that there was an attack in the, you know, in the IT environment through reasons that are still not quite clear, caused the pipeline to be turned off.
[00:08:00] It's, it's that sort of planning and preventing, you know, the fundamental stopping of your prime objective that is, that should be driving thinking. So, you know, we've been attacked. Whose fault was it? Who can we blame? To, well, where we were attacked, but we survived. We stayed in business and that's a good thing.
[00:08:27] So, so there needs to be this, this real shift in thinking. And that, that if you are then attacked and you contain it, then why not report it? You know, it's almost a positive thing to do. And the report also suggests that containment strategies are more vital than ever. So what does effective containment look like in practice for modern organizations? Just for anybody listening to help them understand how this could make a real difference to them. Yeah.
[00:08:56] I mean, containment's probably a much cheaper and easier approach to take than, you know, more and more shiny, funky, you know, technologies to try and stop the attack. Yeah. And so what you're, what you're doing is think of it like someone breaks into a room of your house, but that's the only room they can get in. They're locked into that, that specific area and can't get to the, the most valuable assets within your, within your environment.
[00:09:21] So, you know, so being able to sort of identify where the risks are in your organization to sort of see, you know, see what threats are potentially coming. There was a, a great phrase I saw the other day, which is called advanced obfuscation, which is basically, if you apply zero trust principles, you can hide some of the routes that the, the attack could take.
[00:09:48] So that when the, the, the criminal is sort of, you know, doing the recon phase, those routes are blocked. So you're, you know, you're effectively controlling where it goes. And if you can then identify and detect that attack, then it becomes very simple to do like a, you know, a one click containment, which basically ring fences the attack and stops it moving.
[00:10:11] And I guess the big question is at a time when brand damage is often outweighing regulatory costs in many cases, how should companies be prioritizing their investment in things like resilience and recovery planning? I think it's, you know, and a lot of the, the analysts, you know, the analyst world are sort of supporting this move as well. Yeah. That really they, you know, there should be a shift in spending and resource much more towards that resilience approach.
[00:10:41] And that, you know, and that includes planning for what happens when there is an attack. You know, everyone, you know, everyone quotes the, you know, whether it's Mike Tyson or some ancient general, which basically says, you know, all your strategy goes out the window when you get punched in the face. Yeah. But at least have a good idea of what's going to happen. I mean, in the old days, when we used to work on mainframes, we literally would, you know, to test it, you'd turn one off, walk down the road to the disaster recovery center, power up the second one and make sure it all worked.
[00:11:11] But you don't necessarily, you know, in the world we have in the hybrid world of cloud and data center and virtualization and OT and all that sort of thing, you don't always have the capability to do that.
[00:11:23] So, you know, what you have to be able to do is to understand how you minimize the impact on each part of your operation and sort of work out where an attack is likely to happen and how you can, you know, and how you can contain that. Yeah.
[00:11:43] And there's a breathtaking stat that I wanted to share with everyone, and that is only 13% of organizations actually believe that their cyber resilience exceeds their requirements. So from everything that you're seeing here, what's holding back this remaining 87% and where should they begin if some of that 87% are listening to this podcast? Yeah. Yeah. Yeah. Yeah. I mean, I was sort of surprised with that.
[00:12:08] And, you know, I was reading the, you know, the World Economic Forum's cyber resilience report that came out at the end of last year. And, you know, there are some quite scary sort of stats within that. But I think, you know, I think it's because the thinking has always been around reduce the probability that an attack is successful.
[00:12:32] So, you know, so a lot of people are invested in identity management and ZTNA and all the things on the perimeter that stop the attacks getting in. And now that there is a growing realization that at some point that attack is going to get in, then people are now becoming more concerned about resilience. So, you know, we've seen legislation around DORA is all about, you know, improving resilience. NIS2 is about improving resilience.
[00:12:59] You know, the cyber bill that's coming out of the UK Parliament is all about improving resilience. So I think it's suddenly thrown the spotlight onto this and organizations have sort of had one of those, how do we put this, oh dear moments, where they've realized that actually they're not as prepared as they thought.
[00:13:18] And we've seen, you know, if we see attacks like we saw on Synnovis and other, you know, other organizations where it had a major impact, that sort of thing really highlights to not only the regulators but the public what the impact of this could be and how important building a cyber resilience plan actually is.
[00:13:39] So as the UK considers changes like banning ransomware payments, what impacts do you foresee this having on business preparedness and collaboration with authorities? Because it's a pretty big move. It's a needed move. But how do you see this playing out? Yeah, I mean, the conversation about banning ransomware is going on in every country in the world at the moment. And the practicality of that is the challenge.
[00:14:09] Because if you could build a big support infrastructure around organizations that said, when they said, oh, we're suffering a ransomware attack, that sort of the, you know, the good guys came swooping in to help, then I see that, you know, banning ransomware payments could be practical.
[00:14:29] But if we don't, if organizations, especially small organizations are left to themselves and having to spend as much money on bringing in, you know, an organization to help them, then paying the ransom could actually work out cheaper and quicker. I mean, there's always the challenge that once you pay the ransom, the guys come back for more, or they pay the ransom and data gets released anyway.
[00:14:57] Or you pay the ransom and you can't restore, you know, all your data. So there's always some challenges. But I think if there's a support infrastructure put in place around organizations, then a lot of that stuff becomes practical. You can't, you can't just keep, you know, adding laws and adding laws and adding requirements into regulation.
[00:15:22] If an organization hasn't completed the previous set of laws, you know, they're never going to get to that point. So it, you know, it becomes, it becomes worthless without the support infrastructure to, you know, to make it happen. And you mentioned when you first came on the podcast, 43 years in the industry, you've probably seen so many different cycles. Everything changes and yet often remains the same as things come back in.
[00:15:48] But I'm curious, if we look to the future, what makes you hopeful? Any big takeaways for people listening and any words of assurance or what they should be doing? Anything you'd like to leave everyone listening with on the future of this? Yeah, I think, I mean, one of the, you know, one of the key things that the defenders and the security industry need to do is really make the attackers start to think differently.
[00:16:16] So it's historically been too easy for, you know, if I'm an attacker, you know, if I decided to be, I could go onto the dark web and I could download an exploit. I could create, you know, build my own ransomware. I can do all of this thing. I can launch an organization and there's a good chance that that would be successful. We have to take away the ability of the bad guys to be able to do that stuff.
[00:16:44] We, you know, we need to build our infrastructure so that it's, you know, it's, it's very closed. It's very difficult to see what's going on. So, and this is why things like zero trust become so important because if you're, if the only connection and the only communication that can happen is one that you know exactly should happen, then the chances that someone's going to be able to crack that is going to be very limited.
[00:17:11] And we have to also sort of think on that on a, a very wide basis. So a lot of times, you know, we think about the infrastructure in one data center and then the infrastructure in another data center. We have to sort of lift that up above any sort of network infrastructure type thinking and control least privilege access and all that, you know, all the stuff that people talk about.
[00:17:35] So I think if we could do all of that and we can then use technology like AI to be able to sort of identify where those risks are, to sort of come up with some sort of view of, of where, where protection needs to be added. So where are all those open, exposed high risk ports? Where are all those weak password systems?
[00:17:58] You know, all of that sort of thing to do those foundational things could force the cyber criminals to, you know, to have to do something different to, you know, to start to start to really struggle. And, and I think that's, you know, and that's where we have to have to go. And I think the technology is being developed that will, that will make that happen. Well, we've been very forward looking in today's podcast.
[00:18:25] We did start with your origin story to your hugely successful career, the things that you've seen, the changes that you've seen. But as we come full circle now, I'm now going to take you back to where your career began. And the reason I want to do that is because I think none of us are able to achieve any degree of success without a little help along the way. So is there a particular person that you're grateful towards? Maybe they saw something in you at some point in your career or, or just played a part in helping you get you where you are today. Who would that person be and why? It'd be great to give them a shout out.
[00:18:55] Yeah. I mean, there's a few, but I think, I think one, if I was to pick on one single person and, and this person was effectively, I guess he was probably the, the, you know, the original network guru in, in the UK in the late 1980s. And he sort of worked for an organization called 3Com, which I think, you know, hopefully a lot of people remember.
[00:19:23] And he was the, the go-to guy for, for almost everything. And I had the privilege of working with him and his name is Paul Trowbridge. And I had also had the pleasure of working for him later on within, uh, an organization called Bay Networks again, not here anymore.
[00:19:42] Um, and he, he was sort of, I guess the guy who was always in control, always knowledgeable, had good advice, who, you know, was one of the first people to sort of really become successful within, um, within this, this sort of environment. And everyone sort of, I guess followed isn't the right word, but everyone took inspiration from him. He was, uh, you know, very inspirational to a lot of people.
[00:20:10] And some of them may actually be listening onto this, uh, into this podcast. And he was known even in the press as the self-styled, you know, networking guru, but he had sort of such a calming, um, controlled approach that he gave just inspiration to so many people. And, you know, without him, I wouldn't be where I am today. Oh, that is a beautiful moment to end on. So a quick shout out to Paul. I think it's so important to share these stories.
[00:20:40] I think Paul is probably blissfully unaware on the impact that he's had on your career. So, so important that we share stories like this. And of course we, we've covered the latest report from Illumio on ransomware and incidents, et cetera, today. But for anyone listening, wants to find out more information, whether it be checking out that report or keeping up to speed with all things Illumio, where would you like to point everyone? Um, if you go to Illumio.com, then that report, um, is, is obviously available there to, to download and read.
[00:21:10] Well, we covered so much today and there were so many big stats that we didn't get to release as well. I think one of them, there was that 73% of UK organizations are reluctant to report ransomware incidents. And also fear of publicity, 43% and retaliation, 36%. All that suggests organizations are sometimes prioritizing reputation management over broader cybersecurity collaboration. So I'd love to throw those stats out there for anyone listening.
[00:21:38] Let me know your thoughts, how your organization is coping with this. And please check out that report. But more than anything, just a big thank you to you, Trevor, for starting this conversation today. Thank you, Neil. And I hope to talk to you again soon. So what does it really take to move from fear to preparedness in a world where ransomware threats are the new normal? And as Trevor reminded us, the conversation needs to move beyond attack prevention and focus on things like resilience, containment and transparency.
[00:22:08] And with legislation catching up and awareness growing, there's a real opportunity for organizations to lead by example and reframe incident reporting, not just as failure, but as a stronger, smarter response. And the bigger question, of course, is will we rise to meet these challenges before that next attack strikes? It will strike.
[00:22:32] As always, email me techblogwriteroutlook.com, LinkedIn, Instagram, just at Neil C. Hughes. Particularly want to hear from business leaders and cybersecurity experts and what you're doing around this. So remember, check out the report that I'll leave in the show notes. And more than anything, thank you for listening. I'll return again very soon and be waiting in your podcast feeds. I'm always there somewhere. So I'll speak with you all then. Bye for now.