Want to protect your data from ransomware and other breaches? Ransomware exploits are reaching new levels. COVID-19 has emboldened criminals to take advantage of the disruption caused by the pandemic. While organizations were vulnerable and distracted, hackers developed new ransomware samples and advanced existing tools to attack companies and organizations of all sizes.
Start to protect your enterprise now! Learn about Cyber Hygiene essentials, including:
• What is Cyber Hygiene?
• Cyber Hygiene and Ransomware Protection
• Cyber Hygiene Best Practices
• The Cyber Hygiene Plan
• Open Source Cyber Hygiene Tools
Dr. Chrisan Herrod
Chief Security Officer, Securities and Exchange Commission (ret.)
Mr. Eric Handy
Executive Vice President, KITC, a leading cyber security and risk consultancy
Dr. Victor Berlin
Founder of the Mission Critical Institute, a cybersecurity thought leadership center, and previously the founding president of Potomac College, an accredited institution serving working professionals in management and information systems. Dr. Berlin received his Ph.D. from Northwestern University and a B.A. from Cornell University.
Read Transcript Below
Tom: Hi, everybody, this is Tom Riddle from Virtual Intelligence Briefing. Thank you for joining us for today’s webinar, “Block Ransomware Attacks and Protect your Assets with Cyber Hygiene.”
Dr. Berlin: Tom, thank you. This is Dr. Berlin, President of stacked-UP. I’m very excited to be here today with you, and also very excited to have our panelists, Mr. Eric Handy and Dr. Chrisan Herrod. Both of them are experts in the NIST Risk Management Framework and Cybersecurity Framework, with extensive experience in helping to protect enterprises and prevent breaches, and especially to help prevent ransomware. You’ll see at the bottom of this slide, there’s an email address. So if you don’t get all of your questions answered, please feel free to email Cyberexpert1@stacked-up.org, and we will be getting back to you with responses. So today, what we’re focusing on is how do you block ransomware attacks and protect your assets with cyber hygiene? Ransomware attacks are probably not the most prevalent threats, but they are very dramatic, and they can have major impact. So what we’re gonna talk about today is we’ll go over, just review quickly, what are ransomware attacks? And we’ll talk about cyber hygiene. What is it, and the best practices, so you start to get an idea of what it takes to implement a program to prevent ransomware attacks and also other breaches. We’re gonna drill down to look at some open-source cyber hygiene tools that you can incorporate into your cyber hygiene program. And we’ll end up with a benefit-cost review of is it worth the investment, and what are the benefits of a cyber hygiene program? So, what is a cyber hygiene program?
Hygiene, we all know what hygiene is. You take certain actions, wash your hands, especially in this day and age, and do other protective acts, in order to prevent infection, in order to prevent disease. Well, cyber hygiene is taking on preventive acts in order to protect your system. You wanna sanitize that system to make sure that you’re utilizing the best preventive methods and the security best practices you can. And we’re gonna look at how does cyber hygiene impact a ransomware attack, or actually how does it prevent a ransomware attack, or perhaps even help you recover from one.
So, ransomware attacks across sectors. It’s getting more and more expensive. 2021, the projection is $5 trillion globally. We can see here how it’s impacted a number of businesses, and we’re gonna focus on a case study later and examine how a company called CWT was impacted by ransomware, and what they might have done to prevent it, in fact, what advice they actually got from attackers on how they could have prevented it after they paid the ransom. So, Eric and Chrisan, what do you see as fueling this growth in ransomware attacks? Why don’t you start off, Chrisan?
Dr. Herrod: Oh, definitely. A lot of the ransomware attacks are predominantly targeting Windows OS, or Windows operating systems. So if you’re not maintaining a good patching regimen, for example, especially on your Windows operating systems, you’re going to be subjected to a ransomware attack at some point. Also, backups. There’s a rule called the 3-2-1 rule. So, three copies of your data, two different types of media, and one version stored off-site. A lot of companies are not practicing that rule. So, I think that those kinds of things, combined with cloud security, or the lack of cloud security in some cases, can leave an organization completely vulnerable.
Dr. Berlin: Great. So, what we’d like to do is learn a little bit about our audience today, and how concerned they are with a ransomware attack. Yes, I see that we’ve got a very interesting distribution. Forty-three percent are very concerned, and 30% wanna take actions, and 7% wanna learn more. So, a lot of people are ready to do something about it. So let’s see if we can give you some pointers as we move through the webinar. So, what is a ransomware attack? Basically, what the ransomware attack does, as you probably all know, is it freezes your business. It freezes business operations, data, IP, PII, and your systems. And these are the things you wanna prevent. You do not want your system to be frozen. What we’re gonna do is look at a ransomware attack case study, take a quick look at it, and then later drill down into what might have been done to prevent this ransomware attack. CWT is a global company with $1.5 billion in revenue. Ragnar Locker was essentially the tool that was used for this attack, and it encrypted their computer files, and really made them unusable. And this is something you’ll see that could have been prevented with cyber hygiene. Eric, you wanna tell us a little bit about this attack?
Eric: Certainly, and this is on the web. Pretty much, there was a negotiation over a chatline, apparently, that was left open after everything was settled on this. Basically, CWT was hit with the Ragnar Locker exploit, and all their files were decrypted, and basically, like Dr. Berlin just said, nothing was usable at that point, and they had total control over their data. So, they sent them an email and, basically, requesting for 10 million Bitcoin as a payment in order to release all their data back to them so it wouldn’t get out into the wild and it wouldn’t get into the press. And if they had got back within two days, they only had to pay 8 million Bitcoin. So, everything was negotiated. They ended up paying 4.5 million Bitcoin, and if you ever saw the internet description there, it’s more like a business negotiation contract signing versus a crime being committed. If you look at the nature of the transaction, where CWT was very apologetic, very nice to the ransomware pirates as they negotiated through this. So, it ended up costing them 4.5 million Bitcoin from [inaudible 00:07:07] standpoint.
Dr. Berlin: Well, Eric, thank you for a good overview, and what we’re gonna do later is look at what the advice was, and how CWT could have used the open source tools we’ll be discussing to actually prevent this attack. But ransomware vulnerabilities are increasing, and some of the factors doing that are bring-your-own-device, Internet of Things, and teleworking, and especially during the pandemic, teleworking is expanding rapidly, and that’s creating more vulnerabilities that you have to worry about that opens up opportunities for ransomware attacks.
And what are the costs associated with ransomware? Now, Chrisan mentioned the lack of backup implementation. So, recovering and recreating data, recovering your systems, paying the ransom that Eric just described, staff replacement, bad PR, and loss of customers are critical costs that you could face with a ransomware attack. Chrisan, what do you see companies doing to try to prevent this? Is there more attention being paid to ransomware, or is it pretty much certain companies are doing it and other companies are not?
Dr. Herrod: I think, to your point about are companies paying attention, one of the key indicators to me is that in the latest FBI report on this topic, they estimate that there’s approximately 4,000 ransomware attacks launched every day. In other words, every 40 seconds, there’s an attack launched. And more and more of those attacks, almost 97%, are coming from phishing emails, and that’s been documented since 2016. So, as I said, the FBI’s keeping track of this, and I think that is a wake-up call to a lot of companies, especially small companies, because a lot of smaller companies, approximately 60% of small businesses, have already been hit by ransomware. So, yes, I think that there’s growing concern and growing awareness of this kind of attack. And I think that defending against it is something that we’re going to talk more about as we get through this presentation, but it involves really a number of different prevention-type implementations, not just one thing. And one thing is not, putting in firewalls, for example, is not going to prevent ransomware. So, I think as we move through this, there is, as I said, a number of different methods that companies should be aware of to use, to prevent these kinds of attacks.
Dr. Berlin: Great. Well, that’s a good prelude to what we’re gonna be taking a look at. So, I think one of the things that, as you’re doing your ransomware planning and prevention, we’d like to know a little bit about who your customers are, because that can impact how you plan your prevention program.
Great. So, we can see that over half of the attendees are commercial enterprises, and consumer-focused. So, again, this tells you that your prevention program will help you with those customers. The assets, obviously, you want to protect the number one asset, are your customers. A ransomware attack could create a bad image. It could actually hurt your customers if they get breached as part of this. You want to protect your staff. You want to keep your staff. You don’t want them to become disillusioned. And, certainly, your data, your information, your intellectual property, and access to your systems and networks, all of these are assets that you need to protect. Eric, since some small firms, as you know, can’t afford to protect everything, which of these…how should they make a decision about what they should be protecting and what they should be spending their budget on?
Eric: Well, usually, in that particular situation, Dr. Berlin, you want to take a risk-based approach, such as using NIST controls is one thing that you can use, the risk management framework. Those sort of tools will naturally lead you to a risk-based approach, where you’re taking care of things that are most probably gonna be things that you need to protect the most. So, you’re spending your money wisely, spending your time more efficiently.
Dr. Berlin: Great. Well, that brings us to our next question. In what industry are you working, because that’s gonna impact what methods you use, what plan you put in place, what you have to protect most.
Well, that’s a very even distribution, with most of them in the software and IT services sector, who are, obviously, very sensitive to this. And again, when you look at the open source tools that we’ll be presenting, you’ll be able to adapt those to your particular industry focus.
So, what is cyber hygiene? The key elements of cyber hygiene are planning. You need to set up a cyber hygiene plan. You need to implement it, and part of that involves recovery. Cyber hygiene doesn’t assume it’s perfect, so it puts in place methods and procedures so you are well-positioned to recover data, recover your systems. And the benefits of cyber hygiene are that it reduces the impact of the breach. It prevents the breach, and then if one does occur, it minimizes the impact if you follow all the aspects of your cyber hygiene plan. So, in terms of the multiple assets we looked at before, are there particular assets that cyber hygiene can deal with more effectively than others, or, Chrisan, do you feel it can be used across all the various assets an organization has to protect?
Dr. Herrod: I think it can be used across a number of different assets, but I’m gonna go back to my original point, which is a lot of this can be mitigated through just following basic security practices. And one of them that gets, as I said earlier, often overlooked, is maintaining your backups, testing your backups and your DR strategy. And in that respect, that ties back into the planning and operations piece of what is cyber hygiene, and particularly in the recovery methodology, because if you’ve got a strong backup and recovery plan in place and you’ve tested it, then 90% of the time, you’ll be able to roll back into operations, even though perhaps your main systems have been attacked. So, to my way of thinking, testing, backup, recovery, patching, that’s your foundation. Everything else then complements that foundation, and can enhance your security.
Dr. Berlin: Great. So, basically, what you’re saying is that cyber hygiene can cut across these various aspects of the assets, and it can cut across industries. It’s a great prevention strategy. And as you said earlier, the backup procedure, the 3-2-1 model, is critical. And I want to emphasize something you said, Chrisan, which is testing your backup. And let’s talk a little bit more about that. It’s not enough to have a backup and recovery system in place, but you actually have to test it, and recover material in that test, and make sure you can use it. How many of the organizations, the clients you deal with, do you see actually doing that? And what motivates them to do it?
Dr. Herrod: A lot of times, what motivates them is having to comply with regulatory requirements. For example, if a company is a NIST-based standards company, then one of the several key controls in NIST, for example, the risk management framework, is do you have a backup and recovery program in place? Do you test it? How often do you test it? If you’re using a cloud provider for your backup, do they have a SOC 2 report? Have they gone through multiple test automation, which is becoming a trend in the data management and data protection industry? It’s important that those features are used. And so, all of those things tie together, as I said earlier, in protecting your systems from ransomware.
Dr. Berlin: Exactly. And I think another set of best practices relates to patch management and centralized patch management. Eric, in your experience, what do you feel inhibits organizations from implementing centralized patch management?
Eric: Just not having a program in place and not following it. To follow what Chrisan just said, once you implement a program, the key is that make sure you have continuous monitoring throughout the process, that, it’s one thing to put up a program, but then a lot of times, people celebrate, and then no one does the backup, actually does the testing. So, make sure you follow the program to a tee all the way out, and that way you can feel protected and that you’re doing due diligence. Because, as Chrisan said, a lot of times people don’t follow patching. And because of that, that’s where a lot of these exploits happen. If you had just patched your machine properly, you would probably have been protected.
Dr. Berlin: And since we have a lot, a number of in our audience who are in the IT sector, what motivates an organization? When you look across the clients you’ve served, what sets those organizations apart who are actually using an effective centralized patch management program? Where does the impetus come from within the organization?
Eric: A lot of times, as Chrisan said, it’s regulatory requirements in a lot of cases. Now, today, based on the survey, we have a lot of consumer companies. So, they don’t always have regulatory concerns that they have to focus on. So, there’s not a one set best practice that everyone’s using. So, everyone’s using different formats, maybe NIST. Some people might be using ISO 27001. Some people might be using HITRUST, SOC 2, PCI, so different things are happening out there. So, no one is doing exactly the same thing, and protections can be uneven out in the field, depending on what their requirements are and what history they have. If they’ve been attacked previously before, they’re a little bit more serious about it, I find, and they’re more detailed in their security program.
Dr. Herrod: And, Victor, if I can jump in there and tag on to what Eric’s saying, a lot of the motivation I’ve seen is coming from third-party risk management requirements. So, especially if you’re in a consumer organization, you’re doing business, let’s just take an example, Humana. Humana has over 10,000 business partners. They have a security vendor risk management program that they go through yearly, and verify the security of their X number of key application providers. So, if they don’t meet, for example, Humana’s security standards, Humana’s not gonna do business with them. So, I’ve seen lately that trend become more and more important, and really driving companies to become more secure and implement these basic security standards.
Dr. Berlin: The supply chain risk management methodology, the NIST test, for example, would be very helpful to making sure that a company’s protecting their assets.
Dr. Herrod: Exactly.
Dr. Berlin: Right.
Eric: And, Dr. Berlin, I would say definitely I totally agree with Chrisan from that standpoint. From experience, I’ve dealt with Humana on that end, from a third-party standpoint, and it does affect the company, and it does make things become more detailed and more secure overall [crosstalk 00:19:58] standards.
Dr. Berlin: Your organization, if I recall, basically had to respond to that kind of input from your client. Correct?
Eric: Yes. Yes.
Dr. Berlin: Got it. So, we move on to exactly what are the cyber hygiene best practices you might follow, and we’re talking right here about third-party supply chain risk management, the third bullet. But avoiding ransomware hiding places, and executing programs in safe locations, again, these are some of the best practices that you can implement into your cyber hygiene plan. So, let’s take a look at the polling question. What is the status of your cyber hygiene plan? So, give us a sense of where everyone is in terms of implementing one, or trying to improve one.
Wow. Almost everybody’s planning their cyber hygiene program. Well, the highest number is 43%. It looks like everyone is aware of and paying attention to this, which is critical. What we’re gonna start talking about now is how you can use open source tools to create a cyber hygiene plan to prevent ransomware attacks. These tools will help you with vulnerability management, protecting your assets with how do you implement it, testing, improvements, and give you some guidance on budgeting.
Let’s return now to preventing the CWT ransomware attack. As Eric said earlier, CWT paid 4.5 million, but you’ll see shortly in the next couple slides that this attack was preventable with NIST open source tools, and you can actually build your cyber hygiene program using these NIST tools.
So, as Eric was saying, in this tweet, these attackers outlined the recommendations that CWT could have followed in order to prevent this attack. So, why don’t you, Eric, tell us, you know, a couple of NIST controls or areas that this related to, as you look at it?
Eric: Well, some of these were access control configurations that could have been adjusted to prevent attacks, such as administrative sessions were still left on after the work was done and it was still available for someone to dive into and exploit. So, a lot of that was going on. And what you see here is, because CWT was such good sports, and also because the ransomware pirates are such nice guys, they actually provided some advice to them on what they could have done to prevent this. So, that’s just the whole tone of the whole chat. If you can look on the internet and see this chat, which you can look up, you’ll see exactly what I’m talking about as far as the tone goes. But a lot of it is access control and patch management issues and things of that nature that Chrisan had mentioned that weren’t properly done on time.
Dr. Berlin: Got it. And here’s another… The list goes on. And, again, we’re looking at access control and…
Eric: They were giving them very detailed information on how to prevent this from happening again. So, they did it… You know, they were very nice about it as far as telling them exactly what they could do to prevent it [crosstalk 00:23:30]. They even told them how many people and resources they should have working on a 24-hour basis to stop this from happening again.
Dr. Berlin: Right. That’s what they tell them here. This is the detail. So, I mean, if someone paid you $4.5 million, I guess you’d be pretty nice to them too, wouldn’t you?
Dr. Berlin: So, yeah. So, I guess the question is then, rather than waiting to be attacked and getting advice if you’ve paid $4.5 million, what can you do? Well, here are the open source cyber hygiene controls that Eric referred to. You’ve got the NIST 800-53, which is the broader set, the 800-171, which focuses on a smaller set of controls, and then you’ve got the CMMC, which has 171 controls, and you can see the CMMC has different levels of cyber hygiene. And as you can see in the step [inaudible 00:24:27]. Chrisan, do you want to make some comments about these controls and how they might fit into a cyber hygiene plan?
Dr. Herrod: Well, I think that regardless of how big your company is and what business you’re in, NIST seems to be, in my experience, a really good framework, if you will, to select those controls, which is appropriate to your company, to your risk management tolerance, and to your business practices in general. So, for example, you may not need all 1,000 controls from 800-53. I mean, no company that I’m aware of could ever implement all those controls to begin with. My take on this is that if you look at NIST 800-171, in particular, or the CMMC, you will find a set of controls that will be appropriate for your business, and the basic controls are there. They’re there, as Eric said, in access management, disaster recovery. They’re there for risk management. They’re in place for endpoint protection, malware detection and monitoring, and so forth. And if you can’t possibly implement all of those 110 or 171 controls, then pick those that are of immediate relevance to you, and implement them in a fashion that gets you to where you want to be as far as your security and peace of mind from a risk management perspective. I hope that makes sense.
Dr. Berlin: Yes.
Dr. Herrod: Because, again, I think that it’s difficult for a company to just say, “I’m gonna adopt all these controls.” Some of them might not apply to you at all, and that’s where the business and mission of the organization comes in and your risk tolerance.
Dr. Berlin: Well, that takes us to the next area, which is okay, how do you decide which controls to implement? And so, NIST provides you with a methodology for that, too. You’ve got the NIST cybersecurity framework, which helps you establish what your enterprise risk posture is going to be. Then you have the NIST risk management framework, which is a methodology you can use to determine which controls to select, and then implement, and then assess, and how you set up that continuous monitoring system that Eric mentioned, to make sure your controls stay in effect. The FedRAMP approach is for cloud-based systems. It utilizes the NIST risk management framework and applies it to systems operating in the cloud. So, when an organization is trying to decide which controls to select, Eric, would you say, you know, using one of these methodologies or some combination of them is critical?
Eric: Yes, I definitely think it is critical to use one of these frameworks, if at all possible. And, again, most of the folks here are more consumer commercial-related. And so, in the federal government, you’ll see this quite heavily being used, as far as NIST risk management framework, FedRAMP, those sort of things. Not so much commercially, I don’t find that it’s being used quite as much. We see a lot of ISO 27001 and things of that nature. But just understand, most of those controls from ISO 27001, or PCI, or SOC 2, most of that’s coming from NIST when it’s all said and done. So, like, starting out with NIST, you’re pretty much, in my opinion, and just my opinion, you’re pretty much…it’s, you know, starting at the base level where you’re capturing everything you need if you follow that.
Dr. Berlin: So, Chrisan, I think you’ve seen some more application of NIST frameworks in the private sector, haven’t you?
Dr. Herrod: Yes. I was going to say that just from the clients that I’ve dealt with over the last seven years, those that have adopted ISO, for example, are moving towards NIST, I think because it’s easier to implement. It’s a little bit clearer in terms of what constitutes, you know, the maturity of the control, and NIST has put some, I think, good thought leadership into the entire situation, in terms of our frameworks for security. HIPAA, for example, or PCI… Well, PCI’s a different breed all together, but, for example, HIPAA, if you’re complying with HIPAA and you want to use the NIST framework, then it all dovetails together very nicely, because, as Eric said, most of the controls in HIPAA are covered in NIST. So, if you are NIST-compliant, you’re automatically compliant with a whole lot of other frameworks that some of your business partners might want you to be involved with.
And just so the audience knows, NIST also just released what they’re calling their Zero Trust architecture, which is a road map for organizations when you’re considering your users, your assets, and your resources. So, that’s yet another open source brand new document from NIST that can put, I think, a little boundary around this. And it’s helpful because if you’re looking at it from an enterprise architecture perspective, you’re probably gonna wanna look at that as well.
Dr. Berlin: Great. Well, that’s great input. So, let’s find out how interested the audience is in learning more about these tools, or maybe perhaps another tool, so they can fill in.
Oh, the NIST cybersecurity framework. Excellent. I’d be interested in learning more about what’s motivating people to do that, but that’s good, because the NIST cybersecurity framework is clearly what you need to do to set the risk posture for the enterprise, and that guides the rest of your risk management programs throughout the organization.
So, the budget. Chrisan touched on this, but the question is how much can you afford, and what should you invest in? The rule of thumb is that the cyber hygiene budget runs 5% to 20% of the IT budget. And it was interesting. This relates to the survey that we just saw, because your enterprise risk posture determines exactly how much money you should be spending. I mean, you need to set your priorities. And the mission of your organization, and what’s the most important, you’ve got to rank and prioritize your most important assets and what do you need at a minimum, because that’s what you’re gonna protect first, that’s what you’re gonna allocate your budget first. So, your risk posture and your risk environment are gonna drive the decisions about the budget.
And with respect to a small business, if you’re looking, let’s say, at a 40-person firm, and you’re looking at 5% to 20% of the IT budget, you’re looking at, if you have a $3,000-a-month budget for IT, you’re spending $168 to $600 a month. But again, you’re not gonna cover everything. So, Chrisan, if you’re thinking about a small business, if you could only afford, let’s say, one or two things, what should be at the top of the list for a cyber hygiene program that’s gonna help prevent ransomware attacks, or at least prevent the damage associated with it?
Dr. Herrod: Right. Low cost, high impact. And to me, that’s education, training, and awareness. And it’s not something we’ve touched on yet, but it’s incredibly inexpensive to establish your education, training, and awareness program. And if you can ensure that your employees have knowledge of what a phishing attack is, what damage a spam message can do, for example. For example, 40% of all spam contains ransomware, and that’s an extraordinary number. And so, if you can establish a good training and awareness program, and keep it up to date, and, you know, check your employees’ awareness by, for example, doing a phishing attack. And, you know, there are companies out there that will launch a phishing attack on your behalf, basically, to see how many employees bite on it, right? So, those are some low-cost ways you can really have a high impact in your organization. I think, also, just the basics, right, just implement a patch management system. And if you have a little bit of money left over, you know, make sure, at least from an IT budget perspective, you’ve got really good prevention tools in place, firewalls, IDS, IPS, whatever you can do, to ensure that you can detect ransomware before it actually becomes a problem for you.
Dr. Berlin: Well, where does backup and recovery fit into that list?
Dr. Herrod: Well, in my opinion, that should be part of your overall IT budget, not necessarily part of your cyber hygiene budget, so to speak, but certainly your IT department needs to consider backup and recovery as, I suppose, one of their primary missions.
Dr. Berlin: Got it. Very good. So, in terms of a cost-benefit, if your average cost per breach is $3.9 million, and you’re a small business spending $7,200 a year, your benefit-cost ratio is 444%. That doesn’t even touch the angst you would feel if you got hit with a ransomware attack and were not protected and did not have the backup and recovery in position. So, this goes to show that there is a cost-benefit positive with implementing your cyber hygiene ransomware protection. So, let’s take a look at what might prevent you from expanding or improving your cyber hygiene program.
Dr. Berlin: Thank you very much. That’s great, great feedback.
So, the next steps that you want to take to prevent ransomware today, ransomware attacks today, is, again, you want to assess your cyber hygiene program performance. You want to use open source NIST tools to reduce your costs. And then, if you need to, you need to engage cyber hygiene professionals who will help you with that. I mean, at the very least, as Chrisan was pointing out, security awareness and training programs go a long way at low cost to help you prevent ransomware attacks.
So, that concludes our session. We have some Q&A questions that we have some answers for. Again, just to remind you, if we don’t get to all of your questions, we will email you back with the answers, or if you think of questions afterwards, capture the Cyberexpert1@stacked-up.org and send in your questions via email, and we’ll get responses to you.
Bill asks, “What kind of staff is needed to implement a cyber hygiene program?” Bill, that’s a great question. As we’ve been talking, and as Chrisan and Eric indicated, one of the first steps you need to do is to set your cyber hygiene objectives. And clearly, most everyone here sees the importance of using the NIST cybersecurity framework for establishing that enterprise-wide risk posture. Once you establish those objectives, you set up a plan which will really specify your staffing requirements. You’re either gonna need staff or technical support with NIST CSF and RMF experience, or you may need to go out to outside consultants. Chrisan, would you want to add anything to that?
Dr. Herrod: Other than it’s really based on, I think, the size and scope and scale of your company, too. I mean, I’ve seen companies that have as few as three to five, you know, full-time employees that are basically double duty as IT and security, up to, you know, hundreds of people working in the IT/cybersecurity area. So, I think it really just depends, again, as Victor said, on, you know, how you scope your company’s risk profile, and then, you know, how you can work with the IT department in your company to, you know, maybe maximize the number of people that you can use for security. And I see that a lot now, you know. It’s not just the security department that stands alone. It’s very integrated into other aspects of the business.
Dr. Berlin: Great. Well, here’s an interesting question from Wendy. It says, “What if our competitors do not have a cyber hygiene plan? Their costs are lower, and hence, their profits are higher, or their prices are lower.” Wendy, this is an especially important consideration. You can also look at it another way. You can treat your cyber hygiene program as a differentiator, competitive differentiator. You’re providing increased protection for your customers, so they can be sure they can accomplish their objectives, and this can become part of your marketing messaging. And I think that’s a point that Eric made, and Chrisan made, that, you know, your customers need that protection. They’re moving to supply chain risk management, so you can set yourself apart from your competitors and show that you’re in compliance. Eric, would you want to add anything to that?
Eric: Yeah. I understand it’s a competitive environment out there, but also, you gotta understand and do your due diligence to protect your privacy and the data of your customers and clients. And Chrisan brought up a great point about the third-party situation where you’re sharing information with other folks. Just take the CWT example. There’s a travel organization; I was personally affected by it because they have my personal information because my company travels through them. So, you’re affecting a whole lot of different other companies, not just yourself, by not protecting yourself. And because there are a lot of secret hidden costs when it comes to these breaches. Just think about notifying people, how much it costs just to notify people. You’re not even fixing the problem, just licking the stamps and sending things off, if that’s how you decide to communicate, can be very expensive just from that standpoint. So, there’s a lot of hidden costs as well that you need to be worried about. So, it’s great to have the insurance. It’s best to have the insurance of a nice framework working for you.
Dr. Berlin: Great. Well, thank you. Well, this ends our session today. I want to thank all of you for attending. I want to thank our panelists, who’ve done a great job. We’re here to answer more questions. You can email us, or if you’ve already submitted your question, we’ll get back to you with answers. And we really appreciate the opportunity to help you out. Have a great day.