Your Money...Or Your Data?

A rare, behind-the-scenes look at ransomware and the people whom firms turn to after they’ve been hacked.

NOTE: While this transcript has been reviewed, it may contain errors. Please review the episode audio before quoting from this transcript.

Jill Wiltfong:
Cyberattacks are now the number one concern in the C-suite. Why can't they stop this?

Joe Mann:
It's pretty staggering. This enterprise of criminals is now in the tune of six to seven trillion dollars.

Craig Stephenson:
The pace is frenetic. Risks are at an all-time high.

Jill Wiltfong:
It sounds pretty scary.

Joe Mann:
Billions and billions of dollars of impact, nobody sits well on that decision to pay.

Craig Stephenson:
So, what happens with our clients when something happens to us?

Jill Wiltfong:
I'm excited about this one.

Rupak Bhattacharya:
It was into the small hours, what was technically Saturday morning, but actually it was still Friday night. Earlier that evening, a group of hackers broke into the network of an undisclosed company, gained access to proprietary data, and immediately demanded money in return for it.

They called this a ransomware attack. And it set off a mad scramble at the firm.

Woman:
Hey, what book are you reading?

Rupak Bhattacharya:
It's not a book, it's real life. It actually happened at a company.

Woman:
Really? What happened?

Rupak Bhattacharya:
Well, posing as a company IT manager, an outside negotiator was called in from a cybercrime prevention firm. This one was called Arete, and it's full of former military espionage types. They began negotiating with the hackers and used encrypted messages to discuss the demands back and forth. The two sides went.

Then, after more than eight hours and dozens of messages, the negotiator finally reached a deal. The company would deliver a payment via bitcoin in exchange for the release of the data, or so this negotiator thought.

Woman:
Well, you got me hooked now.

Rupak Bhattacharya:
The hackers came back with one more demand. They wanted an extra 20% payment into a separate account using a different cryptocurrency. And the firm got its data back.

Woman:
These hackers, man, they're really bad dudes.

Rupak Bhattacharya:
You think maybe we should change our usernames and passwords?

Woman:
Which ones?

Rupak Bhattacharya:
All of them?

Jill Wiltfong:
Hi, this is Jill Wiltfong, Chief Marketing Officer for Korn Ferry. And this is Briefings, our deep dive into the world of leadership.

Today we're looking at cybercrimes, specifically ransomware attacks, where hackers extort firms for their data.

According to one watchdog group, there were more than 490 million ransomware cases globally last year, costing companies over $450 million.

Truly, any company's business can be ruined by these hackers, some of whom are organized as well as any S&P firm. It's so bad that one survey found that among all the issues firms have, cyber-attacks are now the number one concern in the C-suite, more than even the economy. But there is hope, and it comes from a select group of so-called cyber-crime prevention firms. These outfits operate in the shadows of ransomware attacks, and we're gonna talk today to one of these very cyber knights in shining armor and hear how it works.

What's at stake behind your money…or your data?

Please welcome Joe Mann, CEO of cybercrime prevention firm Arete Incident Response. He's helped firms out of some major jams, so it's great to have him here to give us a rare glimpse into this seemingly cloak and dagger world of ransomware.

Hi, Joe. Thanks for coming on.

Joe Mann:
Hi, Jill. Thank you for having me.

Jill Wiltfong:
Have you ever met any of these ransomware hackers? What are, what are they like? What's the, what's the profile of these types of people?

Joe Mann:
Most of these people feel as if they're, you know, they're just bringing food home to their family. We kind of create this fantasy idea of who these people are. They used to be hooded in sweatshirts, and they used to be, you know, these evil geniuses. It's not like that anymore. It's, it's very organized and they live in a government that makes it legal for them to do these things and is kind of just a regular job.

Jill Wiltfong:
So, Joe, with so much at stake, why is it so hard to stop them? What's preventing us from being able to really attack this on our side as business leaders? And, and stop this?

Joe Mann:
There's a number of things at play here. One, this industry, if you look at cybercrime, has doubled every year for the last five years to the point where the FBI is now saying that this enterprise or complex of criminals is now in the tune of six to seven trillion dollars, which would make this enterprise of criminals as large as the third largest GDP, just above Japan.

So, when you think of the size and volume that that kind of economic, annual economic gain creates, it's pretty staggering.

Lorenzo Franceschi-Bicchierai (Cybersecurity Writer at Motherboard):
There's also a new kind or new-ish kind of ransomware, which is called ransomware as a service. So, there's like gangs that all they do is write the malware, the ransomware, they don't even do, they don't even hack people and they sell it as a subscription, er, model. You don't even need to know how to write malware.

You can just take somebody else's malware, infect victims, and then pay the creators like 10%, 5%, whatever it is.

Jill Wiltfong:
That's Lorenzo Franceschi-Bicchierai of Motherboard speaking.

So, Joe, did we hear that right? Is there a whole subculture creating malware that criminals can buy?

Joe Mann:
The reason that's driving this is the, the hackers have seen that with increased scrutiny from government agencies, increased law enforcement, where we've seen take downs occur. Why take that risk?

News Anchor:
Are you seeing AI written malware out in the real world now? Or is this just theoretical?

Gil Shwed (CEO of Check Point Software Technologies):
No, no, it's not theoretical. We've seen real malware that was written by AI that exploited these tools and created real attacks. And some of them even quite sophisticated attacks, some of them even used the unknown zero-day risks.

Jill Wiltfong:
That's Check Point Software CEO Gil Shwed on the effect artificial intelligence is having. Joe, first of all, what is this zero-day risk? What does that mean?

Joe Mann:
A zero-day attack is the point at which the, the takedown occurred. So, it's a sophisticated attack that most commercial software today won't be able to block.

Last year we saw a big downturn in the number of attacks here in the US, not in Asia, but here in the US. This year we've seen a big spike upward, and that generative AI and AI-built malware is certainly playing a role in that.

Jill Wiltfong:
Yeah, it sounds like really like the stuff of fiction and I guess if only they were right. Thank you so much for coming on. I've appreciated your time today.

Joe Mann:
Thank you, Jill.

Eric Goldstein (Executive Assistant Director of Cybersecurity & Infrastructure Security Agency):
The first barrier to increasing adoption of cybersecurity best practices is, is ensuring awareness among business management and business leaders, to make sure that when companies are deciding where to invest and which risks to invest in driving down, cybersecurity and the risk of ransomware attacks is seen as a top priority risk.

Jill Wiltfong:
That's Eric Goldstein of the United States Cybersecurity and Infrastructure Security Agency, urging companies to raise their awareness around cybersecurity. But beyond knowing that there's a cyber boogeyman out there willing to steal your data, how can companies protect themselves? We'll find out after the break.

Rupak Bhattacharya:
Hi, I am Rupak Bhattacharya, and welcome to the break. Here's what else is happening in the world of business from Korn Ferry's This Week in Leadership.

CBS News Money Watch:
Now, some companies are offering incentives to those who come into the office more regularly.

Rupak Bhattacharya:
The return to the office debate rages on and is a sign that leaders are switching from the stick to the carrot. A new survey of 400 US CEOs found that fully 90% said they're willing to reward office-based employees with favorable assignments, raises, or promotions.

Vanessa Cheal (Transmission's Head of Brand Strategy):
Many of the CMOs that we work with, or the marketing leaders we have real contact with, have a challenge in convincing their CFO.

Rupak Bhattacharya:
Is there a troubling disconnect in the C-suite? According to the CMO Council, only 22% of CMOs describe themselves as very willing to collaborate with their CFO peers on such critical issues as investments, metrics and goals.

The Wall Street Journal:
A new salary transparency law took effect that requires most employers to provide good faith salary ranges on job posts.

Rupak Bhattacharya:
Multiple US states are now enacting laws, making it mandatory to disclose salary ranges and job postings. However, only 17% of firms have implemented a strategy of pay transparency according to a new survey from Korn Ferry. For more insights on business and leadership, head to kornferry.com/insights. Now, back to Jill and our episode on Your Money…or Your Data.

Jill Wiltfong:
So, we're back and we're talking about cybercrime, your money or your data. I'm now joined by Craig Stephenson, Managing Director of Korn Ferry's North America CIO and CTO practices. Hi Craig.

Craig Stephenson:
Hi, Jill. Nice to see you.

Jill Wiltfong:
Nice to see you too. Craig, give us a little insight into how the world of Chief Information and Chief Technology Officers are feeling about all of this. There has to be huge looming pressures on them.

Craig Stephenson:
Well, Jill, there absolutely is, and I think CIOs and CTOs are at the core of a lot of these discussions. A lot of the pressure that's occurring, and obviously they're locking arms in concert with Chief Information Security Officers. So, all in all, it's a very dynamic space. It's a very dynamic environment. The pace is frenetic. Risks are at an all-time high, a variety of reasons for that. But I think all in all, a lot of technology leaders, CIOs and CTOs and their counterparts, Chief Information Security Officers lose sleep on a rather consistent basis based on the number of threats that are occurring on a daily basis.

John Oliver (Host of Last Week Tonight on HBO):
The thing is, it's not just up to the government to take cybersecurity a lot more seriously. Companies and private individuals have to step up too, and there are some basic things that we should all absolutely be doing here. First, set up multi-factor authentication. Seriously, do it right now. Second, keep your computers up to date, and also don't click on suspicious emails. And I know that those measures sound small when we're facing something so terrifying. But in a world where most people's doors are unlocked and wide open, just locking your door might be something of a deterrent here.

Jill Wiltfong:
That's John Oliver, host of HBO's Last Week Tonight. Craig, we have just heard how sophisticated these cyber villains are. So, are these crime fighting steps that companies take? They, they sound kind of simple.

Craig Stephenson:
Well, I think they're simple in theory, Jill, but I think theoretically and practically they're incredibly challenging. So, you take global enterprises, for example, what's happening here is not necessarily what's happening there. You've got senior level executives with different, you know, potential areas of thought and/or focus or agenda. You've got talent considerations. Do we have the right individuals that are, you know, within the organization? And there's the structure and the culture and the education broadly defined kind of helping shape employee behavior to avoid some of those risks. But I think while all of that happens, new risks are entering the equation.

Jill Wiltfong:
In a survey of board directors from the Wall Street Journal, when asked about their readiness to deal with a cyber crisis, Craig, only three in 10 directors rated their Board as having an advanced or expert level of preparedness. What should Boards be doing differently, if anything, to, to get ready?

Craig Stephenson:
I think in terms of reaction to a ransomware event, oftentimes you're, you're kind of caught by surprise. A lot of firms have not prepared a kind of a response to that crisis management. Just last week, a client called me and said, “So what happens with our clients when something happens to us?” And so, you know, just starting to figure out who's responsible. Obviously, it's a team game. Multiple people are responsible, but we need someone on point who's gonna be running efforts and energy against these events when they actually unfold and occur. But, you know, from a Board perspective, we're making some, some really good progress.

Jill Wiltfong:
Makes sense. So, I think my, my to-do is to change that Jill1234 email password.

Craig Stephenson:
A little too obvious, Jill. A little too obvious.

Jill Wiltfong:
Alright, Craig, thanks. Thanks so much for coming on. Appreciate it.

Craig Stephenson:
Pleasure. Thanks for having us.

Jill Wiltfong:
The Executive Producer of Briefings is Jonathan Dahl.

Today's episode was produced by Rupak Bhattacharya, Chelsea Starks, Nadira Putri, and Teresa Allan, and edited by Jaron Henrie-McCrea. It contains reporting by Russell Pearlman, Arianne Cohen, and Peter Lauria. Our video segment contains original artwork by Frazer Milton, Hayley Kennell, Jonathan Pink and Sasha Kostyuk.

Don't forget to read our magazine, available at newsstands and at kornferry.com/briefings. That's it for Korn Ferry's Briefings.

I'm Jill Wiltfong. We'll see you next time.

Joe Mann

CEO
Arete Incident Response

Dedicated to helping organizations transform the way they prepare for, respond to, and prevent cybercrime.

Craig Stephenson

CIO/CTO Practice Leader
Korn Ferry

A founding member of our Technology Officers Practice. His focus includes identification of talent and large leadership programs to transform and improve functional domains across technology, digital, operations and cyber.
