
Tales From the CyberLab: Episode 3

The State of Ransomware Explained

Understanding the current threat landscape is crucial for bolstering cyber defences.

In episode 3 of “Tales from the CyberLab: The State of Ransomware Explained,” Jon Hope, Senior Technology Evangelist at Sophos, joins CyberLab’s Vendor Alliance Manager, Adam Gleeson, as they discuss:

  • Key findings from Sophos’ “State of Ransomware” Report
  • Industries most vulnerable to ransomware attacks
  • Financial impact of ransomware on businesses
  • Causes of ransomware incidents and strategies for prevention


Meet Our Guest

Jon Hope

Senior Technology Evangelist, Sophos

Since joining Sophos in 2011, Jon has taken on a variety of roles, including Channel Manager, Firewall Specialist, and Sales Engineer.
Currently, as a Senior Technology Evangelist, he leverages his deep passion for cybersecurity to engage audiences as a dynamic speaker, showcasing the cutting-edge technologies and services Sophos provides to safeguard users.

Episode Transcript

Adam Gleeson:

Hello there and welcome to another episode of Tales from the Cyber Lab. In today’s episode, we’re going to be chatting to Jon Hope from Sophos, who joined us on one in the previous series, and I’ll just let Jon take a moment to introduce himself and say what we’re going to be talking about today.

Jon Hope:

Yep. Thanks for the introduction. My name’s Jon Hope, I’m a Senior Sales Engineer and Technology Evangelist here at Sophos. So today we’re going to be talking a bit about the research that we conduct at Sophos, particularly focusing on the State of Ransomware report, but I might bring in a little bit of research from some other sources too.

Adam Gleeson:

Thanks, Jon. It’s good to have you back again. So, we’ll follow the typical format that we do. We’ll talk about what it is that we’re talking about, how you go about doing what we’re talking about, and then why people should be paying attention to this. So, let’s start off with: what is the State of Ransomware report?

Jon Hope:

Okay, so the first and most important thing to understand about the State of Ransomware report is that we use it as a benchmark to understand what’s happening in the threat landscape. So, although it’s commissioned by Sophos, it is actually a vendor-agnostic survey. We use a third-party organisation to conduct the research on our behalf. So, we’re not necessarily talking to our own customers. In fact, we don’t even ask our recipients what their cybersecurity solutions are.

Adam Gleeson:

It’s completely agnostic. There’s no ulterior motive or hidden agendas or anything like that. You’re doing it for the general good.

Jon Hope:

Absolutely, it helps everybody to understand what the state of the landscape looks like. So, the third-party agency that conducts it on our behalf selects 5,000 recipients across the world, from 14 different countries, from organisations of all sizes and from all verticals. So, the intention is that it’s really a good cross-section of the general cyber community.

Adam Gleeson:

And you get a good snapshot of what’s actually going on out there from real people rather than saying, “well, we’ve analysed this, and we’ve come up with that” sort of thing.

Jon Hope:

Precisely that – the whole point is that it’s a barometer for the cybersecurity landscape. So, we want it to be generic and as random as really possible.

Adam Gleeson:

Cool. What kind of information does it include? Is this something that’s generic, not really specific to customers who work in a particular industry or vertical? Is it across all verticals, and are the results actually categorised by vertical?

Jon Hope:

They are. So, we do want to know a bit about the organisation size. We want to know a bit about the vertical that they’re in, but only so that we can group that data back effectively.

So, as well as there being a general State of Ransomware report, which is a report of all the findings, you will, for example, be able to find a State of Ransomware report that is specific to education, let’s say. So that if you are in a particular sector and you want to understand how the world looks specifically for that sector, you can drill down into that.

Adam Gleeson:

That’s obviously really, really, really useful. Does it include stuff like who amongst these different verticals? If you’ve got the ability to differentiate that data, does that then allow you to say, well these people seem to be more likely if they’re an education organisation or if they’re a financial services organisation? Not saying that those ones in particular, I’m not singling anyone out and just picking names at random, but does that allow you to be able to see the level of incidents that are occurring in those different verticals?

Jon Hope:

That’s actually one of the key outputs of the State of Ransomware. When we interview them, one of the first questions that we ask is: in the 12 months running up to the survey, did you experience a ransomware incident, for example? And then obviously we can see, using that, the trends about which sectors are more likely to be hit by cyber criminals, which ones are less likely, and what the overall trend looks like, which I’m happy to explore if you want to know a bit more.

Adam Gleeson:

Okay. So, it is really good that this can be used by people to give them a sort of real-world measuring stick of how much they are in the sights of the cyber criminals at the moment, or whether their industry is a target for that?

Jon Hope:

Absolutely. That, and we also look at, for example, what happens if you were hit by a ransomware attack? Did the data get encrypted? Did you pay the cyber criminals? Did you recover using a backup? How did the cyber criminals start their attack? So, there’s a whole bunch of practical guidance in there as well.

Adam Gleeson:

That’s invaluable information to have. And it’s real-world data as well. I can’t emphasise that enough. Whenever I’ve been looking into doing the research and things in the past, you end up with so many disparate sources of information, and then when you start to bring it all together, you start to notice conflicts in the facts and figures that you thought were quite good, and then all of a sudden it undermines your confidence in them. So, it’s good to have it all in one place, I think. Does it also include the likely cost of incidents? This is something that I’m trying to raise awareness of as part of these podcasts, because customers that I’ve spoken to, it’s less than it was, but I still speak to a large number of people who are quite glib about it. It’s like, “well, I don’t want to invest tens of thousands of pounds in a solution to stop me getting hit with ransomware. If I get hit with ransomware, it’s probably going to cost me less than that.” So, I’m trying to zoom in on that, and the reality of the situation is that that’s completely incorrect, and that’s something I’m trying to raise awareness of.

Jon Hope:

Absolutely. So, we collect a few bits of financial information. We collect, for example, what the ransom demand was. We also, for the first time this year, have actually asked organisations, if they chose to pay the ransom, did they negotiate, and what was the demand versus the ransom they actually paid, which is quite interesting. We also look at, and probably the most important bit of information I guess is, the cost of ransomware recovery. So, we take into account things like reputational damage, loss of business opportunity, cost of downtime, regulatory fines, and we look at what the average cost of a ransomware incident is.

Adam Gleeson:

So, they’re quite difficult. Some of those things that you just touched upon there, they’re not insignificant. The value of them is not insignificant, but they’re intangible. It’s very difficult to put a value on what the loss of reputation or reputational damage from having a cyber incident is.

Jon Hope:

Indeed. But these are critical factors in the cost of a ransomware incident. So we will do our best. They aren’t intangible, but we do our best to quantify that number.

Adam Gleeson:

Well, yeah, I would imagine with the data set that you’ve got, you’re able to look at it with a bit more detail. Well, alright, that’s brilliant. So, let’s move on to how you actually go about creating it. So, you already mentioned that this is conducted on behalf of Sophos, so it’s not something where Sophos goes out and says, “Hey customers, I want to hear just from my customers”. So, do you want to tell us a little bit more about the company that conducts this on your behalf, just for the people at home?

Jon Hope:

Absolutely. So Vanson Bourne, a well-known market research analyst company, this is what they do. So, this is why we go to them. For one, they’re independent, but also, they have plenty of experience in doing so. They use our own methodology to select the audience and then to conduct a survey, which we then receive the information from. So, what we get back from them is a questionnaire that includes size of organisation, country, vertical, and then answers to all the questions, about “did you experience an incident, did the data get encrypted?”, so on and so forth. And then it’s our job to piece it all together and then to start to extract trends and understand in more detail what the data is actually telling us.

Adam Gleeson:

And you touched upon something that I just kind of want to reinforce. It’s independent. So, it’s not often that you’ll see a vendor who is in a competitive market doing something independently that’s not just for their benefit, but is really for the benefit of all. I kind of think that that’s quite special personally, and it’s one of the things that makes Sophos stand out in my mind, that it’s almost a bit selfless, it’s altruistic almost. But yeah, and it’s all about the data. That’s the important thing. It’s not about customer names or customers and things like that. It’s about getting this data so that we can then use that to combat this growing threat, which, as we’ll touch on in a bit, is still getting worse. As fast as they develop countermeasures, the attackers change their attack. And I did hear at InfoSec this year that someone said that it’s the old cat and mouse game of the attackers versus the defenders, and with the advent of generative AI and stuff like that, the attackers are actually better at it than the defenders and it’s potentially a losing battle. But I think that’s the case at any given stage, because it’s a constant cat and mouse game.

Jon Hope:

I certainly hope that’s not the case, but the reality is that it is effectively an arms race here, that’s absolutely true. If you want to understand a bit more about some of the cyber-criminal techniques and tactics, it’s probably worth also referencing other studies and surveys that we produce as well, which is the Active Adversary report.

So, whilst the State of Ransomware report is produced annually, the Active Adversary report, which we do once every quarter, is actually more first-hand evidence from Sophos, right? So, our products feed information back to us on the types of attacks that they’ve seen and how they’ve been blocked. We also operate an incident response service. So that is a service whereby victims of cyber crime contact us, and we work actively to resolve that issue, so we can understand a bit more about the path that a cyber-criminal might take to a mobilisation if they’re not initially stopped. And we also support, through our managed detection and response service, now in excess of 22,000 organisations worldwide. So, we’re getting all that telemetry from their network, understanding exactly what’s going on. Of course, that gives us lots of information about the kind of techniques and the speed that cyber criminals operate at. So that’s not so much a survey, more first-hand evidence, but the two data sets are actually quite complementary. Certainly, when I spend time doing presentations, I will often blend bits of information from both.

Adam Gleeson:

I can imagine that that’s quite a powerful message to take with those two separate pieces of information. But then when you bring them together, and especially in a forum that you are presenting at, it just makes it real. It makes it a bit more realistic and relevant. Okay. So, this is something that we do annually, isn’t it? Or that Sophos is doing annually?

Jon Hope:

The State of Ransomware report?

Adam Gleeson:

And then you present that in various forums. I’ve seen you doing it in person, but I’ve seen you do it in webinars and stuff like that, or at events or exhibitions as well.

Jon Hope:

So exactly that. The data set can be used in a whole category of different ways. So, I very much use it at the core of many of my presentations. The white paper is also available in its raw format for organisations to read. Then we also do webinars as well, which help to present it. It’s one thing to look at the data, but sometimes it requires a little bit of commentary around that data to play into.

Adam Gleeson:

I know it can be over-awing a little bit when you look at it, like “I don’t quite know how to interpret this for me personally and how this is going to affect my business”. Okay. So, I think we’re kind of wandering into the final section, which is why people should go and read this. And I think we could probably sit here and talk about this for a long time, but let’s see how we go and whether we run out of time. So, the first thing is, it’s providing invaluable insight into how attacks happen, certainly with the Active Adversary report that you just touched upon there. I think those two together are going to really give people an appreciation of what is the threat that we’re actually looking at. How is this going to develop? Where are the likely attack vectors going to come from?

Jon Hope:

Absolutely, yes. So, I mean for one, give it a read because it’s genuinely interesting. If you’re in the cyber field, it is a genuinely interesting document to read, but beyond the general interest, there is a whole heap of practical guidance that comes from that. If you can understand how likely your sector is to be targeted, for example, you can put an estimation on how much of a budget you should allocate to cyber security. For example, if you are in a position, an unfortunate position, which I hope nobody’s ever in, but if you’re in a position of being asked for a ransom demand and you’ve already become a victim, you can make an informed decision about how likely you are to get the data back and in what format it comes back.

Adam Gleeson:

That’s important, isn’t it? Because a lot of people take it as read that “I’ll just pay the ransom and it’ll be as simple as that.”

Jon Hope:

It really isn’t, unfortunately. Yes, it is not. I would say it’s not good practice to pay the ransom demands anyway, because you are effectively perpetuating the problem…

Adam Gleeson:

…You’re encouraging it!

Jon Hope:

Yeah, exactly that. But it’s easy for me to say in a nice cosy office; if, however, my network’s in flames, the conversation would be different. But at least you can go in with a full understanding of what’s likely to be resolved by paying that ransom off. But then I guess, winding it up, a little more importantly, if we can understand the root causes of attacks, then it helps us to focus our defensive efforts. So, one of the things from the Active Adversary report, for example, is we see that 32% of attacks, the most common form of attack, actually involve an exploited vulnerability.

Adam Gleeson:

Which is a known problem. It is, it’s a known issue that if you are patching, then those attacks were all avoidable.

Jon Hope:

Exactly that. So, we know that we should, maybe it’s an empirical value that tells us we should be looking more at patching. It might help justify, for example, the adoption of something like the Sophos Managed Risk service that helps you to identify the most critical vulnerabilities. So again, it’s informing that thinking by looking at what the attack vectors are and the most effective ways to prevent them.

Adam Gleeson:

I think it comes back to that old adage that ‘information is power’, and it really is in this day and age, certainly around cybersecurity. Understanding the threats that you’re facing, which are changing daily, if not hourly, is a significant challenge, and you’re never going to get a hundred percent there! But if you can get something like 95%, you’ve got an idea about the vast majority of stuff that’s out there, and that’s obviously a good thing, right?

Jon Hope:

Absolutely. And certainly, one of the things that we’re observing is a massive increase in the quantity of attacks that are delivered by human operatives. And what that is telling us as an industry is that technology on its own probably isn’t enough to stop most attacks.

Adam Gleeson:

Because that’s a change, isn’t it? Because that had started to drop off. Humans were still in there, but the way it got commoditised was that a lot of it was being automated and whatnot.

Jon Hope:

That’s correct. But the cybersecurity community has responded with lots of great technology. Things like artificial intelligence are very good at blocking attacks, because cybercriminals are not typically great innovators; they will take somebody else’s attack vector or approach and just tweak it.

Adam Gleeson:

If it ain’t broke don’t fix it!

Jon Hope:

Exactly! So, AI works really well for that. But where AI falls down is that humans are inherently unpredictable. They have a tendency to try different tools, different techniques.

Adam Gleeson:

It’s an art form. It’s very much an art form. I’ve seen it from the pen testing side of things, and it very much is. There’s any number of different ways to achieve exactly the same goal, and some of them are quite different from what you might think on approach, that sort of thing.

Jon Hope:

Exactly. And that’s why we ask a human analyst to look at things like XDR dashboards. If an organisation is going to conduct human threat hunting internally, then using things like XDR dashboards and looking at the telemetry data to spot the trends that tell us something is going wrong, or it’s also a great reason why organisations adopt managed detection and response and then have third-party analysts, like the team at Sophos, looking at it.

Adam Gleeson:

I’m just going to touch upon it, because there’s some good news around the Sophos MDR service, just because it’s something that I think is really cool. If I was in my own IT department, then it’s something that I would definitely be looking at, just because it’s going to give me the peace of mind that I can sleep at night without worrying someone’s doing something. But MDR is now rated fairly high. Was it in the Gartner Magic Quadrant that it is rated top right?

Jon Hope:

Yes, indeed. So, I think you’re referring to the G2, which is the Peer Insights. Yeah, so the Peer Insights, I like to call it the ‘Tripadvisor of cyber security’.

Adam Gleeson:

I prefer Peer Insights over the Gartner Magic Quadrant any day, because it’s based on the ‘techies’ who are out there actually reviewing it and giving an honest opinion.

Jon Hope:

Exactly that. And we’ve got that double accolade of being the highest reviewed and also the most frequently reviewed as well, so that’s a great combination. We also recently secured ‘Computing’s best cybersecurity service’ as well. So that’s another great accolade to add to the list.

Adam Gleeson:

It just keeps getting better, doesn’t it?

Jon Hope:

Indeed, it does. It keeps getting better in lots of different ways as well. So, our teams are working really hard on the integrations that we have. The MDR service is not just about monitoring telemetry from our own products, for example, but we’re also taking feeds from Microsoft and other cybersecurity vendors, and even vendors from things like the backup and recovery space, so that we get a full view of what an organisation is experiencing. Take backup and recovery, for example. So, 94% of attacks involved a cyber attacker going after a backup. It’s usually the first thing they do. So, it’s like the canary in the coal mine.

Adam Gleeson:

It’s the get-out-of-jail card, isn’t it? That’s the only true or real get-out-of-jail card that you’ve got in defending against ransomware, that if you’ve got good local backups that are being taken reliably every day, then you can just blat everything. You’re going to have to take things down for a while, but you’re already down. But it means you can get back up and running very quickly if you’ve invested in a good backup solution.

Jon Hope:

It does, absolutely. And the cybercriminals know that, which is why they will often go after the backups, and sometimes in slightly unusual ways. So, the logical thing is obviously deleting the backup, but sometimes cybercriminals will steal the admin credentials and then change the passwords. So, the organisation is locked out of their own backups; even though they’re there, they’re unusable. So, all those things are case-creating events that allow us to start an investigation. We can tell very quickly that an organisation’s about to have a problem, because the backup is typically the first thing cybercriminals have gone after.

Adam Gleeson:

It’s interesting, I hadn’t heard that. Anyway, we’re not supposed to be plugging Sophos MDR! No, no, it’s not your fault, I steered you onto it. So, let’s go back to why people should be looking at this ransomware report, the State of Ransomware Report, and we touched upon this earlier, but understanding the risk to your sector. Cyber risk management is without doubt one of the big things people are going to talk about this year and next year. Because people have been aware of it for a while, but it’s now that people are starting to be like, hang on, it’s not just the risk that the network breaks or something like that, there’s a multitude of different things, some of which are fairly benign and you don’t really need to worry about them, but some of them are really complex and you need to be seriously thinking about “how do we mitigate against this?”.

And backup being one of the obvious ones, to still mitigate against ransomware, but being able to build a business case to get the investment to start doing that, because this stuff can be quite time consuming, or you might not have the skills in-house to do it. So, the ransomware report, the State of Ransomware report, can really help to build that business case, because if you are in one of the sectors that is empirically showing that attacks against this type of customer are on the increase, that’s something that’s going to be really useful to help you build your business case, isn’t it?

Jon Hope:

Absolutely it is. Yeah. And coming on to managing risk in that aspect, it becomes more relevant in some sectors than others. So, the sector which is typically attacked most with an exploited vulnerability would be energy, oil, gas, utilities. But you can kind of rationalise that, because that sector would typically be relying on legacy systems that they probably can’t update for other operational reasons. But then you look down to education, they’re the next most likely, and education are typically unsuccessful at maintaining a secure estate because they simply don’t have the time to be able to carry out patching. So that would lead you towards looking at some sort of vulnerability service that then tells you, as an administrator, rather than just giving you a laundry list of things that need patching, what has actually been exploited, which the high-impact vulnerabilities are.

Adam Gleeson:

Where should you focus to make sure that you’re getting the biggest bang for your buck?

Jon Hope:

Exactly.

Adam Gleeson:

And that kind of brings us to talking around cost and stuff like that. Again, the State of Ransomware report, with the fact that you’ve identified by sector and by customer size, the information that it’s got in there around typical costs of ransomware incidents. Again, this is something that’s really useful to build business cases to say, look, we really need to be doing this. The cost isn’t just a couple of grand to pay the ransom, it’s all of this other stuff. And we are looking at a solution for 15,000 pounds, for example, and we say paying the ransom will be 5,000 pounds. This will give you, again, that empirical data to just say, hang on a second, we need to change our perception of this, because it’s not just as cut and dried as “we pay that, and everything will go back to normal”. There’s massive damage that would’ve been done, both internally and externally.

Jon Hope:

Absolutely, yeah. And we give you a shortcut to those statistics. So, as I said, in most sectors there is a State of Ransomware Report specifically for that sector. So, you can look at that and see what the cost is and what the common attack vector is in my sector. So, we get you to the good stuff that’s most relevant to you.

Adam Gleeson:

Right. Well, that’s about all we’ve got time for today. Jon, thank you so much for coming in. Again, it’s always a pleasure. I know how busy you are, so I really appreciate you taking the time out. As I mentioned, there are links to the State of Ransomware reports as well as the Active Adversary reports. You can find them all below. I don’t know why I’m doing this, but that’s what I see people on YouTube doing. So, you can click on those down below, and if you’ve got any questions, reach out to CyberLab through our website or to your account manager.

Stay secure.