Explore the insights into the cost of ransomware and how you can protect your business from ransomware attacks

Tales From the CyberLab: Episode 4

The True Cost of Ransomware Explained

The true cost of ransomware shouldn’t be seen as the ransom payment itself, but rather as the investment required to build robust cyber defences for your organisation.

In episode 4 of “Tales from the CyberLab: The True Cost of Ransomware Explained,” Jarad Carleton, Global Research Director of Cyber Security at Frost & Sullivan, joins CyberLab’s Vendor Alliance Manager Adam Gleeson as they discuss:

  • The cyber threats that are keeping CISOs awake at night.
  • The experience and repercussions of falling victim to a ransomware attack.
  • The tangible and hidden costs associated with ransomware incidents.
  • Effective strategies to bolster cyber defences and mitigate risks.

Meet Our Guest

Jarad Carleton
Global Research Director, Cyber Security

Jarad’s career at Frost & Sullivan spans 24+ years in the USA and Europe. He spent 14 years in Frost & Sullivan’s growth consulting practice and 10+ years in the research practice. During his tenure at Frost & Sullivan, he has worked on numerous strategic projects for international clients of all sizes in North America, Europe, and Asia, in areas including managed security services, professional security services, mobile threat defence, digital risk protection, digital trust, IoT security and privacy, encrypted voice and text messaging, breach and attack simulation (BAS), vulnerability management, IT/OT security convergence, fraud detection and prevention. His work on security, privacy, and technology issues helps inform legislators, educate regulatory bodies, and enable CXOs in the private sector to make educated decisions to shift the direction of their business and improve revenue growth.

Episode Transcript

Adam Gleeson:

Hello and welcome to another episode of Tales from the CyberLab. In this episode, I’m joined by Jarad Carleton from Frost and Sullivan. Jarad, would you like to go ahead and introduce yourself?

Jarad Carleton:

Sure. Hi everyone. I am the global research director for the cyber security programme at Frost and Sullivan, leading a team of analysts in North America, South America, Europe, Indian Subcontinent, and Asia Pacific. Great to be here.

Adam Gleeson:

Cool. Thank you very much. So I think before we start, let’s just first of all cover off the reason we’re here is to talk around the true cost of ransomware. And this is something that I’ve mentioned in many of my podcasts – that it’s often underestimated. And I think businesses often sort of  on the side of, maybe throw caution to the wind a little bit. And it’s sort of like, well, are we going to get hit? We’ll run the risk. Rather than making a big investment in cyber security now we’ll run the risk and if the worst happens, we’ll just pay it and deal with it as it comes. And I think it’s an important thing to note that if you want to take that approach, that’s fine, but just make sure that you’re fully aware of what it is you’re getting into. And that’s really what we’re going to be talking about here today. So first of all, could you tell us a little bit about Frost and Sullivan, just to give us a little bit of background to the people watching?

Jarad Carleton:

Yeah, you betcha. We are a global market research consultancy in a lot of the major cities around the world. We do more than just security and well broader security and cyber security specifically. We also look at things like healthcare, automotive, manufacturing, chemicals, materials and foods. But for my 24 plus year career here, I’ve always been focused on information and communication technologies and then over several years focused specifically on security.

Adam Gleeson:

I think that’s a similar path that we all end up in cyber security. We’ve all come from lots of different places and we end up in the cyber security field. So one of the things that caught my attention was I watched you speak at InfoSec this year and really, really great session, which I sort of fed back to you at the time and I said it’d be really great if we could get you onto the podcast that we do at Cyber. So one of the things that we were discussing at InfoSec was the voice of the enterprise customer survey that you guys do. Could you tell us a little bit more about that?

Jarad Carleton:

Right, so in a nutshell, that particular bit of research, it’s a statistical survey across seven nations, United States, Brazil, the UK, France, Germany, Australia, and Japan. And we also looked at six different industries. We looked at manufacturing, healthcare, financial services, utilities and government. And we did it last year because as the surveys go, the needle doesn’t really move significantly from one 12 month period to another. It usually moves over a 24 month period. And we know this from a lot of the work that we used to do with (ISC)² on their information security workforce stuff.

Adam Gleeson:

Cool, thank you very much. So I think you’ve kind of talked around what the scope of it is and the types of people that we’re going to be talking or you have been talking to, what are the outputs of this? What are the key deliverables that the report aims to provide to the readers?

Jarad Carleton:

Essentially what we’re doing is we’ve polled a lot of senior level executives, CISOs, if they don’t have that defined role VPs or directors, what is causing them a little bit of heartburn, so to speak, or what are they thinking that they need to prepare for in the coming years? And the output of all of this has been several different things. We have static deliverables where we’ve performed analysis around cloud security. We’ve performed some analysis around what’s happening specific to Europe, different themes that we kind of take out of this study. And then we have put all of it into a highly interactive portal where our customers are able to go and filter and say, I want to know what only C level and VP level execs are saying specific to what’s going on in the UK, for example versus Germany. So you can see that kind of delta between the executives in those two parts of the world.

Adam Gleeson:

And I think that that’s one of the reasons that I thought this was particularly pertinent because one of the messages in my podcast I’ve been trying to get across is that cyber security is not just an IT issue, it’s an entire business issue, but it really needs to be driven from the top down. If the guys at the top don’t understand or comprehend or appreciate the level of risk that cyber issues can now present to a business, then the buy-in isn’t there. And it’s only when the worst comes to the worst and something bad happens that all of a sudden this stuff starts to solidify and become tangible and it’s like, oh, now we’re faced with this problem. So let’s just focus initially. So you’ve been talking to CISOs across organisations across Europe and that’s across all the European countries, not just in the UK. What are the three top concerns for European CISOs?

Jarad Carleton:

That’s a darn good question. Interestingly, the top three concerns are targeted phishing or spear phishing, ransomware and identity theft. And when you look at those three things, the one red that goes through all of them is they’re all related. Usually ransomware starts with targeted phishing and then they get a foothold in the network and they do some lateral movement until they move upwards and get super user credentials before they flip the switch. For ransomware, they do a lot of data exfiltration, which then leads to the identity theft portion.

Adam Gleeson:

I think you hit the nail on the head really they’re all that part and parcel of the same problem. They’re typically intrinsically linked. That one leads to another or one is almost a side effect or a direct result of the other.

Jarad Carleton:

It’s of the whole same criminal business plan. It’s a three tier business plan, so to speak.

Adam Gleeson:

Yeah, it never ceases to amaze me just how organised this all is now on the dark side of things. Now I think there was something else that we were talking about that I found quite interesting. I don’t want to spend too long on it because it’s more of something that I find quite interesting, but the top three trends that are driving European CISOs are not exactly the same as the top trends that are driving the guys over in, I’m going to use the states, you’re American, so I’m going to use the states as a prime example. Just sort of quick summarise what the differences are.

Jarad Carleton:

Yeah, the interesting thing is when we take a look at the top concerns over the US, they’re completely different. When you compare apples to apples in this list of the top three for Europe, ransomware in the United States is actually fifth place and targeted phishing is seventh, whereas identity theft is third. And it’s interesting because targeted phishing really should be up near to the top because that’s really where all of this starts, but they’ve let it fall that far. I’m not exactly certain why, but I do have some thoughts around why ransomware is fifth and identity theft is third, ransomware being fifth. Part of it is that American businesses and the public are getting a bit desensitised. A lot of these attacks happen all the time. I’ve been in Austria for 10 years and these kinds of attacks with at companies and their data were happening well before I immigrated.

But one of the things that was really rising up to the top of everyone’s consciousness in the United States at that time when I left over 10 years ago was identity theft. And you can see it’s still up there. And that’s really because of the pain that it causes for private citizens like you and me and the implications that it has on your ability to get credits, your ability to do a variety of things digitally after people have stolen your identity. So that’s why that’s still floating up at the top because it’s pain that a lot of people have experienced. In fact, before I left the United States, they even had insurance plans that you could get with your homeowner’s insurance that would help you to go through all the processes of getting your identity back after it had been digitally stolen.

Adam Gleeson:

And I think that’s quite interesting because it’s not typically something that we talk about. It’s obviously a direct implication of personal information being breached, which obviously with GDPR and stuff like that. And I think that’s perhaps an interesting thing to touch upon in whereas we have GDPR in Europe, the state’s digital trust has been around is probably a lot more mature than it is in Europe. And that kind of follows through to then some of the supply chain vulnerabilities and supply chain attacks and stuff like that. That was when I first read those statistics, that was my initial thought. Is it because they feel like they’ve got their supply chain security tight enough that the ransomware, they see the threat from ransomware as being much diminished, but it’s obviously the scale of the problem as well. There’s a lot more people in the US than anywhere else. So identity theft is probably a significant problem over there compared to us. So moving on now to the hidden cost of ransomware instance, and I’ve sort of alluded to these and touched upon these things around previous podcasts. The ransomware itself is not, that does not make up most of the cost, does it? The cost of paying a ransom.

Jarad Carleton:

It doesn’t. That’s just one bit of it. Also there is the aspect of let’s say you pay the ransom and you get your data decrypted and returned. You also have the issue of they’ve exfiltrated data. Do you believe someone in organised crime when they say, “trust me, I’m going to give you what I stole from you back.” No, it’s a two tier revenue model!

Adam Gleeson:

Not when they can just copy it. Why would they do that?

Jarad Carleton:

Exactly it. It’s a two-tier revenue model. And this is what we’ve seen repeatedly is companies will go and pay to have the data decrypted. They’ll say, you’re safe, we’re not going to sell this. But it does end up on the dark web for sale. And then you’ve got to go back to your infrastructure. You have to figure out what happens. So there’s some digital forensics involved there at a lot of time and you have to find out how they actually got that foothold in your network and then you need to figure out where you need to go and make adjustments to increase your security posture so that you can prevent this from occurring again and again, because once they got you, you’re still viewed as potentially low hanging fruit. It maybe not from the same criminal gang, but these others-

Adam Gleeson:

Others are going to jump on it before we implement. But all of this stuff, this time that you’re spending doing this stuff, this is before you’ve even gone and actually purchased anything that’s actually going to bolster your security. It’s all costing you money. And certainly with GDPR, you have to do all of this stuff to be able to accurately provide details-

Jarad Carleton:

-within 72 hours.

And that’s the key thing because of GDPR, when something like this happens, you have to notify the data protection authority in the country of concern. And you have to do that within 72 hours. And it’s not just saying, Hey, we’ve had a ransomware attack and a data breach. It’s saying this has happened. Here’s what has happened and here’s what we’re doing about it. They want you to lay it out. They’re not willing to wait two, three months for you to figure this out. Which is why having these plans in place for what happens after an attack are critical, but also why it’s important that you have certain technology in place that can help you to not only understand where your security weak spots are or the chinks in your security armour are, but also so that you can use some of this information to respond appropriately to the data protection authority.

Adam Gleeson:

Alright, so let’s move on. There was an interesting conversation that we had and I thought it was worth us just briefly touching upon it. One of the things that we always recommended in one of my earlier podcasts with Eric from Marsh, we were talking around cyber insurance and how it’s really, why would you not do it really to provide you that sort of safety net to cover you? However, there are instances where the cyber insurance wasn’t worth it. And this was something that I found quite interesting because I think it’s something to be aware of and it highlighted that when it’s another thing to be watching for with cyber insurance when you’re taking out cyber insurance policies is that you understand what the potential risks and the financial impact of your business is. So could we talk a little bit about that?

Jarad Carleton:

Yeah, I know exactly what you’re talking about here.

Adam Gleeson:

What scenario cyber insurance not worth it?

Jarad Carleton:

Well, let me start with this caveat. If you’re in a regulated industry that requires cyber insurance, what I’m about to say is not for you.

Adam Gleeson:

Yes. And I’d also like to caveat that I’m not for a second suggesting that not having cyber insurance is okay.

Jarad Carleton:

And neither am I, but I do have this observation. And the observation is we had a really high-profile ransomware attack and data breach and happened against Norsk Hydro. They’re up in Norway. They are involved in every different step of the aluminium manufacturing process. And when they got hit with ransomware, it immediately put 30,000 employees globally at a standstill. They had to pull old manuals out of long-term storage. They had to beg and plead to get some retired employees that knew how to operate the machinery without the aid of computers out of retirement to help some of the younger generation so they could get back up to speed and running because they had no intention of paying that ransom. After it was all said and done, they went and they rebuilt their infrastructure, got everything back up and running, the total cost, and they tracked everything step by step. The total cost was approximately 70 million. That’s seven zero million dollars. The insurance payout was 3 million. With a differential like that, that’s not even including did any of their suppliers go after them legally? And were there legal bills for that? You have to look at this and say, was that cyber insurance policy worth it? Did they get what they needed out of it? And the other thing, when we’re talking about cyber insurance, it’s not like you can just go down to your insurance broker and get a policy these days. The insurance companies, because they are a business, they want to know that you have taken steps to reduce risk in your organisation.

Sometimes they won’t even issue the policies unless that security audit comes back and says they fall within the risk zone that we’re looking for. You may be at the top of the risk zone, which gets you a higher premium or the bottom of the risk zone, which gives you a slightly lower one. But they’re turning people away when they haven’t got their security infrastructure sufficiently in place.

Adam Gleeson:

So I think that that’s an extreme example, and I doubt that that is indicative of many insurance policies that are out there. But again, it does highlight the need to be paying attention to what the actual cost looks like to your organisation so that you can make an informed decision when you’re taking out your cyber insurance policy. Is this actually going to be of use to me or are my costs actually going to spiral way higher than this? And this particular policy is only going to fix part of the problem. So again, not suggesting that you shouldn’t do cyber insurance. I think that that’s a very sensible thing that everyone should be doing, but it does mean that there’s a bigger picture to consider. It’s not just a case of can I get cyber insurance and what hoops do I need to jump through to do that, that there is a piece that needs to be done to make sure that the policy is going to be right for you. And this kind of follows onto, again, the message that I keep repeating, that the cost of cyber insurance or the cost, sorry, the cost of cyber incidents specifically those caused by ransomware attacks is continually underestimated.

Jarad Carleton:

It absolutely is. Yes. When we take a look at some of these instances where cost of a ransomware attack has been estimated to be something that’s eye-popping, some kind of a figure, you say, well, wait a minute. It couldn’t have cost them that much to rebuild their infrastructure. And my response is, yeah, you’re right. It didn’t, but while their systems were down two weeks, three weeks, depending on what kind of technology you had to protect you in these kinds of instances to roll back to a clean copy of everything you were using. There’s also the cost of lost sales because if everything is encrypted, you’re not getting into your CRM because all the laptops and computers in the organisation are basically paperweights.

And then there’s also the issue of sometimes your suppliers that you’re doing business with, their data may have been exfiltrated payment data, all kinds of different bank details that could lead to lawsuits that you have to deal with. Whether or not you lose them or not is entirely beside the point. You’re going to incur legal fees to defend yourself. It doesn’t always happen that way. There’s things that you can do to prevent that type of legal outcome, but it does frequently happen. And then there’s also the brand erosion loss of digital trust. People like you and me, we’re doing business with a company in the end, you’ve got business to business business with the suppliers, but then maybe they’re also selling to consumers, private citizens like you and me, and what do we think if we’re doing business with a company, they’ve been hit by ransomware and then we get that notice that some of our personal data has been exfiltrated including credit card numbers, addresses, et cetera. Well, we’re probably not going to go back to that company again. So that’s higher customer churn and then the revenue goes down and it’s not just kind of a blip in a certain earnings quarter or fiscal year. We’ve done research around digital trust that has shown that the impact on these brands goes out two and three years impacting their revenue.

Adam Gleeson:

Oh, it does. I mean, undoubtedly even there’s some of the big named software vendors that have had breaches over probably over the last five years, and there’s still a stigma when their names crop up that you think, oh no, I’m not really favouring going with that organisation. But I think that that may start to change because I think as time goes on, it will be the case of, it won’t necessarily be, these organisations haven’t been breached and these ones have been breached. I think it will be these ones have been breached and these ones haven’t been breached yet. And that stigma that at the moment is like, “oh, they were breached, they’ve had some kind of data leakage or they’ve had some kind of cyber incident that have affected lots of people.” I think that will start to change to more, I’m not going to touch on that organisation because they had a breach and they didn’t handle it very well.

Opposed to where other organisations, and you’re going to start to not so much, look, they’ve had a breach. I don’t want to touch them. It’s going to be a case of, well, everyone’s had a breach pretty much. It’s very difficult to find someone that hasn’t.

But this organisation over here really had their act together and they did everything. I mean, I’ve had personal experience of this myself with a big password management organisation that I use personal in my personal life and knowing the steps that should be followed and the openness and all of that sort of stuff, this organisation did it right. And as a consequence, I was one of the fortunate few that wasn’t really affected by it. But as a consequence, I haven’t really thought about going anywhere else because I was like, well, I like the solution as it is. They’ve suffered this incident, which can happen to anyone. Sometimes it can, it wasn’t. But they’ve been really upfront about what the impact of it was. They were really upfront with the customers around when they did that after action remediation and investigation that you talked about earlier. They provided all the details of that as well as the details of that.

And this is why this can never happen again because we’ve put stuff in place to prevent it, as well as all of the other preventative measures that they’ve put in place. Which also kind of brings me on to another point that I’ve seen myself in interaction with customers probably over the last six or seven years is that I’ve now come across literally dozens of customers who have had ransomware that’s impacted them. Most of them were customers that I had spoken to about one cyber security solution or another that I said, this is an area of weakness for you. You should really bolster this. And unequivocally, all of those customers that I’ve spoken to after they were hit by ransomware and they suffered this outage and all of the rest of it that goes along with it, they invested in cyber security products to stop it from happening again, because once they understood the potential risk and the potential cost of the cyber security incident or ransomware in particular, they then realised that actually the cost of that happening again is fairly large compared to the cost of me investing in some solutions that are going to really give me robust cyber security.

Jarad Carleton:

This is a really good point, and it taps into a message that’s being sent not only by Frost and Sullivan, but also by the European Union Agency for Cybersecurity (ENISA) that’s based down in Athens as part of the EU. They’ve been talking about it. We’ve been talking about it, Frost and Sullivan, for years. Security, it should not be viewed as a cost centre for modern businesses unless you’re out on a street corner selling sausages out of a stand. Having security for the data in your business, it’s really become a business enabler. It enables you to continue moving forward with your customers to continue our new revenue. And yeah, things happen. There always has been this human side of security, which is why awareness training and human security management is important to lift this all up in our own minds about the things that we should be looking for.

Even when we’re having a tough day, we’re moving quickly, we’re just trying to get our job done, and then oops, we click on something and that’s all it takes. Because even the best email security so easily gets through sometimes. And so yeah, everyone is eventually going to unfortunately have to deal with this, but in the end, it doesn’t have to be a horrible business stopping kind of experience. There are different technologies that can prepare you to recover from this far faster. And like you said, it really is a big part of this is how you respond. Do you get in front of it quickly and do you help your customers understand what happened and what’s being done? Or are you trying to duck, cover and hide? Those who duck, cover and hide, they’re the ones that are getting themselves into a lot of hot water and it really angers their suppliers and their customers and it impacts their revenues in a negative way.

Adam Gleeson:

I’m going to throw some figures out there and then we’ll try and make them a little bit more realistic. So in the US, the average cost of ransomware is estimated at $9.36 million. Now for the UK, that drops to £3.4 million, but these are probably fairly large organisations, and this stuff came from an IBM security report that came out last month.

Now looking at something, the NCSC is a wealth of information there. This is the UK National Centre for Cyber Security. They estimate that for SME customers, which is really that they’re the people that I’m trying to get this message across to because a lot of the time they don’t have knowledge or the awareness in house. They’re very busy doing what they do and they don’t necessarily have time to stop and look at this stuff. But the ransomware costs alone run between £4,500 for these organisations all the way up to £40,000. And what I think in a Sophos podcast that I did, I recorded a couple of weeks back, we talked around that and how these ransoms are steadily increasing. So the ransomware gangs are increasing it all the time. Now that £4,500 to 40,000 is really just talking about what the bad guys are asking the company for.

So that doesn’t include any of the intangible costs, which are the ones that are actually going to be doing damages, or reputational damage to your organisation. It could cause customer churn because customers lose faith or it’s like, I don’t want any part of working with these guys, I need people I can trust. Again, unfair as that may be, some people will feel that way, and downtime and stuff like that because obviously the ability of your business to transact business, there’s only so much of that that you can do where you are not doing your day-to-day. Everyone has cash, right?

Jarad Carleton:

Absolutely. If you go back to an old, a really old ransomware case, Sony Pictures, do you remember what happened after they were hit? It was in all the newspapers, their employees went back to pencil and paper until they could get their systems back online. And so yeah, it’s not just the salespeople that can’t close deals. It’s literally everybody that’s been kind of digitally blown back into the stone age.

Adam Gleeson:

But really, the message that I want people to go away from this is that they need to understand their actual risk to their businesses, and I do mean their business in particular. Every business is different. There are nuances. There are areas that are unique to that particular organisation and understand what the representative costs are of not doing anything. So think about if you pay the ransom, that’s not going to guarantee that you’re going to get back to a full operational standard, first of all, and I think some people think that it is, and it’s a very high risk way of doing it, plus you are just perpetuating the problem because you are effectively encouraging the ransomware threat actors. But you need to think about the worst case. What would be the impact to your business if all of a sudden everything was switched off today?

So think about how, start to think about how that’s going to actually affect your business and try to, it’s not easy to do, but try to put some kind of figures. You’re not going to have any new business coming through any renewals or things like that. You’re not going to be able to process any of the invoices and purchase orders that are currently in flight. You may lose records of what you’ve got in flight as well. So that could then be you are then going to be relying on either trying to recover stuff through email backups or if you’ve got some sort of recovery there. But these things are serious costs that very quickly with a small to medium enterprise in the current market environment and the economy that we’re in, I would imagine that it would start to be seriously damaging and make people start to think very seriously about the financial implications once it happens. But of course, at that point it’s too late and you’re then in the position of trying to put things right, whereas if you can do this proactively and understand what the problems are that you’re facing and bolster your defences before they can actually happen, that’s got to be the way to go, hasn’t it?

Jarad Carleton:

It is the way to go. One of the key things that I think about in the voice of the enterprise security customer survey that we did, is we found that CISOs, they claim that, for example, that the senior executives and the board of directors know what their financial risk is in the event of a successful cyber attack that negatively impacts the business. But what we found is these professionals who really know what they’re doing unfortunately also have blinders on because when they think about the financial risk to their organisation, all they’re thinking about is what it’s going to take to rebuild the infrastructure for the network and to make sure that any of the bad stuff has been scrubbed out of storage memory, what have you, across the network so that they can get back up and running. They’re not thinking about lost sales, they’re not thinking about lost productivity. They’re not thinking about any potential firings from a DPA. That’s a data protection authority. If they don’t go and report things in Europe, for example, within 72 hours of, “Hey, this happened. Here’s how it happened, and here’s what we’re currently doing about it.” That’s the kind of information they need in 72 hours. You’re not going to wait for you to dig up this information over two, three weeks or months.

Adam Gleeson:

Now. It needs to be readily available. That kind of brings me to my next point is that as well as understanding what the risks to your business are, you need to have processes in place. And this is, again, hopefully this is not the first time people are hearing me say this, but you need to have cyber incident processes in place and you need to be able to use them effectively. And going back to what I was saying around that sort of stigma that’s maybe attached to a supplier that’s been breached or has suffered some kind of incident where data’s been traced, those ones who have got these robust cyber incident processes in place, like the organisation that I’m a customer of, having that, it just gives you reassurance that you know what’s going on, okay, something bad has happened. Unfortunately, the world that we live in, bad stuff happens all the time, and you can’t always avoid it. You should be doing your level best to stand on, put your best foot forward, rather.

Jarad Carleton:

There are two caveats to add to this though. Some additional research that we did was around what happens in a security incident. Do you have a plan in place? And the other thing is, okay, so you have the plan in place. First off, do you keep it in a binder or you keep it in a digital format that’s going to be encrypted when you get hit?

Adam Gleeson:

Very good point. Something I’ve heard that before.

Jarad Carleton:

And then secondly is when there is a cyber incident, do not only your IT professionals but also your non-technical workers across the organisation know what their role is and who to contact. Do they know where that plan is? Because if they don’t, they may start saying things out of turn before the company has figured out what happened and have reported to the data protection authority, for example, or even to their senior executives.

Adam Gleeson:

And that touches on something that, to be honest, it’s been a bit of a learning curve for me over the last couple of months. I myself, despite having a background in cyber security and knowing full well and knowing better than doing this, but I would fall into that category of CISOs that you were talking about there, where it’s like, right, how do we, everything’s down and we have maybe an IT administrator or IT manager perspective is like, right, everything’s down. Everyone’s complaining they can’t work. How do I get everything back up and running? And that’s your instinct is to start working the problem and start doing what you as a techie or as an administrator would do, and someone’s told you about a problem, you try and figure out how to work the problem, but there’s a much bigger picture from the legislative perspective and the legal aspect of it. And again, being able to understand how this works and being organised and structured in how you respond when an incident happens, the only way you can get that is by having these things in place and by practising them and using it to make sure that everyone’s aware of it.

Jarad Carleton:

There’s a really good parallel to this. A lot of people don’t know this, but I used to be a certified skydiver in the United States, so I’m one of those people that used to jump out of perfectly good planes because I thought it was fun and it was. But one of the things that they always told you was “there are certain processes in place for the event of an emergency”, and one of the key things that they always told you is that “for the really experienced people, accidents happen when you become too comfortable with things”, you always have to be thinking about what is your emergency plan. Do I need to update it? And that’s why reviewing things internally for what our security response plan is, is important. Just like when I used to get up there and jump out of the plane and say, yeah, I know everything I’m supposed to do, but then, oh, maybe I should go through some emergency room manoeuvres of what I’m going to need to do to potentially save my life if something bad happens. This is a really good parallel in security that we need to take into account.

Adam Gleeson:

But I think that that’s a really good note to finish on. This is about having a serious look at this. Now, that might not be something that the people watching this know how to do themselves. If that’s the case, then reach out to me. Reach out to your account manager at CyberLab and we can help you to work through these things and start to make sure that the things you’re considering actually are actually relevant to you.

Thank you very much, Jarad. As always, it’s an absolute pleasure. We have very fascinating conversations. I really enjoy it. For everyone watching, thank you for watching this. I hope you found it useful, and I’ll be back with the next podcast soon. Okay.

Take care and stay secure.