Hi, my name is Jamal Ahmed and I'd like to invite you to listen to this episode of the #1 ranked Data Privacy podcast.
In this episode, you'll discover the answers every Data Protection Professional needs to know, including:
and so much more...
Crypto Stopper provides ransomware protection by automatically detecting and stopping actively running ransomware attacks.
They are the world's first digital security product to offer 100% ransomware protection. Greg was the president of Axis Backup from 2007 to 2015. He was also the president of Iowa Electronics from 1998 to 2007.
Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/
Connect with Greg on LinkedIn: https://www.linkedin.com/in/gedwardswpd/
Check out Crypto Stopper here: https://www.getcryptostopper.com/
Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.
Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. A podcast to launch, progress, and excel your career as a privacy pro.
Hear about the latest news and developments in the world of Privacy.
Unknown Speaker 0:22
Discover fascinating insights from leading global privacy professionals.
And hear real stories, and top tips from the people who've been where you want to get to.
We're an official IAPP training partner.
We've trained people in over 137 countries and counting
So whether you're thinking about starting a career in data privacy.
Or you're an experienced professional.
This is the podcast for you.
Hi everyone and welcome to the Privacy Pros Academy podcast, my name is Jamilla, and I'm a data privacy analyst at Kazient Privacy Experts. I'm primarily responsible for conducting research on current and upcoming legislations, as well as any key developments and decisions by supervisory authorities. With me today is my co host, Jamal Ahmed, who is a fellow of information privacy and CEO at Kazient Privacy Experts. Jamal is an established and comprehensively qualified privacy professional with a demonstrable track record solving enterprise wide data privacy and data security challenges for SMEs to complex global organizations. He is a revered global privacy thought leader, world class trainer, and published author for publications such as Thomson Reuters, Independent, Euronews, as well as numerous industry publications. He makes regular appearances in the media, and has been dubbed the King of GDPR by the BBC. Today he has provided privacy and GDPR compliance solutions to organisations across six continents, and in over 30 jurisdictions, helping to safeguard the personal data of over a billion data subjects worldwide. Hi Jamal!
Hello Jamilla! How are you?
Good. How are you?
I'm really good. I'm really good. Really excited. You know, I've been making some positive changes to my lifestyle. So I wake up super early every morning now and I take myself to the gym. And you know what? I feel great. Why did I wait all this time? I don't know what I was waiting for.
Jamilla 2:27
esident of access backup from:
Greg Edwards 2:57
Yeah, thank you for having me. Jamal, I'm glad to hear you're working out. I'm an early riser too and have been trying to work out as well.
Yeah, thank you, Greg. Thank you for celebrating that with me.
Anyway, so as always, we start off with an icebreaker question on the podcast. And if you had to delete all but three apps from your smartphone, which ones would you keep?
Greg Edwards 3:17
Oh wow! That is a tough one. So I'd have to say, I mean, definitely email. I'd have to keep email, text messaging and probably my weather app.
Greg Edwards 3:28
I'm a private pilot, and so I'm always checking the weather on my phone.
Greg Edwards 3:37
Are we here to talk about privacy?
Yeah, something about privacy. You know what? I'm excited. This is our first pilot on the podcast. Amazing.
Greg Edwards 3:46
Good. Glad to break that ice.
Jamilla, what 3 apps would you keep?
Well, I probably use WhatsApp the most. I've tried going over to Signal but there's only about three people on Signal. Probably Twitter because it's entertaining, and maybe Reddit. What about you, Jamal?
I don't need any app.
Greg Edwards 4:06
Yeah, I would love that. Wouldn't that be great?
It would. It would be awesome.
Alright, let's get down to some questions.
Greg, why don't you explain what ransomware is?
Greg Edwards 4:15
So I mean, I think everyone's probably heard of ransomware at least by now. But fundamentally what ransomware is, is it's an encryption system that will lock the files once it starts running on a PC or on a network. It'll encrypt all the files and lock them and then hold them for ransom with an encryption key that you have to pay for to get back. It's actually a very simple system. We have written our own ransomware to attack a network and be able to go out and discover everything on a network and then start encrypting it. 93 lines of code.
Greg Edwards 4:52
Not a lot. And if you think about applications like WinZip or 7-Zip, it uses that exact kind of technology to encrypt the files when we used to have to do that to email stuff. It will encrypt those files, and they've taken that technology and weaponized it.
So, just to put it in perspective, if it only takes 93 lines of code, how much code does for example, running Facebook? How much would be that?
Greg Edwards 5:18
I mean, 10s of millions, maybe hundreds of millions.
So ransomware is like a virus then.
Greg Edwards 5:24
I've been in technology since:
It's been, you said it's been around since the end of the 90s. Was that, I remember Y2K vaguely and things like that. Was that worrying about ransomware malware?
Greg Edwards 6:24
So ransomware really, I mean ransomware has been around. I think the earliest versions of ransomware actually came out on floppy disk, but really, it took the help of cryptocurrency to be able to get ransomware to unfortunately to where it is now because these ransomware attackers can get paid completely anonymously, anywhere in the world, and it's untraceable. It used to be that they have to do some kind of credit card fraud or have some sort of way that they were using the banking system. Well now with cryptocurrency, they've got a whole new way to get paid.
So it's more about how they're getting paid rather than the cryptocurrency itself causing malware around.
Greg Edwards 7:05
Correct. Yeah, yeah, and I'm actually a fan of the cryptocurrency but not a fan of how it's being used by criminals.
Yeah. So imagine this, Jamilla. Imagine you had a car, right? Imagine you're driving your car, or use your car today for purposes. And then one morning you come to your car and you find out someone's clamped it and you can't actually get into your car, not just for driving, but you get into your car anymore. So, that's what they're doing. They're stopping you from enjoying something that you should already be enjoying. Right? Yeah, they're stopping you from getting into your system with your access. And the only way to get this clamp off the car is to pay the guy who's done it. Now if you pay the guy who's done it when he comes to me, you've got a couple of options. You can ask the police to wait and meet him. Or you can describe him to the police afterwards. So they can trace him down and say hey, why you illegally clamping her car? Now if he says hey, here's the clamps on your car, we can have it removed. All you need is the code to have it removed. And I'll send you the code. All you have to do is send me some bitcoin. Now you don't even know who that person is. Whether it's a he or she or they, they could be anywhere in the world. And because it's got that level of anonymity because Bitcoin or any kind of cryptocurrency doesn't, you don't necessarily need to know the identity of the person receiving it. It means that he can clamp every single car industry and no one will still know who that person is. So that means they can stay safe from a law enforcement I guess.
Cryptocurrency just makes my mind. I don't.. I don't understand how, like people are saying it can be mined, but it takes so much power to be mined. I'm like, well, where do you find it? Is it like on internet?
Greg Edwards 8:40
It's all about solving an algorithmic problem, is really what it comes down to. So it's just solving for these calculations, and that's how Bitcoins are mined and all cryptocurrency are mined.
So tell us more about how Crypto Stopper helps with ransomware attacks and you offer 100% ransomware protection. I know a lot of privacy professionals who would be really interested in learning more about it and how it can really help them with their clients and their businesses that they work in right now. So tell us a little bit more about how that works.
Greg Edwards 9:13
e attacks because starting in:
Jamilla:
So, your software can tell the difference between ransomware encrypting a file and then me trying to encrypt the file for my own privacy.
Greg Edwards:
Yep, yep, absolutely. And the big difference between that and we have, we have a whitelisting system so that we can go in and whitelist specific applications like a WinZip. But from a privacy standpoint, that's typically done at the disk level. And so it's transparent to the user, which is important and that our system, it doesn't stop that.
Jamilla:
Yeah, you said Crypto Stopper offers a 100% ransomware protection. What other things about Crypto Stopper is different from other ransomware providers?
Greg Edwards:
So I mean, the big difference is that deception technology. So intermingling, not only our bait files and those native files but then watching those bait files so that no matter what the encryption is that's running, that we're going to detect it and kill it.
Jamilla:
Yeah. And that's really helped playing a lot about ransomware, it has definitely made things more clear in my mind.
Greg Edwards:
Yeah well, Jamal's explanation of the car getting clamped. That's a great analogy of how it really works, and then to pay that attacker completely anonymously. Like how do you know if you're going to get the encryption key back? That was one common thing that would happen two years ago, that about 50% of the time people would pay and they wouldn't get their encryption key back. Well, the attackers realized that they needed to be better businessmen, or people wouldn't pay at all. And so they provide better customer service in that they do provide those encryption keys all the time now.
Jamal:
You mentioned that this is ideal for businesses. What kind of businesses is it really ideal for?
Greg Edwards:
So really, I mean, it doesn't, the type of business doesn't necessarily matter, but it's, I mean anything in health care, professional services, finance, manufacturing. We do specialize in working with managed service providers. So we sell business to business but all through resellers.
Jamal:
How did you feel when you saw the news about Kaseya attack?
Greg Edwards:
You know, that was ugly. I mean, I hate to see any ransomware attack that hits on a massive scale like that, or really any ransomware attacks, but that really is just where these attackers are escalating to. So that really may come out that, that was a state sponsored attack. But that kind of attack where they're using the supply chain, so infecting the software provider, and then infecting clients through that provider. That's a very high level kind of attack. And really a pretty scary escalation of where it's going, especially if that was not a state sponsored attacker. So meaning, you know, if it wasn't North Korea, Russia or China, the actual government doing it and now the attackers themselves have that level of sophistication, and that complex of tools to be able to pull something like that off is very scary.
Jamal:
It's very frightening. I once wrote an article saying how the next World War is going to be a data driven war, and examples of the state sponsored attack and especially hearing you talking about, it may seem more and more actually, like it was a lot more basically accurate, and that's exactly what's gonna happen. Why are we seeing so many state sponsored attacks?
Greg Edwards:
Well, I mean, part of it, the state sponsored attacks, I mean, so North Korea is really the only state sponsored ransomware purveyor, I would say. So the Russian government traditionally hasn't been involved in ransomware, other than a few incidents, but they haven't from a profit motive been involved in ransomware. Now, there are lots of Russian attackers and cyber criminals, because it's not in Russia, it is not against the law to be a ransomware attacker. Well, I mean, as long as they're not attacking anyone in Russia, then it is absolutely not against the law. And you know, so do you say is that a state sponsored attacker then? Well, I mean, it depends, and I do think that we're going to find out in the next several months if the US and US allies will force any kind of sanctions against Russia to try to get them to clamp down. Most recent UN, I don't know if it was a resolution or exactly what Vladimir Putin proposed to the UN. But really, he basically said, Nope, we're not going to do anything.
Jamal:
Interesting. We'll see how that plays out. Now you're telling me about the Accenture ransomware. What can you tell us about that?
Greg Edwards:
Yeah, so that just came out yesterday. So I really don't have a lot of details about that. But what it was, was an exfiltration of data, and I assume also an encryption of data. But what ransomware has pivoted to is not only what we talked about where it's clamping down the files on the local network, but then also exfiltrating that data and so yesterday, it came out that it was discovered that on the dark web, there's a trove of censored files that are being held for ransom, and I don't have a lot of details on it yet. It just came out yesterday. So I don't know the amount of the ransom that they're demanding, but wouldn't surprise me if it's not in the probably in the 10 to 20 million range would be my guess for a company like Accenture.
Jamilla:
Did these companies tend to pay those ransoms?
Greg Edwards:
So unfortunately, a lot of them do. So you guys are probably familiar with the Colonial Pipeline attack that happened here in the US. So that attack shut down 45% of the oil and gas flow to the east coast of the US, and they paid a $5 million ransom to try to speed the recovery up. I mean, the CEO of Colonial said, Okay, we've got, you know, we, this is critical infrastructure that we have to get turned back on, and so they pay the ransom and about the reports that I've seen, 45 to 50% of companies hit by ransomware attack do end up paying, which seems incredibly high. But it's a faster, I mean, so many companies when you think about the disaster recovery, and that oh, well, everyone has backup, right? Well, not everyone tests those backups and to see how long does it take to actually recover from backup sometimes is much longer than just paying the ransom and getting access to the files back immediately.
Jamilla:
Yeah, so I guess they feel like they have no other option than to pay the ransom if they want to get back up and running.
Greg Edwards:
Yeah, well, and the fact that not only will the attackers try to sabotage the backups, and then are now exfiltrating that data and then ransoming and saying that they'll release that data if they don't pay, that adds to the complexity of whether or not to pay.
Jamilla:
And you didn't, we talked about quite a few large examples of ransomware attacks. Do you think that these kinds of attacks are increasing? And why are services like Crypto Stopper becoming more and more important?
Greg Edwards:
Yeah. So when I first started Crypto Stopper, one of a mentor that I've had for a long time said, Hey, what is ransomware? Does anyone know what ransomware is? And does anyone really need it? And I said, well, the attackers are going to educate people. I mean, I saw this coming from way back in 2012. And saw this escalation coming. So absolutely. I mean, it is increasing. I've seen reports for 2021, anywhere from 140 to 700% increase in number of ransomware attacks. I mean, that basically happens every single year. And there's no barrier to entry for these attackers in countries, especially like Russia, where there's no punitive, and there's no penalty for attacking others. You know, as long as they're not in Russia, there's no penalty at all. And so if you think about any people coming up in technology, if you can make millions of dollars and it's not illegal, why would they not do it? I mean, that's why we need the help of governments to make sure that they are penalizing those people.
Jamal:
Yeah. If they're actively encouraging them by saying, hey, if you're in Russia, then you can go after any country, any company in the world, just make sure it's not in Russia, and do whatever you want to do, then it's kind of like saying, hey, come over here, and you guys really focus on becoming really good at attacking other people's organizations and holding them down someplace.
Greg Edwards:
Exactly. Yeah. And I've said for a long time that I think that these attackers really have been working on perfecting their craft, and that in about 2024, and we're coming on to, maybe we're at the peak of it now, I assume that it would take 10 years or so for these attackers to really perfect their craft and that's really what it is. So if you look back, the rise of ransomware starting at around 2012, 2014, and now they really perfected their craft. And so it's not surprising to me at all, and it's actually very frustrating to me. I've been screaming this for, I don't know, seven years now that this was going to be a problem, and it's unfortunately come even more true than I expected.
Jamilla:
You mentioned that you kind of need the government's help or assistance in dealing with ransomware attacks. What is the current US government attitude to ransomware?
Greg Edwards:
Yeah. So I mean, so the US is, I mean, there are very few ransomware attackers that are based in the US because the penalties are very high. And the US or in the US, we have the FBI that primarily investigates these kinds of crimes. And one of the problems is that they're so overwhelmed, but then they're also, when they do actually track it back to an individual or an organization, it's a lot more organized crime than just individuals. So even when they do track it back, they can't do anything about it. So I've talked to several FBI agents that are just so frustrated by the fact that yeah, they can track them down but then they can't do anything about it.
Jamilla:
So what first, I mean, we heard in your bio, you were president of Iowa Electronics, and then president of Axis Backup, but what first sparked your interest in data security?
Greg Edwards:
So probably the very first incident when I started my career. So in 1998, I started Iowa Electronics, which is now Watchpoint IT, but when I first started, I think it was in 2000 or 2001, there was this virus called the I Love You bug. And I don't know if either of you remember that, but it was, It wasn't encryption. What it did is encrypted files. There wasn't ransomware attached to it. It was just doing damage. But that incident really triggered and that was really the first virus incident that I dealt with as a professional and saw that what the potential wasn't what was going to happen, and that companies needed to take that data privacy very seriously because it's so important. I mean, it's all of our information. It's all of the 7.6 billion humans that are out here. It's all of our information that's at risk.
Jamal:
What compelled you to say, I'm gonna be the one to solve it, and I want to help people, to really protect people's personal information.
Greg Edwards:
Yes. So starting with the off site backup and disaster recovery company, that seeing the devastation that ransomware caused to companies because even when with our system, we were doing cloud backup before cloud existed. So starting in 2007, that cloud wasn't even in the cloud, but we were doing off site cloud backup and full on recoveries, well you can imagine in 2007, when a company whether they have a hardware failure, because it's pre ransomware, but a hardware failure and seeing how devastating that was even when you had good backup and good recovery, we'd bring them back up in two hours, but you're taking the whole company and saying okay, now you've got to work from the cloud. And if they didn't, you know they had no idea what that was. And then fast forward to 2015, when we were seeing the most ransomware attacks and doing the most recoveries with Axis Backup, seeing how badly companies were being hit by ransomware and how costly that was. That really is what drove me to create Crypto Stopper.
Jamal:
Okay, awesome. Thank you for sharing that story with us. It's quite inspiring. So you was just getting on with your work one day and then you discover that your company had been attacked. And immediately you was like, hang on a minute, if this is what they can do now, imagine the consequences of this, and how devastating this could be as things progress, and as we become more and more reliant on technology. And now we see that you will come to a stage where you actually said you know what, I'm going to actually step up and I'm going to provide a solution. Not just any solution, I'm going to provide 100% protection against ransomware using all of these clever technologies and the embedding of the bait files, and then the other technology you spoke to us about and put together Crypto Stopper.
Greg Edwards:
Yeah, exactly. I mean, it was really that 20 years of experience of being in the trenches of seeing what was happening to companies on the reactive side. To say, okay, we've got to stop this so that it's not as devastating, and really what we do is damage reduction and basically stopping the bleeding. With Crypto Stopper, the attack has gotten in and it's actively running and that's something that I knew was always going to happen that these attacks just like malware, I mean, it's something is always going to slip through. One I mean, if you have 10,000 or 10 people in your company, it only takes one person to slip up to let that attack.
Jamal:
Exactly. And I always say to my clients, it's not a matter of when it's going to happen just when it happens, and when it does happen, you want to make sure that you put yourself in the best position to mitigate you know, really decrease chances of any damage, and if we're gonna make ourselves resilient or if you're listening, and you're privacy professional, and you want to help make your organization the new craft resilient, this is really the way forward.
Greg Edwards:
Yeah, you know, I'm obviously coming from an offsite backup and disaster recovery standpoint. I mean, you have to have backup, but you don't want to have to go to that backup and you can imagine, again, use the car analogy that you do. I mean, being locked out of your car is bad. Imagine a 10,000 employee company being completely locked out of their computer system. I mean, it shuts companies down.
Jamal:
Yeah, we had, we had an incident here in the UK not too far ago. They shut down the National Health Service. People are waiting to have the operations and there's people waiting for urgent medical procedures and the NHS, National Health Service, nobody could access their files. Nobody could access that information.
Greg Edwards:
Right. And if you think about it, almost every business today if you take away their computer system, you've shut them down pretty much. That's what these attackers know. I mean, everything from healthcare to manufacturing to even there's a lawn care service that's local here in my area that they said, yeah, you shut down our computer system, we can't do anything because we don't know where to send our staff. You know, so you think about that from a lawn care service that is out of business if their computer system is down.
Jamilla:
Yeah. Well, you spoke a little bit about the current kind of climate around ramps and whereas like you said, you saw kind of a record number of attacks in 2015. But what do you think the security, data privacy industry will look like over the next five years? Do you think there'll be an increase in attack?
Greg Edwards:
Certainly an increase in attacks. And I do think that companies are finally taking privacy and data security seriously, or at least starting to. I think that GDPR and some of the California Consumer Protection Act, I mean, I think some of those things are also helping. I think we need a combination of both CEOs, boards of directors, educating themselves, understanding the risks. And then there's also some government involvement to put regulation around what needs to be done. So absolutely, I see that over the next five years, it's going to continue to get worse, the protections are going to get better and better and make that, we really have to do is make that barrier to entry, from the punitive side government's taking it seriously penalising these people plus regulations plus companies taking seriously. I mean, it's not one thing that's gonna solve this. It's a multi front attack.
Jamal:
Yeah, definitely a combination of things that are going to help us to see a reduction. I don't think we'll ever see an entry but we have seen a reduction. And the good news for privacy pros is, because of all of these attacks, because we are actually understanding how devastating it can be when unauthorized, and people get access or lock you out of your files and lock businesses out. It means that there is going to be a huge demand or an increased demand for data privacy and data security professionals. And that's where we can really help with the Privacy Pros Academy. If someone's looking to pivot their career, or someone's thinking about making a career change, why should they consider data privacy, Greg?
Greg Edwards:
For lots of reasons. I mean, number one would be because you're going to really help companies and help the society at large, but then it's also a great profession and they're so like you say there's such a need for it that those jobs are in high demand.
Jamal:
Absolutely. I've seen people come into the industry where previously they've been stuck in a career, or they've been stuck in like almost like a glass ceiling, like they kind of get past a certain stage. But they've come to privacy. And within this very short time they've gone from 50-60 grand to six figures without even thinking twice about this deal. Now there's so much more out there waiting for them. And the other fascinating thing is put the money to one side, is it's constantly changing. You mentioned earlier the GDPR and how much of an impact that's had and how that's actually influencing organizations all over the world. You speak about government stepping in to bring in regulation and we can see that in 2021, only 10% of the globe has privacy legislation. But we can see that by 2023, we can say it's stable for about 50% of the globe to start introducing privacy legislation. And I'm speaking to one or two governments right now and consulting them on how to go about doing that for their own organization, for their own countries. And we can see that everywhere around the globe, GDPR has inspired everyone to raise the level of protection. And because the GDPR is the most comprehensive set of data privacy laws we find in the world, we find that multinational organizations and other countries and organizations in other countries around the world, they want to make sure they get to a level of compliance with the most comprehensive because if they get that right, it makes everything else very easy. And they can now start doing trade with the 500 million residents in the European Union and start really making the most of those opportunities available to them.
Greg Edwards:
Yeah, I completely agree.
Jamilla:
Right. So the last question is your opportunity to ask Jamal a question.
Greg Edwards:
All right. So Jamal, what do you see as the number one thing that companies can do to protect the privacy of their data?
Jamal:
Number one thing is awareness. An awareness that data privacy is a thing. People's personal information needs to be protected. I think that is the number one thing is raising that awareness and making sure people are always thinking privacy first. I mean, the law and all of the talk about privacy, but people talk about privacy by design, but unless there is an awareness of privacy and an awareness of the risk associated to it, it doesn't mean anything about it. So yeah, the number one thing is awareness.
Greg Edwards:
Yeah. And I think, add to that, it's got to come from the top down. It's got to be the board of directors and the CEO that take it seriously and implement the controls that are needed.
Jamal:
Couldn't agree more on that one, Greg.
Jamilla:
Thank you so much for joining us today. It's been great speaking to you.
Greg Edwards:
Yeah. Thanks for having me.
Rahena:
If you enjoyed this episode be sure to subscribe, like, and share, so you're notified when a new episode is released.
Jamal:
Remember to join the Privacy Pros Academy Facebook group where we answer your questions.
Rahena:
Thank you so much for listening. I hope to leave you with some great things that will add value on your journey as a world class privacy pro.
Jamal:
Please leave us a four or five star review.
Rahena:
And if you'd like to be on a future episode of our podcast.
Jamal:
Or have a suggestion for a topic you'd like to hear more about.
Rahena:
Please send an email to Team@kazient.co.uk
Jamal:
Until next time.