Martin Hinton (00:00) Welcome to the Cyber Insurance News and Information Podcast. We'll get started in just a second. But before we do, if you could subscribe, we'd be very grateful. Thank you.
Martin Hinton (00:14) Welcome to the latest edition of the Cyber Insurance News and Information Podcast. I'm the executive editor of Cyber Insurance News, Martin Hinton. Joining me today is Joseph Wright with Blue Team Alpha, an incident response specialist who's going to tell us all about that space, what you need to know, how you need to plan, tell us some stories, I hope. Before we get to him and have Joe tell us a little bit about his background and how he got to this cybersecurity space in his life, like, subscribe, follow, you know how to do it, help us grow. We do really appreciate it. If you've got any questions, you can drop them in the comments when you see this. And either I or Joe will do our best to get you answers. So with no further ado, Joseph Wright with Blue Team Alpha. First of all, thanks for joining us. And before we get into the nitty gritty of incident response and cybersecurity, Blue Team Alpha, one of the things I liked about it when I read about you is heavily veteran populated. So I wanted to tell you, tell us a little bit about how you come to this space and your background professionally before this moment in time and the private sector. Again, Joseph, really great to have you and take us away. Tell us about yourself.
Joseph Wright (01:21) Hey, Martin. Hey, thanks for having me on. I feel privileged to be in the position to have a good discussion about this space. 26 years ago, 20, no, 24 years ago, I started a journey at 18 years old after being a college dropout of joining the US Coast Guard. And initially I spent the first half of my career driving boats, saving lives, doing all the awesome things you see on television and literally being the boat driver, being a boatswain's mate is what they called it.
Leading teams, leading rescues, leading law enforcement actions throughout the country, doing escorts, things of that nature, operational. And that taught me a lot about growing up and being awesome. And then I decided I have a latter portion of my life that I'm going to need to not be able to, or I'm going to need some other skills in this world. So I started a journey towards information systems and security. I had a passion for computers my entire life. I built my first computer when I was like 15, and that's in early, late 90s, I guess, which most kids probably weren't really doing back then. I knew I was something special. Somebody, people would always ask me to help them with their computers and their cell phones. And so I was that tech guy that everyone leaned on my whole life. So I was smart enough to know I want to do something I have a passion for. So I leaned into that a bit and found myself in an information system security degree plan and got through it pretty quickly. I got through it in two and a half years, a four year degree. And I did that while being in the Coast Guard. And the Coast Guard just so happened to at the same time as me finishing my degree, be standing up a large cyber division in the Department of Homeland Security up in the DC area. And I lived in Yorktown at the time, Virginia. And so, you know, they were looking for operators, people who knew how to lead people, knew how to do some of that stuff. So I applied for a job with the Coast Guard Cyber Division and they picked me up based on my degree plan and the things I had done up until that point. I received from the Coast Guard a bunch of really awesome training. It was down in Pensacola, Florida for about six months working with Army, Marines, Navy and Air Force, going through some of their programs and leading one of the schools there.
And then coming back into the Coast Guard, leading and being a watch supervisor of the Cyber Security Operations Center up in the DC area. And then leading some incidents and things that happened during early '19 '20-ish was really where I got my feet wet in real cybersecurity, forensics, things of that nature. And then, so I was a boatswain's mate still though. I never switched in, and in the military you have a MOS or a job title and in the Coast Guard they call it a rating. I never had the opportunity to switch out of being a boatswain's mate into what would be like a cyber job. I was just being a cyber warrior as a boatswain's mate. So when it came time to hit my 20 year mark, there was no path forward for me in my career. So I decided it was time to retire and I figured I'll probably make a little bit more cash on the outside than I was making in the military. I loved my time in the military. I loved everything I did. But what I did is I found a home here at Blue Team Alpha as I was transitioning out of the military. And started doing some contracting for a little bit and then shortly thereafter they picked me up. My incident response prowess in the Coast Guard led me down an incident response prowess in Blue Team Alpha with small and medium-sized businesses, and my first, I can't say the name of it, but my first incident was a car dealership down in the south somewhere. And I spent the entire time down there re-imaging machines and really learning the civilian side of the effect of incident response and what happens to organizations from an emotional aspect. And so I've been with Blue Team Alpha ever since, and I'm proud to say I'm the vice president of services here at Blue Team Alpha now.
Martin Hinton (06:07) Well, thank you for all that. You transition this perfectly because one of the things that we cover here is the idea that no one is escaping the threat of a cybercrime or a cyber attack. You mentioned an individual car dealership.
So before we get into any details about any specific incident outside of identifying anyone, which is fine because we understand completely why that is, tell us a little bit about what leads to the need of an incident response. You know, in that case or in any other case or just generically, when do you get a phone call? And I should start by saying that we have now rescheduled this podcast two or three times because you have slightly more pressing things to do, which I, it's a good way to betray the reality of your job, right? You are in incident response. You used to rescue people who were having trouble on the oceans and now you're having
Joseph Wright (06:46) Yeah. It is.
Martin Hinton (07:02) to rescue people who are adrift on a digital sea, I suppose. So I wonder what leads to that moment when you get a phone call, what are you hearing? What are people saying?
Joseph Wright (07:05) Yeah, absolutely. Yeah, so, you know, my entire career of life, essentially since I was 18 has been incident response. You know, I joined the Coast Guard about two months before 9/11, right? So things from that perspective, June of 2001, you know, has been fast forward ever since. I mean, I remember the day like it was yesterday in 9/11, right? So for me, responding has been a thing for my entire lifeblood. It is who I am. It's built into me. You know, anytime day or night on the high seas, right? That's the Coast Guard's motto, right? So anytime day or night now for Blue Team Alpha. I say the Coast Guard's motto was Semper Paratus, and I'm Semper Gumby, I'm always flexible now, so I am always, you know, involved in that space. And you asked a very good question, when do people do it? And typically when they least expect it, right? Nights, weekends, holidays especially, we see a severe uptick when people aren't paying attention. And unfortunately, for their sake, it happens almost every single time that you're not looking.
Martin Hinton (08:24) Yeah, I mean, one of the things we've covered here is the spike in, I did a report not long ago about spikes in Asia in the lead up to the Lunar New Year, where everyone's distracted or, you know, during classic times in other parts of the world where people are on vacation and you have maybe a cybersecurity team of 10 is reduced to seven and it's a Saturday morning and that sort of thing. And it's a classic, you know, you don't attack your foe when they're expecting it, right. And that's, you know, in the incident of warfare.
Joseph Wright (08:53) Mm-hmm.
Martin Hinton (08:54) there is that reality of taking advantage when the enemy is not looking and that sort of thing. So when an auto dealership like you're talking about, or a small business, what's the typical scenario that they encounter that causes them to need to respond? What is the incident?
Joseph Wright (09:12) Yeah, so they typically show up to work on a Monday morning after a long weekend, holiday weekend, take 4th of July or, you know, one of those long, long weeks off holidays. You know, Christmas is a big one too, right? But they show up to work and for some reason or another, someone can't access something. So they start to look into what's going on and essentially they come across, you know, some sort of encryption or an event in which something is affected in some fashion and they don't know what to do. The organizations that we work with are typically very immature in their cybersecurity path or they know what needed to be done but didn't have the budget and things of that nature to get those things done. So some of the guys that actually that happens to have done all the proper things that they can from their perspective, but just never got the support either from leadership or somewhere else to make those things happen, which is super unfortunate because now when they call us, it's a rude awakening, they're in a position where we are going into a very critical incident position, both from a personal perspective for all the employees, but also from the organizational level. And so it's actually a really tough situation to walk into, but one I thrive in obviously is as we are here where we are, right? And I like to say that we are the knight in shining armor typically when we come in to these situations to help organizations hopefully minimize the effect of these types of things.
Martin Hinton (10:53) You touched on something there. When you get these phone calls, are they typically people who you have a relationship prior to this or have they Googled you and thought, let's call these people. We've got some kind of breach or whatever it might be, or something is not working properly. And it's quite clear that that's happened. How does that manifest?
Joseph Wright (11:12) Yeah, so that's the biggest hurdle we face as an organization, right, is to let people know who we are, what we do, and to get in front of organizations hopefully before it happens, right? We would love for every organization to have Blue Team Alpha as their incident response firm in their policy ready to go in case something did happen, because that would minimize the impact. Unfortunately, that's not necessarily always the case. And yeah, a lot of times we see... from Google, from partnerships. We work a lot of time on our partnerships with MSPs or master service providers as well as insurance organizations to make sure that there's someone available 24-7 to these organizations when something does happen. They have someone to turn to. But oftentimes it's not the case and we see days or maybe even three or four days after the fact being brought into those situations.
Martin Hinton (12:09) When you're dealing with small and medium sized businesses, one of the things that I've encountered in the time I've been looking into this space, both the cyber insurance world and then the very heavily overlapped sort of interlaced reality of that being a cybersecurity reality is that small and medium sized businesses often come at this, as I say, frequency with a teenager mentality. And that exists to the Fortune 500. So I don't want to single out the small and medium sized guys and gals. But they tend to think, why would anyone attack me? I'm a small. What do I have? When it comes to incident response, if you will now talking directly to a small business owner who is like, well, I don't have incident response. What's going on? What do they need to hear to make it clear to them that having a plan for when things go wrong, whether it's digital or the fire alarm goes off in the mechanical bay of your auto dealership, how important is it to have a plan, to know who to call, for all the employees know where to muster if you will, that you can do a head count or how do you assess what's on fire? Like, you know, so you can maybe report to the fire department, oh, it's oil or oil fire or electrical or we've got these, you, we've got, see those signs on buildings and tankers so that firefighters responding to an incident know what might be burning so they can address how to put out a fire or begin to fight the fire. What would you say to a small medium-sized owner who's now hearing this and thinking, do I have incident response? I mean, I have a cyber insurance. What do they need to hear?
Joseph Wright (13:39) They need to hear that you want somebody trusted that's going to be there, right? So to seek out and have a pre-arranged agreement is pivotal. I think what they really need to know is what the effects of these things actually are. A lot of people kind of like you said have a teenager mentality, it's never going to hit me.
No, it's never going to affect me in the way that we think it's going to. But when I have a scoping call or I have a conversation with a small medium sized business, those conversations typically go with, I need a pen test. Well, no, you need a lot more than a pen test. Pen test is down the road. You really need to get your ducks in a row from a security perspective before you start pen testing. And when I say that, what I mean is one of the questions I ask, what would you do if tomorrow you came into work and you had no access to any information technology whatsoever? Because that's essentially what happens in the worst case scenario. You show up to work and you can't pay your employees. You can't get the invoices out the door for the next shipment that's coming in. You can't get a label for printing. You can't do any of that. And how would that affect you? And typically that's an eye opener for them right away, right out the gate. And then, you know, obviously doing an incident response policy review and seeing where they are in their maturity aspect and looking at what actions they would take, who would they contact and things of that nature. That's... Those are how those conversations start. And typically we see, you know, some organizations are starting to get in line with that. But I would say probably 70% of organizations don't have a plan even in place. And I'd say better than that, 90% of organizations that do have a plan in place have never practiced it or put it into action. And, you know, my experience in military says training makes perfect. You know, we would go out on missions on a boat and we would throw a dummy overboard and we'd go pick it up, right? You need to go throw the dummy overboard and pick it up multiple times in order to understand what the true effects of what you're gonna end to perfect your response in and when it does happen. So it's not a matter of if, but when from our perspective.
Martin Hinton (15:52) I mean, you touch on something that I've heard from countless people, frankly, is this idea that even when you're dealing with people having awareness, their ability to, if you will, practice like you're going to play, to war game it, if you will, is something where there's a bit of a detachment. Like, you check the box on your policy and you think you're covered, but if there are 30 people on your staff and maybe 10 of them are off and they don't all know who to call. They don't all know who to react to. That, I mean, is it fair to say that this is almost like a fire drill? Like you might have a fire drill every six months to maintain sort of the qualification in your insurance policy for something like fire, obviously. Is there, is your idea that this needs to be moved into that sort of reality and you need to, I, the phrase you hear is gamify it so that it is ingrained in the sort of conduct of employees and their sort of holistic approach to work, both from a cybersecurity point of view, but when trouble hits, they have at least the beginnings of a plan. And as we know, plans survive first contact, but at least you have some framework for how to approach a situation where your business is fundamentally off from the inside and from the outside perspective, which is we know those business interruptions are catastrophic for businesses with small timeframes with regard to cash flow and that sort of thing. What do you think about that?
Joseph Wright (17:18) Yeah, I think it's a disaster, right? Either way, whether it's a cyber disaster or a fire, it's still a disaster. And you have to look at it that way. You wouldn't, you know, and here's the other kind of, I talk about this quite often too, but you know, when you get into a car accident or something, you don't, you know, call the insurance company and ask them to call the police for you. You call the police and you call the fire department and the EMS to get there and rescue you.
I would love for it to change our mentality to say the first person you call in a cyber security incident is the people who know how to respond to it, or at least have a plan to do so and have that in place. And so I think practice does make perfect. I think tabletop exercises, walking through it, doing those types of things, doing those proactive things can save you possibly millions of dollars in the long run, right? You know, depending on the size of your organization, at least hundreds of thousands of dollars, and just in response alone. So if you have that time reduced and you're able to get to that fire before it becomes an engulfed organization, you're actually saving yourself hundreds of thousands of dollars in advance. And it just makes sense from my brain and I'm just going off of my experience, but it's hard to get that across to some organizations who think, like you said before, have a teenager mentality, it's not going to happen to me. And it takes for it to happen. I mean, I could refer you to a thousand of our clients who say the same thing in the middle of it. Hey, I never thought this would happen to us. You know, and that's sad, but it is the world we live in.
Martin Hinton (19:02) You touch on something there. Sometimes you see studies about this and reports and surveys of IT departments and that sort of thing. Attaching a financial cost to failure on the cybersecurity level prior to an incident. I think a lot of people don't appreciate how much there is involved in the incident response. The long tail of an incident. I was on a podcast recently and the question was what's worse, the attack or the response. And I was like, well, that's a ridiculous question. I mean, it's always the aftermath because you don't know whether they're still in your system, you know, depending on the nature of your business, the reputational harm that can be done and that sort of thing.
Take me through some of the layers that exist with regard to the issues created by a cyber attack and how they can play out. And I mean, you touched on the financial cost. I mean, things like PR and crisis management communications, nevermind the technical side stuff of it. These are, you know, whether there's like
Joseph Wright (19:34) Mm-hmm.
Martin Hinton (19:58) credit monitoring you have to get for the 10,000 people whose data is now out there in the dark web. Take me through some of the layers of the litany of things that can have a price tag to them, whatever it might be, hundreds of thousands of millions that exist as a function of the incident.
Joseph Wright (20:14) Yeah, so I mean, there's countless things and depends again on your organization and what, manufacturing, healthcare, what vertical you're in, you know, with what regards to what laws you have to abide by when it comes to the information that may or may not have been lost and or accessed. You know, so there's a litany, as you said, of costs when it comes to protecting other people's privacy and their information. To add to that, there's a human cost to it outside of that. But financially speaking, I think it's much cheaper to be proactive than it is to be reactive in this world. I know from sending out the quotes, it's cheaper. Just incident response in and of itself is an expensive forte, right?
Martin Hinton (21:05) Hahaha
Joseph Wright (21:13) That's just to get the threat actor out of the way. Then you have recovery costs of the infrastructure. You have the hours spent by the engineers who have to now rebuild all of those things. Even in a situation, in a best case scenario where you have backups to recover from, you're still spending hundreds of thousands of dollars getting that information back in its place where it should be from specialists and people who need to be interactive with that data and people who don't know what they're doing.
And in the middle of that recovery, you're losing money on a profit basis day by day as an organization that you're not even thinking about. And then you get to a point if you don't do it fast enough, the customers are not getting their products, the employees may not get paid because payroll can't be processed. There's so many things that people don't take into consideration when these bad things start to happen and navigating that, especially when you don't have a firm or a partner or someone to work through with you, navigating that on your own is almost impossible if you've never done it, right? And so relying on people, breach counsel and insurance organizations and IR firms ends up being a task too. So now you're focused on that as a business owner, a business leader and you're not focused on the business itself and everything that gets missed over the course of that time where you're focused on that is now more money down the road. So it just compiles, right? It continues to pile on and then the legal battles down the road. If there is personal information released, you know, so many laws have been introduced to protect people and protect information, which is great. I agree with completely and I hope that organizations take that seriously so that they become proactive because it's going to cost you so much more. I would say, you know, somewhere in the ballpark of 10 to 15 times more expensive to not pay attention to it than it would be to pay attention to it before it happens.
Martin Hinton (23:27) You touched on something a minute ago and it's sort of core to my feeling about it is that for all the technology in the world and AI and that sort of thing, people are integral to the way companies operate, particularly small and medium sized businesses. They're an essential element and there is a real psychological impact from the impact of a breach, the extra work, the stress over whether you're going to get paid.
You know, if you're the person who clicked a phishing link or the cause of the breach. You know, I've said recently that this is one of the crimes where it's still, we see it's still comfortable blaming the victim. Like these aren't sophisticated, psychologically engineered and incredibly powerful with regard to things like behavioral psychology cons in the case of some of these things. When you go through this, you deal with the employees, what's the impact you see there, which is, you know, sometimes a bit like vapor. It's hard to put a price tag on people who were like brought down and like the, that there's a defeat, but you've led people, the military is all about leadership. What do you see in that space with regard to the human element outside of the financial cost?
Joseph Wright (24:33) Yeah, so I think I kind of touched on that. In the military, we went through a training called Critical Incident Stress Management. And that really taught us how to take those situations and understand them, mitigate the risks, and kind of set them aside and find a way forward, right? I think for me, that's become really natural. It's something I discuss with the clients on site. One of the things that I think bothers me most is the people who are concerned with their jobs and things of that nature. It's hard to see. It is just like if you were to pick up a body or pick up a person out of the water who was alive but still in a bad shape, you know, having to tell the family and be that person with them. It's almost the same. I relate it oftentimes to the clients as stages of grief, right? Because when you're on site, the initial reaction is, I can't believe this happened. And when somebody passes and your family or your friends, I can't believe this happened is the first thing. And then you go into that panic mode of like, what am I going to do now that that thing is gone or that thing has been affected? Right.
And they go through these stages almost identical. And you can identify them if you're used to it, that people move through those stages of grief as this goes on. And then as we start to recover, you start to see the smiles start to come back and the feeling of, you know, everything is going to be okay and you get on that latter end of it. But in the midst of it, it can be tough. And I've seen people quit. I've seen people leave organizations in the middle of it and say, I'm not doing this. And no matter what we say to them, it doesn't matter, they're done. There's been others where the CEO puts the blame on people and they fire them on the spot. And then now we are there trying to help fix it, but the people that are key to making it all happen are no longer accessible to us. So, you know, every situation is different, but I think there's a human cost to it that people don't realize it's tough, it's a critical situation, and we try to do our best at Blue Team Alpha to make sure that that's as light as possible. We try to communicate with the CEOs and COOs about, you know, be careful about how you treat these people, they're in a bad situation, they know that things are messed up already. Let's treat this as a situation and we're all working together toward a common goal, which is to bring the organization back as securely and safely as possible and as quickly as possible so that there's a minimal effect on everything overall.
Martin Hinton (27:15) You touched on something there that I think is, when it happens to you, it feels, because it is, like the first time and it's unprecedented. But for people with experience and, you know, in your case, hundreds of incidents you've responded to, there are patterns to how it all unfolds that help you navigate the recovery. And for me, that's like the big takeaway, right? This is not a catastrophic event necessarily, right? There are things that can be done very quickly and the path to recovery can begin very early. Is that a fair way to think about it to make sure this isn't so, you know, the sky is falling dire, but that if you're a small business owner and you've got an incident or plan, you can maybe sleep a little better at night. Is that fair?
Joseph Wright (28:02) Yeah, I think, you know, from my experience, it takes a couple of days for us to get through to some of the organizations to say, look, it's going to be OK. It's going to, it's like running uphill. We often related to that, running uphill for a while. And then oftentimes you get to the top of that hill and it's a sprint down the other side of OK, everything's back. You know, but it's tough to, sometimes it's tough to get them on board. And I think from my perspective, the experience we have, I'm doing this has been beneficial for all organizations we've ever come across in some fashion, whether during or after, right? Unfortunately, it's a lesson well learned in the end. And I really hope I can tell people about it and they don't get in that situation before that, because I don't want to see people on their worst day. I don't want to be there in the incident. I want to have the proactive discussion about how we can get that incident response policy in place and get that retainer in place so that when and if something happens, it's minimized at best and nothing significant happens. And you can just say, hey, don't click on that link again. And that would be the best case scenario.
Martin Hinton (29:22) So you take me to something we sort of touched on. I'm a small business owner. And I realized, don't know if I have an incident response plan. What's the first thing I should do? Are there one or two things to begin me on the journey to creating that cyber resilience that you touch on wanting everyone to have?
Joseph Wright (29:41) Yeah, so I think from a cyber resilience perspective, the first things that someone should do is review their incident response plan and have an incident response retainer with an incident response organization. Somebody that's familiar with their organization. When I say familiar, let them look at your policies, let them understand your infrastructure. Let them be familiar with how you operate in some fashion. Have a non-disclosure agreement and let them understand it because the last thing you want to do is somebody in the heat of the moment who does know who you are, what you do, right? And that makes that process just that much longer, right, to get back. And so I think reviewing that incident response policy, getting someone on retainer, having cyber insurance lined up, having that incident response organization as part of your plan with the insurance organization, which means they're aware of who your incident response firm is and what their cost is and come to a conclusion. We work with many organizations insurance-wise. We have a preset amount that we can charge by hour for certain services from start to finish. Making sure that the policy that you have in insurance covers what would be needed in the case of the worst event possible, right? Think about the things like payroll and making those happen. Think about the possibility of needing to pay a ransom and what your organization looks like. Threat actors, from my knowledge in open source intel, says they typically do some reconnaissance on the organization before they come up with a number. And that number is based on web info, right? They're not calling and asking you how much your net worth is, right? They're looking at open source intel and just coming to an assumption. So you can come to almost the same assumption as what they would typically ask you for in the sense of a ransomware.
So you can kind of look at what you would need to pay in that situation. And then backups are a big thing. I mean, backups, having air gap solutions is gonna be pivotal in getting you back to work as fast and effectively as possible. And that's been the crux of so many organizations not having an air gap solution, not having an immutable backup in place. And they end up having to work with threat actors to get back to business. That's a tough one.
Martin Hinton (32:09) Two is one and one is none, right?
Joseph Wright (32:11) Yeah, that's right.
Martin Hinton (32:13) That's a saying I've heard. I used to do military history documentaries and it was everywhere. The idea that redundancy is the hallmark of being able to adapt to things that you can't predict, right? The idea is that there is that flexibility and malleability in your approach to know you can't have thought of everything, but there are ways to be ready for anything, if you will. It's almost a mindset kind of thing. And again, it seems easy to say. Are there any, can you take me through a couple of, or one
Joseph Wright (32:25) Certainly.
Martin Hinton (32:43) specific incident without names and without things that just give me a scenario where, you know, someone watching this now could say, okay, I can imagine myself being that business owner. You got any anecdotes to share?
Joseph Wright (32:55) Yeah, sure. So recently I had an organization that worked in the healthcare space. You know, they protected, you know, a portion of their organization with EDR. The other portion of the organization was not covered. The portion that was covered was client facing and the part that was important, most important to them. However, the part of the organization that hadn't had EDR or XDR or some sort of protection in place was compromised. What that did though was take down the organization from an operational level. It left the ability for them to still service their customers for the most part.
But what it was was a reputational issue at that point. You know, they're working with multiple health care organizations. And so from that perspective, you know, they've now been compromised. And you know, when you get compromised in a healthcare space, the other organizations are going to run the other way whether they were affected or not. And so that's a tough pill to swallow for an organization, you know, to understand the reputational cause of something that would have been so simple to protect yourself against, especially because they knew but they didn't take the steps quick enough to make sure it was buttoned up.

Martin Hinton (34:24) So, I mean, we sort of cheekily talk about the teenager mentality. And again, that's sort of pointing the finger and all that sort of thing, but it's context a lot of people can feel and sense, I remember that attitude, or maybe I've got that attitude to something now. The other way to think about that and the positive take I would put on it is the idea that that means that there are some very obvious things that someone like yourself and other experts could see and be like, we should do this, we should do that. These are the things that will help us navigate and prepare. Is that, you know, trying not to be too negative and maintain a sort of positive outlook, like there are solutions to this reality. There are solutions to the threats that companies face. And they're not all, you know, complex. Some of it's very basic. The idea that, like you said, you compare what's in your insurance policy to the realities of what might happen if you have a business interruption or business email compromise or something like that. Is that a way to think about it?

Joseph Wright (35:24) Yeah, so I think that's pretty accurate.
I would even go further to say, if an IT or a security person within your organization is telling you you need to do something, they're not telling you that because they just feel like buying or wasting a bunch of money typically. They see a necessity for it. The best way to really map out a security program is to also look from an advisory perspective at a CISO or a vCISO, and really map out what those security controls look like and how do they affect your organization. And assigning priorities, a roadmap, you know, it's clearly obvious that not everything is going to get solved with money tomorrow morning, right? There's going to be time and effort put into securing environments. But we can start with the little things. You can start with things like MFA on VPNs. You can start with making sure that people who are there supposed to be when they log in, you know, unrealistic travel, all of these little things when they start to compound, and these are simple implementations, when they start to compound into many simple things, that's when it gets real serious and where the biggest, you know, target is, because an organization can be hit from so many different directions at once when there's these little things that are overlooked. The big things, the big expensive EDRs and things of that nature and security operation center to protect you, those things are going to get implemented. But you can protect yourself up to a point until those need to be put in place. And I think having someone who understands incidents, understands incident response, understands the frameworks and security, that can help you develop a roadmap for your organization and get you from point A to point B so that you can prioritize how to get there is super imperative. Again, a CISO in the bigger organizations, an advisor or a vCISO in the smaller SMB space like we work in.
We often work with small organizations to get that roadmap developed, look at NIST framework and CMMC and all of these and say, look, this is the way to get there. This is the priorities we see from our perspective. And these are the things that can help you get yourself in a line so you're not compromised. And then in the latter part, if you are, somebody can help you.

Martin Hinton (37:50) Yeah. When you took you that advice is once upon a time and I guess property and casualty, it was like, you need this kind of sprinkler system or these sorts of locks or this type of alarm system. The idea that you bring people to a space where they're better risk for an insurance company and more secure in their own space. So it's again, these are new, newfangled problems, but they're not entirely new problems. The idea that there's this new threat. You did touch on something just now and it's something I've read a bit about lately. And it's this idea that within organizations, within the security or the cybersecurity or the CISO level or the vCISO level, there is awareness of this and communication of the issue, but it doesn't resonate with the board or other C-suite executives. And there's like a communication gap internally that you can see post-incident. Is that something you encounter often or is that, you know, where someone's been, you know, if you will, crying wolf and they're not wrong. It is in fact a wolf.

Joseph Wright (38:50) It is something we do encounter and I would say 50% of the cases we come across have that mentality where somebody's asked for something or wanted something, but it was put off till next quarter, next half of the year, something like that. And they need the help to kind of drive that need. And again, that's why I think that advisory side really helps develop that roadmap. This is the why, right? Because you go to a...
you know, chief operating officer or financial officer, they're just looking at the numbers and what it costs to the organization. They don't understand the needs. You really, you know, if you can explain that need to them, which can be difficult for somebody who doesn't understand the full nuances of cybersecurity and the business impact of an incident, that can be difficult for them to get that point across. So a lot of times that's where we... where we really see success is when we get a vCISO contract or an advisory contract with an organization where we're trying to be proactive, we can really help them drive their security program to the next level and really get them to a place where their whole C-suite starts to understand the effects that could happen. And they're ready to pull out the checkbook to make it happen because it needs to. You'd rather pull it out now than pull it out later and spend 10 times more.

Martin Hinton (40:13) Well, that element of being able to attach a financial cost to something that is over the horizon or unexperienced is a challenge that a lot of organizations face. And I think that, you know, that ability to be proactive, you know, I mean, this is a problem, right? You don't, it's almost like spending money you hope you never have to really rely on. And that is a tough sell when you're like, well, what about next quarter? We've got this, you know, wall in our warehouse we've got to rebuild. And these are, this is the... the challenge that a lot of people have expressed to me, at least in this space, that, you know, it's like making people worry about something they can't comprehend in a way. And that communication gap is tough. We've covered a lot of ground, and there's a few things in what we discussed prior to this that we haven't gotten to.
But we're about 40 minutes in, and I just want to ask, is there anything that we haven't talked about or anything I didn't ask about or anything we did talk about that you'd like to touch on again before we wrap up?

Joseph Wright (40:52) Right. No, I think we've covered a lot of what I wanted to get across to people, especially with regards to incident response. The human factor related to it has a special place for me because I've dealt with real human tragedy throughout my career. And then to see the emotional side of it from a cyber side is tough to swallow at times. And I don't want to see people do that. I don't want to... see people go through tough times in any fashion. And then, you know, obviously the ability for organizations like ours, Blue Team Alpha, to help these people so that they don't have to have these things happen. And then also to be there on those worst days, you know, get the name out there, let people know who we are and how we can help them both from a proactive and a reactive perspective was my goal as of talking with you today, Martin, and I appreciate it, you putting me on here and giving us that voice to spread the word about this.

Martin Hinton (42:08) Well, I will, I will, without any hesitation say I'm a huge fan of heavy and veteran-owned businesses. So if you're a small business owner watching this, you're unsure about what to do. You're unsure about your situation. You've heard some horror stories from your business community in your state or your local community. Within our show notes, there'll be links to Joe Wright's company and you can find him on all the easy places. They're not hiding because they're in business, but those links will be in our show notes. And have a conversation. That's my, you know, advocacy journalism is part of this. One of the things in America that is the core of our economy is small and medium sized businesses. It's a huge part of the economy.
And I think it's, it's underserved with regard to the awareness with regard to the importance of cybersecurity, the importance of these things, the importance of having an incident response plan, their vulnerability to cyber risk. And again, for the good of us all, have a conversation, get in touch with Joe, get in touch with Blue Team Alpha and see where you stand. I don't know where your particulars are with how that works, but I'm sure a conversation and some idea would be welcomed by you. Unless it's... Yeah, sorry.

Joseph Wright (43:19) Yeah, absolutely. Yeah, conversations and things of that nature are no charge. We'd love to talk to people. I love to talk to you. I love talking cyber with anyone. Coffee, whatever. So yeah, anytime.

Martin Hinton (43:36) Well, Joseph Wright with Blue Team Alpha incident response organization. Joe, it's been a real pleasure to talk to you. I hope that everyone who watched understands that if you've got a question or any other comment, please leave it down below. And again, Joe, an absolute pleasure to chat with you. Really, really interesting. Again, everyone, I'm Martin Hinton, the executive editor of Cyber Insurance News and Information. Joe Wright was our guest today with Blue Team Alpha. Really glad to have him. Got comments, questions, drop them in below wherever we are on whatever platform. Thanks so much for watching. Again, if you don't, please like, follow, subscribe. We need your support to grow and we want to bring more information like this to communities that do really need a greater level of cyber resilience. So again, thanks so much for watching. We'll have another podcast soon and we're really, really grateful that you tuned in. Take care. All right,