How working for the Hong Kong Police felt like winning the lottery for Paul
How the pandemic changed many companies’ methods of operating
The two reasons why the percentage of risk of breach of a company is lower in Asia
The importance for a company to discuss what they want to protect and what the value is
The emphasis on needing to understand how to use third parties the smart way and the need to practice scenarios to test readiness
Some other titles we considered for this episode, but ultimately rejected:
Having Processes in Place With the Right People Is Critical
How Much You Are Trying to Spend on Security vs What You Are Trying to Protect
Protecting the Important Things Without Going Overboard on Spending on the Latest and Greatest Tools
Speed is Everything
This episode was produced by Stephanie Ng.
Read the best-effort transcript
Read the best-effort transcript below (This technology is still not as good as they say it is…):
Read the best-effort transcript below (This technology is still not as good as they say it is…):
Michael Waitze 0:03
Hi, this is Michael Waitze and welcome back to the Asia Tech Podcast. Today we’re joined by Paul Jackson, the Regional Managing Director APAC for Cyber Security & investigations at Kroll. Paul, thank you so much for coming on the show. How are you doing?
Paul Jackson 0:16
My pleasure? I’m doing great. Thanks. So it’s great to be talking to you, Michael.
Michael Waitze 0:20
It is my pleasure completely before we jump into the main part of this conversation can get a little bit of your background for some context.
Paul Jackson 0:27
Sure. This could take up the whole hour. Just very quickly. So look, I came out to Hong Kong in 1988. So quite a while ago now. And I joined the Hong Kong Police. You know, back in the day, I was an engineer, but didn’t really want to do engineering. So I wanted to do something more exciting. I’m quite an outdoor person and police just appealed to me. And by chance, I stumbled across the Hong Kong Police. And it was like winning the lottery for me. So it was early days were chasing smugglers and speedboats. And then I moved on to technology in the mid 90s. When things changed because of my engineering background. They asked me to get in technology, cyber policing. And it was the sort of era where internet was just starting. And mobile phones were just happening. So my background fitted in nicely to that agenda. What I loved it from, from the get go is an exciting new world of dealing with technology in arresting bad guys arresting bad guys. Yeah, for the next 15 years. That was all I did really until eventually the lure of the private sector came along and I jumped ship in 2010 to JP Morgan.
Michael Waitze 1:32
Oh, wow. Can I ask you this though? Where are you from originally?
Paul Jackson 1:36
Oh, yeah, I’m from the UK. So born in alvia. I’m British apologising for gifts.
Michael Waitze 1:44
I’m American. How do you think I feel? I want to ask you this, though. Is there a thing, right? Because I’ve got another buddy whose dad and you’re not his age, you’re closer to my age. But his dad also did the same thing left the UK came to Hong Kong joined the police did kind of a similar thing, obviously much older than you so didn’t get to be involved in the cyber thing. But is there something happening in the UK that says like excitement is in Hong Kong? Go there join the police? Or was it just something you decided to do on your own? You know what I mean?
Paul Jackson 2:12
Well, it was quite a bizarre story. Because you know, setting the pub on lunchtime, as you do when you were a student, I’d been planning to join the UK Police, because just policing did appeal to me. And by chance a friend walked in. And he put a newspaper down on the table and said, Oh, you want to be in the police? Why don’t you join the Hong Kong Police. And there was an advertisement there for joining the Hong Kong Police in the British newspaper. And I looked at it and thought why not applied and very luckily got the job. Do you
Michael Waitze 2:39
know when the texting was coming along that there was this paradigm shift that was actually taking place? I mean, I because in my business was kind of the same thing. When I showed up at Morgan Stanley in 1987. I literally had a Tenki. With, it’s hard to explain what it is like what an accountant would have had on his desk in like the 1940s with that little piece of paper on it. And every time I hit Enter, it would print on that little thing. But I could feel the tech coming. Could you feel it as well? And did you make a conscious effort to join that tech thing?
Paul Jackson 3:05
I could definitely feel it coming. It was a massive shift. It’s seismic almost right this Yeah, you know, and I saw it happening in the in the in the 90s. And this was, you know, when I joined in 88, it was typewriter still carbon paper, multiple copies and and then we move very quickly and you know, things just moves so fast in the 90s into the computing year into the digital age, and policing struggled, you know, cops, to that point, they would have no technology background, and I was just luck that I had done computing and as part of my university degree and background and they needed suddenly the policing world needed people like myself with that technology knowledge. It was a real, real psychic change.
Michael Waitze 3:52
What do you think was more exciting for you riding around on the boats chasing smugglers or like actually getting involved in a ticket? Because the smuggling thing is, it’s like uniquely local? Do you know what I mean? It’s literally like right off the coast. And like once you get further away, like you’re not smuggling anymore, you just fishing it away. Right? But the tech stuff is everywhere.
Paul Jackson 4:11
No. Yeah, definitely. I mean, look, yeah, the smuggling stuff. It was real Miami Vice and a lot of fun, you know, for a youngster better. Yeah, you know, when I think the technology stuff was game changing, it was truly global. And, you know, it felt, you know, at the time a real paradigm shift in the way that policing was done. And I was just really proud and excited to be a part of that. A real pioneer in that world.
Michael Waitze 4:36
And what got you to JPMorgan? You know, I used to because you now you know where I was, I was at Morgan Stanley and Goldman Sachs. So when I see you at JP Morgan, I’m thinking okay, what was he actually doing there? That would be familiar to me
Paul Jackson 4:47
very little, because if somebody if somebody you know, got to know me in the business there then it was probably for the wrong reasons, because I ran investment and there For looked at internal investigations, but I was initially employed to do that within the Asia Pacific region. So it’s still based in Hong Kong. Okay. But I brought the knowledge that I learned in the policing world about forensics, computer forensics analysis of computers, and basically learning how to tell stories from digital devices. And, you know, explain that in layman’s terms to understand what actually happened during an investigation. So I brought that into that sort of technology into Asia, and it was looked at from the US as well, that’s pretty good. And would you move across to the us and help us build out a consistent platform globally for doing investigations and forensics. So, of course, that was quite an honour. And I took the opportunity and moved across to New York, always treated it as more of a secondment, but yeah, moved across New York and ran global cyber investigations. And it was timely because I was allowed to build out a big team, which probably the leading I would say, team in corporate America. And well, as we know, I can’t talk too much about it. But historically, in that time, JP Morgan suffered a very public major bank breach. And this team excelled in the investigation of that, of that case. So it was a, it was timely, and it was very important. And, you know, I was honoured to be a part of building that whole structure out.
Michael Waitze 6:30
Without getting into specifics. Can you talk a little bit about what that investigation entails? Just for people that don’t really understand this idea of forensics in general, but computer forensics in particular? It’s so What year was this? Just out of curiosity?
Paul Jackson 6:47
Michael Waitze 6:48
I guess I’m not that long ago. In other words, a lot of stuff has changed in some senses. But in some cases, a lot of stuff hasn’t changed, right? We had connectivity. We had throughput. The cloud was kind of there, there were some things going on, once you feel like something bad has happened, what is the kind of call to action? And I want you to remember this afterwards to like, what changed internally to make sure that like, this didn’t happen again. You know what I mean? Like, was it a clarion call people like, Oh, for God’s sakes, why, but first of all, what happened? And then how do you fix it?
Paul Jackson 7:17
Yeah, so that’s, those are very good questions, and few people realise the need for speed. Yeah. When there is a an incident involving, you know, a data breach or hack, digital evidence is transient. And it needs to be preserved as quickly as possible, and logs disappear. They get overwritten evidence in what we call digital memory, or RAM is transient, and is overwritten quickly. And these pieces of evidence are crucial to understanding what happened in a case and understanding whether the attackers traverse the network, whether they built in backdoors, how they actually, you know, gain the entry in the first place, so you can fix the systemic problems. And all these questions need to be answered during the course of an investigation. And unless you’re positioned to capture all that evidence quickly, then you’re it’s just guesswork. And so many times I’ve come into investigations whereby it’s just been too late, and all of those questions will be answered. And therefore, you’re basically making assumptions, and just trying to hypothesise of what may have happened. And you’re also guessing as to whether you’re still at risk. So, in these investigations, the the one example I cited is one of very, very many Sure, the ability to have captured that evidence quickly to have plans in place of incident response processes, and the right people, and the right support is critical. And that kind of segues nicely into the work we do here at Kroll, which is exactly what we do. We like the fireman for the digital world. We’re here to respond quickly to make sure that evidence gets preserved quickly and make sure those questions can be answered. And the stories can be told about what happened during during an incident.
Michael Waitze 9:08
So I feel like in my lifetime, you have to know this. I was a systems administrator Morgan Stanley when I first joined like this tech team called fixed income research, right? We supported the fixed income trading desk. And I remember when we first started installing Sun workstations across the whole floor, right, this was 1990. Oh, God, I want to say to now it’s a long time ago. Yeah. Yep. But back then the internet was like barely a thing. And maybe it was 93. And I could literally once I figured out and I actually went and did a course for Sunday in New York, right? So I understood a lot of sysadmin stuff. You could literally sit there in your desk and like telnet into amazon.com. You could because back then like nobody was thinking about security in the same way that we are today. So a lot of stuff has changed. But if you look at it now at scale, I like to talk about Asia because that’s where we We live right in, that’s where most of our experiences are. And a lot of the listeners are here as well. Can you make some sort of distinction between like what’s happening in Asia? What’s happening in the rest of the world? And how it’s different?
Paul Jackson 10:10
Yeah, absolutely. But going back to your first point, convenience is still king. Yeah, for sure. Yeah, you know, the oldest stuff used the towel nets, etc. Were all about convenience, remote access, being able to do things quickly, without being need to be physically on site. And not the pandemic changed a lot of the ways that companies operated because convenience again, became necessary, right, I get into my systems from home, could I you know, quickly do things that I used to do in the office when I’m remote working
Michael Waitze 10:42
it can we point out that a typical manager, right, cares about cybersecurity, but you’re right, they were home for the first time, their boss is now in Atlanta yelling at them for like, some information and like, I don’t care what it takes, I have to get that file, I have to get it. And there’s some gal or some guy in it just going like, Okay, I’ll do it. Do you know what I mean? Like, there’s so much internal pressure that doesn’t get talked about? And that’s where breaches happen. In some cases? No.
Paul Jackson 11:05
Definitely. Oh, absolutely. You know, KPIs metrics, these guys aren’t measured on, you know, cybersecurity, they’re measured on business and success, right. So that’s where they can undermine lies. And I think that’s a constant battle, it hasn’t really changed hasn’t really evolved. Except that I would say that security now at the board level, you know, in those days, back in the day, it never really hit the board’s agenda. And now we are seeing that it’s, in fact, this year, you know, surveys have shown that it’s the top tops, the list of most challenging issues for boards to deal with is cybersecurity. So it is finally hitting their agenda. And, you know, it has been made part of the business process, if you like, or business leaders to be incorporating cybersecurity into what they do and be measured on it, importantly, be measured on it. And that’s the big difference.
Michael Waitze 11:55
But this is a really big difference. Right? In other words being measured on it matters now at scale, right? This is where you get back to these KPIs and OKRs. Around You said earlier, nobody really cared about it. They just cared about how the business was growing. But you could literally do a billion dollars worth of business. But if somebody kind of hacks in and does something bad cybersecurity wise, and it cost us 750 million bucks. Nobody’s gonna care about this billion dollars of revenue. Yeah,
Paul Jackson 12:18
it’s absolutely true. It’s great to see companies taking notes for this. So go back to the difference between Asia perhaps and the rest of the world. We’ve seen like, yeah, like in maturity, you know, to answer your question. And there’s definitely been a slow uptick in this recognition that security and business reputation and future prosperity go hand in hand. And we are seeing companies taking this more seriously. And I think, you know, that some of the metrics that we recently highlighted in our state of incident response. were interesting, because they did highlight a gap between a recognition of where there has been incidents because in the US, there were very high numbers of reported incidents occurring within organisations, more than 90% of organisations reported that they had a breach where the numbers were far lower in Asia. So we surmise that this is because of two reasons. Firstly, unwillingness to report
Michael Waitze 13:17
didn’t happen, yet.
Paul Jackson 13:19
Yeah. Well, let’s let’s fix fix the computers, rebuild them and carry on. That’s a very, you know, negative mindset. And it doesn’t address the root causes of the problem in the first place. And it leaves them open to future attacks of a similar nature. It’s also been driven by I would say, in the US and in Europe, in particular, there are very strong reporting obligations for when there has been a data breach. So you know, you have to be about this. You have to you have to report when there’s been an incident. Otherwise, you face punitive actions. In Asia, this has been slow to catch up, but it is catching up. So companies are now compelled to report when there has been breaches of personally identifiable information that they hold who compels
Michael Waitze 14:04
the reporting in the United States or in the West. I’m presuming there’s a GDPR angle to this right as well, in the sense that if some data if there’s a data breach obviously needs to get reported. But who was changing the reporting mechanism in Asia? Is it regulators?
Paul Jackson 14:17
Yeah, a combination. So regulators obviously will only change things for organisations that they regulate. Right. So financial regulators will obviously regulate the bank and compel them. It does depend on the regulator who they enforce it on. But also, you know, data protection laws are generally driven by, you know, a Data Protection Authority in that particular jurisdiction. Now, in Asia, we’ve seen almost every country introducing laws to protect data, and that is good thing. The trouble is the city for enforcing these laws hasn’t reached the same level. So there’s no stick there’s no stick to it to end force currently these laws, it is changing, it is advancing. But you’ve got to feel for some of these organisations, this is a very complex field, and to have the right people, the, you know, the investigators, etc. To be able to determine how and where a company has breached these data protection is not is not trivial.
Michael Waitze 15:18
Like I just keep thinking about the interconnectivity all the time, right. And mainly because I’ve just seen it change. You know, I remember, again, I’m dating myself a little bit, but I remember a guy in my dormitory carrying around one of those little Mac’s, do you know anything with the handle that was kind of embedded into the thing. And that basically changed my whole view on portability of technology and writing papers. Because before that, I was doing it all on a typewriter, as you suggested, but then they were LANs, and WANs. And all these types of connectivity. And it still seemed like you said, a little bit simple and a little bit convenient, I can now log into the directories in London, and then I can share files with them easier. Nobody really thought about stealing stuff. But now you have the cloud, you have internet connectivity, I mean, I have 500 megabits up and down in my home, not to mention in my studio, like all the connectivity, all the throughput, all the compute that we have quantum is coming, like, are things just getting too complicated? You’re gonna be like, is this a constant cat and mouse thing that’s just gonna keep happening forever? It’s not gonna get solved, per se. Yeah, well,
Paul Jackson 16:20
these are really good questions. And it’s, they’re tough to answer. Because technology does evolve at such a rapid pace. And the simply the size and the scale of some of these breaches of the systems that are involved and the the massive amounts of data that have to be ploughed through, make incident response, just an incredible challenge. Yeah. But that’s where we have evolved as well, because we build tools that are capable of sifting through the noise of finding that needle in a haystack, almost the you know, and, you know, it is a constant. Yeah, cat and mouse, you know, keeping up, you know, arms race, almost, with the threat actors, but building those capabilities very hard, you know, in government, especially, because, you know, the private sector tend to poach the best people, and higher pay, but pay a bit more. And therefore, I do feel for government, as a former police officer, myself, I, myself recently hired two former police officers. And yeah, I do feel guilty because it reduces their capability. But on the other hand, we also need to have that top notch level of capability. So the reality is, those government bodies, regulators, privacy commissioners, etc. They do struggle to attract and equip the people to do those kinds of investigations. So, yeah, it is really a massive challenge to keep up with this, before I
Michael Waitze 17:41
get to the tools that you use, because I’m really curious, like, what you’re looking for, you know, I mean, in other words, if I build a house, right, and I don’t put any locks on it, somebody breaks in and steals like the diamond earrings, I kind of know what to do. First of all, I gotta put locks on the front of the house and all this other stuff. Right. So I want to know what those tools are in a second. But more interestingly, at least at the beginning, is were you surprised if you go through all the data, because the breakdown in this report is actually pretty interesting. But one of the pieces of the data that stuck out to me, and I’m just curious what you think about this is that the insider threat in Japan was zero. Like, are you familiar enough with Jim, I just thought it was funny, like as a market that, at least from a reporting perspective, it was like nobody inside here is gonna do anything wrong. We did that surprise you. You know what I mean?
Paul Jackson 18:28
It isn’t it didn’t. I’m quite sure there is an issue there. It’s just that
Michael Waitze 18:35
nobody just liked the way it fell out.
Paul Jackson 18:38
Yeah, I agree. So I was actually in Japan last month. And we did a public seminar on this. And it was actually debated with the audience as to why this might be. And again, the consensus was, it was really more of a cultural response rather than a realistic response. And we’re pretty sure it’s just as endemic there as it is in other parts of the region. But yeah, the insider threat is a worrying one, because that is so hard to defend against, yeah, technology is traditionally deployed to protect the perimeter. So in other words, to stop the bad guys getting into the network, right. However, if an insider who always has already has trusted access has been compromised, or has been in some way subverted to do something wrong, then you have a different kind of problem on your hands. So the way we look at this, we often talk to companies and say, look, it’s all very well testing your perimeter, you know, doing what we call red team or penetration testing type attacks on the system. But you’ve also got to look at it from the inside out, what could an employee actually do when they’re sat at their desktop? So in other words, equip our folks with that same level of access and see what they can do and how we can detect any errant behaviour on the part of those insiders. Because, you know, like it or not these days, we have to trust our employees as much as possible, but we do have to also monitor and be aware of any anomalous behaviour coming from an employee system. So these are challenges, then there are tool tools go back to your question about tools, there are tools which will help detect aberrations or you know, anomalies in in behaviour of a computer system. But that’s not the be all and end all and crawl we kind of sit independently, we don’t make any of these tools, which is what actually most of our clients like, because we can guide on which tools work most effectively, and fit within budgets and also fit within their needs, what threats are they trying to defend against? You know, what’s their major concern? What are they trying to protect? Very often companies don’t ask these kinds of questions, because leadership don’t get involved, right? It’s left to an IT guy and it you know, IT security guy to decide what tools will work best. And really, it’s a business decision, what do we what are we trying to protect here? What’s the value, you know, and, and those are the kind of inputs that are most needed when you’re choosing tools. So we can often hit sit with clients and help them decide which which tools might be the most effective for their, for their budgets, and keep the cost. Because, you know, at the end of the day, the struggle is really about how much you spent on security, versus what you’re trying to protect
Michael Waitze 21:22
when I was at, you won’t believe this. But when I was at Morgan Stanley, I used to manage the data centre that we had, which means that back in the day, I would actually come in and change the tape decks that rotated around to do the backup, you’re laughing. But that means you understand. That’s why you’re laughing, because you know that, you know that I actually did this, because you cannot make that up. But it always felt kind of safe to me. Because, again, that door had a lock on it. That was an internal network. You know, all this stuff that I read says moving to the cloud makes it more secure. But to me, it just feels like it’s further away from my control, like, how does that help or hurt? Just for my knowledge? Do you know what I mean? Like, is that better? Is it more secure to be on the cloud? Because somebody else is managing the security? How does that work?
Paul Jackson 22:08
Yeah, so there are pros and cons. Now, obviously, those who are managing the security of the cloud are very skilled at it, there’s their cloud, right? So they are experts at protecting the perimeter. But But what you’ve got to realise again, is this is like a big room where you store your computers, where you put your computers, it is just virtual, it’s in the cloud, you still have to sponsible for your accesses your permissions for your, how you configure the systems there, etc. So yeah, it’s a bit of a fallacy to say that you obviate your responsibility for securing the environment to the cloud provider. And the reality is, this needs just as much testing and actually more advanced understanding of the cloud to really help protect clients, because we actually bought a company because we recognise this, we bought a company who specialised in this, you know, security compass. So they have cloud specialists, and we help clients day in day out to test and assess their security configurations in the cloud, to make sure that they you know, they’re not going to, you know, build any weaknesses into their platforms.
Michael Waitze 23:11
Have you seen a mindset change in this, particularly as things get more distributed, where big companies are now you said, have made it to the board, but have you where now it’s easy to go in? And like, say, you guys should really pay attention to this where maybe five years ago or seven years ago, you’d walk into, like, we don’t have any security problems here? Do you know what I mean?
Paul Jackson 23:27
Yeah, definitely. Because, you know, without a doubt, boards are becoming more and more aware that they are actually getting hit their companies, you know, where there may be minor incidents. But you know, the numbers show the statistics show that even even though we’re lower in number in Asia, right, theoretically, you’re still high, but they’re still high, they’re still very high, you know, the numbers of organisations who are being impacted with cyber incidents. And therefore, of course, the board is aware that these things are going on, and they are damaging to their companies and damaging to reputation. So yes, the emphasis is being put on it from a leadership. I love doing board briefings, because you know, this is becoming a bigger and bigger part of my work is going and sitting with boards, because they’re smart people. These are intelligent people. And they ask the right questions. And I can see clearly that they want to understand more, but they’re very often not getting the right answers from their internal teams. And they sometimes feel maybe their cybersecurity teams are battling them with I can’t say the word but you know, battling them with technology shows, and you know, they’re not getting the clarity that they need. So that’s one of the major concerns I find from these board briefings, they really want to understand and really want to be able to make decisions, but they want things explained to them in business context. And in a way that makes sense to them.
Michael Waitze 24:47
Yeah, I mean, there’s an ROI aspect of this right you had a small companies compete because as this becomes more complex, and as it becomes more endemic, right, you It’s gonna become more expensive to protect. Right? So like I said, when I built my house, I could just, you know, put some alarms on it and stuff like that. But these massive companies are building entire units just to I mean, they have Chief Security Information Officers, we know that right? How do small companies try to keep up? And like, is there a tipping point from a cost perspective where you just have to pay this to get the right protection? Yeah, this
Paul Jackson 25:25
is a great question. Because you’re absolutely right, you know, the kind of the kind of budgets that the JP Morgan’s of this world are outstanding, you know, just is, is different, it’s just different. Yeah, it’s different. It’s different world, right. So we always say that to look at smaller companies, it’s more about the people, it’s more about taking care of the basics. And, you know, the cyber Hi, Jean, as we call it, you know, just fixing the low hanging fruit, we work with a lot of smaller companies, for example, you know, because Kroll is a large firm that, that works across multiple different towers such as valuations, and etc. So we work with a lot of small companies like hedge funds, you know, PE funds, etc, these are small firms that have high value, or dealing with high value monetary wise, but there are only maybe 1020 people right in the companies. And these are good examples of companies with a lot to protect, but not really the staffing to do it. So, you know, we try and devise simple, we call them productive retainers where we work with them to fix the very simple thing. So we look at, you know, their, their setups for email, for example, making sure that they’re properly configured, because email is one of the main vectors for attacks, you know, through social engineering, etc, or through hacking, phishing emails, like I get exactly right. And, you know, making sure that their infrastructure has the basic configurations all tested and checked, and you know, that their employees are well educated that their employees understand the risks of social engineering. So it’s a lot about the human. And, and those are fairly simple, straightforward steps that they can take that don’t cost a huge amount and can really save them from from the low hanging fruit type of attacks that the bad guys go for. The second area, I think, is monitoring. So you know, handing over the monitoring of their network to an organisation, such as ourselves, you know, who really understand the threats really are able to detect for them and, and prevent them before they actually become a reality. You know, it’s about using third parties in a smart way, I think, you know, protecting the important things without going over board on spending on the, you know, the latest and greatest tools that may that may be out
Michael Waitze 27:40
there. At some level, I feel like a big cyber attack is like a natural catastrophe like, and there’s not cat insurance, I don’t know how familiar you are with the insurance industry, but like not cats, a big part of the insurance industry. And with, again, all the things that we’ve talked about, it just brings up this idea of parametric insurance for me, right? In other words, if somebody hacks in and there’s some notification or some system that you’re running to monitor, it goes off, it feeds real time data that’s confirmed, right third party analysed, goes directly to a parametric insurance engine, and then triggers a payment, like, how important is the insurance angle here? And you work with the insurance companies on the flip side with their actuarial teams to say, how likely is this risk? Do you want to because you’re working both sides of this?
Paul Jackson 28:28
Yeah. So insurance firms, it’s huge. I mean, it’s one of the biggest drivers of our work, because we’re on the books of more than 60 insurance carriers across the globe, as a provider, so a fireman going back to my previous analogy for when something does happen. So insurance, cyber insurance is a big thing. And, you know, most mature companies do have cybersecurity insurance protection. So what happens when when that gets triggered, is that the insurance companies will bring us in, they will pay our fees for for putting out the fire. And, you know, it’s interesting, the way things work, because we also, you know, constantly in contact with the insurance companies, and we do feed back our intelligence, you know, to them, so to help with their actuarial data to help them to assess the insurance worthiness is that the right word of a client, and, you know, and also to understand what risks they’re taking on because a few years ago, they were, you know, giving away insurance, almost cyber insurance. And then the ransomware wave came, and they ended up paying out huge sums of money through insurance to their affected clients, and they realised they needed to tighten up on the cyber insurance, make sure that there was a degree of security assurance within that organisation so that they were, you know, they, they were meeting certain standards. You know, if you think about a car, you know, you’re not going to insure a car unless it’s had its mot, worthiness roadworthiness tested, and it’s a similar thing now for cyber insurance in your company has to prove prove that they are cyber safe, or at least to a certain degree before they can be insurable limits have gone up and the cost of insurance has gone right up. So it is more challenging to get. But then companies are seeing the costs of a breach, and they realise it is a necessary thing to get to get cyber insurance. So it’s, it’s a very interesting space and one that we operate very heavily in is ever evolving.
Michael Waitze 30:24
Do you want to understand what the landscape looks like? Before I let you go just in in Asia, in particular, like how ready are companies really for this? I feel completely unprepared. I do a lot of data protection stuff. But again, I’m running a small company, right? And I’ve actually been with people I’ve been sitting with somebody, I kid you not. When somebody hacked into their website and changed like, everything, as we were just like sitting there and that feeling of oh, my gosh, what do I do now to fix this is scary.
Paul Jackson 30:55
It’s a horrible feeling. Look, I’ve been there, you know, and it’s really horrible. When you realise that you’ve been you’ve been breached? Yeah, your all your hard work has been compromised, you know, your business is falling apart because of, you know, you basically had your, your data encrypted, or your systems have been knocked over. It’s an awful feeling. But then I think to myself, you know, when we get calls from companies like this right out of the blue, they’ve maybe Google us or GM, you know, that maybe their insurance company has told them to call us. Well hang on a minute, why didn’t you plan for this in advance, right, we’ve now got to go through contracts, we got to sit arguing over limits of liability and indemnity clauses on a contract, before we can even start work. And going back to my point, rather than beginning speed, if you’re not prepared, P does everything, speed is everything. And you’re you know, every day that goes by negotiating contracts, or trying to get things set up, you are losing the opportunity to you know, to fix this quickly, a fix this quickly, and be minimise the costs of an event. And it just really frustrates me that organisations only come to us as a knee jerk when something bad has gone wrong, they haven’t anticipated this, and preparedness is everything. So, you know, luckily, I mean, and the the survey again highlights this companies are getting better at being prepared. And we are seeing it, I want to finish on a positive note, we are seeing companies now taking more steps to be ready. So they are coming to us to you know, to get retainers, we call them Incident Response retainers, so retainer is key, you know, get everything set up, have somebody on call, you know, we got SLAs we can be responsive within within minutes, really to an incident, you know, and make sure that you’re testing the playbooks as well, you know, do crisis simulation exercises, set up a scenario realistic scenario and then go through it before it actually happens to you. You know, it’s it’s so much better to practice it in a in a safe in a safe way, rather than learning the hard way during a real incident. So all these kind of common sense, like almost common sense steps that we are seeing companies now finally taking but it’s been a long journey to get to that point.
Michael Waitze 33:03
Yeah, I mean, let’s end on this. I remember when I was much younger, and I was sitting on the trading desk at Morgan Stanley and Tokyo, and I was reading this article on Bloomberg and one of the quotes said, the person who’s most prepared, always wins. And I literally cut it out. Right? I screenshotted it and then I printed it out and put it on my monitor just so I knew and I think you’re right. The person who’s prepared, most prepared, always wins. Anyway.
Paul Jackson 33:30
I couldn’t have said it better. That’s that’s a really good way to end.
Michael Waitze 33:34
Thank you so much for doing this. Paul Jackson, Regional Managing Director APAC Cyber Security investigations at Kroll. We got to have you back. That was really awesome. Thank you so much for doing that.
Paul Jackson 33:45
Thanks so much Michael. Really enjoyed it.