Privacy Please

S5, E216 - Mid-Year Check-In: AI Governance and Ransomware Resilience

Cameron Ivey


As we reach the middle of the year, the focus is on responsible AI usage and the advancement of privacy measures, emphasizing their significance in both personal and business settings.

Our discussion then turns to a more serious topic: the alarming increase in ransomware attacks. Occurring approximately every 17 seconds and leading to the compromise of billions of records, there's a clear need for strong data protection and recovery strategies. We delve into the evolving nature of these cyber threats and explore what businesses can do to protect their operations.

Additionally, mark your calendars for our live show on July 16th featuring special guest Amit Danneberg, who will share insights on integrating privacy and security into business practices. 

Source - https://www.itgovernanceusa.com/blog/data-breaches-and-cyber-attacks-in-2024-in-the-usa#april-2024


Speaker 1:

All righty then. Ladies and gentlemen, welcome back to Privacy Please. Cameron Ivey here, hanging out with Gabe Gumbs. How you doing, Gabe? I'm good, how you doing?

Speaker 2:

Doing well, doing well, getting ready to celebrate the independence of days. Yeah, the independence of the days. Yes, the independence of the days, ah, yes, the old tradition of the forefathers.

Speaker 1:

Yes, the independent. Ah yes, the old tradition of the forefathers. Buy some overly priced, expensive fireworks and take the chance of blowing your fingers off.

Speaker 2:

I'm ready for it. I mean, sounds, sounds like tradition, that ain't America. Yeah, I don't know what it is.

Speaker 2:

I don't know what it is. I don't know what it is. M80s and apple pies, they go well together. They go well. I hope everyone does stay safe out there this year. Like, unfortunately we're joking, but it happens and I'm only half a degree away from someone that it happened to once a few years back and, oh man, not good. Like you're not interested in this kind of trauma, they lost four or five fingers on one hand. It's just not good. Be safe. Don't do anything stupid. No drinking and driving. No setting off fireworks while drinking and driving.

Speaker 1:

Yeah, you don't want to be down the road where your friends nickname you nubs.

Speaker 2:

No, that's right, there's three headlines you don't want. John was breached by ransomware. Sorry, John. Six months later, John has still not come back online because he was breached by ransomware. John lost four fingers in a fireworks drunk boating accident.

Speaker 1:

John's not doing so well.

Speaker 2:

John has some real deep, introspective, you know, time he needs to spend really looking at himself in the mirror, asking himself: why, John, why? Why are these things happening to me? Apologies if your name is John. Yeah, sorry, John.

Speaker 1:

There's a lot of Johns out there. That was a good name to pick.

Speaker 2:

John Doe, that's the John I'm talking about.

Speaker 1:

You know who you are, Mr Doe.

Speaker 2:

Mr Doe knows who he is. He's always getting into some kind of shit. I love Doe.

Speaker 1:

Yeah, fried Doe.

Speaker 2:

Yeah, fresh bake is good too. Fried Doe. Every country in the world has their own version of fried dough. Everyone out there knows what I'm talking about and they're just fabulous. Some people, some countries, sprinkle, you know, like confectionaries on it, like powdered sugar, other stuff. I'm full of savory stuff. Some just, some just serve it with butter, some just serve it as is.

Speaker 1:

It's fried dough, man. So, speaking of that, I don't know what made me think of this, but, um, have you ever made pancakes? But instead of making them pancakes, when you pour the batter into the pan, start to break up all the mix and then make it into like little pieces. So then you pour those little pieces into a bowl and then you dribble, you know, blueberries on top. I take like powdered peanut butter and mix it with egg whites and then pour that on top. Holy moly, and it's, it's like eating a healthy, 'cause I make protein pancakes. It's like eating healthy. Like what's that dessert? That's like the fried.

Speaker 2:

I don't know. We fried fried funnel cake.

Speaker 1:

So it's like. So it's almost like a funnel cake, like bowl that I make. I'm going to need to go back and re-listen to this episode such that I capture that recipe again, because I am, so it's yummy and you can make good pancakes out of cottage cheese eggs and like protein powder or something to give it like a flavor, and then make pancakes, maybe some oatmeal in there or something with it to make it a little thicker it's good anyways, I like it yeah so, speaking about let's, let's, let's talk a little bit.

Speaker 1:

This is like our halfway point in the year.

Speaker 2:

We are just about halfway in the year. It moves fast, doesn't it? Every year it happens.

Speaker 1:

And here we are about halfway through. You know what doesn't move fast?

Speaker 2:

Yeah, the rated interest compounds.

Speaker 1:

Actually, you know what does move fast? That definitely doesn't.

Speaker 2:

The ones and zeros ticking up in my bank account. Those don't move as fast as that.

Speaker 2:

Yeah, those are very slow, yeah, I was going to say. Increasing number of commas. Shit, those have been going up too fast. Those have been going up too fast. We're only, I don't know, a few months out before the salty soothsayer returns and reviews some of his predictions for the year, but we figured we're halfway through the year. Let's check in so far and just, you know, how we do it, how we do it. We pulled some of the naughty numbers, but why don't we start with the positive?

Speaker 2:

I think there's some good things that have happened this year so far. I mean, I'll open up with a couple of things. I think one of the things that we saw was some really, really great conversations around AI, governance and responsibility. We spent a ton of time talking about how AI was all the doom and gloom and the world was going to end and all the privacy was going to be violated, et cetera, et cetera, and we definitely had some incidents and there's still a lot of work to be done. But we saw some really, really great progress on the larger conversation about how we leverage it as businesses, as individuals, to improve our lives and our businesses. But how do we do that in responsible ways? I thought there was really good work around that.

Speaker 2:

I think in other sectors of privacy and security, some other really good things that have happened. I think privacy tech is really starting to settle into its own, if you would. I think it is moving away from just, oh my God, we're just going to buy a cookie banner thing and throw that up and that's privacy, to really start investing in technology that enables the business to execute on its privacy goals. I think we see the same thing from security. I think we see some really, really good advancements in how we approach security, not from just a tooling perspective, but from a risk perspective. I think things like ransomware have forced us to do that. It's okay, there is, you know, the change is here and we have to change. With what else did you witness so far this year in the privacy and security world that you want to give a shout out to?

Speaker 1:

Everything that you said, but on top of it, you know, you can see the shift in the privacy community in terms of new positions coming out. I think the voice is out there a little bit louder in terms of "I need more support for my security teams," um, that kind of thing, which is great to see. And, like you were talking about, the AI governance thing, some laws, it seems like, extremely quickly put together and put in place. To be in this era, I mean, you know, being born in the 80s, I've gone through almost everything, just like you have, in terms of technology, and it's fascinating to see the rapid speed of AI and privacy and state privacy laws as well, like with APRA, seeing some progress in terms. I know there were some cancellations by the committee, but it's kind of cool to see that they're pushing for something bigger like GDPR over here in the States.

Speaker 2:

That is good stuff. The not-so-good news, yeah, the not-so-good stuff. We're only halfway through the year and we have seen a staggering 2,741 publicly disclosed incidents of data breaches, and this is just in the United States. And this, by the way, does dip into last year a little bit. So these numbers cover from November '23 to April '24. So there's a bit of a lagging indicator, if you want to call it that. The indicator here would be things are not well. One every 17 seconds. I saw some reports that mirrored similar things, but ultimately, I think we see it in the news. We were joking at the top of the show. There's another one, there's another one, and someone just got hit with ransomware.

Speaker 2:

There it is.

Speaker 2:

There it is before I even finished that sentence. Yeah, we were joking about the headlines, but I was also talking to you, cam, earlier today, reflecting on the trajectory that we've watched ransomware take from being a nuisance. We've seen a lot in technology over the last 30 years and in that last 30 years we've watched it go from nuisance to it'll put you right out of business, from nuisance to it'll put you out of business. And so, yeah, the halfway point of this year is not looking great. I don't know what was the worst of the worst of those months.

Speaker 1:

Who can we credit to this, Gabe? Is this the USA report? Data Breaches and Cyber Attacks USA report, yeah, it is.

Speaker 2:

That's exactly who it is, and we'll drop creds to this report on the show. Make sure we tag them and point out those sources. But that is what this is from.

Speaker 1:

Now, I know you were voicing some strong opinions about ransomware. There's that I don't know if we stated this yet the ransomware and supply chain attacks.

Speaker 2:

They're up there. They continue to be one of the number one ways that businesses are affected, and I mean how do we not have an answer to that?

Speaker 1:

Do we never have an answer to it? Is it just one of those?

Speaker 2:

things that have an answer to what to ransomware.

Speaker 1:

Yeah.

Speaker 2:

Oh, there are answers. There are definitely answers, and it is relatively easy to perpetrate.

Speaker 2:

And the business model has democratized it such that ransomware gangs have affiliate members that can carry out their dirty work and get kicked in for a percentage. As for the answers, you need three things you need to make sure your data is safe, you need to make sure it's recoverable and you need to do so in a manner that doesn't break the freaking bank, because that's the reason why a lot of to your question about what answer do we have? A lot of answers don't get sought or executed on because people choose to do nothing, and then they're not malicious, they're not like, oh well, I just do nothing. They're making shitty trade-offs between what they have to do and I see it every day.

Speaker 2:

But if but those three things that data safe, that data being recoverable and doing it, uh, economically those things will will help you against rash, they will prevent ransomware. They will not necessarily prevent it from going away, in the same way that, like you know, a flu shot doesn't prevent the flu from existing. Um, but maybe I shouldn't have brought up flus. I don't want my anti-vax people canceling. It's like stay subscribed. Stay subscribed. Anti-vax people.

Speaker 1:

They're coming for you.

Speaker 2:

They are coming for me. They know what I'm about to say Don't at me, don't at me, don't at him.

Speaker 1:

Don't at him, don't at him.

Speaker 2:

No, you're not.

Speaker 1:

It's not going to happen?

Speaker 2:

It's not going to happen.

Speaker 1:

It is not impossible.

Speaker 2:

It is not impossible for us to put an end to the scourge. Why do I say that? It's not like these are zero days for the most part, for frick's sake, right. It's not like, oh no, we will never stop a zero day because it happens that fast. Like that's not how ransomware is happening. It's not how it's happening at all. They're dwelling, they're taking the time they get into the stuff, they're hitting the backups to make sure you can't recover like. We have answers. We have answers. If we make it less profitable such that we never pay them, they'll change their mode, their, their motive. They'll change their modus operandi. They'll go to something different. For what it's worth. That doesn't mean we won't then be greeted with a different problem yeah, right am I, am I right now right?

Speaker 1:

Yeah, oh, sorry, go now. I was gonna say, am I reading this right? It says, look at that number, for there's a monthly breakdown, um, for, you know, from, like you were saying, from November '23 to April of '24. What is April? That much more than everybody else? It's like, what happened in April? Am I reading that number right?

Speaker 2:

That number is 4,277,728,098 records breached. You, sir, are reading that number correctly.

Speaker 2:

And there's nothing nowhere near that. That dwarfs everything else. The last one that was that big was in December. There were 1 billion, 1.6 billion. I'll just round it. 1.6 billion. I'll just round 1.6 billion. Actually I'm rounding down. But whatever, 1.6 billion in December. I want to, I want to be intellectually honest there. We're journalists after all. Right, can't you see your little handwritten? It says it right there, press in my cap. I wrote it in the paper and I stuck it in my hand. I am depressed now. Um, what happened in April?

Speaker 1:

Yeah, shit, I mean, it's such a good month, man. Got my birthday in April.

Speaker 2:

What happened in April? There was the, there was that mother of all breaches, but I think that was prior to that. Uh, misconfigured Google Firebase websites that exposed a whole ton of shit. Uh, yeah, with Google. Yeah, no, we gotta go dig in. Yeah, we gotta go dig into, uh, we gotta go dig into that a bit more and see exactly what pushed that number up quite so high.

Speaker 1:

It's crazy, though. Yeah, that's a big. Yeah, I definitely want to know a little bit more about that. But, uh, if anybody listening knows, now's not the time.

Speaker 2:

Now's not the time to get all dejected, though. We can, we can definitely put, we can put a lot of this genie back in the box. Not all of it, but we can put a lot of it back in the bottom. There's not a good enough reason why we should have, you know, four billion records breached in a month, and that's just the US. That's wild. That's just the US this report at all.

Speaker 1:

I'm not sure if I see it, but um, is there a a trend in um organization or, uh, the type of organization that's mostly hit the most particularly?

Speaker 2:

It, it does seem fairly scattered. Um, I mean, there's some clusters, right, like in the healthcare space and such, but it's equally opportunistic. No one's safe because it's easy. Wow, yeah, it's easy. I take you offline, you pay, right. This isn't just even about exposing records any longer. I mean, that is problematic for most businesses, but this is very much a, hey, you're going to get caught in headline number two. Headline number one was we breach you. Headline number two is you're still offline. Maybe you pay us. Maybe you pay us if you want to get back online.

Speaker 1:

It's unfortunate.

Speaker 2:

Not to know that I'm not picking on anyone, but we watched the LA Unified School District. I feel so very had to have been a stressful environment to have been in. They were down for months, down for months, months, months, months. That's another trend we see. Most of the folks, even if they pay the ransom, they're not getting their data back. They don't get their data back even if they pay the ransom. Some folks paid it this year. They got nothing back. There was some nonsense in there. One of the affiliate groups ran off with the money. Whatever, doesn't matter, business is still closed.

Speaker 1:

Oh, I got some. I got some statistics here. I opened, I went a little deeper. Let me see if I can. Oh yeah, you're good, but before we wrap this up real quick, looks like there was, it's between, like, hospitality and leisure, insurance, IT services and software. It's all over the place, yeah.

Speaker 2:

It's all over the place.

Speaker 1:

Well, anyways, this is pretty fascinating Gabe. Anything else you want to?

Speaker 2:

No, it's a good check-in. We're going to do a little blog cast action on it. One of the things we'll be talking about in our next live show, related: we're going to be talking a bit more about embracing privacy and security and how that can really affect the operations of your business. Right? Which is really what we're talking about here today, is these numbers are getting worse, but it's gone from nuisance to put you out of business. So, right, what do we have for that live show?

Speaker 1:

Who's coming on for that live show? Um, that is Amit. Uh, Amit Dannenberg. Um, she'll be on with us, um, on July 16th.

Speaker 2:

I'm excited, looking forward to that. So we've got episodes between now and then.

Speaker 1:

Of course, listeners, but that's the next live show. That is the next live one, so register, join us and we'll see you guys there.

Speaker 2:

I appreciate it, David.
