
Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
Horror Stories Of When Data Back-ups Fail
Shocking stories from a global leader Gabe Gambill with Quorum covering horror stories of when data back ups fail, saving yourself when data back ups fail, and how to get back data after ransomware.
I’m sure you’ve heard the phrase that data is the new gold.
The truth is, it’s more like plutonium.
When managed correctly, it allows you to market the right products and services to the right people at the right time, to increase revenues, overall market your brand better than ever before.
It’s something that is mined and developed, and when lost or ignited can have a nuclear-like devastating effect that spreads far and wide across and beyond an organization, bringing it to its knees.
So what happens after a data breach? What happens after a ransomware attack? What happens if your data is exfiltrated, fancy word for and how do you save yourself when data backups fail?
Crime junkies, this is David Mauro, and today’s episode is all about this. We sit down with Gabe Gambill, who has been instrumental in developing ways of saving yourself when data backups fail across the globe in his role in leadership with a company called Quorum.
It’s one of our better discussions with someone who has seen it all. This is the story about saving yourself when data backups fail and how to get back data after a ransomware attack.
[00:00:00] Come join us as we dive deeper behind the scenes of security and cybercrime today. Interviewing top technology leaders from around the world and sharing true cybercrime stories to raise awareness. From the creators of Vigilance. The newest global technology newsletter translating cyber news into business language we all understand.
So please help us keep this going by subscribing for free to our YouTube channel and downloading our podcast episodes on Apple and Spotify so we can continue to bring you more of what matters. This is Cyber Crime Junkies and now the show.
Welcome everybody to Cyber Crime Junkies. I am your [00:01:00] host David Mauro on this day during the week of Thanksgiving. We are excited about our guest and joined in the studio today is the Mark Mosher, our regular counterpart who is always positive and always assistive. Mark, how are you? I'm wonderful, David.
This is going to be a great episode. I'm I'm excited about Thanksgiving and the holidays, but I'm really excited about today's episode. David, who do we have in the studio with us today? Yeah, so we're, we're excited. We're, we're having Gabe Gambill. We did a a webinar shortly what was it, Gabe?
A few, few weeks back, right? A few weeks back, yeah. Yeah, and it was about the the impact and the differences in the MGM and the Caesars breach. Gabe is a one of the senior leaders at Quorum. He's vice president of products and technical operations. He's responsible for And [00:02:00] correct me if I'm wrong, Gabe, but like the product direction and roadmap, as well as Quorum's cloud and technical infrastructure, right?
And you've been... That's it? Yep, you've been instrumental in expanding Quorum's work. Throughout the UK, Europe, and then beyond. So that is also correct. Yep. Pretty good stuff So tell us tell us a little bit about yourself kind of like what what got you to get into? technology and Cybersecurity in general like what like people have some some kind of interesting Segues into the field.
Yeah, I Went to school for chemical engineering So totally different field I found that, yeah, when you graduate from chemical engineering, most chemical engineers go work in some kind of manufacturing facility or plant of some sort, managing things like a water system or whatever, where you do the [00:03:00] same tests every day for 50 years and then you retire.
That did not really seem to be my... my goal in life. So I kind of took a right turn and went into technology. I started out doing pre sales tech support and moved into being in managed service providing. I worked with community banks across the U S and that really got, it got me into the cybersecurity field and the, you know, disaster recovery field where we managed them from, you know, keyboard to router.
So everything within their bank was under our purview. And you know, doing disaster recovery planning BCP planning we set up a although I wasn't part of the team, we set up a MSSP, so we had a security services for all of these banks, monitoring everything going in and out that really kind of built that platform.
Yeah, so, so you've worked in our field where you're actually. Both kind of at MSP, where you're doing the day to day operations, developing cloud offerings, helping support clients with [00:04:00] compliance and stuff, and then also the MSSP, where it's all of the security operations, pen testing, offense, defense, all of that stuff.
Right. And then from there, kind of took a left turn and hopped onto the Quorum bandwagon and started, managing, you know, the, the team there and just kind of grew within the company and now I do all these other crazy stuff. Very cool. So tell us a little bit about Quorum. Yeah, in my experience and yeah, yeah, I just wanted to preface it like in our experience, there's, there's a couple different flavors of, of it.
There's like three different levels. It seems like there's cloud components, stuff like that. But what's, what's the mission of Quorum? What is it that it does for organizations? When we started out, it actually started as a policy engine used for military application. So if a naval vessel was, say, hit by a torpedo, you could transfer function to another part of the ship to keep things running.
So that is how the policy engine and the original brain of Quorum [00:05:00] kind of came into, into being. When we took it to the commercial side we tried to find our way on how best to leverage that engine to work with things. And what we found is, is in the backup and recovery field that seemed to be the way forward.
And so we took that and we built on that, that mentality of making recovery easy. Coming from an MSP and doing disaster recovery and planning for customers. You know, I remember the days where you had those big binders, right? Yeah, and it's a lot of work for clients. Yeah. And, you know, one thing changes and the binder's no good.
So we had to think of a way to make it as easy as possible and when we originally came to market, we focused on kind of the small to medium business, right? We were working for people to make it so that the one IT guy could go on vacation and they could still recover from a disaster. That was kind of our mentality when we went to market.
Just kind of a long for the [00:06:00] ride. That's still needed today. I mean, we still see that today. Absolutely. That's our bread and butter, right? But as we, as we did that, we really got into a, an idea of, okay, so we can make it really easy, but now because we came from that military background and everything we did was really focused on, you know, when we started, it was all backup.
Everybody focused on backup. Now we really focus on recovery. And so we started that way and that's kind of our DNA is secure, easy recovery. And so everything we did was kind of, You know, like the term immutability is now the buzzword, but we've had that for a decade, and that's just the way our product was built.
And so we, you know, we grew from that. So we grew from a secure, easy way to recover in the, in the, in the event of a disaster. And our initial products were appliance based. So you put it in your environment, you protected your stuff, you could replicate to another appliance and you could do recovery. [00:07:00] Well, then the logical jump from there was to build a cloud.
So we made it so you could replicate from an appliance to the cloud, or you could back up directly to the cloud. And then the, you know, next evolution was cloud to cloud, right? So if you had a cloud service like... Azure or if you were doing Office 365 or Google Office, Salesforce, you know, those kind of things, being able to back up and recover that kind of data as well.
So those were our, you know, three big leaps that we've gone over time to build our product so that it would work in this environment. That's great. Oh, that's, that's excellent. And are you guys primarily in the us Are you, are you primarily US based? We're I, we're also doing work. We're definitely US based UK and, um, but we have a presence in, in the uk, like you said all over the Middle East, Africa, and Asia.
Oh, really? So we're, yeah. It, it, it's weird. In Africa, the appliance model is really appealing, right. Everybody [00:08:00] is very siloed there. Yep. A lot of buildings have their own power, their own thing, so everything is very. Much appliance driven there. And you know, Middle East and in Asia, it's much more, much more flexible, but that's just kind of how we grew.
So we're really all over the world for that. We have actually one of our initial partners from the very, very early days, actually in Australia, and they sought us out saying, Hey, we need this solution. And so they've been a partner with us for the better part of a decade. So that's very cool. So when you were, when you were younger, what, like, Was there something that transitioned you?
I know you got into IT and you were working in the MSP, but is there something, like, lately, you've been really focused on cyber security, and is it, is it just because of the glaring need for more people to jump in? Right? Like, you know, like, people with your skill set, right? Like, like, there's such a, you know, we hear about the, the skills gap, or the [00:09:00] job gap, and, while clearly there's a lot of open jobs that we don't have people to place, there's also issues in how they're even trying to hire for those jobs, in my opinion.
They keep advertising for entry level job after you've managed a SOC for three years. It's like, what? It's not an entry level, we're talking entry level right out of college, or right out of trade school, right out of the, getting certs, or you have a home lab, and you know, like You know, and there's so many excellent, excellent people in security that didn't do the traditional four year route.
Like, it's, it's, it's almost not, depending on which element of, which position, which niche within security, a lot of times you don't need that anymore. So, it's it's a really fascinating field to all of us. But what, what drove you into it? Yeah, so, several things drove me into it, really. Coming from that MSP environment and that banking environment and [00:10:00] seeing things firsthand on how fast a vulnerability can be exploited.
And knowing that all the security you put in place, I mean everything you can do and, you know, as we had on our webinar, MGM is a good example of this. All the security you can do eventually something will break. Taken down by an 18 year old basically, right? And so you have to find a way in and then get online and get his, his cyber crime buddies to to, to, to launch the ransomware.
Exactly. And so you have to have that. Okay. So when it goes bad, it's not, if it will go bad, it's when it goes bad, what do you do? And that kind of became the calling card for me going through my career is always taking that look of, okay, this is going to break and that goes more, you know, than just cyber security and everything I do, I look at when this breaks, what do I do, right? [00:11:00]
People put in processes that are people driven. Okay, that's going to break because it's people driven. You know, those, that mentality exudes through everything you end up doing. And so putting that together became an important facet of how I did this. I got a story for you. So we had a customer. And this was, hmm, maybe two years ago.
We have a customer, and we go through the training, we set them up, and we do all of the security things you can think about, right? We have multi factor authentication, we have a zero trust environment. We don't want to use single sign on, because that's going to be how they're going to get to us, right? We do none of that.
But a customer said, I need to make it easy for me, so I'm going to use my admin password to be the Quorum password. Yeah, there you go. Okay. What a horrid decision. So that's something Mosher would do. I thought it was best practice to use the same password for everything, right? Yeah, no, no. Use the same password for everything, just don't change it.
[00:12:00] Yeah, it's easy to remember that way. So, so he did. They got in his environment and they logged into the onQ and deleted all his backups. Oh, you're kidding. Well, because that was an account takeover then. They were him. They were him. Yeah. Totally. And that's one of the, there's so many recurring themes we've had about what, Mark, we're at like 130 interviews of people, right?
In addition to the, the, the, the crime. the true crime true cyber crime like research that we've done. So we've got other episodes on that, but the interviews that we find. It is shocking how some of the largest breaches, or some of the most devastating ones, were fundamentals. It was just pure, basic, knucklehead actions that caused it, right?
Like, like, don't reuse your passwords. Like, back up your data. Like, you know, update and [00:13:00] patch in time, right? You know, I wanted to get your, that's a good story, and I also want to hear Because you guys were involved, you have a fascinating story about one of the major tragedies that happened years back with Katrina.
I want to, I want to get to that in just a second. But I want to, I want to ask you about this. To me, there's got to be a better way. Maybe there is, and I just haven't seen it in the cybersecurity because I'm not involved in, like, the high tech service delivery aspect of cybersecurity. Like, when manufacturers post vulnerabilities and patches, right?
It'd be great if they could do it in a way so the good guys could see it, but not the bad guys. Like, there's no way for them to actually do that, right? Like, when I see this, I'm, I'm, I'm, I was like, hey, we have a vulnerability. Here's the update in the patch. And the good guys are struggling to get that [00:14:00] patched in a week, 30 days sometimes.
It's not immediate, right? And, and obviously a best practice is as soon as there's an open vulnerability, clearly patch it right away. But when you do that in an enterprise environment or even SMB environment, sometimes you break things. And so there's a reason why they, they wait. They're testing, they're rolling things out, they might have an initiative.
There's a whole bunch of socially acceptable excuses why they don't do it immediately. But you've let the threat actors... Know that that vulnerability exists, they can run scans and find out who's got that system in place and then they can, they can target it. I mean, isn't that kind of like open season?
Yeah, it's, it's a, it's a horrible scenario and it really comes down to, and this is obviously my personal experience. What I see is, most of the delays in getting something patched are driven by like one of three factors, right? They're [00:15:00] either, they have a piece of software that, is not updated, is not managed well, was in house built, or something, where they know that if they patch, they're gonna break something.
Okay, so it's, it's, it's their own, yeah, exactly, it's their own coded, it's their own poison pill scenario, right? Yeah, yeah, they build their own, they build their own inventory management system or something. Exactly. Or, they've destructured their IT environment in such a rigid way, That they have to go through a QA process and a qualitative assurance nightmare of change controls or whatever to get it done, and it's never going to happen.
It's an administrative issue, right? It's their own internal process. Right, right. So, you know, they've pulled their own trigger. And then the third is, is the worst. They just don't know. [00:16:00] Oh, they don't even know that the patch is available. They don't know every piece of software that's out there. They don't know what Bob in accounting put on his machine or, you know, what, or it's departmentally driven.
How does IT not know? How does IT and your own security team not know that, right? It's connected to the internet. It's their responsibility. Think of a bigger, think of a universe. Because that's what people think, right? People, I mean, but think about it. That's what... That's one of the main challenges, right, is knowing everything that's being used, that you're responsible for supporting or securing, right?
Right, but if you think of something like the university, a different IT department for every college, for every major, for every whatever. They create a nightmare of who's in charge of the All these collaborative tools they're using, they're plugging things in, they're throwing things on the network, BYOD, all this stuff.
It's a nightmare. It's horrible. When I was working at the MSP, we had a real estate office. And it was a national real estate firm that allowed [00:17:00] any realtor to bring in their laptop and plug it in. And so they would take down the network on a regular basis because, you know, some 90 year old realtor got in and was on their AOL account or whatever, because it's that, you know, Now, now, now, the data actually shows, we were just doing a security awareness training, so we did a bunch of research for a, for a educational organization yesterday.
And the data actually supports, right, Mark, which generation is actually more prone to negligence and clicking on phishing emails. It's actually digital natives. So the phrase digital natives encompasses 35 and below, right? So whether it's Gen Z, part of the Millennials, and maybe Gen Alpha or whatever.
But it's something about... They're, they're, they're so used to it that they just trust too much. And, and, and I think the older generations are, are [00:18:00] kind of, they've been yelled at by Gen X for so long, like, For so long, yeah. Would you please not do that? That that maybe they're, they're getting my, they're, they're number two.
You're absolutely right. Right behind it, you know. But this is, but this is dating me. This is, you know. 15 years ago when this was happening. Yeah. No, that's so interesting though. What? Man, holy cow. You know, but that was their policy is they wanted to make it easy for the realtor, but they would take down their networks on a regular basis.
And, and, you know, we would go through the fire drill of trying to get them out of it. That kind of mentality, it permeates a company. What's an organization to do as it starts to grow, right? We have a lot of listeners that are SMBs that are growing or they're in leadership and growing organizations. And, you know, they, they want to balance between
allowing flexibility and BYOD, letting people have collaborative tools, [00:19:00] trying things out, because there's so much, especially since last fall, since generative AI shot out of the gate on the, you know, among commonplace, a lot of things that, a lot of things that everybody's saying is AI has been around for a while, like it's not really that shocking, but the, but the commoditization of it and the popularization clearly out there, what how do they balance that with having some level of control over testing before we connect things to our network, without coming into, like you said, some massive admin, you know, people blocking logjam where you can't get anything done.
Well, there's definitely softwares out there that are, that are better equipped to, to help with that nowadays. There are things out there that are looking on the network saying, hey, this is weird activity, right? It's looking for what is happening on the network, not... You know, not like the old antivirus looked at signatures in the files or signatures.
Oh, yeah Yeah, well, I mean there's computers acting. Oh, yeah. No, [00:20:00] there's there's SIEM tools. There's MDR platforms. All of those. Yeah, all that. Okay, so that's from the security state, but I was almost thinking from the organizational piece. Well, see this is the hardest part. So I've always watched this happen in an IT the, IT is viewed as a necessity in a, in a company, right?
Right. Yep. You need to have your computers in order to do your job, but IT is a cost center. It's always viewed, and every company wants, wants to manage that cost and so they do that risk assessment. And if you have the wrong people in leadership that don't view it as important as the IT guy, that's where it breaks down.
That's how the Katrina thing broke down. Yeah. We wanna jump back into that story, so let's segue to that. So, yeah. Yeah. Most, most everybody knows about the tragedy, most of us either were impacted or involved or had, have had friends or colleagues involved in the catastrophe from the [00:21:00] Katrina. Tell us about how the challenge of data and backup played a role in making that catastrophe even worse.
Sure. So, as, as we were just talking, the management wanted to control costs. Right. They switched from their classic backup systems, whatever they had locally, to a cloud based backup. And they thought, oh, we've saved so much money, everything's great. The problem that happened with Katrina is it was an extended amount of downtime, right?
The, the servers that were there were destroyed. They had to rely on their backups, which they thought, Oh, they're all in the cloud. The problem is they only had 30 days of retention in the cloud, and Katrina lasted much longer than 30 days. So all of the data in the cloud expired. So when they went to recover, they had nothing.
So walk us through, so walk us through a third grade [00:22:00] level of what you're talking about. So the massive storm comes in. Storm comes in, wipes out the data center. Because of the, because of the, the level, right? The, the water table level, the dams, the, like, all of that. We all saw that. It was, it was horrible.
Right. The data center that housed the data for all of the mortgage, all of the housing, everyone that bought a house, owned a house, that data system was in those data centers. And it was destroyed. And those data centers were destroyed by the flood, by the... Completely. Later. Okay. Actually, I think they were destroyed by the initial hurricane impact, to be honest.
Like, if I remember right, they weren't in the upstate data center. They were right there, and they were destroyed. And so, the people managing the systems, um, never reached out to the cloud providers to say, Hey, hold the data, and it expired off. So when [00:23:00] they went to recover, they had nothing. Now the problem that this created, far beyond that of the data itself, is that nobody in, in New Orleans could buy a house, or sell a house.
If you were arrested and wanted to post bail, you couldn't do it. So lawsuits were being filed, you know, every, everybody's trying to go, Hey, I need to file insurance. You can't file insurance because I can't prove you own the home. The ripple effect of this was immense. So what they had to do is one of the
IT guys, and I can't remember the names. It's been, it's been a little while, had a tape from before they replicated to the cloud and they moved and they recovered that data. The problem was that tape was nine years out of date. So they had to hire an army full of college students to come in and [00:24:00] manually reenter.
All of the data from every housing transaction over the last nine years. Get out of here. Horrible scenario. And, and so it cost... Well, first of all, you're talking about tapes, which is a scary thing when I'm right here. Right. Backups and they've still got tapes and I'm like... Yeah, let me, let me, I was watching a show on my VCR last night.
Like, that's the time frame that this was. That's the time frame, right. Wow. Oh man, that's horrible. So what happened ultimately? Like, walk us through. Okay, so what happened is they manually reentered all the data. There were multiple lawsuits, right? Anyone that was arrested wanted to file insurance.
Lawsuits were going crazy. It cost the city something along the lines of almost a billion dollars in, in stuff to get out of this mess. And what they did horribly is, you know, in [00:25:00] that kind of scenario, you just cost us a billion dollars. I want to know who to point the finger at. So they looked at the IT guy, like one individual who was employed by them, or was it a firm?
It was a, it was the individual, individual employed by them. Oh, this is a city employee. And they went after her. They went after her. Luckily, she had all of her emails going back stating this is a bad plan, here's why it won't work. She had covered herself to say hold on, you're not listening to me. 30 days of retention is not enough.
Oh, this is great. Well, she did the right thing. Yeah, she did absolutely the right thing. She still got, she still got laid off, but there was obviously settlements and stuff that came from that and yeah, she I'm sure landed on her feet But that mentality had to purview and and it was a scenario of you know [00:26:00] The the management layer made a call to save money Without regard to the impact if it goes wrong, right?
And that's you know what we were talking about earlier that happens in security that happens in password management That happens in everything where someone says, I'll take on that risk that happens with the the would you call it the under 35? Digital natives that say, you know, it won't happen to me, right?
That mentality is what's killing all of this stuff. Yeah. Well and it it gets to a bigger picture right and that is The role of the CISO, or even if an organization isn't large enough to have their own CISO, right? but whoever is in charge, even at the SMB level, of Securing an organization. If you're just in charge of IT, and there's nobody else, then you're also in charge of security, right?
That's right. That's the way business owners will look, because when the data breach happens, you're the IT guy, and [00:27:00] they're pointing a finger right at you. I think it's so important. And, and there's a whole, there's issues with the way vendors sell security. That's a whole other rabbit hole to go down.
We address that pretty often because we want to make sure we're doing it right. But the role of that IT person or CISO or whatever the scenario is for the client, they have to make sure that they have A paper trail. Because should this happen, like, it is a wise move to engage with different vendors, different offerings, and to make a recommendation that's backed up.
Yes. Right? Like, look, I've spoken to clients that have used this platform. This will give us 24/7 eyes on glass. They have their own SOC. Like, I recommend that we have this. I am one person and I don't work 24/7. And I take vacations, et cetera. Like we, [00:28:00] right. We have all these other initiatives we're doing.
I need to be more strategic. I can't be sitting there 24/7 eyes on glass. Right? We can't hire a kid to do that. Right? Right. We need a platform. We need actual trained you know, advanced threat hunters, all of that. Making those, making those recommendations. And even if you get shot down, at least you have that in there because.
We've seen it right where post post breach post boom and they they didn't have enough or they didn't have cybersecurity insurance or the security insurance company declines coverage right and then we get brought in right and we're walking them through this and they're pointing fingers right at the IT person and the IT guy is able to say here's my recommendation last year The year before, I said we needed 24/7 eyes on glass.
These guys were in for a while. We could have detected it immediately. We could have stopped it. We could have leveraged our EER platform. Whatever the scenario is, right, given the type of [00:29:00] attack. But I think that's so important. And part of it is also making that internal business case. Right? I mean, you get involved.
And no IT guy is trained in that. I mean, have you ever seen an IT guy that's trained to make that business case? No, and if anything the personality type doesn't Lead doesn't tend to be all so strong in that field, right? Like the personality type is not the type that is an excellent conveyor of messaging and business impact and understands like the Harvard, there's, you know, there's a Harvard course on how to make an internal business case.
That's our most CISOs and most IT guys haven't really even taken that course. They don't know, like, you've got to evaluate this. There's like whole steps that you need to take to convince. It's a board or a CEO and a CFO that yes, it's going to cost money, but the ROI is actually positive because of the stats and the [00:30:00] predictor, if data is a predictor, if past data is a predictor of future behavior, future incidents, we will get breached, but there's a difference between a breach that is an inconvenience and a short sum of money and a breach that gets you in the news.
Right, right. And that's, I mean, we have ROI calculators, like everybody else does. And I've gone into companies and I've shown them and I said, look, based on your revenue stream, your number of sales reps, your cost of downtime, right? You walk them through all the steps and you show them, this is what your, your ROI looks like.
Like it's, it's a no brainer. You're going to lose, you know, whatever it is, 7 million over your outage. The answer inevitably I always get back is no, it won't be that. It won't be there. Always. You're just trying to spread fear, uncertainty, and doubt. And we're like, and this is, we kind of explain this to people, and we talk about this on the show, [00:31:00] we're not spreading fear, uncertainty, and doubt.
We're not trying to. Yeah, it exists. It's, it's there. We're telling the story. We're socializing it in English so that the technical fears can be understood because once we understand it in a business impact, like I don't understand what cybersecurity, I don't know why we need this acronym, that acronym tool.
I don't understand it. I think some of it's pokey, right? I don't, I don't get it. I want to go build widgets. I want to go. I don't want to be big brother, right? Yeah, exactly. And, and, and the, yeah. Right. And the problem is, is that will torpedo all those efforts. And here's a good example. It'll absolutely destroy it.
Yeah. Let's look at a small company that has an IT team of less than three people. Maybe less than five people. Oh, yeah. That's pretty normal. In order to make that business case, they would actually have to have the information on [00:32:00] what the finances are of the company. But they don't have that. Most of those five team, five, five man teams, they're not going to be led into what the finances are of the company.
That's, that's on the business side. You just manage the computers. We'll take care of that. So how are they going to make an ROI discussion? They have no way, no way. It's almost like they need to partner. Yeah. Well, when they're, I think they need to look at their vendors, not as just a vendor, right? Like if you look at.
Chris Roberts always talks about this, and it's the, if you look at a vendor as a strategic partner to help you make your business case, we need this service because here's our internal model, whatever, it's big, small, whatever, right? Whatever layers of security you've got or you don't have, here's our existing model.
We need this additional layer in this model. Here's the [00:33:00] likelihood of a breach. Here's the cost of. Our people, right, we could find out even from Glassdoor, roughly, you could find out online through Robert Half, like there's, oh, there's, there's data points out there that you can get rough estimates, and if those are the salaries, you can estimate the overall burn rate of those employees, if they are down for five, six days, right, because we're not going to pay the ransom, we're not going to do that we're going to be down until we recover.
Then what is the cost? And so how much is this each year? What's the likelihood of it even happening? And I always, if you have insurance, what's your premium going to go up? No, you're not even going to have it. Well, first of all, Yeah, you won't. Yeah. After you've got a claim, you're not getting it. You're barely getting insurance again.
It's not, it's not in any cost effective way. Right. It's, it's, it's it's, it's, it's, ransomware has [00:34:00] done one positive thing. It's such a complicated chess game, all of this. Well, ransomware has done one positive thing that it's made businesses actually look at IT as, Hey, we, we, we need you. Yeah. We need you to make sure this doesn't happen to us because I'm afraid of this.
I'm not afraid of a hacker. They don't exist. I'm not afraid of a disaster because those always happen somewhere else, right? I'm afraid of ransomware because I've seen it happen. It's exact. It took down MGM. It took down Caesars. It took down government officials. Any business owner, any leader in any educational government entity always belongs to associations.
It's how they network. It's how they built their brand and they've all heard those stories. They've all heard That school district was down for a while. They declared a state of emergency in that local town. Like, there's three state of emergencies going on right now, as this podcast is being recorded, in various small towns across the U.
It's just because of ransomware attacks. And it's so [00:35:00] crazy. And then, because of that, they can actually... Start to gather up an ROI. I mean, obviously it's not like a ROI in terms of investment. If you, you know, like if you're, if you're offering to build a mobile app, let's say for an organization, you invest this amount, you can capture new revenue this way.
Okay. That's great. Right. And it's very powerful, but in here it's, you are at X risk, right? And how do we quantify that? And I think that's a really interesting discussion. Because in every field, in every sport, right? Like last night's game, right? Kansas City against the Eagles. Like, they were able to quantify it.
After a specific time, X amount of points, they declared a winner. It's true, had they played longer, the game could have turned around, or it could have even gotten worse, right? Like, there's so [00:36:00] many different ways, but we've all agreed at the rules in the beginning, at X amount of time, whatever the score is, we declare the winner.
And, in cyber security, a lot of IT leaders and CISOs are like, low, medium, high, in terms of risk. Right, so we can't, like, everything else is measured. How do we measure cybersecurity? Because we need to do that for business owners or decision makers, you know, because that's the language that they speak. Yeah, and the only thing you can do is measure downtime. I mean, that's really, and the fallout, right, you have to measure the fallout.
So there's actually studies that have been done, and it's one of the things I use, that say, hey, you had an outage for this much time, that causes on average, you know, across your industry, this many customers to leave you, [00:37:00] right? So you have to look at that number. You have to look at the cybersecurity insurance.
You have to look at the cost of actually not being able to make sales. Oh yeah. I think that's, that's the key. I think there's even more metrics than just downtime too, that could be added in. I just don't know that, that somebody is selling a calculator or a. model that captures it all. But think about it, like the long term loss of being like, let's say post breach that gets you in the news, guess what?
It becomes there's tons of data out there. It becomes higher, harder to hire good talent. What does that cost you? Your SEO is harmed. Like when people Google you, it looks bad. How long? How do you quantify that? Right. In terms of new sales. If your product or your offering has, is, is something that the competitive market can switch very quickly.
For example, I may really trust my [00:38:00] doctor. If they're involved, if the hospital organization that he works for is involved in a data breach, may not switch doctors. Some people will, but some people may not. Because of the region, let's say they live rural, like that's the only friggin place I can go. I'm still gotta go there, right?
But how about lawyers? There's a million of them. Literally, there's more than a million. Like, you can get a new one, I don't care how great your law school was, how great you were in trial, etc. You can go hire another one immediately. Because, and when, when an attorney loses their data breach, that's a huge, like when they lose their confidential information, everything you tell them is supposed to be sacred.
Right? Within, within the attorney client privilege. Confined. Right. But it's all supposed to be sacred. If that got publicized, we'd be, as so many people would be searching for another lawyer and there's other industries like that, like auto parts makers or manufacturers, you [00:39:00] know, a, a, a, you know, if they're a sub of, of a larger group, right?
Let's say it's Toyota or even not even that big, but they're, they're, they're a sub of a, of, of a larger group in the, in the chain of custody, in the supply chain. Right. then they're going to just find another one of your other competitors to go with. They can't risk it themselves. So there's so many elements that could be captured in that.
Yeah. And it's, it's a moving target for your industry, right? Your industry is going to dictate that sometimes you're kind of locked in, sometimes you're not. But one of the things that, that. Like, I live on the other side of the fence from you guys. You guys spend a lot of your time trying to mitigate the disaster.
Yeah, I spend a lot of my time going, okay, it's happened. Where do we do now? Yeah, we're mostly pre boom, and then we have some people on our organization that handle [00:40:00] boom and post boom. But that's more the exception than the rule. We're mostly preventative, right? Right, and what you just said is a perfect thing.
Boom and post boom. So everyone tries to put those two together, and they are actually two distinct different things. Boom is your security team coming in going, how did this happen? And then post boom is, okay, how do I get back up? And if you don't have both of those pieces thought through, you're in a world of hurt.
A world of hurt. So in our post boom world, where I spend most of my time, you know, we spend a lot of our time getting customers back up, recovering their servers, getting them rebooted. But a lot of times we have, like, we hit ransomware, I don't know, on a weekly basis. Maybe one of our customers will get ransomware at some level, and we'll spend time going, okay, we're ready.
We're ready to recover when you say go, but they'll spend three days figuring out that boom. Oh, yeah. [00:41:00] And so that three day outage, even though we can recover in minutes, that three day outage is a cost. And that's the, that goes onto your side, to the pre boom, like they should have been ROI-ing and planning for that, because the boom has a cost in itself.
Absolutely. And then think about the, think about the time. Time is money. Even if you don't, even if you're not like an attorney and you bill your hours, but time is money. And when there's boom, when a data breach occurs, there are so many meetings. That internal resources from HR, from the executive suite, from other directors and different roles and people using platforms and users and end users.
So many meetings where we're evaluating what happened, how it happened, who did what, and then how do we fix this, the planning, so that, so that it doesn't happen again. And all of that, that can be quantified. Like, that's [00:42:00] cost to the organization, outside of we're building the brand. Right? We invest in salespeople, we know the ROI, if they're profitable, they will give us this.
That's a, that's a very clear ROI. There's also an ROI in Boom, right? Like, when that happens, there's so many meetings involved that are not making you money. Right? They're not helping your operations that have to do that. It's so interesting. It's, it's, it's, and, and there's different types of, you know, I'm, I'm coming to the realization, and I'm sure there's A lot more smarter people to me that have already written about this that I haven't read or Mark hasn't brought to my attention.
Mark's my guy that like, on Saturday night, he's like, Nick Alpha V is, is posting this on the dark web, like, when, when, when Black Hat, was it Black Hat? Yeah, Black Hat filed the SEC. [00:43:00] After the organization didn't pay the ransom. So they locked him down, extorted him, they made the ransom demand, they didn't pay, right?
So they threatened to leak the data, right? And that's like the triple ransom attack, right? And then this last week we saw... Where Alpha V, Black Cat, actually then filed their own SEC complaint that said they did not disclose the data breach within four days as required by the new SEC rule. I'm like what?
That's next level. That is just, that is some mafia like thought process. That is brutal. You know, like, but that's what they're doing is they're, I mean, that's just unbelievable. So think about it. If they're doing that, think about a healthcare organization. You're going to file those HIPAA complaints.
They're going to contact [00:44:00] the health and human services. If it's a, if it's a financial institution, right, they're going to contact auditors because they'll be able to find it. Who your past audience were and stuff all, they'll have all your records. They'll be able to see everything, right? And they will go and notify.
And we have heard where they've reached out to actual customers in the past. So that's why when everybody was kind of shocked about what Black cat. did to the SEC. I'm like, I wasn't that shocked. We've seen organizations. There was one a Mark, do you remember this? It was a health care organization, online platform.
It wasn't Better Health, but it was something like that. And where they did the online therapy work, right? Online mental health. They got all those records. And when they wouldn't pay, right, the, the ransom, they went and contacted The actual customers and tried to blackmail the actual patients and saying, if you don't pay me a [00:45:00] thousand bucks individually, we're going to release all of your records and we'll post it, we'll throw it on social media.
The lawsuit filed after that, I mean, could you imagine? Think about that. Oh my gosh. The fallout of that has got to be catastrophic. Yeah. Yeah. That's unbelievable. So I'm, I'm getting to the point where. Oh, go ahead. I was gonna say, these are big companies that you're talking about that have these, these breaches that are, you know, broadly impactful.
Yeah. But even the little companies that you don't think about, that don't make the news, that have these breaches, it takes these companies out. It really does. I mean, one statistic we've seen... Yeah, one statistic we've seen is like close to 60 percent close within a year or six months. Within a year? I don't know if it's that, yeah, I don't know if it's that, like there's, there's some debate on that, but I think it's clearly a contributing factor.
Meaning, since it's a small business, right? Right. It [00:46:00] could be on a shoestring budget and just teetering anyway. But that breach seals the deal. That breach is the final thing. It's like losing your biggest client, right? And those small companies are the ones that are least likely to invest in security.
Absolutely. And those small companies make up 98 percent of who Americans work for. Most Americans don't actually work for big companies. Most people think they do. And most Americans work for small businesses. Unbelievable. It's such a challenge. And I think that what we're gonna see is, because there's so many breaches, so many different attacks, two things.
Tell me what your thoughts are on this. One, there's a difference between a breach that gets you in the news, and a breach that is contained and restored from backup, etc. Both struggle, but to [00:47:00] me, I think there's a difference between those two. Like, and we, you and I discussed that, Gabe, in like the MGM and the Caesars at, at a, at a, at a macro level, but I think even with small business, I think there's, and, and small organizations and school districts, there's some that, that are more minor than others, and I also, I, I, I think that is something that most people don't think about, like, oh, they were breached, but they all kind of assume a breach is a breach and they're all the same.
I'm like, no, I don't think they are at all. Secondly, what do you think about this, that we're going to get to the point where there's either a grading system or an informal system where people are going to judge their vendors who they do business with, consumers who they buy from online, not whether they've been breached, but how they handle it.
I think we'll get there. Yeah, I mean, most people, the Target breach was a phenomenal story back in the day, right? And especially [00:48:00] because it wasn't Target. They were doing a lot of the best practices. They had FireEye. They didn't necessarily have it configured right, but they had FireEye. Like, they were doing themselves good best practices.
They got breached through their HVAC system. So what broke down there, it seems, are the processes for vendor value. Okay, that's fair. Very few people have stopped shopping at Target because of that. Right? Like people still go there, right? Right. It might be a blip, a short term blip, but people still go there.
But I think it's because, not necessarily that people understood that the breach wasn't that bad because it wasn't their fault, it was the third party, it was their HVAC vendor. I think most people don't even know that. I, I, I think some brands are able to sustain You know, longer, but, but I mean, it's like anything else.
Some brands are able to sustain bad PR better than other brands, right? [00:49:00] I mean, there's, there's, there's been other controversies affecting Target. And, and their stock will dip and people will stop buying. It's either going to do as you say, we're, we're going to gravitate towards the people that handle it well.
Or it becomes one of the things that I, I typically see is, it's just noise. The average person just sees it as white noise. Oh, there I am again. I'm, I was breached again at Walmart or at Target or at, you know, Yeah, I get, I get free credit monitoring again. Like, I think we all have free credit monitoring, like threefold or fourfold.
Right. We all have it. And so they're like, I, I can't, there's so much information. From my college that I went to. Yeah. Right here. I'm holding up. They just don't know how to adjust. They can't pivot. Yeah. They can't pivot. Right. They just have to accept that's the way it is and that's a horrible thing. Yeah.
Yeah, you know, I mean, I use those, what is it, secure [00:50:00] 360, that kind of stuff? And so I'm always getting updates saying, hey, this, you showed up here. Okay, let's go change those passwords. Let's lock that back down, right? But you know, that's gonna become a full time job after a while. Yeah, so one of the things we tell people is always freeze your credit. Right.
It's so important. Always for, for you personally, not for a small business or a larger enterprise, but always freeze your credit always because you can. Look, you're not taking out loans every day anyway, and you can still use your credit cards and your FICO score can still improve, right? It's just freezing it from allowing any new accounts to be opened in your name in an unauthorized manner.
That's all it does. And then you can literally, with a button on your phone, unfreeze your credit, get the store credit card you want to get, or the car you want to get, or whatever you're buying, and then freeze it back up. And it just, it is such a smart move and obviously monitor your credit, but [00:51:00] a lot of that wouldn't matter if you just used different passwords on everything.
Gets back to those fundamentals. Yeah. And I mean, when mine shows up in a breach, like all my passwords are already pretty different. But you know, it's catching it and doing what to do with that information that there's no mass training out there for the average home person. to say, hey, you know, your Instagram account has shown up on the dark web.
You better go change your Instagram password. Because so many people don't care. They're like, what are they going to do with my Instagram? I'm like, would you like us to tell you? Like, yeah, I can tell you. Yeah, they can become you. Like they can become you. They can, they can leverage something like that as a evidence of that is who you are with.
with your credentials and leverage that into credential stuffing a [00:52:00] whole bunch of different tactics to, to, to take loans out for you, to buy things on your behalf that you're liable for that those products and goods and services go to the threat actor. There's so many different ways they could use that to establish other.
and, and other forms of identity. So we've, we've seen quite, quite a bit. Gabe, this was an excellent conversation, man. Happy to have it. Happy to have it. Absolutely. Excellent. And we will also have a link to the MGM Caesars discussion that we had. We'll, we'll have that link in the show notes. It was a great discussion because those two breaches really show how in the short term, one of the.
People that follow the best practices and that fought the fight, they actually got really bad PR in the beginning, but, you know, the truth is, is that once you pay ransom, [00:53:00] everybody on the dark web knows, and you are a prime target again, so, you know, people on the dark web are like, when is Caesar's gonna get hit next?
Because they paid. Right. Now they didn't sustain the bad PR that they, that, that MGM did, but, but they did pay. So on unlike MGM who fought the good fight. So very interesting. Great, great conversation. Gabe follow we will have Gabe's link to his LinkedIn, um, in the show notes and information on Quorum in the show notes.
Check them out. And sir, we will, this will not be the last time we talk. I hope so. I look forward to the next one. Excellent. Thank you, gentlemen. Have a great day. Have a great day. Take care everybody. See you guys.
Well, that wraps this up. Thanks for joining, everybody. Hope you got value out of digging deeper behind the scenes of security and cybercrime [00:54:00] today. Please don't forget to help keep this going by subscribing free to our YouTube channel at Cyber Crime Junkies Podcast, and download and enjoy all of our past episodes on Apple and Spotify Podcasts so we can continue to bring you more of what matters.
This is Cyber Crime Junkies, and we thank you for joining us.