"Cybersecurity: Governance Steps You Need to Take Now"

Thursday, July 16, 2015

2:00 - 2:45 pm, eastern [archive and transcript to follow]

Cybersecurity incidents are happening more frequently - and are becoming more serious. And accountability for them is running all the way to the top. So the time to prepare is before they happen. This program will tackle why it's important to get a handle on this area from a governance perspective, as well as how to approach employee training. And much more.

Join our experts:

  • Paul Ferrillo, Partner, Weil, Gotshal & Manges LLP
  • Randi Singer, Partner, Weil, Gotshal & Manges LLP
  • Aaron Higbee, Co-founder & Chief Technology Officer, PhishMe

Broc Romanek, Editor, TheCorporateCounsel.net: Welcome to today's program, "Cybersecurity: Governance Steps You Need to Take Now." The first thing you should do is click on the link that says Course Materials on the page where you accessed this webcast. There's a 26-page deck from our speakers that you want to print out so that you can take notes as they go along.

Let me go ahead and introduce our panel. Paul Ferrillo is a Partner of Weil, Gotshal in New York. I want to thank Paul for bringing this hot topic to my attention and arranging this program. He did a great webcast for us last year. His Partner, Randi Singer, is also at Weil, Gotshal in New York. They've brought along Aaron Higbee, who's a Co-founder and Chief Technology Officer of PhishMe. Paul, take it away.

Paul Ferrillo, Partner, Weil, Gotshal & Manges LLP: Good afternoon, everybody. We think we have a very good and timely program. It couldn't be more timely, after the Office of Personnel Management attack a couple of weeks ago.

Our agenda, very quickly, is to talk a little bit about the subject of spearphishing attacks. We will talk specifically about the problem of socially-engineered spearphishing, some known attacks, and the consequences of those attacks. Then we're going talk a little bit about a few spearphishes - what to look out for, what to think about, and what to talk to your employees about. Finally, we're going to talk a little bit with Aaron about what we at Weil can see is extremely important, which is employee training and awareness on spearphishing, and how to create a regimented training program for your employees.

By the way, for the lawyers in the audience, law firms need the same training as well. Randi and I can tell you some funny stories about that.

Recent Cybersecurity Attacks

Ferrillo: If you go to Slide 3 of the Course Materials, you can see that 2014 was a pretty terrible year for cyberattacks. Global financial institutions head the list. The computer and professional services operation leap out. Retail and consumer companies got hammered. Healthcare got hammered in the middle of the year. At the beginning of 2015, hotels, media and gaming - of course, that's Sony - aerospace and defense contractors, and power utility grids all got hit. Most recently, there have been very successful attacks against higher education institutions, such as Penn State and Harvard.

Basically, the atmosphere today is if your IP, R&D, M&A data, trading data, or trading algorithms are not nailed down or put in a sealed vault disconnected from a network, they could be subject to an attack. And all of the intellectual capital put into that could be destroyed.

On the next slide, we talk a little bit about how 2014 was the year of the retail breach. The statistics about how many pieces of personally identifiable information were stolen are certainly dramatic. I note on the slide that spearphishing attacks were up 25% in 2014, compared to 2013. If you look at the PWC report, they think that increase will probably be closer to 48% as the data is more refined. The costs of these attacks, to the U.S. economy alone, were estimated at $100 - $400 billion.

The scary part is in the 60 Minutes close, shown on the slide. There are probably three, four or five thousand people who could do the Sony-type attack today. That is stunningly scary to hear when you think about the damage - that attack took Sony offline for six weeks and caused all sorts of business difficulties.

I'd like to talk a little bit about what's going on today. The reason why attacks like spearphishing and whaling are so important is because of the dramatic increase of personally identifiable information for sale on the web, in the "dark web." You're talking about 22 million new pieces of information from the OPM attack alone, going back 10 to 15 years. There were 8.1 million records in Anthem, 1.1 million records in CareFirst. The Penn State and Harvard attacks are too new to understand the extent of those breaches.

But certainly, the more information that is out there and the more information that is available makes it scary. In particular, I think it's scary because you have the confluence of all the personally identifiable information out there with the startling statistic that 75% of all employees are on LinkedIn, Facebook or Twitter. The social engineering part of this, Randi, really makes the spearphishing attacks more dangerous for companies.

Randi Singer, Partner, Weil, Gotshal & Manges LLP: Absolutely. We talk about using our cybersecurity and all of our other security to protect sensitive and personal information and to protect privacy. These hacks wreak havoc both on the computer systems and on the company.

There are two types of information that get out. On the one hand, you have corporate information. That can be anything from M&A information to IP, trade secrets or confidential information. On the other hand, you have all of the personal information that companies store about their employees and about their customers. That's everything from sensitive medical information, credit card data and financial data to all kinds of contact information or shopping trends, purchase history, and things like that.

So there's a tremendous amount of information. And there are a lot of people who think that, when this information gets out, there are people who sift through the information from the breaches and match it up so that they can create profiles of people. A little bit later on, Aaron is going to talk about how hackers can put together some of these different pieces of information to create some of the spearphishing e-mails.

Ferrillo: This is just plainly and simply a problem. If you're a hacktivist, you can create, at the very least, incredible amounts of publicity for yourselves. Criminals and organized crime offer botnets for sale and simply information for sale, including proprietary corporate and M&A information. Many in the United States government theorize that nation-state hacks coming from either China or Russia are a problem. Last but not least, we don't want you to forget that your own employees, former employees and company insiders are similar problems, whether they are malicious or they just want you to click on a link to cause you an equal amount of havoc and pain and suffering as they think you caused them.

Types of Attacks

Ferrillo: If you go to Slide 8, you can see we divide social engineering-led attacks into three specific types of attacks.

The "phishing" attacks are generic in nature. This kind of attack is sent out to thousands of people who are in a certain category, such as customers of Chase, Sears, J. C. Penney or some other organization.

The "spearphishing" attacks are more personal and more intense. They are directed to groups of individuals within companies, such as an IT group or financial group.

More dangerous, potentially, are the "whaling" attacks, where company individuals - CEOs, CFOs, managing directors - are falling prey, again because there is so much information on the web regarding yourself, your kids, your banking, your shopping habits and the like.

I remember a few years ago being very intrigued when I received a few e-mails from a widow in London who was heir to a $10 million fortune, who wanted me to help her disclose her assets in the United States. Or as we see on Slide 9, the sultan of Brunei, or the daughter of a Libyan executive, writes, "I want you to help me to please transfer money into your bank account." You might respond, "That sounds really cool. I didn't get a raise last year - maybe this could be a substitute."

But the world has absolutely and completely changed when you add in the prevalence of spearphishing. There have been plenty of statistics published.

On the next slide, Slide 10, we talk a little bit about the targeted spearphishing attacks on, say, IT departments, or security-related attacks, often trying to impersonate company's IT employees or executives or an anti-virus vendor. You can also see on that slide that many phishing e-mails are sent out on weekdays.

Despite all the publicity since the attack on Target, 23% of recipients still open phishing messages, and 11% click on the attachment. And nearly 50% open e-mails and click on links within the first hour of receiving those e-mails.

Singer: Some of the spearphishing is very sophisticated. But before we get too far down that path, we want to make sure that people don't forget about the very low-tech methods as well.

When you get to the bottom of a lot of the hacks, there are all kinds of stories. It could be something like diversion theft, which is convincing a courier to deliver a package to the wrong place, and somebody signs for it on another floor. Or you get possession of the package some other way.

It could be as easy as what's called tail-gating, which is following someone who is using a badge to swipe in to a protected area. The badgeholder, a very nice, polite person, holds the door. And the hacker follows them right in and has free access to the workplace.

That gives the hacker the ability to do things like shoulder surfing, where you literally look over somebody's shoulder. That's also very popular on airplanes, trains and other modes of transportation. Just take a look at what a person shorter than you is reading on their phone on the train.

Another very popular technique is baiting, where you leave a malware-infected USB drive just lying around. Or you have a branded conference giveaway. The statistics on the number of people who will pick up an unattended flash drive and stick it into their computer to see what's on it are pretty astounding. There are a number of people who will do that. And there goes the network.

If you flip briefly back to Slide 7, there is a diagram of how a botnet works. As you can see in the first part of the diagram, you have a hacker who downloads malware onto many different computers. They may send out a virus or a worm. They may be sending out spearphishing e-mails. Basically, they go in and get control of the computers. They create - as shown on part 2 of the diagram - a network of compromised, infected computers - basically, zombie computers.

In part 3 of the diagram, you see a spammer or some other sort of criminal who purchases access. They buy the ability to access this network of infected computers.

In part 4, they deploy this network. In this case, they're sending out a lot of spam. Perhaps they are just plain old phishing e-mails.

Obviously, this can be used for many more nefarious purposes as well. If you have control of a huge network, you can use it for a brute force attack. You can purchase access to a humongous computer network that is hopefully untraceable. And you have the ability to cause a lot of damage there.

Those methods can be used without targeted access. And those are just some of the very low-tech methods that we've seen.

As we move towards the spearphishing and whaling attacks that Paul was just talking about, you start to see the ability to create much more mischief. The thing to remember is that it is much easier to trick somebody into giving you their password than it is to try to crack or hack into the system and figure it out yourself. And it may be, that when you employ the spearphishing methods here, you have the ability to get a much higher level of access into the computer than you can get by just hoping you can find somebody gullible enough to give you their information.

Ferrillo: Thank you, Randi. That's good clarification.

Aaron Higbee, Co-founder and Chief Technology Officer, PhishMe: I'd like to expand on phishing a little bit.

I talk to people about phishing all of the time. What I find is that most people are kind of aware of what phishing is, because they get it in their personal e-mail boxes all the time. Oftentimes, they will laugh it off. They will think, "This person is asking me for my Bank of America information, and I don't even have a Bank of America account. They're not that clever after all. If this is what phishing is, I don't need to worry about it."

So they have this understanding of what phishing is from what they get in their personal e-mail. But what they get in their work e-mail is quite different.

There are really three different categories of phishing that people need to be aware of. One type, which I think a lot of people are already aware of, uses attachments that could cause harm to the computer. An e-mail that's trying to get you to click or open an attachment might be something to be suspicious of. So that's one type of phishing.

Another type would be an e-mail that is trying to get the recipients to click and follow a link. There is no attachment in that kind of e-mail. It gets through anti-virus scanners because there's no malicious attachment. The attacker is hoping they can entice the victim to click that link. That link will take them to an attacker-controlled website that launches and installs malware on their computer. We call that the "click-only" type of phishing e-mail.

A third type of phishing e-mail that everyone should be aware of is what Randi described, where the e-mail is trying to tell the victim, "Click on this website. There's been a problem." And that website might be a very official-looking, branded website, where they're using the logos of brands that you're familiar with or from your own company. And it will come up with some story explaining that you have to log in to this website in order to do something. What they're trying to do is gather usernames and passwords.

That type of attack is particularly hard for an IT department to defend against, because there's no malware at all. There is no signature that they can recognize. They have to rely on their users to be able to spot and identify the attack.

But it really doesn't matter if it's a click-only phishing attack, one that has an attachment or one that is trying to get you to go to a website. There are always going to be some common emotional triggers in every type of those phishing e-mails. Attackers will use either fear, reward, curiosity or urgency to get you to do something. And it's through practice that we begin to identify that and become more suspicious when we pick up on those triggers.

Ferrillo: I think that the important point here is that studies show that 91% of all cyberattacks occur when malware is delivered by e-mail, either with links or through downloads. That statistic encourages hackers to deploy spearphishing attacks time and time again. These are very successful attacks that gain the hackers a ton of money not only by their creativity and ingenuity but come directly as a result of all the personal information that is out on the Web through social media.

Randi and Aaron, let me turn it over to both of you, and especially to Aaron, to talk about the different sorts of spearphishing attacks that we put in this presentation to alert the audience as to what to think about.

Sample Spearphishing Attacks

Singer: Why don't we turn to Slide 12, which is an actual example of a spearphishing e-mail that was used to launch a targeted APT - advanced persistent threat - attack. Aaron, do you want to walk us through what we're looking at here on Slide 12?

Higbee: Sure. What the attackers do is try to find people inside of the organization that they want to deliver an e-mail to. Usually, it's not that hard. They can go on LinkedIn. They can use other Google searches. And once you know the e-mail address format of an organization - commonly, it's firstname.lastname@company.com - you're ready to go, as far as having a list of people to deliver it to.

In this case, what the attackers wanted to do was get those people to click on a document that was infected with malware. In some cases, where the attackers are particularly sophisticated, they are able to create their own malware from scratch. In the case of the RSA attack, that is what happened. That's why they were able to get this particular Excel document inside of that organization.

They were hoping that the words "recruitment plan" would encourage people to click on the document. The attackers thought, "What emotional trigger are we going to use in order to get those employees to click? We're going to go after curiosity - give them something they would very much like to see. People want to know, is my department growing? Is it shrinking? What are the salary ranges like?"

This would be a great example of using the curiosity emotion to try to entice people to click. And when they did, there was a macro inside that document that executed malware on those systems, which allowed the attackers to then use that malware to get into that network.

Singer: It depends on what stage an attacker is in. There are attackers who are already inside systems or who will track your social media presence across different social media platforms. They can figure out where you are, when you're traveling for work, when you're on vacation, if your child had a birthday party or if your child attended a birthday party. So the files can be something like, "Check out these photos of little Johnny's birthday party from the other day."

These attacks can be extraordinarily targeted. There are a certain percentage of these phishing e-mails that get even the professionals.

You may look at a file like the one on Slide 12, where the English is a little bit stilted: "I forward this file to you for review. Please open and view it." If the person who sent this to you doesn't usually speak that way, if they are usually a lot more colloquial, there may be some alarms around this. But some of these e-mails appear to be coming from somebody who's already inside your system and who knows, for example, that you get some sort of report every Tuesday from a particular person.

If you skip ahead a little bit to Slide 14, we show another flavor of phishing e-mail. This is the business e-mail CEO compromise fraud. In this case, the attacker knows the identity of somebody who's got wire transfer authority. Often, there will have to be two people to approve a wire transfer. So they spoof the e-mail account of a high-level business executive who has the right to initiate wire transfers or who commonly initiates wire transfers, and they pose as that executive. And the fraudster sends a request for wire transfer from the compromised e-mail account to whoever in the company is normally responsible for processing the request.

Once you're inside the system, and you have the ability to know who it is that initiates them, you know what the codes might look like and what the amounts might look like. If you've got a lot of this kind of information, you're able to send an e-mail that's very well worded and very specific. It may tell you, for example, exactly who to code the wire transfer to.

These e-mails often do not raise suspicion. Whoever gets the e-mail says, "My boss wants me to wire $257 million to whoever it is." And they go ahead and do that. P.S. - that is money that has now left the organization. And it's extraordinarily difficult to get it back.

Higbee: That's an excellent point. A variant that we see quite often is someone who will research the organization and find people in the finance team. They will continue to mine information out of LinkedIn to figure out who may be a manager inside of that finance team.

Then they will go over to a free-mail provider - Yahoo, Gmail, Hotmail. And they'll register a free e-mail address using the name of that supervisor or manager.

Then they will send a variant of this example e-mail that we're showing on Slide 14, which says something to the effect of, "I'm on vacation and I'm away from my work laptop. I'm using my personal e-mail account. But I really need you to do this. It's urgent. Thank you."

In that situation, the story lines up. The person might actually be on vacation. Maybe the attacker's been following them on Twitter tweeting wonderful, fabulous photos about what they're doing. So an e-mail comes in, using a name that someone recognizes. And it gets them to click. That's a great example of what are deemed sophisticated phishing e-mails.

If you followed any of the news around the OPM breach, some of the headlines I read called it the most sophisticated cyberattack in American history. If you're a member of the United States CERT, the Computer Emergency Response Team, you can actually download a report - and I would have included it here but you have to be a member in order to see it - that has details around that specific breach. If you look at the indicators of compromise, the things that were specific to that breach, they have examples of a few different phishing e-mails.

The stories that we have been sharing show attackers who are more sophisticated. The attacker took the time to research who you are and your job and your role.

But in the case of the OPM breach, the evidence points to the employees receiving phishing e-mails that appeared to be "toll pass" violations. They were using logos that made it look like the e-mails were from Easy Pass - that's the toll system that we use here on the East Coast. The e-mail essentially said, "You violated a toll. Click on this. Open this document to see your toll or go to this website to pay your fine."

That's not terribly sophisticated. But in fact, that's a story that's often used.

Also involved in that OPM breach was a phishing e-mail saying, "You received an invoice." That is a very common phishing theme that plagues every organization. Fake e-mails about invoices, faxes, package delivery notices - these are very common themes.

And even though the experts agree - and I agree with them - that all the indicators of the attack infrastructure point back to an attacker originating from China who is known to be sophisticated, the method they used here wasn't that sophisticated. They re-used a phishing story about an invoice and an Easy Pass toll violation. And that was enough to elicit the right emotional response from those employees to get them to click attachments or follow dangerous links.

Malvertisements / Watering Hole Attacks

Ferrillo: Pretty scary. Thanks, Aaron.

We included in our presentation the related problems that we see on a daily basis, called either malvertisements or "watering hole" attacks.

These are not targeted to an individual. Instead, they are targeted to groups of individuals who may have an interest in shopping in a particular place, reading a particular magazine or engaging in a favorite hobby. They will say something like, "Click here to get more information on how to create your hybrid cloud environment."

You click on the link. And, without your suspecting anything, malware gets downloaded onto your system. And you thought you were doing yourself a favor by learning a little bit more about how to create your hybrid cloud.

If you look at Slides 16 and 17, you can see the creativity and ingenuity of individuals trying to get access to one's personal information. Slide 17 illustrates how hackers, unable to breach the computer network at a big oil company, infected with malware the online menu of a Chinese restaurant that was popular with its employees. People will often go to known links, and hunger creates an emotional urge to click on the link.

What are the hackers gaining? As you can see on Slide 18, they can get both financial information and personal information. Their malware can scoop up passwords, account numbers, credit card data, trade secrets and the like.

Slide 19. I'm not sure any of us want to see the Sony slide. But this was the famous Sony slide that employees saw when Sony was hacked - certainly one of the most notorious hacks of 2014.

Singer: Paul, you made this point a little bit earlier, but it's worth highlighting. One of the scariest things about the Sony attack was that they weren't necessarily after some of the things shown on Slide 18, such as confidential information or personal information. Certainly, they got a lot of that. But there are indications that what they were after was just destruction, plain and simple. They installed wiper software on the computer's network and really took it down.

Paul, you mentioned earlier that Sony was without e-mail for weeks. And when you talk to a lot of Chief Technology Officers or Chief Information Officers, that's really what keeps them up at night - somebody coming in and just wiping their entire system. That's a really scary thing.

Increasingly, it's really become a truism now - it's not an "if," it's a "when." You know that these breaches are going to happen.

Finding and Stopping These Attacks

Singer: So what do you do about these attacks? How do you find them and stop them? You see a lot of people turning their resources towards quick discovery and quick turnaround.

Mandiant put out a report recently which found that the median time to discovery was 205 days. That's the median length of time that a threat group can be present on a victim's network before detection. At the extreme, in one case a hacker was inside a system for more than eight years before they were detected.

And even more terrifying - only 3 in 10 organizations actually detect their own breach. That means 70% of them are actually notified by an outside organization that they have been breached.

I'm going to turn it back to Paul to talk a little bit about how we find these breaches, how we stop them, and what should we be doing to help prevent the attacks, or at least detect them quickly so that we can cabin the harm.

Ferrillo: Thank you, Randi. I wish I had some magic slide box to help all of you. But I really don't.

I spent a lot of my day talking with clients about "silly stuff" that's not really so silly at the end of the day, and that's called good cyberhygiene. I cannot stress enough that there are things that companies can do to help themselves tremendously to try to fend off an attack and to tremendously deter that 91% figure which comes as a result of a spearphishing attack.

If you look at Slide 23, Cybersecurity Basics, these could probably be the subject of another webinar, if Broc allows us back. We talk to clients a lot about passwords. We talk to clients a lot about two-factor authentication. We are talking to clients now about biometric authentication, as a result of the fact that there have been so many attacks, so many passwords stolen and the like. We spend a lot of time with clients talking about simply blocking and tackling - information security policies, incident response plans, mobile device plans, and social media policy. And finally, we talk an awful lot to clients about employee training and employee awareness - the things we talked about today.

Employee Training

Ferrillo: When we speak with clients, we say that we cannot stress enough the importance of spearphishing training. We ask them how often they do the training. If they say once every six months, I want to stick a knife in my eye to dull the pain. There is so much information out there on social media and on the Internet that once every six months is not enough to regiment or regulate an employee's Internet usage in a way that can make a dent in that 91% figure.

We talk a lot more about instituting really regimented, regulated and specific training programs for employees. In that regard, we are fortunate to have here today one of the co-founders of PhishMe.

He's not here to talk PhishMe. He's here to talk about the importance of setting up a specific process, a regimented process, a crafted process to help train employees to recognize these links and to turn them in to the IT department so others don't fall prey, and so the IT department can block them. Aaron will also talk a little bit about the psychology behind the regimented type of training programs that we talk to our clients about.

Higbee: Thank you for an excellent setup. I appreciate that.

I know we might have alarmed some people with some of the examples in the beginning. It might sound like these attackers will go at any lengths. And if they want to get in, they're eventually going to get in.

That's a difficult thing to hear and to really digest. You in the audience really do have a difficult challenge ahead of you, because the nature of your job is to interface with people outside of the organization, communicate with them via e-mail, and send links and attachments back and forth. It's kind of the perfect storm for potentially creating an incident.

When I look at awareness and what it means, it's tricky. The IT security industry, in my opinion, failed in the beginning because it was compliance driven. I am sure we've all sat through a number of different compliance-based cybersecurity training courses.

And humans - they're smart. They know when you are giving them training to fill a compliance need. As soon as they figure that out, mentally they start checking out. They start figuring out the quickest way they can click through the training so they can get back to their jobs. So when you need to deliver a really important message such as, "91% of breaches start with spearphishing," and it gets cast in the compliance area, it's tricky to get that to stick.

One of the things that we help people with - and this is something that you can try on your own - is instituting an awareness program in which the employees are immersed in the experience. They get real phishing simulations sent to them in various categories so that they can get experience with them, and so that they can understand firsthand what is coming into their e-mail.

If they fall for it, they're funneled into a short training message saying something like, "This was that spearphishing thing that we were telling you about. In the future, if you get a suspicious e-mail, this is what you should do with it."

One of the first things that you can do for your company, in the beginning, is find out if you even have a process in place for your employees to tell you when they believe that they received something suspicious. If your employees are taught to send everything to spam@organization.com, that's not really the right thing to do with what might be perceived as a targeted attack. So you need to tell your employees that, if it's something suspicious, this is how you get the word out and tell people about it.

What we've found is that a lot of people think they know what spearphishing is. And if you ask them if they would ever click on that or fall for that, they will tell you, "No, never." But in our experience, when our new clients start doing phishing simulations, over half of the population falls for the simulation the first run. At that point, there's kind of a wake-up call.

There's actually a part in our brain, the amygdala, which learns based on an emotional experience. So we create a little bit of tension. As soon as they fall for that phish, the message that we're trying to deliver is, "This was that spearphishing we told you about. Did you hover your mouse over the link? Did you notice it wasn't taking you to your Outlook portal?" That helps people to begin to learn and understand.

Unfortunately, we didn't learn poor e-mail hygiene or practices overnight. And we don't unlearn them from a once-a-year training exercise. So giving people repeated access gives them opportunities to understand what those emotional triggers are. It allows them to begin processing e-mail in a different way, to be able to pull out whether there is a theme of fear, reward, curiosity, or greed in this e-mail that's trying to get you to act. Urgency is another theme that's commonly used. That's one of the things that we've helped people to do.

Another thing that I always like to point out when I'm talking to people about phishing is that, almost entirely, most of the payloads successfully execute only on a Windows platform. If you look at the families of malware that are in active circulation, only a very small percentage of that malware executes on mobile devices.

If you're unsure of an e-mail, if it's suspicious at all, you should not interact with it. You should get it in the hands of your IT department and ask them for help. But if you don't have that luxury, or maybe you're on your home device, you can actually safely view most documents from an Apple iOS platform or an Android platform, because the malware isn't configured to execute on that.

You do still have to be careful about phishing e-mails that are asking for passwords. Because even if you type your password into a phishing site from a mobile device, you have no safety there.

These are some things to consider.

Higbee: I'll just add one other thing. We put a lot of effort into the training. So when someone falls prey to one of our phishing simulations, they can get funneled into a bit of content of our customer's choosing - it could be a short video, or maybe just an infographic.

We put a counter on that education page. So when someone falls for one of our phishing simulations, and they're funneled into the education, we begin counting the number of seconds the person views the educational content. Our shortest video about phishing and avoiding phishing is 37 seconds. Our longest video on the topic is 3 minutes and 50 seconds.

If I look at the statistics for our customers - and we have over 550 enterprise customers worldwide - we send millions and millions of spearphishing e-mails a year. The average time spent on the education material is 9 seconds. So our shortest video is 37 seconds. Our longest video on the topic is 3 minutes and 50 seconds. Yet the average time spent on the educational material is 9 seconds.

That could be a little disheartening for our content team, which works hard on making sure that things look correct and are translated into the right language. However, if you look at the results, the susceptibility of the organization trails down dramatically after each successful "phish".

So that's interesting. Why is it that they're not looking at the educational material, yet the susceptibility rate is dramatically improving?

I'm not a psychologist, so I can only offer my best theory on that. My theory is that we rapidly go through e-mail throughout our day. It's just what we do. We have to get through our e-mail quickly because we have to get to the next conference call.

When you do encounter a suspicious e-mail, you may have that feeling that there's something - not to be corny - "fishy" about this e-mail. And when you interact with it, and it happens to be one of our simulations, and that education page pops up, which says something like, "This is Paul. This is the phishing problem that we were telling you about. Here's that video that we want you to watch" - you're closing that browser.

My theory is that the education that we're presenting post-phishing simulation is only reinforcing the suspicion that the person had to begin with. They were just thinking, "You got me again, Paul. I may be a little more vigilant and take a little extra time next time I encounter a suspicious e-mail."

So that's my theory on what's happening. It's interesting to study. And it's the same across every industry vertical. We have customers in every industry vertical. And employees in every industry vertical spend fewer than 10 seconds on the education page.

Singer: Thank you for that, Aaron. And speaking of 9 seconds, we're cognizant of time here.

We want to leave you with the thought that this is a problem that is not going away. There are lots of different ways that organizations can be protecting themselves. And certainly, employee training is a huge piece of that.

This is a humongous topic, which we've only touched on. I believe there is a place on TheCorporateCounsel.net website to submit questions. If you have them, we'd be happy to entertain them. Our contact information is also in the deck.

We thank you all for taking the time and for your attention today.

Romanek: That's great. I also wanted to thank again the panelists for this really great program. And I hope everyone has a great day.