Shook Lin & Bok Can Happen to Anyone
Shook Lin & Bok, a law firm based in Singapore, has paid a ransom of 1.4 million US dollars in Bitcoin to a ransomware gang. The hostage? Their data, apparently. Shook Lin & Bok is likely not the first of its kind to pay a ransom, and it will very likely not be the last. This is sad when you realize that 5% of the ransom is a little over S$100,000. For a law firm of that size, I think 100k would be enough to get some proper endpoint security, phishing simulations, staff training, a bug bounty, and even a pentest or two.
I hate pitching why security is important to would-be clients. I no longer do it and instead focus on digital forensics and incident response (things that happen AFTER you get hacked). I hate selling security because I don’t think I am good at pointing out the why of it. I feel like my pitch becomes woefully close to the much-loathed act of selling insurance: “If you don’t pentest your infrastructure today, you won’t get hacked later in the year.” I am also just really bad at sales. I imagine that every time I leave one of these pitch sessions, the participants gather around and high-five each other because they “showed me” by not paying my fee, and instead have saved up their profits to pay out to ransomware gangs just for the news-cycle flex.
In my experience, companies viewed me with suspicion, most likely founded on an insufficient understanding of technology and security. Does this mean they trust the anonymous ransomware gangs more than an ineffective insurance salesman with no teaching skills? Probably. But then I thought about this a bit more. Is it time that we, as cybersecurity practitioners, do more pro bono work in educating the masses?
To me, this looks like carving out a number of hours each month to dedicate to either conducting workshops or having one-on-one calls with SMEs to help demystify why security is important. It isn’t enough that we release TikToks or bite-sized LinkedIn posts, no matter how much the world supposedly has ADHD. The educational aspect has to be real, and this means wilfully setting aside time to teach and answer questions. You absolutely cannot and should not have any expectation of loyalty or lock-in from the client after the session. Your pro bono work should be dictated by the simple fact that once the time is given, there are zero expectations of “value” that should come out of it, other than the value of having more savvy SMEs who understand why security is important.
So let me start: if you’re an SME in Singapore that has questions about ransomware, or even about how to structure your in-house security, drop me an email and schedule some time to meet. It won’t cost you anything other than your time, and there are no stupid questions. Speak soon!