
    Get Cyber Resilient Ep 92 | How to Build Ransomware Muscle Memory - with Nick Abrahams

    We are joined by Nick Abrahams, Global Co-leader of the Digital Transformation Practice at Norton Rose Fulbright.


    Nick is also the founder of the successful online legal site "LawPath". He created the world's first AI-enabled privacy chatbot, "Parker", has a thriving career as a keynote speaker on future trends and innovation, and is the author of the best-selling Kindle books "Big Data, Big Responsibilities" and "Digital Disruption in Australia".

    In this episode jam-packed with his insights on ransomware, Nick walks us through his experiences working with boards during breaches and how they can build their muscle memory on how to tackle ransom payments. Nick also stares into the crystal ball to talk us through his vision on the future of Web3.


    The Get Cyber Resilient Show Episode #92 Transcript

    Garrett O'Hara: Welcome to the Get Cyber Resilient podcast, I'm Gar O'Hara. We're joined today by Nick Abrahams, who's the global co-leader of digital transformation practice at Norton Rose Fulbright. Nick is also a corporate tech lawyer, a speaker on web3, crypto, NFT, and the metaverse, entrepreneur through LawPath, author of Big Data, Big Responsibilities and Digital Disruption in Australia. We had a cracking conversation where Nick walked us through his experiences working with boards during breaches, and maybe more importantly, his work with boards to build their muscle memory on what they will do when it comes to ransom payments. He runs simulations with boards using six steps to really help them get clarity while they're not under a huge amount of stress. We also got briefly to touch on web3, what that is, and a little taste of what it can mean for us all in the future. Over to the conversation.

    Welcome to the Get Cyber Resilient podcast. I'm Gar O'Hara, today I am joined by Nick Abrahams, who is the global co-leader for digital transformation practice at Norton Rose Fulbright, amongst many other things, but I'm not gonna steal Nick's thunder. How you doing today, Nick? Welcome to the podcast.

    Nick Abrahams: Thanks very much, Gar, I'm delighted to be here. I am very well indeed, thank you.

    Garrett O'Hara: Happy days, yeah, we're both surviving the the fl- the biblical flood levels that we're experiencing here in Sydney, so yeah, good to have you on today. Nick, the, the first question we ask pretty much everybody is how did you get to where you are today? I'm looking at your [laughs] the things you're, you're, you're sort of down for doing, and it's quite a broad set of things that you're involved in. But would love for you to kinda run us through to how you got to where you are today.

    Nick Abrahams: Sure, sure. Well, and just ... I guess ... Well, I say I'll say it quickly, and my wife says, "Well, no, you always labor this story." So anyway. So yeah, started off as a lawyer, then had a a bit of a personality flaw that I wanted to be a Hollywood studio executive. And so went to Los Angeles and went to film school at University of Southern California. And that was all great, and I was working at Warner Brothers as a, actually as a sort of creative executive, and then had another epiphany, which is that the the number of sociopaths in film and television in Los Angeles is really quite significant.

    So left that, then got together with a dotcom, this was back in '98, and just really at the start of the first dotcom boom, and I was chief operating officer of that company. We listed it on the ASX, and it it looked for all the world like it was never work again time for me. But Gar, you know, money would've spoiled me, and so with the-

    Garrett O'Hara: [laughs]

    Nick Abrahams: ... dotcom crash, my equity went south very fast, and my interest in the law rekindled at a similar rate, and then came back to Australia then from LA, and really focused, then, on doing what I'd seen a number of the US tech [inaudible 00:03:07] firms do, which is become super integrated in the technology community. And so since 2002, I've really sought to be a, you know, be a part of the technology community both in providing technology law related services, and also you know, just helping out with the network and so forth, helping people where I can.

    And so my, my core practice is in technology work, so I do technology, M&A, and then I also do data-related work, privacy, and cyber, what we'll, we'll talk a little bit today, and I've written two books on technology. And then just sort of quickly to cap it out, I've got a separate business that I started seven years ago called LawPath, it's an online legal business that's [inaudible 00:03:54], so I've got 45 people entered, and also been on a listed board, a software company, ASX 300, for six years, and then also s- sit on three other boards. So yeah, that was that's, that's how I came to be here.

    Garrett O'Hara: And to, to sorta synthesize that, that's why we should be listening to you, you've got a-

    Nick Abrahams: [laughs] I don't know about that.

    Garrett O'Hara: ... yeah, pretty, [

    Nick Abrahams: crosstalk 00:04:19]-

    Garrett O'Hara: ... And I think y- you've, you can probably see behind you, Nick, I think your book Big Data, Big Responsibilities is on that shelf somewhere.

    Nick Abrahams: Ugh, now you're talking, Gar.

    Garrett O'Hara: So,

    Nick Abrahams: Normally it's holding up the monitor.

    Garrett O'Hara: [laughs] There you go.

    Nick Abrahams: That's the way most people use it.

    Garrett O'Hara: [laughs] Fantastic. So, yeah, clearly, clearly someone who's got a a strong pedigree in, in tech, and then obviously the legal side, so that, that is fantastic, and a really good way into this conversation. One of the things we, we wanted to talk about today was ransomware, which clearly, you know, it's a very hot topic. And I know you've done quite a lot of work, obviously, with boards and in the industry on this as a, a sort of subject. And one of the things that I think it's fair to say is that like the board would normally not be involved in certainly the operational decisions when it comes to, like, recovering from a cyber attack. That's kinda not really their thing, or they would have oversight, but they're not really making the decisions. So why, then, would it be necessary or why is it necessary for a board to be involved in the decision, then, when it comes to ransom payments?

    Nick Abrahams: Yeah, so it- it's, it's a very different proposition with ransomware to a normal data compromise. So in any sort of normal data compromise, where there's not a ransom issue, yeah, the board just has oversight. You know, they, they would generally leave it up to the senior technology executives to, to actually just make sure that, you know, the business gets back up and running as quickly as possible. So the board just has oversight. But interestingly, with ransomware, the board has to make a decision, and it is a decision which every board is singularly unprepared for. Because if we distill it down, the decision is should the company pay a criminal to get an advantageous outcome for the company? Boards have never made that decision before. And so it's a very complicated question for them.

    Garrett O'Hara: Yeah, I can well imagine. And in, in sort of your attempts to assist with this or to, to help them get to the point where that becomes easier, and then I suppose they're not making that decision for the first [laughs] time when it- when it's kinda real life, you've actually created a, a simulation, right, to help boards get a handle on this kinda ransom payment question, to pay or not to pay and, you know, do we negotiate with terrorists? You know, there's a, there's l- [laughs] lots of tee shirt slogans that get said in the industry. Why did you create the sim?

    Nick Abrahams: Yeah, so, so it's, it's based off the back of ... So w- I've been doing a long-form sim, a two hour sim which was for senior leadership team. We take them through the whole ransomware and privacy notification issues, and so w- that's been very successful, done that many, many times, and good fun. And what became clear, though, is that generally board members weren't in those senior leadership team simulations, and what was happening is when you've got a ransomware attack, and, you know, we've dealt with many, many ransomware attacks. I mean it's, it's unfortunate, but it's become a very significant part of my practice and my team's practice. What, what happens in a ransomware attack is the organization is in a state of shock, and is, is massive anxiety, and at that time, the board comes together and has to make quite a quick decision as to whether or not to pay ransom.

    So as I said before, boards have never made this sort of a decision before. And so what was happening is I was getting parachuted in, and, to address boards when they are in extremis, and trying to give them a sense of, you know, what are the key questions they should be asking?

    And so what ... And, and it's a, it's a very it's a very complicated decision for boards for a variety of reasons which we'll go into. But what, what I then decided is that boards need to have some framework for dealing with this, and also some muscle memory. I think it would be good for a board to have gone through a simulation where they made a decision as to whether or not to pay ransom, and then had a framework for making that decision. So I, I pitched the idea to a couple boards, and it's been very successful, so I've done it many, many times. Going into boards, and it's a, it's a truncated version, it's, it's basically just 45 minutes, 'cause all boards are time-poor.

    And so the first 15 minutes I spend giving people the, it's, it's the, the six view framework, it's a six questions framework that I think every board needs to ask before they decide whether they will pay the ransom or not. And so the first 15 minutes is that, and then the next 30 minutes is the board, I then give the board sorta their, their you know, their parameters, and then it's watching the board as they try to make this decision. And it's, it's fascinating, and I should say, so contentious is this issue that I've never had a unanimous board. There's always one or two people who who, who don't wanna pay for, for often moral reasons. So it's important to have I think, for all boards to have, you know, role-played that beforehand, so you know how to handle it when, ... And unfortunately, you know, it's, it's likely to be more of a a when it happens rather than if it happens.

    Garrett O'Hara: Have you seen any variety in terms of the type of organization, and, you know, the, the, you know, what the board is involved in, and, you know, here I'm thinking of organizations where you know, ransomware attack, depending on, you know, what's been set up in advance may or may not be significant. So there may be a a dialed-down version of the pressure. And then the other scenario where there's types of organizations where the pressure could be significantly dialed up, and, you know, here I'm thinking about the, the stuff where it's literally, we do something that's, you know, on paper u- unethical, but it keeps people in jobs, keeps the business going, potentially assuming that, you know, the, the the keys are handed over post-payment. Tha- that must be incredibly difficult to, to navigate in, you know, in a board situation. But, you know, I suppose the question is h- in your experience, with the amount of boards that you're talking to, do you see patterns in terms of, like, "Oh, if it's this type of organization, we'll tend to see a v- they'll veer towards pay, whereas this type of organization maybe less so?"

    Nick Abrahams: Yeah, yeah. I, I think so in founder-led or strong sort of wh- where there's a strong shareholder sitting on a board, or something like that, there's generally an enormous amount of pragmatism, and this is on, you know, on listed boards generally speaking. So a, a high amount of pragmatism. And so there's an overwhelming sense of, this is just something that we've gotta do. We'll pay the money, we'll take our chances. And so the you know, the ethical thing moves away a little bit, and, you know, you can see the strength of, you know, particular voices on a board.

    And then you get to perhaps more diverse boards. And so say, for example, a, you know, for whatever reason, I- I've been sort of, done quite a few in the sort of energy and infrastructure space, and they tend to have s- have slightly more diverse boards, with people who, who think of things oth- you know, they're not, it's not necessarily about, you know, the financials and so forth, there's a whole lot of other things. So they will think a little bit more broadly about the ethical questions.

    And then, you know, the, one thing that gets gets, gets you to paying very quickly is if there are, if, if there's ever sorta life endangered. And so we've seen, obviously with healthcare and, you know, these threat actors have you know, no scruples. They are, they are attacking everywhere. And so, you know, with healthcare and so forth, we've certainly seen their preparedness to pay.

    But I have to say, in every simulation, and in fact in most of the ransomware cases I have been involved with there has been a decision to pay. I think people get you know, people get their way around that and, you know, will talk through that sort of as we go through the sim, but yeah, I think that most organizations end up making the payment.

    Garrett O'Hara: Yeah, interesting. Is, is there a play into the decision that comes from whatever the status would be for the organization in terms of cyber insurance? 'Cause I do know that they have a voice in terms of, you know, access to expertise, obviously, and the people who potentially can [laughs] negotiate with the terrorists, as, as they say. How have you seen that play out where, like, does that dilute the ability for the board to make a decision one way or the other sometimes where, you know, based on a, you know, contractual obligation in some cybersecurity policy, that is a pay or not pay clause or s- or, or like, how does that work?

    Nick Abrahams: Yeah, yeah, no, it's great point. So yeah, if the organization has cyber insurance and particularly if the cyber insurance is prepared to pay, and they, they used to be pretty open to paying, we're starting to see that not so much be the case now, so people shouldn't get too comfortable that it will all be covered by cyber insurance. It may well be, but you know, we're starting to see that fall away a little bit. But [inaudible 00:14:10], if there's cyber insurance, then often the board is in a better position, because they can effectively abdicate responsibility for the decision, because the board can say, "Well, you know, we're covered by cyber insurance, and it is the, we've handed the claim over to the cyber insurer, and it's the cyber insurer who makes the decision whether or not to pay the ransom." So yes, and, and i- in fact, in the simulation, I specifically talk about cyber insurance, but take it off the table, because it is all too easy for the board to simply abdicate and say, "Well, you know, we'll leave it up to the cyber insurer, and, and they will, you know, they make the decision."

    And I should say, it's, you know, I have had some wonderful experiences with cyber insurers where they take control of the situation and do the negotiations, very good at it. And, and so there's a, you know, there's a ... I, I'm not a, not a [inaudible 00:15:06] for cyber insurance, but just you know, that is the reality, which is those folks are dealing with these threat actors every day, and they've got some very good methods for managing those ransom claims, and, and, and sort of dealing with things in quite an effective and efficient way. And you feel like you're, you're in the hands of, of true professionals.

    Garrett O'Hara: Which is, like, to your point earlier, that's exactly what you want on this, assuming when you're in that situation of, of max stress, you know, you wanna be able to that you're, you've almost [inaudible 00:15:37] cyber insurance, 'cause the idea, not having to make a decision I'm, I'm, I'm all for that, any [laughs] any opportunity I ge- I get to not make a decision.

    One of the things that occurs to me, w- look, we talk about this in general training, forget about cyber, just in life in general is that like repetition is mastery. You know, y- you gotta do this stuff over and over again to, I s- I think, to use your words, to build the muscle memory. How do you see that play out with your simulations with boards in terms of like a cadence? Is it once a year, once every six months, like how d- how do you see that work most successfully?

    Nick Abrahams: Very interesting. It's, so, so there's one particular board who, you know, we're on a cadence of once every six months, and-

    Garrett O'Hara: Yep.

    Nick Abrahams: ... Because th- the sim is intended to really introduce a whole range of concepts and, and a structure for thinking about how to make the decision. So you don't need to repeat the simulation, but out of, out of that you know, organizations might develop a playbook, in terms of, you know, what should they be looking at? They've got the s- they've got the structure, but how do they feel about that? And then I'm, I'm invited back sort of every six months, really to give a sense, a bit of an update on what's happening, 'cause it is a, quite a fluid issue in some of the things, you know, that we touch on in terms of, you know, is it legal you know, what are the director's duties implications, et cetera. That sort of nuance is moving a little bit, and so so yeah, so there, there, there can be [inaudible 00:17:12], doesn't always be, you know, some, some boards have just been, you know, "Thanks, Nick, that's, that's terrific, and and we'll take it from here."

    But others have seen it as, you know, having someone to come in who's, who's regularly facing this and being able to, you know, just update, like-

    Garrett O'Hara: As you're talking there you talk about the, the things that change. I'd be keen to get your thoughts on mandatory reporting of ransom payments and, and where you sit on that, and like pro/con, wh- wh- what, how do you see it?

    Nick Abrahams: Yeah, look, I think, I think I think it's absolutely critical that, that we do have mandatory reporting of ransom payments. I think, I mean, this is, this is just a despicable business model that has grown up, and, and it feels like it's accelerating, not decelerating, and there's sort of precious little that the government can do to, to stymie it, short of making it illegal to pay ransom, which you know, governments around the world have not have not gone that direction, but that would obviously be a way to, to kill this particular business model. But I don't think that's going to happen.

    So the government's proposition around mandatory reporting is, is really, it's an information-gathering exercise, and I think that the more information that we can have the better off we can be when we're trying to respond to these things. So they're, we've been involved in s- some of the discussions around what that, wh- you know, wha- what the mandatory notification will look like. I think y- we, we need to be conscious that this is, th- the whole data space is starting to get sort of quite, quite regulated by a whole bunch of different folks. And, and so it's starting to become a little bit complicated as to what notice needs to be given to who and when, and so I think if we can just recognize that you know, there's, you know, tha- that organizations should be as streamlined as possible but I think notifying of ransomware attacks is a, is a good idea, I think the government can consolidate that information, and then hopefully provide it back.

    And y- you know, it's simple in one sense, in what it could achieve, in that some of these folks aren't super sophisticated, and they're just using tools that are available on the dark web, and so forth. And so the more knowledge that we have fast, coming to us when you've got a breach like this to, you know, okay, is there a way around this, do we, have we, do we know this perpetrator? You know, what is their, what is their history? Are they you know, do they, you know, do they generally, do their decryption keys work, et cetera? The more information we've got like that the better, because right at the moment, and that's one of the things that I try to get boards used to is you are operating in an absolute vacuum with, with information. You don't know how extensive the you know, the malware is within the system, you gotta be locking down a lotta systems, doing a lot of analysis, that takes time. You don't know how successful it's going to be if you, you know, pay and get the decryption keys and so forth. So the more information that we can have the better.

    Garrett O'Hara: I was joking abou- [laughs] about this with somebody recently, where and we were talking about about the, the mandatory reporting stuff and, you know, how that dataset becomes useful then in terms of p- you know, pay, you know, like as you've described, and [laughs] sort of like, we, we got to the point where we thought it was gonna be like, you know, rating your car share driver, where you give them a star and leave a comment. You know, "10/10, would pay ransom again," you know, i-

    Nick Abrahams: Well, I mean, I gotta say, the user experience on some of these is actually not too bad, as bizarre as that sounds. I mean, obvi- there's obvious- th- there's the FAQs, which, you know, if you need to understand how to buy crypto to pay the ransom, there's, there's a whole array of things around that. So they, and they're very clear, often, with their messaging. It's, you know, it's, it's, there's a, it's you're left in no uncertainty around that. So I think as bizarre as it may sound you are better off getting hit by someone, or a, or an organization that is good at this rather than someone who is having a go and just downloading some tools and just got lucky.

    Because if you, if you got a, you know, an organization that is actually very good at this, then often the decryption keys will work better. And that's, that's the big unknown. And that's something, actually, which is hard for boards to get their heads acro- because, you know, generally the ransom is around the million dollar mark, which most boards can get their heads around, you know, that's a, it's a, you know, it's a lot of money, but it's, you're basically placing a bet. You're saying, you know, "If I put a million dollars down you know, my systems might come back up quicker."

    But boards struggle with that proposition. So boards, s- some of them think it's, it's a bit like they're dealing with Accenture. And if they pay their million dollars, and they'll get the decryption keys, and, you know, the next day we're all good. So, so it's not that. A- and that's a, that's a good learning for boards, 'cause boards particularly when, you know, if, if they're tryna make this decision when the business is under duress because they're [inaudible 00:22:56], it you know, there, there, there's a lot for them to get their heads around. So that's been one of the great learnings, I think, excuse me, for boards, which is, you know, this, this money that you pay, there is zero guarantee that the decryption keys will work. So, so all we are doing is paying an amount of money and hoping that, you know, we might get our systems and our data back a, a bit quicker. In some cases, you might get it a lot quicker, in some cases it may not work at all. Well, it generally works a little bit 'cause you've done sort of the, the sort of proof of life where you test the decryption key's capability. It's been trying to get the boards across the uncertainty of that is quite difficult.

    Garrett O'Hara: Yeah, there's, there is so much so much to kinda get through in that one. I- it's sort of an interesting one as you were talking about the utility of ransom reporting, and, you know, tha- that sort of, that's one lever that the government could pull. And I don't wanna steal thunder from something we're gonna talk about a little bit later, which is web3, but y- purely f- to the lens of ransomware, like any kinda thoughts on regulating cryptocurrencies, with a view to kinda chopping the legs out from the [laughs] the monster?

    Nick Abrahams: No, no. I I mean, gosh, the, you know, the government is, is going to attempt to do some regulation of, of crypto later on this year the Bragg report was a good report you know, and they've, they've thought, I think, somewhat deeply about the area. And one of the problems, actually, the bottleneck with getting this regulation is the treasury, who are tasked with getting with getting these regulated into market, have 60 open positions looking for people with crypto expertise to help them craft the legislation. So-

    Garrett O'Hara: Right.

    Nick Abrahams: ... you know, I, I, I think that, you know, this, the, the crypto world and, you know, web3, NFT, it's, it's actually quite a small environment. There's not, you know, i- there's, there's, there's obviously some people, but there's lot a lotta people in that space. And so I think, you know, for the government to come up with a proposition which would solve, solve it from the crypto side, I think, is unlikely. But, you know, there wa- there've been some examples where, like in the US where, I think it was the FBI was able to track the crypto payments into wallets and seize the wallets in in r- in ransomware payments. So, so I think the solution to this may well sound more in the technology, sorry, and maybe that's the lawyer pushing back to Gar the technologist saying [laughs] "We can't solve it, you guys have to solve it."

    But I think, you know, tha- that feels like there may be, you know, some, some better solution there if you've got a, you know, a s- a super, super capability of tracking crypto, and, and where it goes in the wallet, maybe that's, maybe that's something.

    Garrett O'Hara: Yeah, it, it sorta feels like the toothpaste is out of the, the tube a little bit on that as well. You know, at this point it's, it's sort of hard to, hard to kinda go and regulate at this point. Before we go too dow- too far down that track, I'd been keen to kinda circle back on on your sim and if it's okay, to kinda actually go through maybe the structure of that sim. You know, you've talked about it's, it's 45 minutes and, but I'd love to get a sense of how you work with the board and, and those steps that you, you go through with them?

    Nick Abrahams: Great, great, yeah. So, so, well, the first thing is I'm, I'm always working hand in glove with the with the in-house sort of technology leadership and, and the security, the CISO, and so forth, the security leadership. Because the sim really needs to reinforce what has been, you know, a pattern of, of conduct and processes that the technology leadership have orchestrated. So, so the sim is designed to sit in and support that and so it's not, not intended to try to expose things. And, and that's one of the things I've, I've had to try to keep directors, in the early days, keep directors on track. Because they're, often directors'll be like, "Well, why don't we, you know, wh- why is this happening to us? Do we not have the right security?" And it's like, this is a simulation. So it's not about, you know, the, the technology team, you know, whether they've done a good or a bad job. This is a simulation.

    So, so it's very much about working together with the technology leadership, and then what is critical about the sim is it forces the board to make a decision. And, and I've spent a lot of time in, in boardrooms, and I think boards can be incredibly effective. But the first response for most boards to any issue is, "We need a paper on that." They, boards love asking for a paper. "Let's get, you know, someone to do a paper." And so, you know, I protest it in a nice way. I'm like, "There's no papers. No- no one's gonna do a paper. You've gotta make a decision at the end of this 45 minutes as to whether you're gonna pay a ransom or not, and there'll be a whole lot of information which you don't have, which will make you feel awkward, but that is the nature of what happens. That is the reality. You, you cannot [inaudible 00:28:27] this thing down 100%."

    So, so that, that sorta sets the framework. And then the very first, so there's, as I said, there's 16 questions. The first one, and in fact, the most important one, which is the organization's values. And so is the payment of, as I said, you know, it is paying a criminal to get an advantageous outcome. How does this fit with the organization's values? And what I had seen is boards often just completely ignored this. It sort of, you know, it, it sort of got to this pragmatic commercial discussion, should we pay or should we not? I think, I think where, how it fits with the values of an organization is really important. So we know that 55% of the Fortune 100 in the US have integrity as a value. And so you know, if you know, that value comes to be tested and you just throw it out immediately without even giving it due consideration, then you're certainly not a values-driven organization, we know that obviously that's what organizations should be doing.

    So I encourage people to think it through from their values, and and [inaudible 00:29:41] and that often also becomes in their personal values as well, which is sort of, you know, comes into the discussion. But, but it's really going to it from the organization's values, how would you defend this if your staff found out that you paid a ransom, if your clients or customers found out, et cetera? So we talk about that, and that you know, tha- that gets, that often gets people sort of quite engaged, and, and, and so we ultimately, I'm not saying that you shouldn't pay because of your values. If you've got a value of integrity, it doesn't mean that you shouldn't pay. And where most organizations get to is the [inaudible 00:30:20] argument, which is, "You know what? You know, we, you know, we, we hate this idea of paying, you know, a perpetrator a ransom. But, you know, we- we've got our obligations to our people, to our customers, to our partners, we need to, we need to get this business back as quickly as possible."

    So, so that's [inaudible 00:30:42], you know, it should be articulated that way. So that's the first one. The second one is the legality of it. And now sort of going, going down the the alley on that. There, it's, it's not necessarily straightforward in Australia how legal it is. So ultimately, I can get organizations comfortable that it is legal to pay, but you need to go through a process, and there's two key considerations on the legality question. So the first one is could it be considered to be payment to a terrorist organization? And so what we've seen in the US is that they've started to schedule certain ransomware perpetrators as terrorist organizations, and once those ransomware perpetrators become listed as terrorist organizations, then no way you can make that payment, because we've got a series of conventions and treaties that we've signed up to that if, if the US or other places say they're a terrorist organization, then then that's what Australia says, and no one can make any payment.

    So, so that's a very important one, you definitely do not wanna get caught up in that. And then the next legal issue is could the payment be said to be funding criminal activities? And there's v- and this is v- this is a state law question, the states have each state has th- that sorta law in, in s- sorta more or less the same sorta language. And this is, you know, on one view of it, you're like, "Well, I mean, you're paying money to criminals, of course what are, you know, [inaudible 00:32:28] are they going to use?" But you need to really work through that question delicately, and come up with a defensible position as to, you know, wh- why you can be comfortable that it doesn't trigger that criminal liability. And that's sort of, I know that will sound like, sort of lawyer speak, but it is, it is important to, to think that through, and, and to have some good supporting sort of background that you've recorded which justifies why the board came to that decision.

    The, the next one is director's duties. And so obviously every board is critically concerned with their director's duties, and we go through a few of those and determine whether it is i- you know, is there anything that would prohibit them making the decision to pay? And or, or, you know, conversely, should they, is there, you know, are there director's duties that require them to actually make a payment? So that's an interesting discussion.

    Next one is around reputation, and really this is something which I do just because I know that people get incredibly anxious when they're being attacked. It is, it is a horrible situation, and no one's sleeping, [inaudible 00:33:54] you know, and particularly the tech teams, it's, I mean it's, it's just a nightmare. And what I try to do is to calm people down because the reality is that this happens a lot, and you will survive. And so we've done some proprietary research where we've looked at every ASX-listed company that has had a data breach, and they don't say whether it's ransomware or not. But we've looked at where they've said they've had a data breach, then we've analyzed the short, medium, and long-term impacts on share price. And what my proposition there is that the share price is a proxy, it's a very rough proxy, for reputation of the company. And so and I, I appreciate, it is a very rough proxy. It's not, you know, it's not, not a direct representation, but it's as good as we can get.

    And so in doing that, [inaudible 00:34:52] on a few views on which organizations are most likely to have more permanent damage as a result of this sort of breach, and so I have some theories around that. And the final two, just quickly so to the, to the technologists who are listening I talk about the practical or technical assessment, practical and technical assessment. And so this is where the board gets particularly I guess, energized as to, they want the CTO or the CISO or someone in, in, in the executive team to tell them what they should do. So they wan- they want someone to say, "Yep, we should pay the money, because that'll be a good thing." And ultimately, I don't think anyone in, you know, in the executive, you know, be it the, particularly the major security officer or anyone else can really say, "Yep, I think that, you know, absolutely the board should do it."

    I think for the most part, the advice is, "We can get the systems up, and we can get our data back. We've got, you know, we've got great backups," et cetera. It may take us time, and y- you know, this, this timeframe can run from, yeah, a week to, to many weeks. And so, so we can get it up and then what I can tell you about paying a ransom is that we can't be certain it will work, but it's probably worth a shot. You know, that, that's s- that's the sort of, sometimes like the vibe that you have to give. I think it's you know, and, and, you know, the CISO might say, you know, "I'm" you know, "I'm, I'd be comfortable paying the ransom." But you, you can't ... I don't think, I don't think anyone can make the board's decision for them, because it's more than a pure technical proposition, for the reasons that I've said.

    So yeah, so that, that's a very helpful thing, I think, for most technologists, for boards to become a little bit more insightful around, around what to expect on that. And then the final one is cyber insurance, which we talked about, which I, I take off the table, I say, "You don't have to consider cyber insurance because, in the, for the sim," because it you know, it may well pay a ransom, but in a real life situation, cyber insurance would be your first point of call, to see if y- if they would take the problem off your hands. But for the purpose of the sim I don't want the boards abdicating.

    Yep, and so we, I give them, I give them all those, and then I basically say ... So that's the first fift- taken me more than 15 minutes I think to explain those, but I give it, I give [inaudible 00:37:27] for 15 minutes, and then they've got 30 minutes where I sort of, I'm just available, sort of as an advisor, as they make the decision. But I take the legality question off the table for them. I say, "Let's assume it's legal," I take the director's duty issue off the table, I say, "Just assume that you can [inaudible 00:37:42] director's duties," and then I take the cyber insurance issue off the table. So they, they basically, often they are just they are just discussing a- you know, gets down almost to the values proposition, 'cause you know, I m- as I said, you know, these, this stuff is, is sort of opportunistically priced around a million dollars, so they can generally get their heads around that as an expense. And then, yes, I mean, that runs for 30 minutes, and then they have, they have to make a decision by the end of it.

    Garrett O'Hara: I've got, I could feel a- adrenaline and anxiety going through my body as you're talking about it. It's i- it's such a ... [laughs]

    Nick Abrahams: It's so, it's so good to watch, it's like it's-

    Garrett O'Hara: Yeah.

    Nick Abrahams: .... fascinating to watch, watch, watch how boards work and how boards make decisions, and the influence of the chair is obviously critical, and making sure particularly those people who you can tell some people have a very strong moral compass on this, and, you know, they, they need to be listened to. You know, it's-

    Garrett O'Hara: Yeah.

    Nick Abrahams: ... it's not, it's not just a pragmatic decision. Yeah, so it's, it's fascinating. As I say, everyone gets around to paying you know, they get their head around paying. It may not be unanimous, but ultimately they, they ...

    Garrett O'Hara: Yeah, you get to a decision at the end. You, as you were talking through the legals and I'm, I'm very conscious that we are rapidly approaching time here, so I'll try to be quick here. But, you know, one of the things that did occur to me is that you, you've mentioned the kinda sanctioned list of of entities, you know, these are terrorist organizations, therefore it is illegal to pay. And then it feels like you get stuck between a rock and a hard place where if your decision is literally, well, you know like, "We close the doors of the business," or, "We abide by the law," you may not be able to even answer this question for many reasons. But do you see situations where a- an organization on balance will make a decision that may not be sort of fully in line with the law, purely because that's the only way to keep the doors of a business open, or is it very black and white and they just won't do that?

    Nick Abrahams: Yeah, I've, I, look, to be honest, I've never seen ... Because it's generally, generally it's not, it's not an existential crisis for companies. Like-

    Garrett O'Hara: Okay.

    Nick Abrahams: ... companies can come back from this. It's-

    Garrett O'Hara: Yeah.

    Nick Abrahams: I mean, I, even when I had a terrible one, which I mean, it was just, I mean, it was a decent-sized business, probably worth, I don't know, 250, $300 million. A decent-sized business. I mean, just terrible sort of you know, cyber hygiene. You know, not patching things, like that [inaudible 00:40:18] ...

    Garrett O'Hara: Mm-hmm [affirmative].

    Nick Abrahams: I thought that not patching thing- you know, was gone years ago. So and, and even though they got hit pretty hard you know, [inaudible 00:40:27] you know, they lately have had some backups, and they could rebuild from that. So I've never seen it where it's a true existential crisis where it's like-

    Garrett O'Hara: Yeah.

    Nick Abrahams: ... literally, "We're gonna have to shut the doors, because this business is done." I mean, I have had situations, oh my gosh, where people you know, particularly pe- where I- I'm a big believer, if you don't have the expertise in-house, I think very few organizations have this sophisticated, you know, live ransomware inside the system experience. I don't think very many organizations, the banks probably do, but few others have that level of capability. So I'm a big believer in bringing in real competence from-

    Garrett O'Hara: Hm.

    Nick Abrahams: ... Third-party advisors who do this every day. But I had one situation where a an organization, this is in a, a live breach you know, they had a, you know, a technology services company, it was a very small one, who did their IT work. And, you know, they're like, "Oh, no, we're not gonna get any [inaudible 00:41:32]." And so the IT company started backing up you know, just, just, thought it would just back up because it had the backups. And then the you know, the malware was smart enough to figure out what was going on and encrypted the backups.

    Garrett O'Hara: Oh.

    Nick Abrahams: So, so yeah. I'm a big believer in you know, bringing in, in third-party capability [inaudible 00:41:57].

    Garrett O'Hara: Yeah, definitely. We, we may try the impossible here. So I got, got two kinda questions left, and I suspect this is gonna be a task of Everest size. But we touched very briefly early on on web3, and I know from following you on LinkedIn, like this is something you're quite passionate about. And and for those listening, we'll, we'll include a, the links in the show notes to some of your, your kind of explainer videos, they're fantastically well-done. Th- let's try to do the impossible in the n- you know, the next five minutes. What is web3?

    Nick Abrahams: Yeah, yeah, sure. So I think if we think about it, it is it's, it's best to look at it in terms of h- the evolution. So web1, around '95, '96 until 2004 was the read-only internet. So, you know, it's some nice [inaudible 00:42:50] some nice sites, but you couldn't book a hotel and you couldn't make you know, bank transfers and so forth. So that was web1, read only. And then web2 which is sort of 2005 to now has been read and write. So we've been able to really interact and, and we do bank transfers, we can buy things. Social media lotta content creation. And so web3 is the, changes the game in two ways. So firstly is that we can now read, write, and own in the internet. So because of NFT technology, we can actually own digital files, and NFT technology gives provable scarcity. So you actually provide an asset which we haven't had before, because, you know, you put a JPEG on the internet and it can be copied an infinite number of times at zero incremental cost.

    Now, you've actually got a protectable asset. So I think, you know, read, write, and own is critical. And then also with web3 is the move from the two-dimensional web experience to the three-dimensional experience. And so the idea of the metaverse is, you know, otherwise known as the embodied internet. So the, think of the way that you currently buy something online, you know, you mi- it's a very sort of flat, two-dimensional experience. You click on something, it goes into a sort of virtual shopping cart.

    Well, the promise of web3 and the metaverse is that, you know, you will actually be, physically feel like you are in a store grabbing that item and putting it into a cart or shopping bag, and so that may be done either with existing technology, and that's where you've got Decentraland and Sandbox and Somnium Space and so forth, which you can sort of negotiate your little avatar around a virtual world or you can, you know, have a heightened experience, and that may be through virtual reality goggles, which actually take you completely out of your own environment into a simulated environment, and so that's where Meta's Oculus would take you. Or extended reality, with something like Microsoft's HoloLens, which is, you know, effectively just a, a lens that you look at your own world through but various amounts of information are being projected or actually projected onto your eyeball, not onto the lens where you're actually seeing different, different amounts of information, but s- you're still in your own reality.

    So, so yeah, I think [inaudible 00:45:36], you know, my, my belief is that we will move everything that we will do on the two-dimensional internet into the three-dimensional internet over time. You know, it's not [inaudible 00:45:46].

    Garrett O'Hara: Y- you sorta painted a vision there, almost like Ready Player One with haptic suits and s- you know, th- that sort of full immersion experience. Feels like it's gonna go that way. I'm gonna get nostalgic here for a second. There's a, there's a game called Mercenary, a guy called Paul Woakes, I think, was the guy who wrote it, back on ... Like it's, we're talking like C-64, way, way back, you know, monochrome vector graphics.

    This thing, I mean, the whole game is like 10k in size, right? But I remember loading that up and this, it still blows my mind, it's still a game I download every now and again just to have a little wander around. But it's a vector graphic world that you can walk around, basically a city with spaceships flying around in 3D. And, you know, nine-year-old brain was exploded by this. And I think about when you see the technology that is, is available now, there's no way I would've believed, like, that we would be doing what we're doing today. And I, I d- do sorta think that we're probably not as far away from this stuff as it may seem sometimes. You know, we, we have the technology, it's just kinda the, the broader adoption of that.

    I- I've got literally like 50 questions that I would like to ask you now, and I think [laughs] we've got like five minutes left. It, some of the things I've heard about things like NFTs in sort of broader commentary around this stuff is the, the utility for people like even funding themselves, so, you know, somebody coming out of an arts degree and you buy sort of part of an NFT contract, and as they, you know, it funds their education, it funds them getting going, and then you get some points as they go forward and become a huge global artist or, you know, musician, or sports person. Like is that, in your mind, is this all part of web3, like is it that kinda stuff we're talking about, or ... Yeah, it is.

    Nick Abrahams: Yeah, yeah, yeah, I think so. So I think the best area to look at to show what are the business models, and the revenue models for the future is gaming. And so if we look at, if we look at you know, gaming originally was you know, you just said, so for example, Fortnite, so it's operated by the gaming operator, and then you buy your stuff in Fortnite, but you're paying the owner of Fortnite and, and you're just keeping your stuff in-game. And then, you know, now we've got the play-to-earn platforms, and this is, this is, I think, right on hitch with, you know, what we're saying about, you know, [inaudible 00:48:05].

    So with the play-to-earn platform, particularly what's, what's known as play-to-earn v2 now you've got folks who are doing on, say, Axie Infinity you know, there are gamers who are full-time gamers, it's been very big in the Philippines, there are, there are, you know, these are- these aren't super egamers sort of people who are, who are true sort of super professionals, these are just people who like playing the game, but do that as a job, you know, would spend many hours a day in it and so they are able to earn cryptocurrency effectively within Axie Infinity, and there's a number of, I, it's very common in the Philippines for those games to be earning two to three times average wage.

    And then what we've seen, which is this, this extension of, of the business model is quite expensive, it's about $2000 to get started in Axie Infinity, you gotta buy your Axie type Atari thing. So, so there's guilds, now, there's sort of gaming guilds. So they're folks, you know, often from the west, who join together and who effectively make available these NFTs, so they might make available an Axie for a, a gamer in the Philippines or Indonesia to go and, and do, and play the game, and then they split the proceeds of, of that. And so, you know, those, those gaming guilds are formed by what's called DAOs, decentralized autonomous organizations, and then they are loaning out NFTs and then, and then reaping, you know, the benefit of that. So, so that's a phenomenal business model, and that's why I said, you know, the critical thing is that we can own things now.

    So this would n- people often talk about Second Life and, and, you know, Second Life was around in, you know, 2007, 2008, it's all there. I- it looks, you know, the actual visual experience and the graphics are very similar to what you would see in Decentraland or Sandbox. So that [inaudible 00:50:12] hasn't, hasn't come on. But what has come on is the ability to own digital assets within places like Decentraland and Sandbox. Once you own a digital asset, you can create a business off the back of it, and that's the exciting proposition. You've now got, you know, what these, these sort of Axie gamers are now the first Metaverse workers.

    Garrett O'Hara: Quite incredible, quite incredible. I think we- we've just hit time, unfortunately. It's, I, this, this is one where if you're up for it, maybe sometime in the future I'd love to ... Like, there's so much new stuff here that I think many people maybe think they get, but actually probably don't really get, and I, I would put my hand up and say I'm one of those. [laughs] Nick, it's been an absolute pleasure to talk to you, so, so grateful for you joining us today, very much appreciate your time.

    Nick Abrahams: Thanks very much, Gar. I really appreciate being asked. It was lovely to to be able to spend some time and, and do [inaudible 00:51:05] is, which is, hopefully everything that you've learned about ransomware you will never have to use, and this will have been the biggest waste of an hour you've ever had, which would be my, my solemn wish for you. So we've ha- thanks very much, Gar, thanks everyone.

    Garrett O'Hara: Thanks, Nick.

    But others have seen it as, you know, having someone to come in who's, who's regularly facing this and being able to, you know, just update, like-

    Garrett O'Hara: As you're talking there you talk about the, the things that change. I'd be keen to get your thoughts on mandatory reporting of ransom payments and, and where you sit on that, and like pro/con, wh- wh- what, how do you see it?

    Nick Abrahams: Yeah, look, I think, I think I think it's absolutely critical that, that we do have mandatory reporting of ransom payments. I think, I mean, this is, this is just a despicable business model that has grown up, and, and it feels like it's accelerating, not decelerating, and there's sort of precious little that the government can do to, to stymie it, short of making it illegal to pay ransom, which you know, governments around the world have not have not gone that direction, but that would obviously be a way to, to kill this particular business model. But I don't think that's going to happen.

    So the government's proposition around mandatory reporting is, is really, it's an information-gathering exercise, and I think that the more information that we can have the better off we can be when we're trying to respond to these things. So they're, we've been involved in s- some of the discussions around what that, wh- you know, wha- what the mandatory notification will look like. I think y- we, we need to be conscious that this is, th- the whole data space is starting to get sort of quite, quite regulated by a whole bunch of different folks. And, and so it's starting to become a little bit complicated as to what notice needs to be given to who and when, and so I think if we can just recognize that you know, there's, you know, tha- that organizations should be as streamlined as possible but I think notifying of ransomware attacks is a, is a good idea, I think the government can consolidate that information, and then hopefully provide it back.

    And y- you know, it's simple in one sense, in what it could achieve, in that some of these folks aren't super sophisticated, and they're just using tools that are available on the dark web, and so forth. And so the more knowledge that we have fast, coming to us when you've got a breach like this to, you know, okay, is there a way around this, do we, have we, do we know this perpetrator? You know, what is their, what is their history? Are they you know, do they, you know, do they generally, do their decryption keys work, et cetera? The more information we've got like that the better, because right at the moment, and that's one of the things that I try to get boards used to is you are operating in an absolute vacuum with, with information. You don't know how extensive the you know, the malware is within the system, you gotta be locking down a lotta systems, doing a lot of analysis, that takes time. You don't know how successful it's going to be if you, you know, pay and get the decryption keys and so forth. So the more information that we can have the better.

    Garrett O'Hara: I was joking abou- [laughs] about this with somebody recently, where and we were talking about about the, the mandatory reporting stuff and, you know, how that dataset becomes useful then in terms of p- you know, pay, you know, like as you've described, and [laughs] sort of like, we, we got to the point where we thought it was gonna be like, you know, rating your car share driver, where you give them a star and leave a comment. You know, "10/10, would pay ransom again," you know, i-

    Nick Abrahams: Well, I mean, I gotta say, the user experience on some of these is actually not too bad, as bizarre as that sounds. I mean, obvi- there's obvious- th- there's the FAQs, which, you know, if you need to understand how to buy crypto to pay the ransom, there's, there's a whole array of things around that. So they, and they're very clear, often, with their messaging. It's, you know, it's, it's, there's a, it's you're left in no uncertainty around that. So I think as bizarre as it may sound you are better off getting hit by someone, or a, or an organization that is good at this rather than someone who is having a go and just downloading some tools and just got lucky.

    Because if you, if you got a, you know, an organization that is actually very good at this, then often the decryption keys will work better. And that's, that's the big unknown. And that's something, actually, which is hard for boards to get their heads acro- because, you know, generally the ransom is around the million dollar mark, which most boards can get their heads around, you know, that's a, it's a, you know, it's a lot of money, but it's, you're basically placing a bet. You're saying, you know, "If I put a million dollars down you know, my systems might come back up quicker."

    But boards struggle with that proposition. So boards, s- some of them think it's, it's a bit like they're dealing with Accenture. And if they pay their million dollars, and they'll get the decryption keys, and, you know, the next day we're all good. So, so it's not that. A- and that's a, that's a good learning for boards, 'cause boards particularly when, you know, if, if they're tryna make this decision when the business is under duress because they're [inaudible 00:22:56], it you know, there, there, there's a lot for them to get their heads around. So that's been one of the great learnings, I think, excuse me, for boards, which is, you know, this, this money that you pay, there is zero guarantee that the decryption keys will work. So, so all we are doing is paying an amount of money and hoping that, you know, we might get our systems and our data back a, a bit quicker. In some cases, you might get it a lot quicker, in some cases it may not work at all. Well, it generally works a little bit 'cause you've done sort of the, the sort of proof of life where you test the decryption key's capability. It's been trying to get the boards across the uncertainty of that is quite difficult.

    Garrett O'Hara: Yeah, there's, there is so much so much to kinda get through in that one. I- it's sort of an interesting one as you were talking about the utility of ransom reporting, and, you know, tha- that sort of, that's one lever that the government could pull. And I don't wanna steal thunder from something we're gonna talk about a little bit later, which is web3, but y- purely f- to the lens of ransomware, like any kinda thoughts on regulating cryptocurrencies, with a view to kinda chopping the legs out from the [laughs] the monster?

    Nick Abrahams: No, no. I I mean, gosh, the, you know, the government is, is going to attempt to do some regulation of, of crypto later on this year the Bragg report was a good report you know, and they've, they've thought, I think, somewhat deeply about the area. And one of the problems, actually, the bottleneck with getting this regulation is the treasury, who are tasked with getting with getting these regulated into market, have 60 open positions looking for people with crypto expertise to help them craft the legislation. So-

    Garrett O'Hara: Right.

    Nick Abrahams: ... you know, I, I, I think that, you know, this, the, the crypto world and, you know, web3, NFT, it's, it's actually quite a small environment. There's not, you know, i- there's, there's, there's obviously some people, but there's lot a lotta people in that space. And so I think, you know, for the government to come up with a proposition which would solve, solve it from the crypto side, I think, is unlikely. But, you know, there wa- there've been some examples where, like in the US where, I think it was the FBI was able to track the crypto payments into wallets and seize the wallets in in r- in ransomware payments. So, so I think the solution to this may well sound more in the technology, sorry, and maybe that's the lawyer pushing back to Gar the technologist saying [laughs] "We can't solve it, you guys have to solve it."

    But I think, you know, tha- that feels like there may be, you know, some, some better solution there if you've got a, you know, a s- a super, super capability of tracking crypto, and, and where it goes in the wallet, maybe that's, maybe that's something.

    Garrett O'Hara: Yeah, it, it sorta feels like the toothpaste is out of the, the tube a little bit on that as well. You know, at this point it's, it's sort of hard to, hard to kinda go and regulate at this point. Before we go too dow- too far down that track, I'd been keen to kinda circle back on on your sim and if it's okay, to kinda actually go through maybe the structure of that sim. You know, you've talked about it's, it's 45 minutes and, but I'd love to get a sense of how you work with the board and, and those steps that you, you go through with them?

    Nick Abrahams: Great, great, yeah. So, so, well, the first thing is I'm, I'm always working hand in glove with the with the in-house sort of technology leadership and, and the security, the CISO, and so forth, the security leadership. Because the sim really needs to reinforce what has been, you know, a pattern of, of conduct and processes that the technology leadership have orchestrated. So, so the sim is designed to sit in and support that and so it's not, not intended to try to expose things. And, and that's one of the things I've, I've had to try to keep directors, in the early days, keep directors on track. Because they're, often directors'll be like, "Well, why don't we you know, wh- why is this happening to us? Do we not have the right security?" And it's like, this is a simulation. So it's not about, you know, the, the technology team, you know, whether they've done a good or a bad job. This is a simulation.

    So, so it's very much about working together with the technology leadership, and then what is critical about the sim is it forces the board to make a decision. And, and I've spent a lot of time in, in boardrooms, and I think boards can be incredibly effective. But the first response for most boards to any issue is, "We need a paper on that." They, boards love asking for a paper. "Let's get, you know, someone to do a paper." And so, you know, I protest it in a nice way. I'm like, "There's no papers. No- no one's gonna do a paper. You've gotta make a decision at the end of this 45 minutes as to whether you're gonna pay a ransom or not, and there'll be a whole lot of information which you don't have, which will make you feel awkward, but that is the nature of what happens. That is the reality. You, you cannot [inaudible 00:28:27] this thing down 100%."

    So, so that, that sorta sets the framework. And then the very first, so there's, as I said, there's 16 questions. The first one, and in fact, the most important one, which is the organization's values. And so is the payment of, as I said, you know, it is paying a criminal to get an advantageous outcome. How does this fit with the organization's values? And what I had seen is boards often just completely ignored this. It sort of, you know, it, it sort of got to this pragmatic commercial discussion, should we pay or should we not? I think, I think where, how it fits with the values of an organization is really important. So we know that 55% of the Fortune 100 in the US have integrity as a value. And so you know, if you know, that value comes to be tested and you just throw it out immediately without even giving it due consideration, then you're certainly not a values-driven organization, we know that obviously that's what organizations should be doing.

    So I encourage people to think it through from their values, and and [inaudible 00:29:41] and that often also becomes in their personal values as well, which is sort of, you know, comes into the discussion. But, but it's really going to it from the organization's values, how would you defend this if your staff found out that you paid a ransom, if your clients or customers found out, et cetera? So we talk about that, and that you know, tha- that gets, that often gets people sort of quite engaged, and, and, and so we ultimately, I'm not saying that you shouldn't pay because of your values. If you've got a value of integrity, it doesn't mean that you shouldn't pay. And where most organizations get to is the [inaudible 00:30:20] argument, which is, "You know what? You know, we, you know, we, we hate this idea of paying, you know, a perpetrator a ransom. But, you know, we- we've got our obligations to our people, to our customers, to our partners, we need to, we need to get this business back as quickly as possible.

    So, so that's [inaudible 00:30:42], you know, it should be articulated that way. So that's the first one. The second one is the legality of it. And now sort of going, going down the alley on that. There, it's, it's not necessarily straightforward in Australia how legal it is. So ultimately, I can get organizations comfortable that it is legal to pay, but you need to go through a process, and there's two key considerations on the legality question. So the first one is could it be considered to be payment to a terrorist organization? And so what we've seen in the US is that they've started to schedule certain ransomware perpetrators as terrorist organizations, and once those ransomware perpetrators become listed as terrorist organizations, then no way you can make that payment, because we've got a series of conventions and treaties that we've signed up to that if, if the US or other places say they're a terrorist organization, then then that's what Australia says, and no one can make any payment.

    So, so that's a very important one, you definitely do not wanna get caught up in that. And then the next legal issue is could the payment be said to be funding criminal activities? And there's v- and this is v- this is a state law question, the states have each state has th- that sorta law in, in s- sorta more or less the same sorta language. And this is, you know, on one view of it, you're like, "Well, I mean, you're paying money to criminals, of course what are, you know, [inaudible 00:32:28] are they going to use?" But you need to really work through that question delicately, and come up with a defensible position as to, you know, wh- why you can be comfortable that it doesn't trigger that criminal liability. And that's sort of, I know that will sound like, sort of lawyer speak, but it is, it is important to, to think that through, and, and to have some good supporting sort of background that you've recorded which justifies why the board came to that decision.

    The, the next one is director's duties. And so obviously every board is critically concerned with their director's duties, and we go through a few of those and determine whether it is i- you know, is there anything that would prohibit them making the decision to pay? And or, or, you know, conversely, should they, is there, you know, are there director's duties that require them to actually make a payment? So that's an interesting discussion.

    Next one is around reputation, and really this is something which I do just because I know that people get incredibly anxious when they're being attacked. It is, it is a horrible situation, and no one's sleeping, [inaudible 00:33:54] you know, and particularly the tech teams, it's, I mean it's, it's just a nightmare. And what I try to do is to calm people down because the reality is that this happens a lot, and you will survive. And so we've done some proprietary research where we've looked at every ASX-listed company that has had a data breach, and they don't say whether it's ransomware or not. But we've looked at where they say they've had a data breach, then we've analyzed the short, medium, and long-term impacts on share price. And what my proposition there is that the share price is a proxy, it's a very rough proxy, for reputation of the company. And so and I, I appreciate, it is a very rough proxy. It's not, you know, it's not, not a direct representation, but it's as good as we can get.

    And so in doing that, [inaudible 00:34:52] on a few views on which organizations are most likely to have more permanent damage as a result of this sort of breach, and so I have some theories around that. And the final two, just quickly so to the, to the technologists who are listening I talk about the practical or technical assessment, practical and technical assessment. And so this is where the board gets particularly I guess, energized as to, they want the CTO or the CISO or someone in, in, in the executive team to tell them what they should do. So they wan- they want someone to say, "Yep, we should pay the money, because that'll be a good thing." And ultimately, I don't think anyone in, you know, in the executive, you know, be it the, particularly the major security officer or anyone else can really say, "Yep, I think that, you know, absolutely the board should do it."

    I think for the most part, the advice is, "We can get the systems up, and we can get our data back. We've got, you know, we've got great backups," et cetera. It may take us time, and y- you know, this, this timeframe can run from, yeah, a week to, to many weeks. And so, so we can get it up and then what I can tell you about paying a ransom is that we can't be certain it will work, but it's probably worth a shot. You know, that, that's s- that's the sort of, sometimes like the vibe that you have to give. I think it's you know, and, and, you know, the CISO might say, you know, "I'm" you know, "I'm, I'd be comfortable paying the ransom." But you, you can't ... I don't think, I don't think anyone can make the board's decision for them, because it's more than a pure technical proposition, for the reasons that I've said.

    So yeah, so that, that's a very helpful thing, I think, for most technologists, for boards to become a little bit more insightful around, around what to expect on that. And then the final one is cyber insurance, which we talked about, which I, I take off the table, I say, "You don't have to consider cyber insurance because, in the, for the sim," because it you know, it may well pay a ransom, but in a real life situation, cyber insurance would be your first point of call, to see if y- if they would take the problem off your hands. But for the purpose of the sim I don't want the boards abdicating.

    Yep, and so we, I give them, I give them all those, and then I basically say ... So that's the first fift- taken me more than 15 minutes I think to explain those, but I give it, I give [inaudible 00:37:27] for 15 minutes, and then they've got 30 minutes where I sort of, I'm just available, sort of as an advisor, as they make the decision. But I take the legality question off the table for them. I say, "Let's assume it's legal," I take the director's duty issue off the table, I say, "Just assume that you can [inaudible 00:37:42] director's duties," and then I take the cyber insurance issue off the table. So they, they basically, often they are just they are just discussing a- you know, gets down almost to the values proposition, 'cause you know, I m- as I said, you know, these, this stuff is, is sort of opportunistically priced around a million dollars, so they can generally get their heads around that as an expense. And then, yes, I mean, that runs for 30 minutes, and then they have, they have to make a decision by the end of it.

    Garrett O'Hara: I've got, I could feel a- adrenaline and anxiety going through my body as you're talking about it. It's i- it's such a ... [laughs]

    Nick Abrahams: It's so, it's so good to watch, it's like it's-

    Garrett O'Hara: Yeah.

    Nick Abrahams: ... fascinating to watch, watch, watch how boards work and how boards make decisions, and the influence of the chair is obviously critical, and making sure particularly those people who you can tell some people have a very strong moral compass on this, and, you know, they, they need to be listened to. You know, it's-

    Garrett O'Hara: Yeah.

    Nick Abrahams: ... it's not, it's not just a pragmatic decision. Yeah, so it's, it's fascinating. As I say, everyone gets around to paying you know, they get their head around paying. It may not be unanimous, but ultimately they, they ...

    Garrett O'Hara: Yeah, you get to a decision at the end. You, as you were talking through the legals and I'm, I'm very conscious that we are rapidly approaching time here, so I'll try to be quick here. But, you know, one of the things that did occur to me is that you, you've mentioned the kinda sanctioned list of of entities, you know, these are terrorist organizations, therefore it is illegal to pay. And then it feels like you get stuck between a rock and a hard place where if your decision is literally, well, you know like, "We close the doors of the business," or, "We abide by the law," you may not be able to even answer this question for many reasons. But do you see situations where a- an organization on balance will make a decision that may not be sort of fully in line with the law, purely because that's the only way to keep the doors of a business open, or is it very black and white and they just won't do that?

    Nick Abrahams: Yeah, I've, I, look, to be honest, I've never seen ... Because it's generally, generally it's not, it's not an existential crisis for companies. Like-

    Garrett O'Hara: Okay.

    Nick Abrahams: ... companies can come back from this. It's-

    Garrett O'Hara: Yeah.

    Nick Abrahams: I mean, I, even when I had a terrible one, which I mean, it was just, I mean, it was a decent-sized business, probably worth, I don't know, 250, $300 million. A decent-sized business. I mean, just terrible sort of you know, cyber hygiene. You know, not patching things, like that [inaudible 00:40:18] ...

    Garrett O'Hara: Mm-hmm [affirmative].

    Nick Abrahams: I thought that not patching thing- you know, was gone years ago. So and, and even though they got hit pretty hard you know, [inaudible 00:40:27] you know, they lately have had some backups, and they could rebuild from that. So I've never seen it where it's a true existential crisis where it's like-

    Garrett O'Hara: Yeah.

    Nick Abrahams: ... literally, "We're gonna have to shut the doors, because this business is done." I mean, I have had situations, oh my gosh, where people you know, particularly pe- where I- I'm a big believer, if you don't have the expertise in-house, I think very few organizations have this sophisticated, you know, live ransomware inside the system experience. I don't think very many organizations, the banks probably do, but few others have that level of capability. So I'm a big believer in bringing in real competence from-

    Garrett O'Hara: Hm.

    Nick Abrahams: ... Third-party advisors who do this every day. But I had one situation where a an organization, this is in a, a live breach you know, they had a, you know, a technology services company, it was a very small one, who did their IT work. And, you know, they're like, "Oh, no, we're not gonna get any [inaudible 00:41:32]." And so the IT company started backing up you know, just, just, thought it would just back up because it had the backups. And then the you know, the malware was smart enough to figure out what was going on and encrypted the backups.

    Garrett O'Hara: Oh.

    Nick Abrahams: So, so yeah. I'm a big believer in you know, bringing in, in third-party capability [inaudible 00:41:57].

    Garrett O'Hara: Yeah, definitely. We, we may try the impossible here. So I got, got two kinda questions left, and I suspect this is gonna be a task of Everest size. But we touched very briefly early on on web3, and I know from following you on LinkedIn, like this is something you're quite passionate about. And and for those listening, we'll, we'll include a, the links in the show notes to some of your, your kind of explainer videos, they're fantastically well-done. Th- let's try to do the impossible in the n- you know, the next five minutes. What is web3?

    Nick Abrahams: Yeah, yeah, sure. So I think if we think about it, it is it's, it's best to look at it in terms of h- the evolution. So web1, around '95, '96 until 2004 was the read-only internet. So, you know, it's some nice [inaudible 00:42:50] some nice sites, but you couldn't book a hotel and you couldn't make you know, bank transfers and so forth. So that was web1, read only. And then web2 which is sort of 2005 to now has been read and write. So we've been able to really interact and, and we do bank transfers, we can buy things. Social media lotta content creation. And so web3 is the, changes the game in two ways. So firstly is that we can now read, write, and own in the internet. So because of NFT technology, we can actually own digital files, and NFT technology gives provable scarcity. So you actually provide an asset which we haven't had before, because, you know, you put a JPEG on the internet and it can be copied an infinite number of times at zero incremental cost.

    Now, you've actually got a protectable asset. So I think, you know, read, write, and own is critical. And then also with web3 is the move from the two-dimensional web experience to the three-dimensional experience. And so the idea of the metaverse is, you know, otherwise known as the embodied internet. So the, think of the way that you currently buy something online, you know, you mi- it's a very sort of flat, two-dimensional experience. You click on something, it goes into a sort of virtual shopping cart.

    Well, the promise of web3 and the metaverse is that, you know, you will actually be, physically feel like you are in a store grabbing that item and putting it into a cart or shopping bag, and so that may be done either with existing technology, and that's where you've got Decentraland and Sandbox and Somnium Space and so forth, which you can sort of negotiate your little avatar around a virtual world or you can, you know, have a heightened experience, and that may be through virtual reality goggles, which actually take you completely out of your own environment into a simulated environment, and so that's where Meta's Oculus would take you. Or extended reality, with something like Microsoft's HoloLens, which is, you know, effectively just a, a lens that you look at your own world through but various amounts of information are being projected or actually projected onto your eyeball, not onto the lens where you're actually seeing different, different amounts of information, but s- you're still in your own reality.

    So, so yeah, I think [inaudible 00:45:36], you know, my, my belief is that we will move everything that we will do on the two-dimensional internet into the three-dimensional internet over time. You know, it's not [inaudible 00:45:46].

    Garrett O'Hara: Y- you sorta painted a vision there, almost like Ready Player One with haptic suits and s- you know, th- that sort of full immersion experience. Feels like it's gonna go that way. I'm gonna get nostalgic here for a second. There's a, there's a game called Mercenary, a guy called Paul Woakes, I think, was the guy who wrote it, back on ... Like it's, we're talking like C-64, way, way back, you know, monochrome vector graphics.

    This thing, I mean, the whole game is like 10k in size, right? But I remember loading that up and this, it still blows my mind, it's still a game I download every now and again just to have a little wander around. But it's a vector graphic world that you can walk around, basically a city with spaceships flying around in 3D. And, you know, nine year old brain was exploded by this. And I think about when you see the technology that is, is available now, there's no way I would've believed, like, that we would be doing what we're doing today. And I, I d- do sorta think that we're probably not as far away from this stuff as it may seem sometimes. You know, we, we have the technology, it's just kinda the, the broader adoption of that.

    I- I've got literally like 50 questions that I would like to ask you now, and I think [laughs] we've got like five minutes left. It, some of the things I've heard about things like NFTs in sort of broader commentary around this stuff is the, the utility for people like even funding themselves, so, you know, somebody coming out of an arts degree and you buy sort of part of an NFT contract, and as they, you know, it funds their education, it funds them getting going, and then you get some points as they go forward and become a huge global artist or, you know, musician, or sports person. Like is that, in your mind, is this all part of web3, like is it that kinda stuff we're talking about, or ... Yeah, it is.

    Nick Abrahams: Yeah, yeah, yeah, I think so. So I think the best area to look at to show what are the business models, and the revenue models for the future is gaming. And so if we look at, if we look at you know, gaming originally was you know, you just said, so for example, Fortnite, so it's operated by the gaming operator, and then you buy your stuff in Fortnite, but you're paying the owner of Fortnite and, and you're just keeping your stuff in-game. And then, you know, now we've got the play-to-earn platforms, and this is, this is, I think, right on hitch with, you know, what we're saying about, you know, [inaudible 00:48:05].

    So with the play-to-earn platform, particularly what's, what's known as play-to-earn v2, now you've got folks who are doing on, say, Axie Infinity, you know, there are gamers who are full-time gamers, it's been very big in the Philippines, there are, there are, you know, these are- these aren't super e-gamers sort of people who are, who are true sort of super professionals, these are just people who like playing the game, but do that as a job, you know, would spend many hours a day in it and so they are able to earn cryptocurrency effectively within Axie Infinity, and there's a number of, I, it's very common in the Philippines for those games to be earning two to three times average wage.

    And then what we've seen, which is this, this extension of, of the business model is quite expensive, it's about $2000 to get started in Axie Infinity, you gotta buy your Axie type Atari thing. So, so there's guilds, now, there's sort of gaming guilds. So they're folks, you know, often from the west, who join together and who effectively make available these NFTs, so they might make available an Axie for a, a gamer in the Philippines or Indonesia to go and, and do, and play the game, and then they split the proceeds of, of that. And so, you know, those, those gaming guilds are formed by what's called DAOs, decentralized autonomous organizations, and then they are loaning out NFTs and then, and then reaping, you know, the benefit of that. So, so that's a phenomenal business model, and that's why I said, you know, the critical thing is that we can own things now.

    So this would n- people often talk about Second Life and, and, you know, Second Life was around in, you know, 2007, 2008, it's all there. I- it looks, you know, the actual visual experience and the graphics are very similar to what you would see in Decentraland or Sandbox. So that [inaudible 00:50:12] hasn't, hasn't come on. But what has come on is the ability to own digital assets within places like Decentraland and Sandbox. Once you own a digital asset, you can create a business off the back of it, and that's the exciting proposition. You've now got, you know, what these, these sort of Axie gamers are now the first Metaverse workers.

    Garrett O'Hara: Quite incredible, quite incredible. I think we- we've just hit time, unfortunately. It's, I, this, this is one where if you're up for it, maybe sometime in the future I'd love to ... Like, there's so much new stuff here that I think many people maybe think they get, but actually probably don't really get, and I, I would put my hand up and say I'm one of those. [laughs] Nick, it's been an absolute pleasure to talk to you, so, so grateful for you joining us today, very much appreciate your time.

    Nick Abrahams: Thanks very much, Gar. I really appreciate being asked. It was lovely to be able to spend some time and, and do [inaudible 00:51:05] is, which is, hopefully everything that you've learned about ransomware you will never have to use, and this will have been the biggest waste of an hour you've ever had, which would be my, my solemn wish for you. So we've ha- thanks very much, Gar, thanks everyone.

    Garrett O'Hara: Thanks, Nick.

    Thank you so much to Nick for joining us. And as always, thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalog of episodes and like, subscribe, and please do leave us a review. For now, stay safe, and I'll look forward to catching you on the next episode.