In this episode, TransUnion’s Eder Ribeiro joins Adam Parks to explain why most agencies underestimate cyber risk and what happens in the first 72 hours of an incident. He also breaks down how data governance, MFA enforcement, staff training, and evidence preservation directly impact an organization’s ability to recover.


Adam Parks (00:08)
Hello everybody, Adam Parks here with another episode of Receivables Podcast. Today I'm here with a new friend, Eder Ribeiro, who's joining us from TransUnion. I had the chance to meet this gentleman at the TU Summit last year, and I didn't even know that TransUnion was handling cyber incidents and helping people to walk through it, but the more that I've talked with Eder, the more it makes a whole lot of sense as to why they're engaged in that, and why our industry, being the debt collection space, really needs to be aware of these tools and resources that are available to us, because it's not a function of if you'll get hacked or have a cyber incident, it's a function of when, and knowing which tools you have and resources are available to you can make all of the difference in that first 72 hours. So Eder, thank you so much for joining me today. I really appreciate you coming on and sharing your insights.

Eder Ribeiro (01:01)
Yeah, thanks Adam. It's a pleasure, brother. Happy to be here and talk to the folks in the industry. It's been a little while.

Adam Parks (01:07)
So for anyone who has not been as lucky as me to get to know you a little bit personally, can you tell everyone a little about yourself and how you got to the seat that you're in today?

Eder Ribeiro (01:16)
Sure, yeah, yeah. I think like all good racetracks, they're not built in a single line. So it wasn't a linear road. I was born and raised in Brazil, from Southeast Brazil. So I just grew up as kind of a run-of-the-mill Brazilian kid, always been fascinated by computers, technologies, you know, taking stuff apart, putting stuff back together in the 90s and going through that time. We came over here, I'm in Rhode Island, so we came straight to Rhode Island in the late 90s, 99, 2000. At the time I still loved computers and was still taking stuff apart and putting stuff together, doing some software work and all that stuff. So I, you know, had a big passion for that, amongst other things, right, like any other man. You know, one thing I didn't like was C. I was not a fan of C, the coding language, and back then if you were gonna make a decent living you really needed to be on top of it with C, and so I decided towards the end of high school, I was like

Eder Ribeiro (02:10)
I don't know that this is gonna be the road, right? I really am not a huge fan of this. And do I see me doing this 80 hours a week, right? Because I'm an immigrant, right? I don't think in 40 hour work weeks, I think in like 80 hour work weeks. So I was like, am I gonna do this forever into perpetuity for 80 hours a week? And so I took a break, I also was deeply kind of.

Eder Ribeiro (02:30)
humbled and appreciative of the opportunities that America gave to me. So I enlisted in the military at 17, went to the National Guard here in Rhode Island, where I serve to this day. You know, so I went to Fort Benning for basic training, infantry school, all that good stuff. And I was actually doing automotive and other things, other passions that as a young man you had, right? So I completed an associates in advanced auto, high performance, dining cars, you know, boosting stuff and building trannies and all sorts of stuff and doing all sorts

Adam Parks (02:51)
Sure.

Eder Ribeiro (03:00)
of cool car stuff. But as the road keeps going and life changes, especially after coming back from a combat deployment in Kandahar back in 2012, it kind of resets you a little bit, right? And you start thinking, all right, I just made it through a lot of stuff. Life is short. Really got to chase those true passions and the stuff that I really could do for a long time. And I've always stayed up with the tech part of the world and the technology, and made the decision to, you know, I want to go into cyber. I'm also fascinated by the legal part of cyber and how that landscape is evolving. So I continued to gain some certification level stuff and then took another plunge at education again and completed that, earning a Juris Doctor and a Master's in cyber at the same time, in three years, which they totally advised against, right? Because that's how

Adam Parks (03:41)
Wow, at the same time that's Sandy. Wow.

Eder Ribeiro (03:49)
takes to do a JD. So I had no life basically for about three years. Summers, full time, it just didn't matter, it just kept rolling. But we got it done. It started, I took an opportunity. I had great mentors along the way and great mentors to this day. And one particular shout out to Macalina, who's our leader of our group now, still here, took a shot on me when I was in my second year of law school. And I started working at Cyber Scout, which at the time was an identity management company based out of Arizona with an office in Rhode Island. And we had a consulting practice there. And upon graduation, I started there full time as a privacy analyst, saw an opportunity that we were doing some level of incident response work and thought to myself, why aren't we a full, like what we call a DFIR shop or a D-F-I-R shop, digital forensics incident response. We were doing some of that work ad hoc.

And it made sense to me, we could do this, right, all the time. And I think the industry was calling for it. We had, you know, we were well positioned for it. So I did what any, you know, guy that's really trying to get after it does, right? I went to the big boss and I said, Hey coach, I want the ball, right? And I was again, fortunate to have those good mentors that were like, here kid, take the ball. And I went running.

And here we are. Because CyberScout, we grew the practice there and it was focused and still is focused on our cyber insurance market. Of course, we work with anyone, not just in that market or through those channels, but that's what it was designed for originally, right? So that initial product was designed there and we kept growing it and scaling it and scaling it. And then in March of 21, we were acquired by another group called Sontiq, which we then kept working under for a bit. Later in the same year we were acquired by TransUnion and became part of TransUnion, which is blessed and fantastic, you know, and just amazing to be part of this huge organization and this group of people that are just so talented, and the scaling that can come with that and the opportunities that can come with that. And so we've been working this under TransUnion now for the better part of four years.

Eder Ribeiro (05:54)
It's fantastic, and it really is a great place to be at. So that's how TransUnion came to also provide these services, so we can continue where TU did not previously provide incident response as a B2B or even B2C type of service. But it was something that was certainly missing when it came to rounding out the offering. And so now we support personal lines, support commercial lines heavily. And we have the pleasure and the honor of guiding these businesses through what's usually the most difficult times of their business lives, commercial lives. And we've gone through absolute thousands of incidents. We perform this at scale across over 15 countries, we support multiple languages. It's a big operation now. But it all started, you know, 10 plus years ago in this little thing and eventually we got here. So that's the road. That's what the racetrack looks like.

Adam Parks (06:56)
That's incredible. I love that story, and I don't think I've ever met two people who have come into this business through the same path. Coming to the United States, finding that passion for the cyber, and so much to unpack with what you were talking about, what you're doing now and how that offering has kind of evolved over time, because last year in the 2024 TransUnion Debt Collection Industry Report, the number one concern of the debt collection industry was cybersecurity. I think part of that is tied back to there being multiple incidents that have happened both with debt buyers and agencies, some of which had been around for 30 plus years and are no longer here, which has been very sad to watch, but I don't know that these folks necessarily understood the level of resources that were available to them in building those relationships prior to an incident. Because when we think about incident response, it's always that first 72 hours. That's mission critical for all of that, but also trying to onboard and engage with a new vendor during that time period seems like a next to impossible task.

Having responded to incidents in the past. So when organizations are preparing themselves for the inevitable, how do you structure that type of an engagement? Do you start building that relationship early on and evaluating the current technical stack and where the weaknesses might be? It sounds like you guys are also tied into insurance. So what does that look like, to appropriately prepare before an incident strikes?

Eder Ribeiro (08:31)
So overall, I'll give you each side of the spectrum. One side, you have the best case scenario, which is kind of what you're describing. It's that you've prepared, you take this seriously, you've taken the time, you've put some sufficient resources into place, you crossed out the must things, the must have things.

Eder Ribeiro (08:53)
And a lot of it is things that folks always think about, such as actually truly knowing what you have, knowing your data. It may sound absurd almost to say that, but it is true. You ask any IR practitioner, any incident response practitioner, I hate using acronyms or initialisms without definitions, so I will do my best to define. If you ask any incident response or IR practitioner,

Adam Parks (09:15)
Fair.

Eder Ribeiro (09:19)
across the board. I have never met one that disagrees with this. People don't actually know their data. And by people, I mean organizations, right? For the most part. Yeah, size, scope, there's a lot of pieces to that. It's not just like what's in the database. It's how are things being archived? Where are they being stored? Encryption at rest, all the things.

Eder Ribeiro (09:40)
Even when you're micro. We can, you know, support businesses that are of any size, right? We support businesses that are single practitioners to large enterprise. Even the single practitioner, ask your mom and pop CPA if they actually know what clients emailed them W2s. Exactly the name of the client. I guarantee you, in 10 plus years, I've had one tell me exactly, with accuracy, what their data was.

They don't know. How could they, right? They go because they want to help people, like with this challenge of navigating through our tax system, which, what a challenge that is, right? And then, you know, that's where they spend their time. They don't spend their time in cyber. It's not their thing. And there's all these fallacies, like the myths of too small to be hit and blah, blah. And so people don't focus on that, right? But all it takes is they click on a link, something of that sort happens. Now a threat actor gets into their email account and now they have access to 600 people, 1,000 people, 2,000 people's personal information, whoever's been sending them information, but they have no idea whose information that is. And that triggers a chain of events that is months long, highly costly, incredibly stressful. All those things happen. You could have avoided those things if you had prepared. So the preparation is absolutely critical, right? And not enough companies, especially

Eder Ribeiro (11:02)
below large enterprise, actually take that seriously. So in the best case scenario, that's what you have. You have somebody that spent the time to bring in the right resources, figure out, OK, what are the things I need to get a handle on? Where is my data? What kind of data am I hosting? How am I hosting it? What kind of systems am I using? What are the securities? Where is that encryption, assuming there even is encryption? Like, as you mentioned, encryption at rest, but there's other things, in transit, there's other types of encryption. How does encryption apply to the data that you have in one location, but how does it apply to other locations? Everyone's tapped into the cloud in one way or another, so you're relinquishing control in hopes that the cloud provider is taking care of business. Are they? So you have to ask those questions. And so there's a lot of ground to cover. And even if you're a small business,

Eder Ribeiro (11:51)
you're a small collections agency, 15 people, you'd be surprised how many different assets you have digitally. And you have to lock it down on every single one of those assets holistically. If you really think that when it hits the fan, you're going to be able to react, right? React accordingly. And you have to train. You have to train the people. You have to train your systems, right? That's where penetration testing and red teaming, that kind of thing comes into place.

Adam Parks (12:18)
A proper test would train everything all the way data to physical security. Even just starting with looking through your incident response plan and actually going through the exercise. Well, I mean, having one I think is mission critical for all organizations. Like we all must have one. But even at that, whenever you've got new staff coming in, it can't just be an annual thing. Like it needs to be constantly trained so that when something does happen, muscle memory kicks in. I know that you served in the military and did combat tours. Like muscle memory under stress is everything.

Eder Ribeiro (12:29)
Absolutely. Yes. Absolutely.

Adam Parks (12:53)
That is, that's life or death for an organization and for an individual. How can they start to prepare for that? I've also got one other question for you kind of baked into this, which is the infrastructure that you've chosen for your organization and the insurance premiums that you're paying for cyber liability must have direct correlations. The size of the volume of records. I know that there's some different features and functions to how we're being charged for cyber insurance, but it's based on what we have in place.

Eder Ribeiro (13:23)
Absolutely. So when you're looking at the plan and everyone should have a plan. I agree there. Although most smaller businesses, we can look at any stat, but they don't. They should. And there's a saying in the Army that we always say, we always preach, you train as you fight, right? And we do for a reason because we understand that when, you know, stuff is chaotic,

Eder Ribeiro (13:45)
when things are all over the place and when the stuff hits the fan, more likely than not the people are going to default to the lowest level of training that they have. Because of that, you want your training standard to be high. So that way your default position is high. And then hopefully with experience and other things, you can operate actually above your default. And so absolutely, cybersecurity has to be in your onboarding.

Eder Ribeiro (14:13)
It has to be part of just your governance plan and your management plan for your organization and not just some once a year thing that you check the box, because the threats are evolving all the time and they're constant. And it could be from anything nowadays, you know, as the technology evolves, you have something as benign as your web browser, you know, web browsers almost becoming their own operating system. So it's just one of those things where data is being collected all over the place. Data is being shared all over the place. Connections to environments are being shared and established. And it requires constant attention and training. So you have to really build in first level principles as part of your governance strategy that are cyber based. And that's really the only way to try to attempt maintaining proper security, for lack of better terms, if there is such a thing, right? At any level of an organization. And repeat the last part again?

Adam Parks (15:12)
I was thinking about that, the tie-in between the cyber insurance costs and the infrastructure that we have in place.

Eder Ribeiro (15:14)
Yes. So, every carrier is going to take you through underwriting, right? And that is a journey that's going to fluctuate a lot. There's a lot of high-end data that's being used, or tooling that's being used by carriers now on pre-underwriting, collecting data from when you're even looking at quotes, right? All of this to help also penetration of insurance, because one of the issues with insurance is penetration. Right? It's getting into the market because of perceived value. Everyone knows that insurance has value. But when you're a small business owner, especially, which you tend to see much higher penetration rates at enterprise. So when you come out of that, though, it's hard for a small business to think, well, I'm going to spend X big dollar figure in a year on something that will hopefully, or it might not ever, happen. And again,

Eder Ribeiro (16:08)
bring back those myths of, I'm too small, so why am I going to pay X thousands of dollars in insurance and whatever? So you have to make it easy, which is part of where, like, a lot of the technology and tooling is happening for pre-underwriting and just in underwriting in general, and making it easy. The questionnaires and things like that. How much evidence do you request, you know, a prospect to provide to you before you write a policy for them? Right. So it's a journey.

Eder Ribeiro (16:34)
And ideally, when you're engaging on that as a consumer, you should be ready and should be coming to that knowing that I need to take on some of this responsibility and try to address these basic principles, because the insurance carriers are doing God's work out there. They're trying to, okay, well, I have to provide you cover, but at the same time, I have to understand some risk. But at the same time, I can't make this too hard for you. You see how these things don't exactly walk hand in hand.

Adam Parks (16:48)
Thank you. Well, that's the challenge, right? Is that it's an education for the underwriters as well, because from a debt collection perspective, we're not everybody else, and the value of the information that we're holding is significantly higher. And so I've seen organizations strategically change their

Eder Ribeiro (17:02)
It's very good.

Adam Parks (17:17)
their archiving programs to remove as many accounts from the system of record as possible to minimize their, let's call it their risk interface or their risk exposure, and to reduce their target surface area as much as possible, because the fewer accounts that I have within my platform, ultimately the less likely my insurance premiums are to rise. But what does that start to look like over time, and is it maintainable?

Eder Ribeiro (17:43)
Absolutely, absolutely. The collection space is in kind of this gray zone or kind of special zone, because it's in a sufficiently high enough risk area, and perhaps it's not as high risk of a target as healthcare or infrastructure, but it's certainly not far from it. But it's kind of its own thing, which is why I say gray zone-ish, right? Because you're inherently a high risk, because you're handling personal information for people in order for you

Eder Ribeiro (18:10)
you're taking in social security numbers, you're taking in date of birth information, you're taking in all sorts of information normally. And it's just part of the business. So then you have to figure out, okay, well, what do I do with all the sensitive information? Right. And then, to your point, you know, how do I secure it? Right. Perhaps some of that's encryption. Perhaps some of that is allocation. It's moving data from one level of storage that's kind of in a production environment to a non-production environment, that's aimed at, you know, something you can isolate, taking it offline, reducing those connection points.

Eder Ribeiro (18:43)
Right, but how often do you have to tap back into that information? It becomes really burdensome, right? Cloud storage is a lot cheaper when it's in quote unquote cold storage, but not always as easy to retrieve. And if you're a small shop of 15 people, 20 people, 30 people, how many IT practitioners? Right, and if that one guy has to manage everyone's connection problems, user error.

Adam Parks (18:45)
I was gonna say, if you've got one IT guy, this is a big lift. He's dealing with mice and keyboards, and, right, like, to ask him to manage cybersecurity infrastructure, I think, is kind of a big lift.

Eder Ribeiro (19:14)
Right. Very difficult, which is also then why you see a lot of transition to cloud, right? Because then you're not maintaining the servers. You're not maintaining the patching. You're not maintaining some of these things. You're entrusting that Microsoft is doing so, or that Amazon or whoever is doing so. But you still have responsibility, and you can't let the cloud be a false blanket of security. You still have your account management that needs to come into place. You still have MFA implementation that needs to come into place. You know, sometimes we do some warranty claims work. And we'll see a claim come in, and in order for them to take advantage of the full amount that they want to get from the policy, in order to cover this under the warranty, they have to then provide proof that XYZ has been implemented. You'll see people say, yes, of course MFA is implemented, blah, blah, blah. And then you actually get the log data. And yes, it's enabled, but is it really in, is it actually on? Right? Is it actually on? But is it forced? Is it forced?

Eder Ribeiro (20:10)
Yes, you turned it on, like the feature's on, but is it installed properly? Is it running? You know, and if you don't actually get all the way across the finish line with implementation of that technology, then it's the same as pretty much not having the technology. So you have to implement. But what happens, like you said, when it's a small shop and you bring in that new person, that new staff member? Do you remember, does your plan force you, as part of SOPs, or your standard operating procedures and protocols, to say, we have a new person. Part of onboarding is making sure these tokens are assigned. It's testing the authentication technology. Because often it will fall through the cracks, right? People are busy. They want to get to doing their jobs. The folks hiring want them to be doing their jobs. That's why you hire them. They're not paying attention often to these details. So having a review of your plan: review it quarterly. Review it at least twice a year.

Eder Ribeiro (21:06)
Don't make it once a year, especially if you're in the collections industry. Your information is too sensitive to take that approach.

Adam Parks (21:13)
The technology is moving too fast. There's too many updates to manage. Look at artificial intelligence and now the application of artificial intelligence, because one of the things we talked about as we prepped for, you know, starting this conversation was the implementation of artificial intelligence. And when we look at cybersecurity incidents, and correct me if I'm wrong, but I want to say it's between 80 and 90% of cyber incidents are driven based on social engineering and not a technology hack. Meaning it's not that somebody beat, you know, Cloudflare, whoever's technology, but they beat an individual who clicked the link, who provided information over the phone that they shouldn't have provided. It can go as low as the secretary.

I always go back to The Art of Deception by Kevin Mitnick, and I'm a huge Kevin Mitnick fan. You know, read all the books, for anybody who hasn't read them. The Art of Intrusion and The Art of Deception are two of the best books. And if you want to read his whole story, Ghost in the Wires, about hacking the FBI's voicemail system and all of the other different things. All of the hacks that he had were not penetration of technology. It was the social engineering of individuals. So as we start thinking about that, and we've talked about cybersecurity and cyber insurance from a technology perspective, how does one start to even comprehend the level of risk that comes from social engineering?

Eder Ribeiro (22:34)
Man, it's everything in some ways.

Adam Parks (22:37)
It's everything and nothing simultaneously.

Eder Ribeiro (22:40)
It's funny how it works like that, right? There's so many reasons too why that number is so high, to start there, right? Some of it is just as hardware technology kind of changes, right? It used to be everyone hosted everything in-house. You had, you know, even a small business would have a server hosting exchange services, AKA email,

Eder Ribeiro (23:02)
hosting web services, aka your website, you know, it wasn't as popular, you know, now people start businesses or, you know, even medium sized businesses, their website's on Wix or whatever. And I get it, it's easy, it's easy to maintain, easy to set up, it's good enough for your business. I get it, I totally get it. So all of those things are motivators that took people out from hosting. And I'm not saying that you should host everything, because there's

Adam Parks (23:11)
Yeah.

Eder Ribeiro (23:30)
The maintenance of all of that is incredibly burdensome, right? And how much can you put on that one IT guy thing like we were just talking about? There's all of these reasons. There's so many reasons why the cloud migration evolution happened. And it's a good thing in many ways that we're there. But that meant that the threat actors now had to also shift, right? I was listening to a podcast.

Eder Ribeiro (23:51)
a few months ago when I was on a run, I want to say it was probably Lex Fridman. And he was, yeah, because he was interviewing a video game designer. And in the conversation, this really stuck with me, because they were saying how piracy drives innovation. And I was like, because

Adam Parks (24:03)
True, LimeWire, I mean, drove a significant amount of innovation across the entire technology ecosystem.

Eder Ribeiro (24:08)
Right? They created Steam. They created the way that games are streamed nowadays via Steam and other types of technology, right? Because you would design this thing that you think you're going to get a hundred million buys and it has 10,000 and it's got 5 million users. You know, like, is this possible? Well, of course, quarantine your game. That's how, right? And so, but they don't have governance. They don't have regulators. They don't have all the things that every collections agency has to worry about.


Eder Ribeiro (24:36)
There's no AG's office for them to worry about. There's no federal government for them to worry about only from a criminal perspective, right? But cops and robbers, they don't have those concerns. They don't have to make those decisions. So they just have the freedom to do whatever they want. So they're always going to be creative. They're going to be innovating. And so when that migration happened, it became, well, it's really hard now to

Eder Ribeiro (25:01)
take advantage of easy vulnerabilities because less and less these folks that are managing things in-house and have low-hanging fruit, right? I remember.

Adam Parks (25:05)
The infrastructure is more standardized. So now you're not worried about did the one IT guy not run that new Microsoft update, and you can't run through that unpatched platform, because it's happening in a much more systematic way. Yeah.

Eder Ribeiro (25:17)
Good. Exactly. That's exactly it. That's exactly it. I mean, we would see businesses, I remember 10 years ago, seeing, hearing about hospitals, they were sharing data centers in the basement with another business that was completely unknown, no physical security, somebody could just walk in, swap tapes to whatever they wanted. You know, and that was a hospital. And so we've come a long way. And so the threat actors have realized, well, okay, we're not going to see a small collection agency anymore running 2008 servers that are end of life, that have all these known vulnerabilities, in 2016. That was popular in 2016, seeing 08 servers when we were doing forensic investigations. You don't see that anymore. That's because people are now on Azure, they're on GCP, they're in AWS, they're in whatever.

Eder Ribeiro (26:09)
And so they're running these instances and it's a lot easier to maintain them up to date and keep up with that kind of work. So now the threat actors have to figure out, I still have to earn a living. I got to get paid, right? And I got to make a lot of money, because the risk here is pretty severe if I get caught. So what do we do? Well, the human. So next best thing, people are tired, people are overworked, people aren't paying attention, people are untrained. You combine all those things, which are pretty common, especially in the collections agencies, right? How many folks are putting in crazy hours, how many folks are not getting the training, how many folks are so busy, they're wearing so many hats that they don't have time to pay attention to email headers. They don't have time to do these things, right?

Adam Parks (26:49)
They don't understand the risk levels, right? Like, the person answering the phone does not understand how much information they have or how this person's phone extension could potentially be used to crack this next thing, this next thing, because they're not looking at it from that perspective.

Eder Ribeiro (26:54)
And look at some of the most, the mega breaches that we've been seeing over the last 24 months, Sony, MGM, all sorts, right? How did they start? They call enough people in a call center that eventually they get somebody, somebody that isn't paying attention or isn't trained properly, somebody that is just maybe a little overworked, somebody that's tired, somebody that has personal stuff going on, right? More and more, we have to care. We have to be empathetic leaders. We have to care about our people.

Adam Parks (27:07)
Sony.

Eder Ribeiro (27:30)
even when it comes to cybersecurity, because the mental state and the wellbeing of our people translate to their attention span on their job. And it translates to how much of a human firewall they are for you and your data. And that data is the risk of your business, right? So we have to make sure those people are doing good, so that way they are performing adequately. And so you don't have these situations happen where somebody picks up the phone and says, yeah, this sounds plausible, I'll let you remote into my computer.

Eder Ribeiro (27:59)
And then we all know what happens from there, right? The escalation of privileges is a lot easier, right? Back in the day, if you look at attack kill chains, it used to have to be brute force or a known vulnerability. And of course, these things still happen, right? The numbers out there, they still happen. I think 20 some percent of attacks in a lot of industries are hovering around that number. They still happen via those types of vulnerabilities. But then you're in. But now you have to

Eder Ribeiro (28:23)
learn the telemetry and learn the network, right? And then you have to, once you've learned the map, you have to then escalate your privileges, because you're probably just some user, right? And you've got to get the keys to the kingdom. You got to get those admin creds. You got to do a lot of work before you get there and eventually detonate your ransomware and whatever. Like a lot of work has to happen. Well, that road is a lot easier if you come in because somebody let you in, and now you are just working as them, right? Now you're that user. Yeah.

Eder Ribeiro (28:51)
And of course that makes it even harder to investigate, because the IP traces, the breadcrumbs, aren't always as clean. So now you're looking at a lot more anecdotal information about what's happening with specific users, how that behavior differs from the behavior analysis of normal parameters. All of that stuff can make things even more difficult, which is again why those incident response plans are just getting longer, they're getting more complicated, why testing of them has to become more important.

Eder Ribeiro (29:19)
You know, more frequent. It all ties together, right? But when you look at how much damage you can cause to a mega-sized company, what makes you think that if you just bring that down a little bit company-size-wise, it might not be even easier? Of course it is. And that's why you're seeing large entities, medium entities, they're all getting popped via the humans, because it's even easier.

Adam Parks (29:36)
Okay.

Eder Ribeiro (29:45)
And threat actors, they behave as businesses. No collections agency wants to chase after two guys with huge amounts of debt, right? It's a lot better to chase after 2,000 guys with a bit smaller debt. It's just economy of scale. Threat actors want economy of scale too, which is why they don't always target just mega enterprise. They need to keep the bills.

Adam Parks (29:48)
It's easier to get it to roll over if the organization is smaller. So the probability of them paying the ransom, or whatever the case may be, is exponentially higher, because they don't have the same kind of technical contracts, preparation. Like, they're not as prepared or knowledgeable on how to execute. Or do they have access to somebody like you who can come in and kind of walk them through what this response would look like, the probability of things being released

Eder Ribeiro (30:24)
Absolutely. Absolutely.

Adam Parks (30:35)
if the ransom were even to be paid, and what does that start to look like? So I guess my last question for you was about that first 72 hours. So something happens, whether it be a technical penetration or a social engineering penetration, but they're into the system. Like, now what? It's really a loaded question for the final minutes of a podcast. I feel like we're going to need a second episode to kind of cover this in more depth. But

Eder Ribeiro (30:56)
You've got prepped. You've got to get prepped. We might. Yeah.

Adam Parks (31:02)
Give me that 50,000-foot view. What are those first three or four steps that we need to take when an incident is recognized?

Eder Ribeiro (31:10)
Yeah, absolutely. 50,000, right? We talked about a spectrum and we really didn't cover the other end of the spectrum, but I think it's obvious, right? If you have super prepared, super planned, detailed training, all of that, the other side is nothing, right? Which is common. Let's not act like nothing doesn't exist. Nothing happens all the time. So let's establish that. So 50,000 feet. One, you're going to find out real fast in that 72 hours where in the spectrum you actually live.

Adam Parks (31:23)
Very common. The first like three hours.

Eder Ribeiro (31:39)
Very quickly, that reality is up. Right, right. Arguably the first 45 minutes, especially if you discover it during normal business hours when everyone's turned on, very quickly you're gonna find out where you're landing there, right? Those 72 hours, first and foremost, containment, eradication, right? Can't overemphasize that. You need to stop the bleeding, right? You need to stop the threat actor's access. You need to get them out of there.

Adam Parks (31:46)
triage first.

Eder Ribeiro (32:07)
You gotta make that happen. But the problem is, at the same time, you have to start understanding the scope of the loss or the scope of the risk. Because more and more, you have regulatory pressure that's right on your back. Most collection agencies, especially if you're larger, you start having to report to the state and to federal entities. And some of those reporting guidelines are 72 hours within

Eder Ribeiro (32:36)
understanding that an incident occurred, you have to be making some sort of statement to a regulator. And they're going to come asking questions. So you got to, AKA, come correct, right? You got to show up: okay, this happened. We're not sure exactly how it happened, but it looks like this. We are doing these things, and this is why we're doing these things. Ideally, you have a plan. So you can say, our plan is covering all these things, so we know what to do next, and we're going to do this and this next, and you're giving that transparency and context, because that's going to help have fewer questions, right? And the more time you spend dealing with that, the less time you can spend on what else is going on. Which is also why it's so important to delegate roles and responsibilities. It's probably one of the most critical parts of an IR plan: roles and responsibilities. And so in those 72 hours, you're going to find that you can't do everything. You're not Kryptonian. You can't move faster than a bullet. You can't be in two places at one time. Therefore you can't make every decision. You can't be in every call. You're not going to have the knowledge base, as, say, the owner, CEO, president of this collection agency. You're not going to have the knowledge base for everything, and you're going to need help. You're going to need crisis management. Do you pay that ransom? Even if, you know, a lot of collections agencies have paid ransoms even when they had the data?

Eder Ribeiro (34:02)
Because somebody may or may not have had a conversation about what the optics are looking like here. Do we believe the threat actor that if we pay the ransom, they delete the data? That's a whole conversation to be had on its own, because that's part of every cyber extortion scenario, especially if we're talking ransomware, right? Part of every cyber extortion, ransomware scenario is, don't worry about it, we'll delete the data. Well, do you believe that? Do you not believe that? There's data there to point you one way or another.

Adam Parks (34:28)
Yeah.

Eder Ribeiro (34:31)
But that in itself is a whole conversation. Have you had these conversations? Does your plan take that into account? Do you have a crisis management team? What do you say to employees? What do you say to the market? If this brought you down, say you are hosting some external-facing resources in-house, and that ransomware takes down your website, that means your incident is going to be in some way public very quickly.

Adam Parks (34:38)
All of these things that happen all at once.

Eder Ribeiro (34:56)
People can't talk to you anymore. They can't find you on the web anymore. All of these things are going to happen all at once. And then also, of course, you have our good partners, our legal counsel partners. Got to bring the lawyers in, because what are the chances that if you own or run a collections agency, you understand the nitty-gritty of what all your legal obligations are? On top of that, how do you protect all these conversations, all this discovery, this journey you're going into? Attorney-client privilege might be a friend right now, right? So who do you bring in? All of these things have to happen, arguably immediately. But how hard is immediate when it is multiple things, right? Immediate isn't just containment and eradication. Immediate isn't just deploying the right technologies from a security apparatus in place so you can

Adam Parks (35:27)
getting everybody on the phone or into the right meetings at the right times yeah

Eder Ribeiro (35:50)
try to achieve containment. Immediate isn't preserving evidence for forensics, because you have to do that, right? You can't just burn the house down and wipe everything and rebuild so you can get back up and running because you know you had backups. Awesome. That's great that you had that. But you still have to record stuff, because you're going to have to answer questions. You're going to have to answer questions to your clients, consumers, your partners, right? You're going to have contractual obligations. You're going to have to answer questions to the government. And I make this analogy all the time.

Adam Parks (36:03)
No, you still have to capture everything.

Eder Ribeiro (36:19)
We've all seen cop shows or legal shows, some sort of CSI show. If somebody robs your house and you go and burn the house down and then you call the cops, it's going to be really hard for them to find a fingerprint on the wall, because you burnt the house down. Digital is good for that, right? And we see that every day. We had it happen literally yesterday. We had a client who deals with a lot of personal information, luckily not a collections agency,

Adam Parks (36:35)
That's a really good analogy. I like that.

Eder Ribeiro (36:47)
but deals with a lot of personal information. They had an incident over this weekend. They called their IT guy. Very small business, six people. So no IT staff, right? They have a trusted IT person on what I call the fix-it-and-break-it model, right? Some shit breaks, they come in and they fix it. And then they go away and you never see them again until something breaks again, right? How many collection agencies find themselves in that place? And they call that guy, and that guy is great at his job, which is fixing things and being an IT guy. He's not a forensic expert. He's not an IR,

Eder Ribeiro (37:16)
you know, incident response expert. He's not in the digital forensics, incident response space like we are. Evidence preservation was the last thing this fellow was thinking of. He was just trying to help them get back up and running, doing his job. Nothing wrong there. It's just different industries, different considerations. And that guy comes in and it's like, I can get you back up and running by Monday close of business. The guy's like, of course, let's go, we have work to do. Burns the house down. And now this friend is saying, you might want to

Adam Parks (37:38)
Yeah.

Eder Ribeiro (37:45)
call your insurance carrier, they can help you out with this, get you some access to some experts, blah, blah, blah. They come to talk to one of my analysts, right? And these folks are like, well, okay, what happened? And they tell them the story. And in that story, they're like, yeah, we wiped everything. We didn't keep copies of it. We didn't make any images. Everything is basically gone. They're just about to be fully operational again. Okay, great. But we're gonna have a really hard time answering questions. And you're going to start having questions. Two hours

Eder Ribeiro (38:14)
right there. That was all in the first 72 hours, right? They burnt the house down. All of these things happened. And now they're going to have a hard time answering some questions. Don't be that guy. You know, those 72 hours are chaos. But in that chaos, you can have organized chaos. And that's a big difference to having a telephone problem. Right.

Adam Parks (38:25)
But that's all about planning, right? Having that plan in place determines the level of organization that exists in your chaos, going back to the training ideology of: you're going to drop to your lowest common denominator under stress. How prepared are you to operate under stress?

Eder Ribeiro (38:40)
who have the fear.

Adam Parks (38:52)
Eder, this has been a fantastic conversation. And clearly, we need to have a follow-up to talk more about that first 72 hours, and really how things get back on track for an organization that has had one of these experiences. So I'm going to reach out to schedule yet another interview with you so that we can continue this conversation, because I think this is exactly what the debt collection industry needs to hear. They've been vocal in what their needs are, right, that everybody has some level of fear regarding cyber incidents. And I think part of that is just a lack of understanding, and having more people like you on their side, I think, puts them in a better position as an organization to survive these types of incidents in the future.

Eder Ribeiro (39:37)
Adam, absolutely, looking forward to it. Let's talk more about it. We can do a much deeper dive into these first 72 hours. Maybe we can even start scratching at the risk that folks on the collection side are facing now with all these AI tools that we're all using, because I get it, they're convenient, they help with a crazy amount of efficiency, but it is game-changing. And folks need to really get around it yesterday, because it's moving at quantum speeds. So yesterday already passed.

Eder Ribeiro (40:04)
That yesterday I was just talking about already passed. And so that's the speed we're talking about here. So looking forward to it, brother. It's great seeing you again. Looking forward to doing this however many times. Happy to be here.

Adam Parks (40:06)
Yeah. Well, I really do appreciate you. For those of you that are watching, if you have additional questions you'd like to ask, you can leave those in the comments on LinkedIn and YouTube, and we will be responding to those. Or if you have additional topics you'd like to see us discuss, you can leave those in the comments below as well. And I know I'm going to get him back here at least one more time to help me continue to create great content for a great industry. But until next time, Eder, thank you so much for joining me. I really do appreciate your insights.

Eder Ribeiro (40:40)
Absolutely. Thank you, Adam. Thank you, everyone. It's a pleasure.

Adam Parks (40:42)
And thank you everybody for watching. We appreciate your time and attention. We'll see you all again soon. Bye everyone.

Eder Ribeiro (40:48)
See you soon.

Why Cybersecurity Readiness Matters for Collection Agencies

Preparing for security threats isn’t a theoretical exercise anymore. In today’s collections environment, agencies face a mix of operational pressure, regulatory scrutiny, and increased exposure to sensitive consumer data. That combination makes cybersecurity not just a technology function, but an organizational survival skill.

In this episode of the Receivables Podcast, Adam Parks sits down with TransUnion’s Eder Ribeiro to explore why so many agencies underestimate cyber risk and why the industry must rethink what readiness actually means.

Right off the bat, Eder highlights a challenge that hits close to home for nearly every financial services operation:

“People don't actually know their data. And by people, I mean organizations, right? For the most part.”

That lack of visibility into where sensitive consumer information lives and how it moves creates blind spots that attackers exploit. And as Adam acknowledges in the episode, debt buyers and agencies often carry data going back decades, stored across multiple systems, archives, or cloud environments. Without clear governance, risk becomes almost impossible to quantify.

What makes this conversation particularly relevant for agency owners and debt buyers is its practicality. Eder doesn’t speak in hypotheticals: he brings a decade of incident response experience across real breaches, ransomware events, and compliance-driven investigations. 

His message is simple: You cannot respond effectively to a threat you don’t understand.

Takeaway 1 — Data Governance Defines Cyber Readiness

“And then you have to figure out, okay, well, what do I do with all the sensitive information?”

This frames one of the biggest operational challenges in cybersecurity: organizations rarely have a complete, unified view of where sensitive consumer information actually lives. Collection agencies often assume their data footprint is controlled, when in reality it’s spread across:

  • Cloud-based dialers
  • CRM systems
  • Legacy databases
  • Email attachments
  • Local machines
  • Third-party service providers

Reflection:
Adam reinforces that data governance is the foundation for preparing for security threats. Agencies cannot assess risk exposure or qualify for modern cyber insurance without understanding where consumer information is stored, how it’s secured, and who can access it. For many agencies, this requires stepping back and mapping every asset — not just the system of record. Without data visibility, even the best technology stack becomes fragile.

Takeaway 2 — Training Determines How Teams Perform Under Stress

“People are going to default to the lowest level of training that they have.”

In the military and incident response worlds this concept is universal, and it translates directly to financial operations. A crisis doesn't create new capabilities. It exposes what's already there.

Reflection:

  • Staff must know how to escalate suspected threats instantly.
  • Leadership must understand when to activate the incident response plan.
  • IT partners must know what not to touch during an investigation.
  • New hires must be trained continuously—not once a year.
  • Password resets and MFA onboarding must follow strict protocols.

When preparing for security threats, muscle memory is everything. Agencies must build operations that hold up under pressure, not just in controlled conditions.

Takeaway 3 — Social Engineering Is the Real Threat Vector

“It's so many reasons… why that number is so high… the human.”

Despite what Hollywood suggests, most breaches don’t start with a sophisticated hack. They start with someone:

  • Clicking a malicious link
  • Approving a fake MFA prompt
  • Answering a convincing phone call
  • Allowing remote access they shouldn’t

Reflection:
Eder’s point is simple: technology isn’t usually the weak link—people are. Agencies must invest in awareness training that mirrors real attacker behavior. And leaders must treat fatigue, distraction, and burnout as operational risks.

Social engineering succeeds when teams are overwhelmed or unprepared and attackers know it.
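The "approving a fake MFA prompt" case above is detectable in the identity provider's sign-in logs if someone is looking: the pattern is a burst of push prompts to one user, often several denials followed by a tired approval. The script below is an added example written for this page, not code from the podcast or from TransUnion. It assumes a hypothetical `key=value` log format and the thresholds are assumptions you would tune to your own provider's volumes; the sample lines are constructed, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (hypothetical key=value format, not real logs):
# jdoe denies three prompts in two minutes and then approves one; asmith gets a single
# normal prompt. RFC 5737 test addresses are used for the IPs.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z user=jdoe event=mfa_push result=denied ip=198.51.100.23
2024-05-02T09:14:41Z user=jdoe event=mfa_push result=denied ip=198.51.100.23
2024-05-02T09:15:20Z user=jdoe event=mfa_push result=denied ip=198.51.100.23
2024-05-02T09:16:02Z user=jdoe event=mfa_push result=approved ip=198.51.100.23
2024-05-02T09:30:10Z user=asmith event=mfa_push result=approved ip=203.0.113.8
2024-05-02T11:02:00Z user=jdoe event=mfa_push result=denied ip=198.51.100.23
"""


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def summarize_pushes(log_text, window=timedelta(minutes=10)):
    """Per user: the most prompts seen inside any sliding window, and the most
    denials that preceded an approval inside that same window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec.get("event") == "mfa_push":
                events[rec["user"]].append(rec)

    summary = {}
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        busiest = 0
        denials_before_approval = 0
        for i, rec in enumerate(recs):
            # Every prompt for this user that falls within `window` before (or at) this one
            in_window = [r for r in recs[: i + 1] if rec["ts"] - r["ts"] <= window]
            busiest = max(busiest, len(in_window))
            if rec["result"] == "approved":
                denials = sum(1 for r in in_window if r["result"] == "denied")
                denials_before_approval = max(denials_before_approval, denials)
        summary[user] = {
            "prompts_in_busiest_window": busiest,
            "denials_before_approval": denials_before_approval,
        }
    return summary


def flag_push_fatigue(summary, burst=3, min_denials=2):
    """Users worth an analyst's attention: a prompt burst, or an approval that
    followed repeated denials (the classic 'just make it stop' click)."""
    return sorted(
        user
        for user, s in summary.items()
        if s["prompts_in_busiest_window"] >= burst
        or s["denials_before_approval"] >= min_denials
    )


if __name__ == "__main__":
    summary = summarize_pushes(SAMPLE_LOG)
    for user in flag_push_fatigue(summary):
        print(f"REVIEW {user}: {summary[user]}")
```

The approval-after-denials rule is the one that matters most: a burst that ends in a denial is an attacker failing, while a burst that ends in an approval means the account is now the attacker's, and the session it created should be revoked and the password reset before the investigation goes any further.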

Takeaway 4 — The First 72 Hours Define the Outcome

“Those 72 hours, first and foremost, containment, eradication… you need to stop the bleeding.”

This quote sets the tone for one of the most impactful segments of the episode: what actually happens once an incident is detected.

Reflection:
Agencies must move quickly, but not recklessly. Wiping systems or resetting servers may destroy evidence, trigger regulatory complications, or increase financial exposure.

Eder stresses containment before recovery. Leaders must also know who to call first: internal teams, external counsel, forensics, carriers, and clients. The sequence matters because regulators expect accuracy, partners expect transparency, and threat actors expect chaos.
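The "burn the house down" story in the episode comes down to one missing step: nobody hashed and recorded what was on the machines before the rebuild. The script below is an added example for this page, not code from the podcast or from TransUnion, showing the minimum that preserves evidentiary value before anyone touches a system: a manifest of every file's SHA-256, size and modification time, sealed with its own hash, and a verifier that later reports what changed, vanished or appeared. The directory layout, file contents and collector identity are all constructed assumptions; on a real host you would run the same idea against a forensic image, not the live filesystem.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read files in 1 MiB pieces so large logs and images do not load into memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, collector):
    """Record hash, size and mtime of every file under root, who collected it and when.
    Paths are stored with forward slashes so the manifest compares cleanly across hosts."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            entries[rel] = {"sha256": sha256_file(full), "size": st.st_size, "mtime": st.st_mtime}
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "root": os.path.abspath(root),
        "files": entries,
    }
    # Seal the file table itself; this is the value you hand to counsel or the carrier,
    # so a later edit to the manifest is as detectable as an edit to the evidence.
    body = json.dumps(entries, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(root, manifest):
    """Re-hash root and report drift against the sealed manifest."""
    current = build_manifest(root, collector=manifest["collector"])["files"]
    recorded = manifest["files"]
    return {
        "changed": sorted(p for p in recorded if p in current and current[p]["sha256"] != recorded[p]["sha256"]),
        "missing": sorted(p for p in recorded if p not in current),
        "added": sorted(p for p in current if p not in recorded),
    }


def demo():
    """Constructed scenario: preserve a small evidence set, then let a well-meaning
    clean-up rewrite one file and delete another, and see what the verifier reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        with open(os.path.join(root, "logs", "auth.log"), "w") as f:
            f.write("constructed sample log line\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("original\n")

        manifest = build_manifest(root, collector="analyst@example.com")  # hypothetical collector id

        # The 'fix it and break it' pass: restore a file from a template and delete the log
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("cleaned\n")
        os.remove(os.path.join(root, "logs", "auth.log"))

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Write the manifest to removable media or a separate host, not to the machine being investigated, and hand the `manifest_sha256` value to counsel at the time of collection; that single line of hex is what lets you answer "how do we know this is what was on the box" 72 hours later.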

Essential Cyber Response Steps for Collection Agencies

Seven practical steps Adam encourages agencies to take immediately:

  • Map every system storing consumer data—no exceptions.
  • Require MFA across all accounts and verify it is enforced, not optional.
  • Conduct quarterly incident response drills with every team.
  • Establish “do not touch” protocols for IT during suspected breaches.
  • Pre-engage forensics and legal partners before they’re needed.
  • Document a 72-hour response plan aligned with regulatory expectations.
  • Train staff monthly on social engineering threats and internal escalation.

Industry Trends — Preparing for Security Threats

Cyber incidents in collections have increased, not because attackers target the industry specifically, but because agencies now operate in a distributed, cloud-dependent environment. Smaller agencies with limited IT resources remain high-risk targets. Meanwhile, cyber insurance underwriting is becoming stricter, requiring proof of data governance, MFA, and incident response capability.

Collections leaders must shift from reactive posture to proactive readiness. Regulators, creditors, and consumers expect it.

Key Moments 

00:00 – Introduction to Eder Ribeiro and TransUnion
08:31 – Why cybersecurity readiness starts with data governance
12:29 – Incident response planning, training, and muscle-memory preparedness
17:43 – Small agency cyber risk management and data exposure challenges
22:34 – Social engineering threats and human-driven vulnerabilities
30:56 – What actually happens in the first 72 hours of a cyber incident
38:40 – Closing thoughts and next-episode setup
40:42 – Final thank-you and episode wrap

FAQs on Preparing for Security Threats

Q1: Why is cybersecurity readiness essential for collection agencies?
A: Because agencies handle sensitive consumer information and are high-value targets. Readiness ensures faster containment and reduces financial and regulatory exposure.

Q2: What is the biggest cyber threat facing agencies today?
A: Social engineering. Attackers target people rather than systems, because human error is still the leading cause of breaches.

Q3: What should agencies do in the first 72 hours of an incident?
A: Focus on containment, preserve evidence, follow the incident response plan, and engage legal and forensics teams quickly.

About Company


TransUnion

TransUnion is a global information and insights company enabling businesses to manage risk, improve operational efficiency, and safeguard consumer data at scale. Through its expanding cybersecurity, identity protection, and incident response programs, TransUnion provides essential support to organizations navigating modern digital threats.

About The Guest


Eder Ribeiro

Eder Ribeiro serves as Director of Global Incident Response at TransUnion, leading teams across more than 15 countries to help organizations navigate high-impact cyber incidents. With a background spanning military service, law, digital forensics, and crisis response, he brings a uniquely operational and human-centered lens to cybersecurity leadership. Connect with him on LinkedIn to follow more of his industry insights.
