- Corporate Security
- Governance, Risk & Compliance
- Information Security
Governance, Risk and Compliance
By Resolver Modified February 7, 2021
To kick off the new year, industry experts and hosts of our new podcast, The Watchdog, Brian McIlravey and Tim Chisholm sat down to chat about their forecasts for the shifting risk and security landscape this year and how practitioners can stay ahead of the curve. Read the full guide to the top corporate security threats of 2018 here.
Prefer to listen? No problem! Tune in to the episode on iTunes.
Tim Chisholm: All right. It’s a new year, Brian.
Brian McIlravey: It is, Tim. It’s 2018. How do you think the planet is this month, Tim?
Tim Chisholm: The planet has maybe been in better shape before. But what do you think? Where are you sitting? How are you feeling?
Brian McIlravey: There are all kinds of different charts on the top security risks that pop out for 2018, and they’re all very similar. But in terms of Resolver’s guide to the top risk and security trends of 2018, I went through a bunch of them and found some patterns that were very interesting. What I’m going to do is focus it down to two that I think are very prevalent. One that’s been common going back to probably about 1811 is natural disasters. I mean, there’s some risks that we know are going to be on this list every single year. But there was an article that came out about the planet and natural disasters that I found especially fascinating – 2017 was the most costly U.S. disaster year on record just in terms of the massive, massive amount of billions spent—which you might expect given the significant disasters that happened this year.
When it comes to natural disasters, I often say they’re always on the list of top threats. You have to protect yourself against natural disasters if you’re in Miami, if you’re in California, or if you’re in the Midwest. Different types of disasters will happen to different corporations depending on where they’re geographically located. What I found interesting in the article was not so much that the number or the quantity of natural disasters were that much different compared to previous years—in 2005 there were actually more natural disasters. So it’s not the quantity. The frequency doesn’t change that much. You don’t go from 10 hurricanes to 125 hurricanes from year-to-year. What the article pointed out was just that the significance of the disasters—like the hurricanes this year—were way beyond most they’ve ever seen. Wildfires were especially worse than they’ve ever seen.
So in terms of the things to watch out for in 2018, it will be interesting to see whether natural disasters will carry the same frequency, but the severity will be similar to 2017, or whether it will calm down a little bit. My question asking how you think the planet is doing was kind of led by that one because I don’t think 2017 was a good year for our planet, Tim.
Tim Chisholm: Well, it brings up an interesting question about how you end up planning for those kinds of escalations. I mean, obviously I don’t think people could’ve seen 2017 coming in terms of the sheer severity of the things that were thrown at the United States, but going into 2018, how as a company do you adjust that calculus? Do you now have to factor in and assume that 2018 is as bad as 2017? Do you look at it as an outlier? How does that kind of natural disaster planning actually happen?
Brian McIlravey: Yeah. I think you have to. I think the keyword is planning, for sure. I mean, you can’t expect that you’re going to go from 10 really bad hurricanes and horrible wildfires down to zero, and say, “Hey, hopefully nothing’s going to happen in 2018 and we’ll just wait and see.” Wait and see will never cut it. It’s all planning and you have to plan for the worst case scenario. Some of the hurricanes and the responses to hurricanes over the course of the year just become lessons learned – learn these little things so that going into 2018 you plan a little differently, you respond a little differently. It’d be interesting to talk to business resiliency professionals on their take on the differences. Did they plan any differently in 2017 than they did in 2016, and what did they miss going into 2018? What are they planning in 2018 that they didn’t last year during a hurricane? So maybe one of these Watchdogs need to get a business resiliency pro in here and let them answer that question on how you change when you have these serious events happening. What do you have to do to protect yourself against the absolute worst thing that can happen, and then what is that worst thing that can happen? Can it be any worse than 2017?
Tim Chisholm: It’s that idea that you can’t reasonably plan for your actual worse case scenario. It has to be rooted in some kind of grounding and some sort of precedent. But I think if 2017 showed us anything, it’s that there can be a gulf between what we are able to considerably, reasonably imagine and what can actually happen. I think it becomes interesting from a corporate perspective when you have to start allocating actual funds and actual resources to this kind of planning. How much do you dictate through your imagination of how bad it can get versus what is a reasonable spend on the part of the company and on the part of the corporation?
Brian McIlravey: Yeah. Historical information really plays in a lot. If you look at something as simple as urban planning for lake area properties, they go by something that’s called the hundred-year flood mark. When they do setbacks, they take a flood marking and say your property setback has to be here because if we have the worst possible flood in the next hundred years, the worst possible flood in the last hundred years was before mark. We don’t expect it should ever go higher than this mark. If it goes 25% higher, you’re still good. So for hurricanes and other types of weather events, the historical context must have some kind of play in terms of how bad things can get. I’m not feigning expertise in this field in any way, but I wonder if there are any historical components that played into planning for hurricanes over the past hundred years. This year has been the most costly ever, but not necessarily the worst storms ever. There’s been some pretty bad hurricanes in the past. You wonder if the economic disaster piece to it is just more people, more businesses, more things that can get destroyed, more claims, things like that.
Wildfires, on the other hand, are a different story. Historically, once a fire has burned through a forest, there’s a very low likelihood that the same forest is going to catch on fire again next year. But the one 20 kilometers away from it still could. I’m sure there’s some historical extrapolation there.
So you know, Tim, the concept of natural disasters will never go away. I just found that one article on it being the most costly ever was pretty interesting even though the frequency hasn’t change. Risk is all about frequency and expectations.
Tim Chisholm: That being said, is there anything that’s predicted for the next year that strikes you as something a little bit more contemporary, a little bit more rooted in newfound threats?
Brian McIlravey: Going back to how the planet is doing today, some of the threats being predicted for this year are very obvious. Some are not. But there were some that just kept repeating themselves. It’s not going to be a surprise to anyone. The two biggest ones that I kept seeing over and over again were cyber attacks and soft target attacks. But then what I found more interesting was within each of those two, there was actually a common theme. I can let you in on that theme as I get to the end because I don’t want to tell you right away. It would just spoil it.
Tim Chisholm: Excellent. Stay tuned to the end.
Brian McIlravey: Yeah. Stay tuned to the end because there’s a big twist to all of this as you research it. Take cyber attacks as the first one. Any list that you look at on security risks to watch out for in 2018, there was not one that did not have cyber on it. So it’s got to be one of the biggest ones that every company, every organization, every person has to be worried about. You could be a government, you could be a corporate organization or an individual person. You need to be worried about cyber. What gets more interesting though is the different types of cyber threats for 2018 that become more worrisome than others. There’s lots of them.
The most prominent ones like denial of service attacks are always out there. You’re always protecting against those. But there’s other ones I found a little more serious and a little more interesting. Ransomware, of course, being not a new one but one where companies are getting hit a little more frequently. I mean, ransomware is rampant and I think a lot of people and companies take the ‘not in my backyard approach’ thinking it will never happen to them. Be proactive about ransomware. As an individual, Tim, have you ever sat at your home computer and thought, “No one’s ever going to come into Tim’s computer. What are they going to steal from me?”. Do you think about that as an individual?
Tim Chisholm: I only ever really think about it when I see cyber attacks in the news. But my reaction is always that I’m sure that I’ve got nothing of value. I’m sure I’ve got nothing of interest. So why would anybody knock on my metaphorical door to try to extract stuff out? But then it’s one of those things where if you ever let your mind kind of roll down the drain, it’s amazing how much information you have or that you have access to either by virtue of individual banking assets, or things that your work trusts you with. There’s a lot of valuable stuff on my own computer that I sometimes take for granted as being unimportant but is actually fairly sizable and fairly valuable in these kinds of attacks.
Brian McIlravey: Yeah. It’s one of those things where you probably don’t understand how much you love something until it’s gone and taken away, and then someone says, “Hey, you can have all this back for the healthy fee of $50,000.” Pictures, documents, all of these little things that we keep on our personal computers that can easily be ransomed. Imagine being at a corporation where you come in one day and your servers are locked out. You can’t get into Salesforce. You can’t get into anything that is running your company. Just the impact on that would be so huge to any organization.
But there were two other pieces that I found very interesting when looking at cyber related threats and things to watch out for in 2018. One was related to the internet of things being the real weak link in the internet. As we know, there are more and more censor-based internet connected devices and the internet of things will always remain a major weak point right now because of the devices being connected through networks that aren’t properly configured, and rely upon the 000 password that no one ever changes. Those little gateways can give very easy access to bigger systems. They give rise to the bot nets that are just out there saying ‘looking for a hole, looking for a hole’ and are then used for volume attacks to actually trade stolen data. It’s really, really huge stuff. We have a lot of things even here in our office that are internet-based, and people have them at home. That’s just going to exacerbate over the course of the year as things get connected and further expand those weak links where something is looking for that little hole to get in to cause some kind of damage – ransomware, whatever it might be.
Tim Chisholm: I think we’re getting to a place where we’re bringing these things into our home, into our office somewhat unthinkingly. Someone goes out and buys a new smart thermostat or a new smart plug. Sometimes you can get these things for as cheap as $20, $30 and so you don’t think of it as being a point of attack for your computer, being a point of attack for your personal information. It’s one of those things that seems so innocuous. It actually reduces the cognitive assumption that it can pose a vital threat to both your home or to your office. I think as these things become more and more ubiquitous, and as the general population starts to really adopt them, it’s immeasurable how much the threat will increase because you are taking these things in unthinkingly. Maybe you have one single smart plug, and that one single smart plug is going to be fine. But if you’re going to start bringing in the kids’ toys and the random speakers, every single one of these is a new potential fail point for your home or work security.
Brian McIlravey: Yeah. It’s the fail point that’s the next point I wanted to discuss actually. So we have these connected, sensor-based devices – all these things that are used in corporations, in houses, in public. No matter where you go. These devices are becoming more ubiquitous. But at the same time, there is a significant shortage in cyber security professional skills.
Tim Chisholm: Interesting.
Brian McIlravey: I don’t know if a lot of people really recognize the amount of data that we have out there through these sensor-based devices being set up. To your point, there’s little scrutiny of these things. Part of that is there’s just not enough expertise. The expertise is not going as fast as the technology for us to properly protect all these things that are out there on the internet or out in cyberspace. Had I said, “Give me five things in cyber that you think are an issue for 2018, Tim,” would you have said, “Hey, I think it’s a skills shortage”? Because that’s one I’m shocked to have read everywhere.
Tim Chisholm: I really wouldn’t have thought of that. Is there a specific kind of skillset that you’re referring to? What would be the skillset that you find is lacking perhaps in the job’s marketplace?
Brian McIlravey: It depends on the term. There are cyber security professionals. There are InfoSec professionals. They both relate to the protection of something cyber. So InfoSec people are going to be more concerned with the protection of information and data and getting through servers. But think of something as big and critical as infrastructure protection. When you look at the electric grid and other high impact critical infrastructure places, a lot of those are running on networks and are still based on the internet. Their servers might be contained but they are still open targets that need protection. So you have professionals that range from the physical protection of physical barriers through to the logical barriers through to the local barriers. I mean, it’s just a protection of all these pieces, widgets, sensors, connections, pathways, open ways. The skill set is very diverse. Through ASIS International, there’s a council called the Information Technology Security Council. I think there’s 40 to 45 members on that council that range from military backgrounds to private InfoSec members to cyber security members. If you ask each one of them what the difference is between what they do, their answers will probably be localized to the group or to the industry that they work in. But their skillset is simply understanding how to protect systems, and more importantly, understanding how attackers want to get into those systems.
I find that cyber professionals are very astute at understanding how someone would get in somewhere or how someone got to something. I am no where near a cyber guy. But I know a lot of them and their skillset is very unique. It just appears there are not enough of them. The technology moves too quickly. There’s not enough people engaging in that right now. So hopefully over the course of 2018 and beyond, we’ll start to see cyber security and InfoSec becoming larger professions and we’ll have people jumping on them as quick as they can.
Tim Chisholm: Do you find that one of the aspects of those jobs that might actually wind up being somewhat important is the ability to educate the employee base? It’s one of those things that I start to think of too – how much each individual employee becomes his/her own vulnerability. This idea that Google just prompts you now to save your password. It’s easy and convenient. So someone just clicks ‘yes’. But now that’s become a vulnerability within the company. It’s this necessity for people to not just manage the systems but to also manage the employees and make them understand that they, themselves, may be potential vulnerabilities.
Brian McIlravey: Absolutely. Even at Resolver, every time a new policy comes out, there are new requirements – your password has to be changed to 27 characters, must contain 14 letters, 5 numbers, a roman numeral, and a toy car. As soon as you see it, you’re like, “What? What on earth is this? Why do I have to do this? I’m not doing it.” But they’re doing it for a reason. They’re doing it for protection. A lot of times they’re following protocols that have to be followed, but oftentimes, yeah, people will just be like, “No. Why do I have to do that? I’m not doing it… Why do I have to lock my laptop?” You go to Starbucks and you open up your laptop and go on the Wi-Fi there. You get a big warning that says, “The guy beside you is probably reading everything you’re typing right now,” and you hit ‘okay’ and carry on. How often does that happen? How many times a day do potential data leaks happen or access points become available just by virtue of an employee not following that basic principle of watching what they’re doing and where they’re doing it and being aware of the people around them that could be watching the whole time.
Tim Chisholm: It’s exactly like you said, you end up with all of these points in your day where you are presented with a choice that you have to make about whether or not you’re going to be more secure or more convenient. As an individual, you can come up with a list of reasons for being more convenient. That you’ve reached whatever your imaginary threshold is for the day of things that you’re going to be secure about. Yet, it’s the resiliency of the threat that actually makes that such an unpalatable solution. Even thinking back to the email hacking that happened during the last U.S. election – you send out enough phishing emails, you send out enough spam, and it just takes that one person that one time to chose to ignore that one piece of advice. It’s one of the things that makes me so interested in this idea that InfoSec professionals are somewhat of an educational force not only in the way that they’re deploying information, or in the ways that they’re explaining why security is important, but also in their ability to actually change minds and make people understand not just from a policy level but from a practical level, and an emotional level why they have to make these changes.
I think those kinds of skillsets in the profession might wind up being as important as the ability to understand the entire mainframe or the entire framework of the company because at the end of the day, each individual is as much a vulnerability as each internet of things or device that they bring in. It makes for a very difficult role to fill to the point where I even start to wonder – is this the kind of thing where the company has to set up its own cyber security or InfoSec division, or where people with those specific skill sets need to be embedded within individual departments? There almost needs to be representatives throughout the company just because of the sheer amount of vulnerabilities that a company faces by virtue of its employee base.
Brian McIlravey: Yeah. Does it become its own division? How far do you go? How long does your password have to be to keep up with new policy recommendations? It keeps going and going and going. This will be a good segue into the next piece I wanted to talk about. There’s a saying from former FBI Director William H. Webster, which is, “Security is always seen as too much until the day it’s not enough.” It’s a very interesting phrase because when you look at something like cyber, you say, “Okay. Why do I need to do all these things? We have all these passwords and all this stuff in place.” It looks like it’s too much until the day you are ransomed and you’re like, “Well, how did we not see this? Why was this not in place? Why was that not in place?” You go through the triage of figuring out all the things that were not in place and what was not enough. Looking back is always easier.
For something like soft target attacks going into 2018, I still think they’re going to continue to rise. As we’ve sadly seen for the last few months, that is the reality of it, and the big question becomes how do you protect against them?
Tim Chisholm: What is a soft target attack for those who aren’t familiar with the term?
Brian McIlravey: That’s an excellent question. The easiest way to define a soft target is a place that is open to all of society. So if you think of a mall, a hospital, a church, open air events, nightclubs, they’re places that are open to everyone. The word soft comes from the fact that they are not typically fortified. There’s no walls, there’s no fences, there’s no access control, which means they are vulnerable, they are unprotected, and they’re essentially undefended. That’s what makes them soft targets. They are not hardened. When you talk about hardening a target, you’re talking about putting defenses in place to make sure they’re hardened so you can’t get through the wall. You can’t get past this, you can’t get over that, you can’t go through this to get through. So soft targets are those areas that are unprotected, undefended, and filled with people.
Tim Chisholm: Okay, interesting.
Brian McIlravey: How far do you have to go to protect something until security is seen as too much? When you talk about terrorism, the whole goal is to get you to not want to go to the hospital, to not want to go to that concert, or be at that concert and fear for your life the whole time that’s something’s going to happen. So how do you protect against that? How do you prepare for that? The way I see this is it’s not impossible but near impossible to protect against that lone wolf or that group that has a mission, has identified a target, and all you can do really is be prepared for the response or hardened to the extent that is possible in society. That you don’t walk in and say, “Hold on, I’m just trying to go to the hospital here. Why do I have to go through all this stuff?”
In Canada, I think maybe we take it a little more for granted because nothing significant has happened unless you go back to the Ottawa attack of 2015. It was a soft target attack at the capital. A guy walks out with a gun, shoots two guards at a cenotaph, then walks into our nation’s capital building and starts firing away.
Tim Chisholm: Right.
Brian McIlravey: In 2018, we’re not going to see much change there. Just because of the nature of soft targets as easy, it’s really hard to protect them. The big thing is being able to respond properly.
Tim Chisholm: What always interests me about the soft target issue is when watching the response, how much of it actually winds up being a new form of protection versus, I think, rebuilding the confidence in the individual? It goes back to what you were talking about with the motivation behind terrorism. Instill this terror to keep people from leaving their homes, to keep people afraid. I think probably the most famous example would be 9/11 and how afraid people were to fly in the aftermath of that. There’s the very obvious security side of it from that the individual almost never sees. But then there’s also a little bit of performance in order for people to feel safe to fly again. Because the shoe bomber had media coverage showing what he attempted to do, we now have to take off our shoes at the airport. It’s the most commonly cited example.
This weekend, I was reading an article about how Disney hotels are now going to remove the ability for you to put out ‘Do Not Disturb’ signs outside your hotel room. Once a day, the employees of the hotel are encouraged to enter every single room – all in response to the Las Vegas shooting. The likelihood of that measure actually stopping the exact same thing that happened in Las Vegas is probably pretty slim, but at the same time, it feels like it’s the kind of thing that now has to happen in order to restore confidence in the individual to want to book again, to want to come out and vacation again. Do you find that these sorts of things are practically helpful or are they only put in place for the benefit of the individual and of the consumer?
Brian McIlravey: Yeah. For that one there’s a back and forth answer. I didn’t know that about Disney. I’d be interested to see the amount of the people that promote, “Yeah, come and check my room. I don’t care,” versus the, “No, you should not be allowed to come in my room. I paid for it. It’s mine,” versus the, “You’re on our property. We have the right to do whatever we want.” Then you have some people saying, “Hey, if somebody had just checked his room.”
Tim Chisholm: Right.
Brian McIlravey: Walked in and said, “He’s got a big gun set up on his desk and he’s got five other guns on the table.” That’s probably a leading indicator that something bad was going to happen. Most hotels you have someone going into that hotel room every day. They’re going in to clean. They’re going in to check something with the room. I don’t necessarily know if you need a person going in to rifle through people’s things to see what they have. But even with the ‘see something, say something’ approach, you’ve got to wonder if part of it is lack of training. Are we training employees like in-room staff to watch out for indicators? These are things that have to be done and you often look back and say, “Maybe the better thing to do is to train people to look for certain things and notice certain things.” People in the security industry are trained observers and might be more adept at noticing small little things out of the ordinary. Whereas, if it’s not something you’re trained in and astute in, a person walking in with 15 bags might be the norm. Or when they have 25 bags and you walk in and you see a bullet on the desk. A bullet on the desk should be enough to say, “Hmm. Maybe I should just tell someone. There’s something off there.”
But you made a comment earlier that will lead me into my final big sell here that I kept as a secret from you. Here’s the big secret. In going through all these 2018 lists of top threats and in looking at cyber attacks and in looking at soft target attacks, a lot of them came down to two things that you should be looking out for, which is, not surprisingly, external threats. So threats from foreign countries, especially related to cyber. But even more noted and more importantly was internal threats. So internal being what would be referred to as insider threat. When we were talking earlier about how easy it is for me to make a mistake and have something happen. Well, how easy is it for me to do it intentionally, to find the hole, and bring something down?
So what I found really interesting from the 2018 Resolver list was not just cyber attacks and soft target attacks being on the list, but both of them being relative to external foreign threat and internal insider threat – each of them really focusing on the insider threat. Insider threat is as big as ever. I don’t think it’s ever not been a threat. I think it’s just a bigger, more prominent one now.
And how do you protect against an insider? Probably one of the harder things to protect against is an insider threat over an external one because external you’re looking for signs that would indicate certain groups, people, or things want to attack you. Intelligence groups are there to detect that. Insider is a totally different game. It’s really hard to find the lone wolf. It’s really hard to find indications until something happens. Then you go back and you look and you say, “Well, that was obvious. How didn’t we notice that?” Or you get the, “Yeah, there’s no way we would’ve ever noticed that this person had an issue and this was going to happen.” So I thought it was really interesting to find not just cyber and soft target being on the Resolver list, but both of them really nailed in on insider threat being a big piece of each.
Tim Chisholm: And you almost get the impression from a social standpoint that people feel like the insider threat thing is over. You think back to the Cold War and it was all everybody was worried about – spies roaming among us. It seems like since the end of the Cold War, you’re at a point where people feel like, “Well, we’re all just one, big, happy, global community.” There isn’t that same need for the internal vigilance that maybe once existed. Do you feel that the threat is equivalent or more so than it might have been in the ’60s,’70s, and ’80s, or do you feel that it’s on a par where we should be maintaining at least a certain amount of the same mindfulness that we did once upon a time?
Brian McIlravey: Well, going back to the beginning of our conversation, I think the planet is different. Going back to threats from the Cold War era, one of the items on the 2018 Resolver list is espionage. Espionage is something that is here today but was also present in the ’60s and ’70s and probably in the ’20s and ’30s. Espionage is essentially trying to find something out about a specific group, be it a government or an organization. We’re putting insiders out in some way, shape, or form to find out information. The difference now is that insider threat within an organization is not accessible in a way that it was in the ’60s. It would be really hard to detect Tim going through electronic files and putting in malicious code. Whereas, in the 1960 if you’re going through all the filing cabinets and everything, I think things would’ve been a little bit more obvious.
So yeah, espionage and the way you did things in the ’60s, although covert, was just done differently than it’s done now. I think it’s a little bit easier now to be an insider than it was in the ’60s and ’70s. Espionage has not gone away. Corporate intelligence or whatever you want to call it is simply corporate spying. Happens every day. There’s just so many easy ways to get corporate data right now, especially if you have an insider. During the Cold War, the easiest way to get information from another country was to go get one of their people, con them over, and say, “Hey, we’re going to pay you to give us all the top secrets that you have access to.” Well, that’s still there today. There’s still those people there. We’ve seen it all in the last 10 years – h ow easy it is to give away secrets or things that are going on.
So I don’t think it’s necessarily changed what we do. It’s just how we can do it now, and how easy it is to do it now. Gone are the days where someone flies over and meets you in a clandestine burger joint and hands you an envelope full of money. Things are done differently now. That gets you into things like the dark web and deeper threats that are probably a good topic for another session.
Tim Chisholm: Alright then we’re about to wrap up. I want to throw one more thing at you before we do though. We sort of talked about a lot of the things that have become new threats or threat trends that are going to be occurring in the next year. Is there anything that you feel that we’re better at now than we have been in the recent past? Are there any once common threats that have been somewhat mitigated or neutralized in the last tenfold of years that come to mind before we scare the bejesus out of everybody?
Brian McIlravey: Well, the reason that risk and security exist is that when one protection is created, someone immediately tries to defeat it the instant it is made. If that concept was not in place, we’d still be using those locks from the 1800s that had the big key and were 1600 pounds and made of iron for a six foot, six inch lock. There are probably things that we are much better at. Every time something happens, there is a lesson you learn – you do a root cause analysis or you figure out why that happened and how it happened. Then you do your best to make sure it doesn’t happen again or if it happens again, you reduce the impact or you have a better response. So depending on how far back in time you go and what threat you look at, it’d probably be easy to say yeah, we do a better job with that now than we ever did.
I think one of the biggest things that we do really well now that you couldn’t do 30 years ago is notifications. When you have major events now, it’s very easy to know there’s an event going on. Let’s even go back to 2005, before the iPhone and before a lot of social media – if an event occurred, it was sometimes only the next day when you picked up a paper that you figured out something had happened. Now things are instantaneous. What we do really well now is the notification of events. Whether that be intentional through intelligence or mass notifications or tracking of employees and notification of employees. If you’re traveling to the other side of the planet and you’re in a city where something significant happens, 15 years ago, it’d be very hard to track you down and find you to get you out. Now, you’ll be notified right away. We know where you are or where you’re supposed to be. The whole global village is a lot tighter now that we can notify people immediately. People are aware right away, and people are communicating right away. Every event, even any of the ones you look at recently, has information being passed along mostly through social media sites where update are being posting right away.
So I think that’s probably the one thing I’d say that we do much, much better. Beyond all the great things that we do now across risk and security and protection, notifications just seems to protect people maybe a little bit quicker than we used to before.
Tim Chisholm: All right. I like it. We have a little bit of an up note to end on. So that concludes our very first episode. Thank you very much, Brian. That was fun.
Brian McIlravey: Yeah. That’s was a lot of fun, Tim. Looking forward to the next one.