Negotiating With Hackers

The Supply Times Issue #61

Hello again, dear readers!

Did you know that only 10% of ransomware attacks are reported? Companies keep it quiet because they don’t want to deal with the regulatory headache and reputational loss that comes with being hacked. They’re also way more willing to negotiate and pay hackers than you might think. More on that below. 

Also, Prop 22 has been upheld in California, which means gig workers at companies like Lyft, DoorDash, and Uber will remain contractors. These companies must be relieved, as they saw Prop 22 as an existential threat to their entire business model. Meanwhile, labor rights groups are unhappy.

This issue features the usual bunch of AI Insights and recommendations for the week's podcasts, books, shows, charts, and tweets, followed by a final chuckle. 

Let’s get going.


Industry Highlights: Negotiating a Ransom Payment

Procurement people like to think they’re pretty good at negotiation, but this is next-level. 

A gripping story in The Economist describes a ransomware attack on an unnamed administrative services provider with thousands of clients including health services, government agencies, and police forces. 

It starts with the security operations center (SOC) noticing unusual activity: somebody was brute-forcing an admin account, trying thousands of passwords per day. The SOC alerted the client’s IT team, who either missed or ignored the message, and the issue was forgotten. Eventually, the hacker gained access, the servers started malfunctioning, and a threatening email arrived which included a link to a private chatroom and a deadline for using it. 
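The attack that opened this incident was visible in the logs before the account fell, which is exactly what a SOC rule is for. Below is an added example, not code from The Economist story, the provider, or its SOC, of the per-account failure counting such a rule applies. The sshd-style log format, the thresholds, the IP addresses and the sample lines are all assumptions constructed for the example. It goes a little beyond the story by also flagging the sibling pattern, a password spray (one source trying many accounts a few times each), and the moment a flagged account finally logs in successfully.

```python
"""Brute-force / password-spray detector over authentication log lines.

Added example, not from the original story.  Log format, thresholds and
sample lines are assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed sshd-style line: "<ISO timestamp> Failed|Accepted password for [invalid user ]<user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line):
    """Return (timestamp, result, user, ip), or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect(lines, window=timedelta(hours=1), per_account=20, spray_accounts=10):
    """Raise alerts for three patterns, in the order they occur in the log:

    - brute_force: one account accumulates >= per_account failures inside a
      sliding `window` (the story's "thousands of passwords per day" case)
    - spray: one source IP fails against >= spray_accounts distinct accounts
    - success_after_failures: an Accepted login on an account already flagged,
      i.e. the point at which the attacker in the story got in
    Returns a list of (kind, key, detail) tuples.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[0])
    fails_by_user = defaultdict(list)   # user -> failure timestamps inside the window
    users_by_ip = defaultdict(set)      # ip -> accounts it has failed against
    flagged_users, flagged_ips, alerts = set(), set(), []
    for ts, result, user, ip in events:
        if result == "Failed":
            q = fails_by_user[user]
            q.append(ts)
            while q and ts - q[0] > window:   # expire failures outside the window
                q.pop(0)
            if len(q) >= per_account and user not in flagged_users:
                flagged_users.add(user)
                alerts.append(("brute_force", user, f"{len(q)} failures within {window}"))
            users_by_ip[ip].add(user)
            if len(users_by_ip[ip]) >= spray_accounts and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append(("spray", ip, f"{len(users_by_ip[ip])} distinct accounts"))
        elif result == "Accepted" and user in flagged_users:
            alerts.append(("success_after_failures", user, f"from {ip} at {ts.isoformat()}"))
    return alerts


def sample_lines():
    """Constructed sample log (assumption): 25 failed logins against 'admin' from
    one IP in 25 minutes, then a success from the same IP; a second IP trying
    12 different accounts once each; and one unrelated line that is ignored."""
    base = datetime(2024, 8, 1, 2, 0, 0)
    lines = [f"{(base + timedelta(minutes=i)).isoformat()} Failed password for admin from 203.0.113.5"
             for i in range(25)]
    lines.append(f"{(base + timedelta(minutes=26)).isoformat()} Accepted password for admin from 203.0.113.5")
    lines += [f"{(base + timedelta(hours=3, seconds=i)).isoformat()} Failed password for invalid user user{i} from 198.51.100.7"
              for i in range(12)]
    lines.append("2024-08-01T06:00:00 sshd: unrelated line")
    return lines


if __name__ == "__main__":
    for kind, key, detail in detect(sample_lines()):
        print(f"{kind:24s} {key:16s} {detail}")
```

The thresholds are deliberately conservative; the point of the story is that the alert was raised and then not acted on, so a rule like this only helps if the `success_after_failures` alert in particular is routed to someone who must acknowledge it, not to a mailbox the IT team can ignore.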

“We have already penetrated your clients’ networks. We used your passwords and can clearly see a map of the networks of all victims! After all, you know what is happening and what fines await the company, what litigation can be between the corporations that you let down if it becomes public.

“By resolving this incident in silence and without unnecessary noise, you will be safe.
“Are you ready to start negotiations with us on non-disclosure of the data we received?
“If you refuse, it will be very sad for your company.”

I won’t regurgitate the entire story here, but here’s the gist - while the company leadership panicked, someone was smart enough to engage expert ransomware negotiator Nick Shah, who (like something out of a spy novel) operates from a beachside resort in Mauritius. 

By staying calm and slowing things down, Shah worked to determine what the hackers had gained access to. He then took control of the negotiation and eventually reduced the demand from $2 million to a mere $179,500. The company, relieved, paid the hackers, and the threat was lifted.

Here are some of the insights I gleaned from this story. 

This happens ALL the time: Ransomware used to be a small-time deal, with hackers usually just asking for a few hundred dollars to unlock your files. But that all changed around five years ago.

Once these organized crime groups in Russia and Ukraine realized how much cash they could make from ransomware, they stepped up their game. They developed more sophisticated attack methods and started pursuing bigger payouts—we're talking millions of dollars in ransom demands.

Things went into overdrive in 2019, with a huge spike in ransomware attacks and the size of the ransoms skyrocketing. When the pandemic hit shortly afterwards and nearly every business moved online, cybercriminals had a field day exploiting all that newly exposed attack surface.

By 2022, the financial damage from ransomware in the US was just insane. Cyber insurance companies had to pay out over $4 billion in claims that year, covering everything from business disruptions to incident response to the ransom payments themselves, often in crypto. 2023 saw a 70% jump in ransomware attacks, with the hackers scoring over $1.1 billion in direct ransom payments.

But even those numbers are probably just the tip of the iceberg. Cybersecurity experts think something like 90% of ransomware cases never even get reported because companies don't want the bad PR or regulatory headaches from admitting they got hacked.

Hackers operate like corporations: The ransomware game has become more complex lately. Russia and Ukraine are still major hubs, but we're seeing ransomware outfits popping up all over the place - Iran, Brazil, India, North Korea, China, Peru, you name it.

Some of these hackers seem to be going rogue, almost like digital-age pirates. But others appear to have at least tacit backing from their home countries. Figuring out which is which is tricky - as one FBI expert put it, are the crooks selling their skills to intelligence agencies, or are government-trained hackers moonlighting for personal profit? 

The top-tier ransomware gangs have professionalized their operations, setting up shop like proper corporations. They've got HR departments, complex hierarchies, the whole nine yards. They even issue press releases ("We're thrilled to announce we encrypted Acme Inc's network and stole 35 TB of data!") and have user-friendly dark web portals where victims can try to negotiate. One negotiator told The Economist it's actually faster and more helpful than calling Apple support.

Successful ransomware attacks require specialized skills, and different people handle the malware, network infiltration, data processing, negotiation, and so on. Affiliates are often in different countries, too, which makes it a massive headache for cops to even begin tracking these guys down.

A lot of companies decide to pay: Hollywood movies often show cool-headed decision-makers who take the line that “We don’t negotiate with criminals.” In reality, most companies do negotiate and do make the payments. 

The issue of ransom payments is complex and contentious. Some argue that coughing up the cash only encourages and enriches malicious actors, perpetuating and incentivizing further attacks. Last year, a senior White House official even raised the possibility of banning ransom payments altogether.

The British government is currently proposing compulsory reporting of ransomware incidents and requiring firms wishing to pay a ransom to first receive a government license. This sounds like a bureaucratic nightmare to me.

However, many cybersecurity experts believe that government attempts to penalize or prohibit ransom payments could be counterproductive. They argue that even if such measures could be effectively enforced, exceptions would likely need to be made—for instance, would you really forbid hospitals from paying to regain access to critical systems? As soon as exceptions are granted, those entities may then become prime targets.

Some public organizations are already forbidden from paying the hackers, and are discouraged from negotiating with them at all. But the stigmatization of negotiations plays into the criminals' hands, as it makes victims more reluctant to share information with each other or the authorities.

Attacks that endanger lives or critical infrastructure do occasionally occur, but these are often believed to be unintended consequences rather than deliberate targets. Some ransomware groups have even issued press releases claiming they will refrain from attacking hospitals or schools, seemingly to portray themselves as "socially responsible."

Try to determine what the hackers have: This is the difficult part. The attackers claimed they had access to the service provider’s entire client network, but they may have been bluffing. Shah suggested that the comparatively low-ball demand of $2 million meant “they had no idea” of the value they were sitting on. The hackers never named specific clients, either. 

Rather than reveal that he was a ransomware negotiator, Shah pretended to be a mid-level female manager in the IT department who needed approval for every step. He asked the hackers if they could provide more detail on the information they had accessed, but the hackers side-stepped the question. 

The other factor is that gangs may decide not to risk going after major targets - governments, police forces, etc. - because they don’t want to draw too much attention to themselves or cross a line that would prompt a law-enforcement or government response. In the end, Shah said there was simply no way of knowing what the gang had accessed.

Slow things down: Shah’s key technique was to refuse to comply with the hackers’ deadlines, such as “you must respond within one hour.” Shah limited responses to working hours only, used corporate, professional language, and often waited 24 hours between making each response. Despite the organization’s stressed-out Board wanting to resolve the issue as fast as possible, he dragged the negotiations out - and it worked. The hackers became increasingly desperate, voluntarily dropping their demand from $2 million to $750,000, then accepting an offer of only $179,500. 

This was a win - of sorts. The hackers got paid and disappeared, the hole in the system’s security was closed, the client network was apparently never attacked, and outside of a handful of people, nobody ever knew that the company was hacked. But it’s a chilling example of criminal activity that is largely unreported. 

If it happens to you, the best advice is to stay calm, slow down your responses, and call a negotiator like Nick Shah. Better still, remember how this one started: the SOC saw the brute-force attempts on the admin account before the attacker got in, and the alert went unanswered. Acting on that alert would have been far cheaper than any negotiation.

The Future of Work: Gig Economy Survives its Day in Court

The people at Lyft, DoorDash, and Uber must be celebrating right now. They’ve just avoided paying additional costs of $300 million, $1 billion, and $1.1 billion, respectively. 

California’s Supreme Court has upheld Proposition 22. This law lets gig companies treat their workers as independent contractors rather than employees; reclassifying them as employees was a change the companies believed would pose an existential threat to their business. 

The arguments for Prop 22: The gig companies' main argument was that classifying their workers as employees instead of independent contractors would undermine the flexibility that's a big part of why people are drawn to gig work in the first place. They said that as contractors, workers can choose their own schedules, hours, and work locations. But reclassifying them as employees would mean imposing more rigid working conditions and hours, taking away the flexibility that a lot of gig workers really value.

Additionally, the companies maintained that shifting to an employee-based model would seriously disrupt their established business operations. They claimed it would force them to significantly hike prices for consumers, and could even lead to large numbers of workers leaving the platforms altogether, since the companies wouldn't be able to keep operating the way they do now under an employee framework.

The gig firms also emphasized that Prop 22 was approved by nearly 10 million California voters back in 2020. They argued this showed there's strong public support for preserving the contractor model, and that the court should respect what the voters had decided. The companies also said that many gig workers themselves prefer the independent contractor status because it gives them more autonomy over their work. The companies contended the workers don't actually want to be reclassified as employees and lose that flexibility.

The arguments against Prop 22: Labor rights groups strongly opposed Prop 22, arguing that gig workers should be classified as employees rather than independent contractors. As employees, the workers would be entitled to benefits and protections such as minimum wage, overtime pay, unemployment insurance, workers' compensation, paid sick leave, and the right to organize. 

The labor groups contended that treating gig workers as contractors denies them these basic employee rights and leaves them vulnerable. They voiced strong opposition to the aggressive $200 million campaign that the gig companies funded to back Prop 22. They argued this demonstrated the companies were willing to spend heavily to maintain their contractor model and avoid reclassifying workers.

Overall, the core argument against Prop 22 from labor advocates was that it allowed the gig companies to skirt their responsibilities as employers and deny workers the full protections and benefits they deserve. 

All in all, this ruling is seen as a massive victory for Uber, Lyft, and other gig companies. It lets them keep classifying workers as contractors, not employees with full benefits. 

Shares of Uber, Lyft, DoorDash, and Instacart all spiked on the news, with Lyft jumping most by 7.4%.

Here’s Uber’s statement: “Whether drivers or couriers choose to earn just a few hours a week or more, their freedom to work when and how they want is now firmly etched into California law, putting an end to misguided attempts to force them into an employment model that they overwhelmingly do not want.”

The ruling sets the tone for gig-worker regulation in other states and may discourage other legislators from tackling the issue. Washington state has passed a law preserving the companies’ independent-contractor models. Massachusetts reached a settlement with these companies last month that mirrors Prop 22. 

Overseas, gig companies have had fewer legal victories. Uber made a major concession in the UK when it was forced to grant drivers an employment status that entitles them to vacation pay and pension contributions. The EU has promised gig workers greater social and labor rights, Australia has introduced new laws that define “employee-like workers” in the gig economy, granting them the right to negotiate minimum pay and conditions, while gig drivers in Singapore will receive a form of social security.

AI Insights

  • NVIDIA is accelerating humanoid robotics development with a suite of services, models and platforms, meaning they can be trained and deployed faster. Why are humanoid robots more popular than, say, a robot that is simply a box with an arm attached? Because they can interact better with the human environment we live in, enable more ‘natural’ interactions with people … and humanoid robots have greater potential to replace human workers. 

  • Study finds AI is hampering productivity: A recent study found a disconnect between executive expectations and employee experiences with AI. While 96% of C-suite executives expect AI to boost productivity, 77% of workers using AI say it has increased their workload and hampered productivity. Nearly half of these employees report not knowing how to achieve expected gains, and 40% feel their company is asking too much of them regarding AI adoption.

  • Microsoft is calling for laws to crack down on AI-generated deepfakes and protect against fraud, abuse, and manipulation, especially during elections. The company believes law enforcement needs a legal framework to charge perpetrators, and that all AI companies should label AI-generated content.

Struggling to find the right talent for your business?

Express Employment Professionals is here to help, with local teams deeply connected to your community. They understand your needs and have access to global resources, making hiring a breeze.

The Supply Aside

Scott Galloway, an NYU Business School professor, explains why the financial advice of our parents’ generation no longer applies in the face of so much disruption - longer working lives, galloping inflation, and housing affordability. As a WSJ reviewer points out, there’s really nothing very new here in terms of advice, but Galloway has a refreshing, no-BS style. For example, he points out that despite hundreds of personal finance experts urging us to save and invest from a young age, the reality is that most people in their early careers simply don’t make enough for this to be feasible. Nevertheless, there’s practical advice around riding big economic waves, the importance of diversification, tax planning, and taking a stoic approach to developing better financial habits.

This is a useful resource in terms of building your financial literacy, but it’s important to keep in mind that Galloway - who tells us (twice) that he owns a jet - made his fortune through buying and selling companies, not through careful financial management. I’m generally a fan of Prof G, so I had to pick this one up. Glad I did, as it’s overall an interesting read. And yes, no one will confuse this with his best work. 

What Else I’m Reading

  • New Boeing CEO has an enormous task ahead: Kelly Ortberg, formerly of Rockwell Collins, is being billed as a “company doctor” who plans to turn over every stone, identify what needs to be done, and make the difficult decisions needed to save Boeing. As Bloomberg writes, “stabilizing Boeing will be one of the most audacious turnaround challenges in corporate America.”

  • How to build your workplace “Rizz”: Charisma - the ability to charm others, network with ease, chitchat and effortlessly take control of a room - has traditionally been placed in the ‘you’ve either got it or you don’t’ column. But author Charles Duhigg believes “Rizz” can be developed. Anyone (even introverts) can become a super-communicator by fostering connection, making our conversation partners feel special, and matching others’ vibes.

  • The Greatest Books of All Time: Shane Sherman, a computer programmer in Texas, has used more than 300 lists to come up with a list of lists, which he calls the “greatest books of all time” (GBOATs). It has more than 10,000 books, which means that I’d better get reading if I have any hope of getting through the GBOATs in my lifetime! What’s number one on the list? Gatsby.

📺 Watch - The Olympic Games

There's nothing quite like watching the world's best athletes compete at the highest level. The sheer dedication and hard work that goes into reaching this stage is awe-inspiring. It’s always exciting to see the USA-China rivalry play out on the field and in the pool (rather than in the usual geopolitical arena). While the USA has more medals than any other country so far, what really matters is the gold medal tally - and that’s what we’ll all be watching closely. I’m looking forward to the 2028 LA Olympics, where they’ll include two of my favorite sports - squash and cricket - for the first time. My all-time favorite remains the NFL. 

It seems Meta is really going for it with this open-source AI push, which seems to be a shift from the more closed-off approaches of companies like Google and OpenAI. Bloomberg's Emily Chang got to sit down with Zuckerberg and talk about how their new Llama 3.1 AI model could impact business, tech, and society. She also headed out to his place in Lake Tahoe, where she got to see Zuckerberg's personal side - chatting about his growth as a leader and even learning how to wake surf with him and his wife Priscilla.

It's an interesting look at how Meta is positioning itself in the AI space, especially compared to some of the tech giants. The personal angle on Zuckerberg gives some good insight into the guy behind the company. I'm curious to hear his thoughts on the potential implications of their Llama model.

💡 Think - Jobs Galore, No More?

I've been tracking the recent shifts in our job market, and the extraordinary boom is clearly winding down. The unemployment rate has increased to 4.1%, and the frenetic job-hopping we saw during the labor shortage has slowed. We're back to pre-pandemic levels of job openings per unemployed person.

It's remarkable how quickly things have changed. A mere 12-18 months ago, wages were soaring, and employees held all the cards. While still relatively healthy, the market presents new challenges for job seekers. Low layoff rates are reassuring for those employed—companies seem keen to retain hard-won talent. But for those hunting, competition is intensifying.

As we navigate this transition, I'm curious about the long-term implications. Will we see gradual cooling or more significant changes? One thing is certain: it's a lot easier to hang on to your current gig than to find a new one.

📕 From my upcoming book…

The following is a short excerpt from my upcoming book, Fire the Boss, Keep the Love: 10 Jobs, 10 Exits, 10 Lessons. The release date is coming soon!

A month into the job at ANC, it still felt like day one. As Manager, Vendor Supply Chain, I was running in circles. That's not my nature. I was always one to take initiative, but I was floundering, and it wasn't just obvious to me. Around that one-month mark, I remember a meeting where I was filling in for my boss. My GM and some other leaders also participated. About halfway through the meeting, the GM asked me something I had no idea about.

I mumbled some non-answer, and his biting response is still etched in my memory today. It was something like, "Pretty soon, I'm going to start wondering what the hell it is exactly you do around here." Ouch. I laughed, thinking it was a joke. Then I realized he wasn't kidding. He was serious. And the truth was, I didn't know what I was doing in that meeting either - or at ANC, for that matter. 

Here’s the thing. ANC wasn’t the villain in a corporate horror story. This wasn’t your “worst office in the world” situation, where I was in a toxic environment. The challenge? Breaking through the dense fog of their insular culture, especially as the new kid on the block.

Charts of the Week

US debt crosses $35 trillion

Quote of the Week

“You gain strength, courage and confidence by every experience in which you stop to look fear in the face. You are able to say to yourself, I lived through this horror. I can take the next thing that comes along…you must do one thing you think you cannot do.”

- Eleanor Roosevelt

Tweets of the Week

The Final Chuckle

Thanks so much for reading. I’d love to know what you think about this issue and how I can make it more useful to you.

If you have suggestions or topics you want to see me address, email me at [email protected]!

Want more?

If you’d like to read more of my writing on the supply chain, entrepreneurship, or the future of work, check out my website.

For timely updates, follow me on LinkedIn and Twitter!

Happy reading this weekend!

-- Naseem