WannaCry! When you cannot have Cyber Security Fail?
Photo: Marcus Hutchins sits in front of his workstation during an interview in 2017.[1]
Mr WannaCry has admitted his guilt as a cyberattacker. He was in the news again on 20 April 2019, when he pleaded guilty in a US court. Hutchins faces up to five years in prison, and up to $250,000 in fines, on each count.[2]
As recently as 29 April, US media were debating the value of a hard sentence.[3]
The world was hit by a major cyber security issue in May 2017: WannaCry. It was not the first and it won’t be the last. Have Boards, C-level management and auditors learned the lessons yet?[4]
Marcus Hutchins (known on the internet as “MalwareTech”) sprang to stardom by playing a major role in stopping the spread of the “WannaCry” ransomware (the malware is known as “Kronos”). He was more than a poacher turned gamekeeper. He was employed as a malware researcher and was based in Ilfracombe, Devon, U.K. He was “the man”. He worked in cyber security but created and distributed malware as a hobby![5]
He admitted his crimes.[6]
His business began in 2014 with stealing bank identities and selling them to Russian criminals. His talents were later applied to point-of-sale systems too!
It happened to me
To those of us who have suffered from Crypto-lock (ransomware), cyber security is a clear and present danger. One Friday evening I was sitting at my desk in our CBD office, working on my laptop but connected to the company-wide network, and Crypto Lock exploded on my screen and I was “hit”. It exploded at 6:00 pm sharp. I was at my desk because I had promised a client a paper. I ran from my office and there was a member of the IT team still in the building. I explained the situation and he ran to my office and disconnected me from the server. I was down, but the network could still be infected.
It was a horrible weekend but I learned a lot – thanks to the IT team who worked over the weekend. I suggested I could log into another PC and update my data from the week-before backup – “No, it is probably infected” – and the month before? – “It could be infected too. Just sit and wait.” I learned that this process would have occurred over several weeks. The demand I received was for a payment in Bitcoins and I was given 24 hours to comply.
What surprised me was that the same scenario had played out with a subsidiary’s CEO, based on the same floor, but this had not been reported up the line to the main board as people were embarrassed.
Just imagine this on a grand scale – your whole business is gone – not only have you lost your PC, phone, watch and bank account – all gone. You and all your work associates are in the same position, and all the client data is …? Are you the next Panama Papers?
It happens to others too!
Daily we read and hear of massive cyber system attacks. The names are big: the British National Health Service, Boeing, banks, Parliament House Canberra. We are told by experts it could only be done by a foreign government because of XYZ. Do we care if it is the CIA, AFP, China, Russia, North Korea, Australia or Uncle Joe? We want our systems, connections and data to be safe, and we need them to work. We are all using less paper and fewer physical files. The consequences have become more worrying as we place more and more in the cloud – not just music, photos and emails but our critical records – client files, bank statements, our accounts, our financial transactions, staff details, our supply agreements, our contracts. This list seems to be endless.
Could it happen to you?
How many mid-size companies have a CIO (Chief Information Officer) or a board member with deep IT experience or understanding? It is something we leave to experts, and in my most recent experience it is outsourced – we had over 400 people nationally dependent on our systems. Even the IT professionals sitting in our office were contractors from an outside organisation.
Repeatedly, commentators have reminded us that what is needed is good people and good processes. Buying or adding another box or piece of software is not the real solution. What is still needed is good, experienced people to do reviews, keep software versions current, produce reports and intervene manually.
As a former corporate treasurer, what scares me is that so many large organisations have treasury and trading functions the size of a small bank but without the management, controls and board focus of even a small business. I see the points of vulnerability as:
1. Treasury,
2. Commodity trading (sales and purchases),
3. Sales collections and procurement payments,
4. Accounts payable / receivable, and
5. Payroll / expenses.
In modern business these are seen as “cost centres” and not “profit centres”. The focus is therefore on reducing costs. Increasingly, middle management are given remote access to authorise transactions on these and associated banking systems. There are more access points into the system.
In May 2017, Eric Berdeaux, CEO of GRC software firm OXIAL, said “WannaCry mostly targeted firms that hadn't made a significant investment in cyber-security”, and so it is “hard to say the response was a failure”.[7]
Clearly cyber security is not a plug-and-forget solution. Firms and organisations need good software, but it needs to be maintained, updated, checked and challenged. First, organisations need to know whether there has been any attempted cyber attack and how the systems and staff responded. Often staff will react by shutting down a system or isolating what is under attack – e.g. an interface with one bank. It is the people who need to solve the problems – yes, good software is needed, but it is not a “black box”; it needs good people and practical processes. Each organisation needs to have these good people familiar with their setup and ready for the call.
Who needs to act?
Boards, auditors and C-level management need to understand what their mission-critical systems are and ensure:
1) They are properly funded and updated.
2) Staff are first class, trained and re-trained – current.
3) Systems issues are reviewed and vendors called to account.
4) The system is challenged by someone who knows how to look for weaknesses.
5) This is not just left to internal audit, external auditors or treasury system consultants. We need to call in the cyber security experts. We need to have them certify our system security and commit to our disaster recovery plan.
Most companies see their important systems as core to what they do. Armies don’t just do desktop studies. Armies engage in large-scale wargames at great cost. They test the robustness of the team. As part of this they appoint “bad guys” and people defect to the “dark side”. If we want to test our physical security systems, we need to call in a consultant and say “Please look at our building and see if you can get in.” We need to be ready in case our system is violated and/or our bank is not available.
As a director, former corporate treasurer and chair of the Audit Committee of a large public body, my view is that you need to call in the professionals and let them tell the Board or the Audit Committee: “We tried but we couldn’t get in.” I wonder if this will be the answer.
Second, whether or not they get in this time, does the Disaster Recovery Plan a) address the issue and b) provide the necessary path?
Third, talk to your insurance broker about:
a) Business interruption insurance coverage
b) Economic loss coverage
c) Professional indemnity
d) Directors and Officers cover
e) Liability for loss of client information
f) Class action coverage
As an independent director or audit committee member I sometimes need to ask uncomfortable questions, which C-level management do not like, and which cause companies to spend money. I do believe this is why I was appointed – this is much better than talking at a press conference about the company being “off-line”. Boards do need “New Generation Directors”[8] who want to contribute.
I needed to find such a consultant for one of my clients. Not an easy task when you don’t know all the questions, let alone the answers you should be hearing.
By Paul Raftery (see www.paulraftery.com.au)
[2] Collier, Kevin; “WannaCry 'hero' pleads guilty to hacking charges”, https://edition.cnn.com/2019/04/19/politics/marcus-hutchins-pleads-guilty/index.html. Read 21-04-19.
[3] See Robert Hackett, “How to Deal With Marcus Hutchins: No Pardon, But Public Service”, Fortune, 29 April 2019, http://fortune.com/2019/04/29/marcus-hutchins-wannacry-kronos-hacking/
[5] Source: Davey Winder (20 April 2019), www.forbes.com/sites/daveywinder/2019/04/20/wannacry-hero-marcus-hutchins-pleads-guilty-to-creating-banking-malware/#6a0de75513e8. Viewed 21-04-19.
[7] See Davey Winder, “Has WannaCry trashed reputations of leading cyber-security vendors?”, 25 May 2017, www.scmagazineuk.com/wannacry-trashed-reputations-leading-cyber-security-vendors/article/1474592. Accessed 21-04-19.
[8] This term has been developed and marketed by Kyle Hammond, CEO, Directors Institute (Sydney) (see https://www.directorinstitute.com.au/about/). It is not about age; it is about how directors need to think and act.