Where the rubber meets the road on cyber security
Last weekend Central Otago hosted the 40th and final Brass Monkey motorcycle Rally. This hard-core motorcycle rally of choice for the Kiwi motorcycle fraternity normally attracts around 1500 two-wheeled punters to Maniototo.
But last weekend the word “final” ramped attendance up to 5000, meaning the iconic event went out with a celebratory bang rather than a whimper thanks to a combination of bucket-listers and curious locals.
A celebration aided by both Jordan Luck belting out Kiwi favourites, some excellent beer and an impressive set of fireworks around midnight.
Apart from an exponential rise in compliance costs, the Monkey fell victim to the ageing of the Otago Motorcycle Club organising committee. Now they are all close to 80 and reckon they deserve a rest. Hard to argue with that after 40 years.
Sadly the weather gods failed to bless the final Brass Monkey with a decent frost. Temperatures sat around a balmy 8 degrees Celsius, a far cry from 2018 when the hoar frost kept things well south of zero.
My team of Monkettes have a taste for roads less travelled. Ideally they go from nowhere to nowhere and there’s a quicker way for those in a hurry. This year our rally route included the Hakataramea Track, the Old Dunstan Rd and the Black Forest Track.
The weather bomb that had hit Canterbury a few days earlier turned normally benign river crossings into deeply gouged crevices that took their toll on riders and machines. Many of our riders went down in the rough, some of them repeatedly.
But good bike preparation and good processes paid dividends, so everyone got through and no one got hurt (although some got a bit wet). We have a handful of rules so riders know in advance who’s responsible for what and how to fix things in the middle of nowhere.
This concept of being well-prepared in advance of adversity came to mind last week in the wake of the hostile cyberattack on the Waikato District Health Board.
Hackers broke into the health board’s technology stack on May 18, resulting in a full outage of the board’s extensive information services. Given the interconnectivity of the system, it also affected services at Te Kuiti, Taumarunui, Thames and Tokoroa, as well as Hamilton.
At the time of writing it’s still to be fixed, with a collection of manual processes and standalone systems keeping things marginally operational. Meanwhile the Government has confirmed that it will not pay any ransom to the hijacker group who claim to have personal and financial information of staff and patients.
The district health board is in good company. In the same week it was targeted, across in the United States a ransomware attack forced the shutdown of freezing works that process about 20 per cent of the country’s meat supply.
Meanwhile, in Australia, seven major companies appeared to have been hit by a similar attack. And the frequency is rising fast.
According to cybersecurity firm Purplesec, the number of malware infections per year has grown from just 12 million in 2009 to over 900 million in 2019.
For business leaders and company directors there has never been more need to be prepared before they experience a crippling digital kick in the head.
At the very least I think there are three questions that every chief executive and board director needs to be able to answer.
First, would you be prepared to pay a ransom to make a cyberattack go away?
The first response is to say no, but it’s not as simple as that. Although the Government needs to have a blanket response because it makes a juicy target, the same is not always true for the private sector.
If the ransom area is a small, standalone piece of tech that you can’t fix in a hurry but is costing you tens of thousands of dollars a day, then it might make sense to pay the bucks and then quickly stand up a new system. Prepared companies often use a point-scoring matrix to make the right call.
Second, who is the chief information security officer in the company? Hint: If it takes you more than two seconds to answer this question then you have the wrong answer. If you’re not big enough to have a full-timer then take on a virtual chief information security officer from the likes of ZX Security. Now, not when you are being attacked.
Third, what is the security methodology that you have in place? The international gold standard is the NIST framework run out of the United States Government, while my personal favourite is the Essential 8 baseline run out of the Australian Cyber Security Centre.
Whatever you have, the board needs to prove its execution on at least an annual basis.
Whether it’s piloting a motorcycle across dodgy terrain, or maintaining a digital security framework, the biggest risk is the floppy input device. Namely, the people driving it.
When it comes to the latter, a key element is the leadership and governance of those people. I reckon being able to answer these three simple questions is the bare minimum anyone in an oversight role needs to be able to do.
Mike “MOD” O’Donnell is a professional director and strategy facilitator, and an amateur motorcyclist. He’s done 23 Brass Monkeys and survived more than a few cyberattacks.