OPINION: Last weekend saw Central Otago host the 40th and final Brass Monkey Motorcycle Rally.
This hard-core motorcycle rally of choice for the Kiwi motorcycle fraternity normally attracts around 1500 two-wheeled punters to Maniototo.
But last weekend the word “final” saw attendance ramp up to 5000, meaning the iconic event went out with a celebratory bang rather than a whimper thanks to a combination of bucket-listers and curious locals.
A celebration aided by Jordan Luck belting out Kiwi favourites, some excellent beer and an impressive set of fireworks around midnight.
Apart from an exponential rise in compliance costs, the Monkey fell victim to the ageing of the Otago Motorcycle Club organising committee. Now they are all close to 80 and reckon they deserve a rest. Hard to argue with that after 40 years.
Sadly the weather gods failed to bless the final Brass Monkey with a decent frost. Temperatures sat around a balmy 8 degrees Celsius, a far cry from 2018 when the hoar frost kept things well south of zero.
My team of Monkettes has a taste for roads less travelled. Ideally they go from nowhere to nowhere and there’s a quicker way for those in a hurry. This year our rally route included the Hakataramea Track, the Old Dunstan Rd and the Black Forest Track.
The weather bomb that had hit Canterbury a few days earlier turned normally benign river crossings into deeply gouged crevices that took their toll on riders and machines. Many of our riders went down on the rough, some of them repeatedly.
But good bike preparation and good processes paid dividends, so everyone got through and no one got hurt (although some got a bit wet). We have a handful of rules so riders know in advance who’s responsible for what and how to fix things in the middle of nowhere.
This concept of being well-prepared in advance of adversity came to mind last week in the wake of the hostile cyberattack on the Waikato District Health Board.
Hackers broke into the health board’s technology stack on May 18, resulting in a full outage of the board’s extensive information services. Given the interconnectivity of the system, it also affected services at Te Kuiti, Taumarunui, Thames and Tokoroa, as well as Hamilton.
At the time of writing it’s still to be fixed, with a collection of manual processes and standalone systems keeping things marginally operational. Meanwhile the Government has confirmed that it will not pay any ransom to the hijacker group who claim to have personal and financial information of staff and patients.
The district health board is in good company. In the same week it was targeted, across in the United States a ransomware attack forced the shutdown of freezing works that process about 20 per cent of the country’s meat supply.
Meanwhile across in Australia seven major companies appeared to have been hit by a similar attack. And the frequency is on a serious up-tick.
According to cybersecurity firm PurpleSec, the number of malware infections per year has grown from just 12 million in 2009 to over 900 million in 2019.
For business leaders and company directors there has never been more need to be prepared before they experience a crippling digital kick in the head.
At the very least I think there are three questions that every chief executive and board director needs to be able to answer.
First, would you be prepared to pay a ransom to make a cyberattack go away?
The first response is to say no, but it’s not as simple as that.
While the Government needs to have a blanket response because it is a juicy target, the same is not always true for private sector companies.
If the ransom area is a small, standalone piece of tech that you can’t fix in a hurry but is costing you tens of thousands of dollars a day, then it might make sense to pay the bucks and then quickly stand up a new system. Prepared companies often use a point scoring matrix to make the right call.
Second, who is the chief information security officer in the company? Hint: if it takes you more than two seconds to answer this question, then you have the wrong answer. If you’re not big enough to have a full-timer, then take on a virtual chief information security officer from the likes of ZX Security. Now, not when you are being attacked.
Three, what is the security methodology that you have in place? The international gold standard is the NIST framework run out of the United States Government, while my personal favourite is the Essential 8 baseline run out of the Australian Cyber Security Centre.
Whatever you have, the board needs to prove its execution on at least an annual basis.
Whether it’s piloting a motorcycle across dodgy terrain, or maintaining a digital security framework, the biggest risk is the floppy input device. Namely, the people driving it.
When it comes to the latter a key element is the leadership and governance of those people. I reckon being able to answer these three simple questions is the bare minimum anyone in an oversight role needs to be able to do.
– Mike “MOD” O’Donnell is a professional director and strategy facilitator; and an amateur motorcyclist. He’s done 23 Brass Monkeys and survived more than a few cyberattacks.