6 September 2020

The other virus hitting business

While business is focused on its response to COVID-19, another threat is lurking in the background.

By Dallas Gurney

In the 2017 Netflix series Money Heist, a mysterious man known as “The Professor” recruits a group of eight people to carry out an ambitious robbery of the Royal Mint of Spain.  His meticulous plan involves using hostages to help keep the police at bay for 11 days, which is just long enough to print €2.4 billion before (spoiler alert) escaping through a tunnel built many months earlier.

The Professor’s mantra: “The only thing we need to do is buy time.”  The longer they can keep the elite forces outside, the more notes roll off the printing presses.

The same approach has been taken by another gang of crims, these ones targeting prominent New Zealand businesses in the last couple of weeks.

On Tuesday August 25th, the NZX website ground to a halt after suffering a sustained DDoS cyber-attack.  The same happened on Wednesday, then Thursday, and it soon became apparent this was an attack of a prominence this country had never seen.

The answer, from both experts and the Government, was to wait until the hackers gave up.  “In the end you just have to withstand it and let it fizzle out,” GCSB minister Andrew Little told Newstalk ZB’s Mike Hosking the following Tuesday morning.  Meanwhile, MetService, Stuff and others joined the NZX as targets of the siege.

It is now known the attack was financially driven, with Andrew Little telling media the NZX received a ransom email prior to the start of the DDoS attack, requesting a sum of money to be paid or risk bombardment by bot.  The money was clearly not paid.

Just like The Professor’s band of misfits, time is money for these robbers too.  The longer they can sustain their attack, the more likely you are to cough up with the ransom.  “The only thing we need to do is buy time.”

The Government’s cyber security agency CERT NZ recommends businesses not pay hackers when targeted by ransomware.  But that advice is just that: advice.  The ultimate decision sits with the organisation itself.  There are many public examples globally, and probably infinitely more private ones, where companies have chosen to pay up to avoid the time, resource and embarrassment that comes with fending off a cyber-attack.

And this is happening to big companies.  Very big companies.  According to the Wall Street Journal, in January this year, global currency exchange company Travelex chose to pay $2.3m USD ($3.4m NZD) to end a raid which locked them out of their own system.  The attack ground Travelex’s online services to a halt and forced its retail kiosks to conduct manual transactions.  For a global company the size of Travelex, the cost would’ve quickly run into the millions, surely making the option to pay more and more attractive by the minute for the embattled financial services company.

On Sunday, chief security officer at cyber security firm Palo Alto Networks, Sean Duca, told Stuff businesses brought to their knees by the much more serious scourge of ransomware hacks could be inclined to pay ransoms to unlock their data and prevent it being auctioned on the internet, even though paying such ransoms was “unethical”.

The decision not to pay is a principled one.  It is understandable, in theory.  Crime should not pay.  But in practice, it is a harder call to make.  If it would cost you multitudes more to try to ward off the assault, would you blame a battered CEO for taking the easier option?

Of course, another consideration is whether by paying the ransom you just open yourself up to further trouble.  There is nothing to say paying will stop the attack; hackers are actors, after all.  And then there’s the impact on your credibility: paying off hackers could put a dent in your reputation.

The 2020 Cyber Defence Report from security firm PerimeterX found that 62 per cent of IT professionals said their networks had been compromised by ransomware, with many paying to get rid of the problem.

This is not an easy decision, made harder by the fact you are having to make it when you are at your most vulnerable.  You may not be able to trade.  The media could be beating down your door.  In some cases, all your data, including your darkest secrets, is at risk of being exposed for the world to see.

If you were the CEO of NZX, would you pay?  If not, in what circumstances would you?

If you say under no circumstances would you pay, I do not believe you.  Think about how annoying it is when you can’t get into your drives for a few hours because of an IT upgrade.  Imagine if that was a few weeks.  Or a few months.  Imagine if it was costing millions in lost revenue.  Would you pay up then?

The key to making a good decision under pressure is not having to make one under pressure.

Crisis-ready organisations work out exactly what they would do when faced with a cyber-attack, with all its variants, scales and possibilities mapped out, well before facing one head on.  The road map is tested time and time again through simulation, so leadership, and the front line team dealing with it, are well versed in how to react should the worst occur.  External specialists can help you get to grips with what’s likely, what’s possible and how the risk can be mitigated.

In the third series of Money Heist (again, spoiler alert) The Professor finds a new target, aiming to steal all the gold from the vault of the Bank of Spain.  To enable his team to enter the bank, he creates a diversion, dropping €140m in cash from the sky onto the streets below.  The citizens of Madrid go crazy and the police, distracted, drop their guard.

Has your organisation been distracted by anything lately?  A global pandemic, maybe?