How to prepare for a Cyber attack

On 27 June 2017 staff at the shipping giant AP Moller-Maersk became rapidly alarmed as screen after screen went blank right across their global office network.

The company had become an unintended victim of the NotPetya ransomware virus.

Developed as a disk-wiping cyber weapon by the Russian military and helped along by a leaked version of the NSA’s EternalBlue hacking tool – which is the same exploit that powered the WannaCry ransomware outbreak – NotPetya’s original target was businesses in the Ukraine.

However, the malware quickly got out of hand.

Soon it was spreading around the world, taking down networks and causing billions of dollars in damage and lost revenue.

For a period stretching into weeks Moller-Maersk was forced back into the operational disciplines of the pre-digital age – quite a feat when there is a Maersk container landing somewhere in the world every fifteen minutes.

By the time their systems had been fully restored (and the after-effects lasted some months) the business reckoned it had lost around US$300 million as a direct result of these events.

Moller-Maersk is one of the “celebrity” victims of cyber crime, but I would estimate that around 40% of the businesses with which I have some close personal acquaintance, have had financial losses caused, to some degree, by criminal cyber activity.

When it happens it is a scary thing. So what’s to be done about it?

How to prepare for a cyber attack

To answer this I have to be upfront and say that I speak as a generalist and lay no claims whatsoever to speciality technology knowledge.

However, the questions I would ask the executive team of any board that I sit on would basically be fourfold.

1. Do we have to explicitly adhere to a defined set of standards on cyber security?
   
   In the UK there is a ten-step programme for cyber security promoted by a government agency called the National Cyber Security Centre (www.ncsc.gov.uk).
   
   Unless there is a programmatic and structured approach to this then your business is already amongst the most vulnerable to random malware attacks.
   
   
2. Do we have the effectiveness of our adherence regularly tested by an independent, reputable cyber-security firm?
   
   Such businesses can endeavour to hack into operating systems as well as test the more mundane (but more common) approach of phishing for valuable company data or to initiate fraudulent payments or transactions through the e-mail system.
   
   A criminal will not check with your IT director to ascertain where there might be holes in your defences and so you should not simply rely on their assurance that all is well.
   
   Good IT directors will insist on this approach anyway.
   
   
3. Do we get structured and comprehensible feedback on such penetration and vulnerability testing to the executive committee and main board, including clear direction on corrective actions?
   
   It’s pointless doing the testing if we don’t then work to fit, as it were, better locks and hinges to our cyber weak-points. Some businesses now even have a cyber-risk committee of the board.
   
   
4. Do we have a tested plan on how we would operate if our systems succumbed to a Moller-Maersk-type disaster?
   
   It is hugely valuable if we set aside a couple of hours every six months or so to test how well we can operate if our systems become unavailable as a result of a cyber attack.
   
   Although this might seem like an unwelcome distraction it is 100 times less distracting than having your business shut down because you don’t have a plan.

Why it’s important to go back basics in business

Particularly on that last point, it’s important that your people don’t become so detached from the practical steps of the operation that they can’t even imagine how it might be made to work without a computer system.

Furthermore, it’s likely that if they are forced to visualise the practical, essential links in the daily process of getting something on- and off-rent and billed, without a system doing it, then they will also start to identify opportunities for process simplification and improvement.

So there are benefits to be gained, even if you’re fortunate enough to avoid a malware-driven systems outage.

I recently heard an elder-statesman of a well-established British business tell how the company’s safe and enclosed documents were destroyed in an air raid during WW2...

The response? All the staff got together and collated, from memory, which sales and purchase orders were outstanding, who their customers were and which customers owed money and how much.

In this way they were able to re-create all of their company records and keep trading with, as far as they could tell, no loss of revenue or cash. Now that is disaster recovery!

If our business information disappeared today through a cyber-raid as opposed to an air-raid, it would be an amazing achievement, and a stretching goal, to achieve the same outcome.

*This article was originally published under the title ‘Attack of the Cyber-villains’ in the November-December 2019 issue of IRN magazine. To download it, and or other issues, click here.

About the author Kevin Appleton is an experienced senior executive and advisor in the equipment rental, logistics and construction service industries. He is a former CEO of Lavendon Group and a chairman and/or non-executive director of a number of companies in the rental and logistics sectors. To comment on these articles, e-mail: [email protected]