RiskLogic

Cyber Resilience: Going Beyond IT Concerns

Cybersecurity: Not Just an IT Issue


It seems nowadays that just about everyone has technology making their lives easier (or worse). You can paint a masterpiece with your finger via an app on your phone, and then tag the astronauts on the ISS from your lounge or even become an overnight sensation just by wearing a Star Wars mask. So when do we stop to think (and seriously consider) how vulnerable we are to technology?

In 1999, New Jersey resident David L. Smith gave a show-girl in Florida the ultimate gift: a computer virus that bore her name. Using a stolen America Online account, Smith posted a Word document infected with “Melissa” to a discussion group on America Online, purporting it to be a list of usable log-in information to pornography sites. Smith’s virus spread via email, forwarding itself to fifty email accounts in Microsoft Outlook on every infected computer, which, over time, overloaded email servers and forced companies such as Microsoft, Intel, Lockheed Martin, and Lucent Technologies to shut down their email networks. In the end, Melissa performed viral dances on upwards of one million infected PCs and caused $80 million in damage.

A year later, in February 2000, Michael Calce, aka “Mafiaboy”, singlehandedly took down Yahoo, CNN, eBay, Dell, and Amazon. The first major distributed denial-of-service (DDoS) attack, responsible for crippling some of the internet’s most popular websites, was executed by a Canadian citizen not old enough to drive. Mafiaboy, a 15-year-old, set out to make a name for himself in February 2000 when he launched “Project Rivolta,” which took down the website of the #1 search engine at the time—and second-most popular website—Yahoo. Thinking it may have been a fluke, he went on to attack the servers of CNN, eBay, Dell, and Amazon in a wave of highly publicized attacks that were the first to show the world how easily one kid can knock out major websites.

Michael Calce: The Interview. Photo by Vincenzo D’Alto.

Now imagine you were Jerry Yang of Yahoo or Satya Nadella, and you’ve just been told by your IT team that someone has posted millions of viruses to all customers and personal details are now missing. You ask them, “OK, what can we do about this? Can we get the details back? Can we find out who they are?” The answer, as in so many cases, is a resounding no.

Within an hour, only 10% of Yahoo’s customer base realises they’ve been hacked; however, they’ve now involved the media. Before the executive has even made their first morning coffee and fed the dog, they’re standing in front of the world press to explain how the company they run, one of the biggest and most profitable in the world, has just been hacked by a kid not even old enough to intern for them.

OK, yes, you’re probably not running Microsoft right now, but that doesn’t matter. You have a responsibility beyond your IT’s security. Are you ready to action this when it’s time?

A cyber attack isn’t an if situation, it’s a when. Over the last two years, 70% of crisis events have been IT related. That means 7 out of 10 negative impacts on your business are technology/IT based.

Further to my post around convincing a CEO to revisit their business continuity, it’s important to look into more specific issues that the leadership team is going to have to deal with. What plans could you set in place that will be effective? What will you do to maintain trust and a high level of service to your customers?

Technology doesn’t attack organisations, people do. It’s silly mistakes from people that open up business operations within seconds.

Brad Law, NZ Country Manager, has given these talks hundreds of times. Dealing with some of the world’s most important sectors, the message is always the same: “the biggest attack vector by a large margin is people and people being careless”.

“I think the most important thing to impress upon [your staff] when it comes to IT security is that most of the time technology isn’t the issue”

An attack as serious as the WannaCry cyberattack was a prime example of organisations showing their resilience but also showing that they’d prepared in advance for such an event.

You can Google the names of the companies affected. This is not a good look for any organisation and could have easily been avoided. The companies’ computers didn’t infect the organisation, the people who run them did.


 

For all organisations, it’s imperative that you ensure you’re staying up to date as much as possible. Understand the threats, get to events and seminars on what the possible vulnerabilities may be within your organisation.

When was the last time you validated and checked your malware? If it wasn’t within the last 90 days, it’s overdue!
