article banner
From where we sit

In the aftermath of a cybercrisis

Paul Gonzales

First of 2 parts
Everything was still at the newly renovated penthouse office of Prix Healthcare Inc. The 25 workstations clustered in the center of the entire floor for everyone at the office was left empty. Several desk drawers and file cabinets sat half-open. Rows of lifeless black monitors jutted out from low glass panels meant as desk dividers to make the space look big. A handful of laptop displays went on screensaver mode showing the Prix logo. This time, the corporate video was not playing on the 98-inch curved 8k TV at the lobby. An uninterrupted beeping sound from a headset left unhooked from its cradle filled the room.

In his corner office, Mark Reyes, a lanky entrepreneur in his early 40s, married, with an angular jaw and penetrating eyes, has been talking on his spare bendable smartphone for the past 29 minutes. Clutching an energy drink, his gaunt frame is a far cry from his formerly lean and commanding stature. His backlit silhouette can be seen pacing back and forth behind the smart frosted glass installed a few weeks earlier. Meanwhile, everyone else was at the pantry, where they stood glued to Channel 10.

Melanie, the 52-year-old veteran primetime news anchor, replayed the events of the past four and a half hours. The news was interrupted now and then by an advertisement for standalone commercial cyberinsurance, offering specials when you ‘renew your 2021 coverage now!’ “Too late for that now”, said the IT guy nudging his lunch buddy and cocking his head towards Marks’ direction. Melanie delivered the breaking news in her crisp, clear, and deep voice: “the massive breach in the health sector led operators of declared Critical Information Infrastructures (CIIs) to scramble and determine how the virus works and how to stop its spread. Our expert from the Department of Information and Communications Technology (DICT) says that information about the attack is shared only between a few members within the sector’s Computer Emergency Response Team or CERT Network.” She effortlessly ended her news segment with “while most have relatively contained the spread of the virus within their own network infrastructures, others have struggled to stay afloat. The health industry worries about who is the next target.”

“Like I was saying… Mark, we are understaffed as it is; but, surely, I can loan you, our guys once the dust settles. These intrusion signatures are like nothing we have seen before. We are still grappling to contain it as we speak,” his friend on the phone said.

Like the vast majority of companies at that time, Mark fell into the trap and did not perceive a risk, believing his company was safe from cyberthreats. About a year after the national directive—DICT Memorandum Circular No. 005—took effect, prescribing the policies, rules, and regulations for protecting CIIs as stipulated in the National CyberSecurity Plan 2022—which ordered all CII operators to adopt and implement an information security management system—he judged that investing in an information security program to comply was at the bottom of his priority list. He couldn’t be bothered with it, having a lot on his plate just dealing with the Insurance Commission.

For him, the regulated certification, coupled with a mandatory security evaluation and participation in annual vulnerability assessments, involved considerable costs and effort. Even the self-declaration and certification mechanism for compliance seemed like a tedious undertaking. He brushed the thought aside.

“When the CERT Network went into full information sharing mode, they were quick to identify the cause of this madness, Mark; although it is still preliminary, the source seems to point…” Mark then heard a deep sigh and a crack in his friend’s voice “…I think your machines may have served as ground zero for the attack.”

An intense unpleasant physical sensation gripped Mark. His vision dimmed as he began to feel light-headed. Staring blankly at the barely-lit Makati skyline, he tried to recount how his morning played out.

It was a typical Monday morning. After a 20-minute jog around his apartment compound, he went for his routine double-shot macchiato and a traditional Greek gyro at the local deli. He saw a stray USB flash drive on one of the shop’s tables, but he knew enough not to touch it. Those drives can be weaponized and deliver self-replicating malware, he thought.

Nothing seemed to stand out of the ordinary. Although it was strange that one of his staff sent him an epub file copy of Mitch Albom’s latest book, This isn’t like her, he remembered thinking, then double-clicking on it anyway. He enjoyed the rest of his morning skimming through the highly anticipated prequel, alt-tabbing between several open windows on his Dell laptop: company and personal emails, various social media platforms, a free online epub reader, and a pdf copy of a Japanese visa application form he was waiting for to load, but never did.

* * *

This is a work of fiction. Names, characters, businesses, places, events, locales, and incidents are either the product of the author’s imagination or used in a fictitious manner. Any resemblance to actual persons, living or dead, or actual events is purely coincidental.

The author wants to show a precautionary tale of the near future, where cyberattacks continue to dominate the news and hackers win the cyberbattle, yet again, in a highly interconnected digital market. While the government finds diplomatic ways to impose its regulatory might, small businesses struggle to cope in a regulated marketplace with steep protection rules, where the overall cost of compliance schemes represent an additional barrier to market entry. And the need to focus on the human element and how it plays a crucial role in security. The biases and the impact of decisions that shape the course of our businesses, its competitiveness and impact on society.

Paul Gonzales is a Director of the Advisory Services Division of P&A Grant Thornton. P&A Grant Thornton is one of the leading Audit, Tax, Advisory, and Outsourcing firms in the Philippines, with 21 Partners and over 900 staff members. 


As published in The Manila Times, dated 6 February 2019