US tech giant Palo Alto Networks - which now numbers Sir John Key as one of its directors - has just reported a boom quarter.
The maker of Cortex, Prisma and other network security products beat analyst expectations with third-quarter FY2021 revenue that rose 24 per cent over the year-ago quarter to US$1.1b, and adjusted net income rose 22 per cent to US$139.5m.
The company also raised its full-year revenue guidance to US$4.20b to $4.21b and lifted its full-year adjust earnings outlook to a $581m to $583m range.
Recent high-profile attacks on the likes of giant beef producer JBS and Colonial Pipeline have highlighted that ransomware has shifted from an economic nuisance to a national threat, which is getting worse as many pay up, incentivising more offending. (Colonial coughed up a US$4.4m ransom, though most of the funds were later seized by the FBI as it hacked the hackers - somehow acquiring the private cyber-key to the final digital wallet they used, after much online ducking and diving, to stash the payment made in bitcoin).
Demand is also expected to be fuelled by US President Joe Biden's multi-trillion infrastructure package, which will include funds for upgrading America's national cyber-security defences, and similar moves in other countries (NZ, so far, has had a modest response in terms of Crown funds.)
Palo Alto Networks' NYSE-listed shares, which plunged from US$247.25 in February 2020 to US$143.53 in March 2020 during the shock of the first lockdowns, rebounded strongly to hit an all-time high in February. The stock ticked up on the result and was recently trading at US$357.35 for a market cap of US$34.2 billion.
"The work-from-home shift earlier in the year and recent cybersecurity issues have increased the focus on security. Coupled with good execution, this has driven great strength across our business," chairman and CEO Nikesh Arora said.
Cybercriminals know they can make money with ransomware and are continuing to get bolder with their demands, according to a recent report by the firm, which found the average ransom demand is now US$850,000, with the highest US$50m (from US$30m last year).
The Palo Alto Networks' report also notes that ransomware gangs are becoming increasingly slick in their operation - even taking the cocky step of issuing service tickets in the manner of a corporate helpdesk. It profiled a relative newcomer, an outfit called Prometheus, as an example.
"Like many ransomware gangs, Prometheus runs like a professional enterprise. It refers to its victims as "customers," communicates with them using a customer service ticketing system that warns them when payment deadlines are approaching and even uses a clock to count down the hours, minutes and seconds to a payment deadline," the report said.
"'We are closing the ticket and have started an auction on your data,' the group threatens when victims fail to pay up. But there's an out: Victims can click to open a new 'ticket' if they're willing to pay up to stop the auction and recover their data."
Warning for NZ boards
Key joined the company's board in April 2019. At the time of his appointment, he was awarded stock worth US$1m, according to an SEC filing, with one-third of the shares vesting after one year and the balance after two years." (The stock was at US$244.66 at the time of the filing).
In addition, the company expects to grant an annual award of restricted stock units having a value of approximately US$300,000 to Key on the date of each annual meeting of stockholders, beginning with the annual meeting of stockholders to be held in 2020, the filing said.
Although he had security and security technology experience as an ex GCSB Minister, the Silicon Valley-based firm tapped the former PM for his international political and business contacts.
Key declined to comment, referring the Herald to Palo Alto Networks regional chief security officer Sean Duca, who had a warning for Kiwi boardrooms as cyber-security threats escalate - as witnessed by the recent issues suffered by the likes of Lion, Toll Group, Fisher & Paykel Appliances, the Reserve Bank, the NZX and the Waikato DHB.
"There is an acceleration of highly visible attacks - whether supply chains, or ransomware. As we're all so much more reliant on technology, these can be crippling to organisations," Duca said.
"The New Zealand Government cannot combat this alone.
"The solution requires a collaborative effort from industry, Government and technology leaders.
"Key to this is the sharing of information to ensure that organisations are equipped with the necessary security, as well as an understanding of how to react should a breach happen.
"Business leaders must move beyond talking about cybersecurity at the board level and move into executing plans that defend and secure their digital property.
"There is a strong demand for cybersecurity as conversations about security move from IT departments to lawmakers and boardrooms."
Earlier, Duca said the fact NZ's government had to activate a crisis plan during the NZX attack - which involved drafting in the GCSB to assist the under-fire exchange - showed the seriousness of the cybersecurity crisis.
"The ramifications are not just significant to the financial sector, it's more the fact that someone's targeting something of national interest, that's part of the country's critical infrastructure."
Such infrastructure includes systems that provide essential services such as the electricity grid, communication networks and transport providers.
"Attacks like these are a bit of a wake-up call to organisations," Duca said.
Beyond boards needing to take the issue seriously, the tech skills gap has been part of the problem. Here, his firm chipped in during December as Unitec was named the first member of the New Zealand arm of the Palo Alto Networks Cybersecurity Academy. The US tech giant is supplying short-course content designed to "upskill and reskill full-time workers".
A legal obligation for boards
Bell Gully partner Tania Goatley recently emphasised that getting up-to-speed with cybersecurity threats is not just a pressing business need for boards. It's a legal obligation.
"Directors owe a broad duty to exercise the care, diligence and skill that a reasonable director would exercise in the circumstances. So they need to understand the specific cyber risks, determine cyber risk appetite, and take appropriate actions to deal with the risks. "
Regulators like the Financial Markets Authority have made it clear that boards are ultimately responsible for overseeing cybersecurity, the legal expert said.
"Failure to acknowledge or property engage with cybersecurity issues may become relevant to directors' duties under specific legislation such as the Financial Markets Conduct Act or the Health and Safety at Work Act. Under the Privacy Act 2020, any organisation that holds personal information must ensure it is protected by reasonable safeguards to protect against these sorts of cyber-attacks."