progress.”
“But that’s impossible. Our Security and IT departments assure me that we have implemented the very best cyber defences.”
There was silence on the other end of the line. Moorcroft slowly digested the implications.
Smith attempted to placate him. “Even the best defences can still be compromised, Dr Moorcroft. It may be that the hackers have only gained peripheral access. I’m sure your firewalls and intrusion detection systems would have notified you of any unusual activity.”
“Yes, I’ll check with IT.”
“Good. And you could also . . .”
“What?”
“Well, I was going to suggest that you have a penetration test performed, but I’m sure your IT department has those done regularly.”
“Penetration test?”
“Hiring someone to test your cyber defences, as if they were a hacker attempting to break into your systems. It’s the best way to know for sure if you have any weaknesses. If they find anything, they’ll report it to you and you can put new defences in place.”
“I’ve not heard of our IT department doing that, but then I’m not close to their day-to-day activities.”
“Well, there’s pentesting and then there’s pentesting .”
“What do you mean?”
“Given the nature of your business, your company lives and dies by its patents and other intellectual property, yes?”
“Yes.”
“Well, then maybe you should retain the services of one of the best penetration testers in the industry. They’re not all the same, you know. And, if you do it without anyone knowing — especially IT — then it would be a true test. A bit like when you do a fire drill. You don’t warn employees it’s coming, otherwise it makes a mockery of the test itself.”
“I see. That makes sense.”
“It’s like turkeys voting for Christmas. The last thing most Security or IT departments want is to be embarrassed by poor pentest results, so they don’t necessarily do it justice. They just hire large IT security companies to make it look like they’re doing the right thing. But it’s a skilled job and it always comes down to the individuals doing the test.”
“Hmmm.”
Smith had a point. But the most important point was that GCHQ had intercepted the term Project Myosotis from the Chinese. This was serious. As Head of R&D, Moorcroft had every right to protect the company’s interests. No, more than that, as a registered company director, he had a responsibility to protect the company.
It had nothing to do with Madeline’s condition, he told himself.
“Is there anyone GCHQ recommends, Mr Smith?”
“Not officially, but . . .” Smith gave Moorcroft the names and contact details for three independent penetration testers.
“I really appreciate your bringing this issue to my attention, Mr Smith.”
“You’re welcome. Hopefully, you’ll never hear from me again.”
Smith ended the call. And only then did Moorcroft remember that Smith had called him on his mobile number. He supposed Smith had done it to prove how resourceful GCHQ was.
Moorcroft took a slurp from his coffee and almost spat the disgusting, lukewarm, bitter liquid out all over his desk.
He picked up his desk phone and dialled the number at the top of the list.
Today, 8:50am
Avoiding eye contact with the three senior executives sitting confrontationally on the other side of the huge oak meeting table, Brody plugged the projector and audio cables into his top-of-the-line tablet computer. The absence of small talk heightened the sense of tension in the room. Brody thought about saying something, anything really, to break the ice, but then remembered he wasn’t here to make friends or seek their approval. He was here to make a point.
Not that Brody had many friends, well not in the real world anyway.
It was early on a rainy Monday morning in HTL’s head office campus near Shoreham in Kent. The pharmaceutical company’s Research and Development Director, Dr Moorcroft, had yet to arrive. Moorcroft had
“But that’s impossible. Our Security and IT departments assure me that we have implemented the very best cyber defences.”
There was silence on the other end of the line. Moorcroft slowly digested the implications.
Smith attempted to placate him. “Even the best defences can still be compromised, Dr Moorcroft. It may be that the hackers have only gained peripheral access. I’m sure your firewalls and intrusion detection systems would have notified you of any unusual activity.”
“Yes, I’ll check with IT.”
“Good. And you could also . . .”
“What?”
“Well, I was going to suggest that you have a penetration test performed, but I’m sure your IT department has those done regularly.”
“Penetration test?”
“Hiring someone to test your cyber defences, as if they were a hacker attempting to break into your systems. It’s the best way to know for sure if you have any weaknesses. If they find anything, they’ll report it to you and you can put new defences in place.”
“I’ve not heard of our IT department doing that, but then I’m not close to their day-to-day activities.”
“Well, there’s pentesting and then there’s pentesting .”
“What do you mean?”
“Given the nature of your business, your company lives and dies by its patents and other intellectual property, yes?”
“Yes.”
“Well, then maybe you should retain the services of one of the best penetration testers in the industry. They’re not all the same, you know. And, if you do it without anyone knowing — especially IT — then it would be a true test. A bit like when you do a fire drill. You don’t warn employees it’s coming, otherwise it makes a mockery of the test itself.”
“I see. That makes sense.”
“It’s like turkeys voting for Christmas. The last thing most Security or IT departments want is to be embarrassed by poor pentest results, so they don’t necessarily do it justice. They just hire large IT security companies to make it look like they’re doing the right thing. But it’s a skilled job and it always comes down to the individuals doing the test.”
“Hmmm.”
Smith had a point. But the most important point was that GCHQ had intercepted the term Project Myosotis from the Chinese. This was serious. As Head of R&D, Moorcroft had every right to protect the company’s interests. No, more than that, as a registered company director, he had a responsibility to protect the company.
It had nothing to do with Madeline’s condition, he told himself.
“Is there anyone GCHQ recommends, Mr Smith?”
“Not officially, but . . .” Smith gave Moorcroft the names and contact details for three independent penetration testers.
“I really appreciate your bringing this issue to my attention, Mr Smith.”
“You’re welcome. Hopefully, you’ll never hear from me again.”
Smith ended the call. And only then did Moorcroft remember that Smith had called him on his mobile number. He supposed Smith had done it to prove how resourceful GCHQ was.
Moorcroft took a slurp from his coffee and almost spat the disgusting, lukewarm, bitter liquid out all over his desk.
He picked up his desk phone and dialled the number at the top of the list.
Today, 8:50am
Avoiding eye contact with the three senior executives sitting confrontationally on the other side of the huge oak meeting table, Brody plugged the projector and audio cables into his top-of-the-line tablet computer. The absence of small talk heightened the sense of tension in the room. Brody thought about saying something, anything really, to break the ice, but then remembered he wasn’t here to make friends or seek their approval. He was here to make a point.
Not that Brody had many friends, well not in the real world anyway.
It was early on a rainy Monday morning in HTL’s head office campus near Shoreham in Kent. The pharmaceutical company’s Research and Development Director, Dr Moorcroft, had yet to arrive. Moorcroft had
Similar Books
