Cyber Crises: Lessons from AIIMS & CrowdStrike
Reputation Matters | November 06, 2024 | 00:22:47

In this episode of Reputation Matters, host Anupam Gupta, along with Mitu Samarnath Jha, founder of Eminence Strategy, discusses two major cyber incidents: AIIMS Delhi's 2022 data breach and CrowdStrike's software update failure. They share insights on crisis management, the importance of cybersecurity architecture, and how organizations can protect their reputations. Learn from these cases and discover essential lessons on leadership, communication, and safeguarding data in today's tech-driven world.

[00:00:13] Hello everyone and welcome to Reputation Matters, a show about how companies faced crisis, dealt with them, survived them and what are the lessons from all of this for all of us. My guest as always, Mitu Samar, CEO, Eminence Strategy Consulting. Mitu, welcome to the show.

[00:00:29] Thank you Anupam.

[00:00:30] Mitu, let's start with AIIMS. India's premier medical institution in Delhi, in 2022 they faced a cyber attack which went on for quite some time. I think it was almost 15 days, 5 servers and patient information. First let's walk into what happened.

[00:00:46] So like you said, in the year 2022, November, AIIMS had this cyber attack where all the outpatient data and also some amount of research data, all that got compromised by a cyber attack.

[00:01:03] It is said that, you know, on a daily basis about 12,000 outpatients come to AIIMS for treatment. Now imagine the plight of not just the patients who had to wait extensively because all the process immediately had to move manual.

[00:01:24] Imagine the plight of the workers there, right? Because they had to now make all the entries manually and the delays were at another level. So very, very chaotic for them.

[00:01:37] And it took AIIMS almost, like you mentioned, almost about two weeks to come back to normalcy.

[00:01:43] What really surprised me was the way their whole architecture of the network architecture or the whole cyber program was constructed. And when I was reading reports around this, people were saying that how sad, like they were feeling as if AIIMS is a victim.

[00:02:06] Sometimes I doubt that, right? Because in such a situation, Anupam, what do you think of an organization? Is it a victim or it should have been responsible, right?

[00:02:18] So these kind of conversations that come in, but yeah, in a nutshell, that is exactly what happened. They had to undergo a cyber attack and data of so many people got compromised.

[00:02:31] So that is sad.

[00:02:32] I guess the sadness part comes out of the fact that A, it's government, B, it's a hospital.

[00:02:36] Yeah.

[00:02:37] Who in his right mind, what kind of hacker is out there who would target a government-run large medical institution, a hospital where everyone from the poorest to the richest to politicians all go there?

[00:02:49] So what we need to really pay attention to, Anupam, is that the kind of profile of people who come to AIIMS for treatment, right?

[00:02:58] Of course, like you said, people of, you know, the regular masses, they definitely visited.

[00:03:05] But high-profile personalities, politicians, people from countries outside India, all of them, they come there for treatment.

[00:03:13] And the value of their data, particularly their health data, is extremely precious.

[00:03:20] So whenever cyber attack happens or the data theft happens, why do they happen, right?

[00:03:26] The outcome is that they sell that data and that's one of the returns that these attackers get.

[00:03:35] It is said that health records, if I'm not wrong, health records top the kind of data that gets sold.

[00:03:45] The rate of health records, that's the highest.

[00:03:48] And now imagine the health records of high-profile personalities.

[00:03:51] So the reputational risk here is of a very different nature.

[00:03:56] It's not just about a cyber attack and a data, you know, theft or a privacy, this thing.

[00:04:02] But more importantly, in a very high-profile environment, that's worthy of noting.

[00:04:08] Okay.

[00:04:09] What was their response?

[00:04:10] Because again, I don't think they were expecting this, anticipating this.

[00:04:14] Maybe they had IT professionals on board.

[00:04:17] I guess they would have had to.

[00:04:18] Their systems would have been architectured in such a way to prevent some attacks.

[00:04:21] And yet the defense failed.

[00:04:23] And you had this attack went on 15 days.

[00:04:25] What was their response?

[00:04:26] What happened afterwards?

[00:04:27] So as usual, FIR was filed.

[00:04:30] But the nature of AIIMS itself and the severity of attack, variety of authorities came in the picture, right?

[00:04:40] So Delhi Police, CERT, Ministry of Home Affairs, National Investigation Agency, all of them came in.

[00:04:47] So you imagine the seriousness of this whole episode, right?

[00:04:51] So all that came in.

[00:04:53] They issued statements, all the regular episodes or events or steps, as they call it, that would happen when such an attack will happen, happened.

[00:05:05] But what stands out is the government went ahead and now the national cybersecurity regulatory framework has been formulated post this attack.

[00:05:19] So that is one of the big developments that happened.

[00:05:22] But other than that, the regular responses came in.

[00:05:28] Six or eight months later, in 2023, probably June, July, I'm not sure.

[00:05:32] Not on the same scale.

[00:05:33] There was a repeat of not on the same scale.

[00:05:35] And thankfully, this time was not as bad.

[00:05:37] What happened at that point of time?

[00:05:38] So similar.

[00:05:40] It was a malware attack.

[00:05:41] Malware attack again, right?

[00:05:43] But what really intrigued me was a statement from Rajesh Pant.

[00:05:48] He is, if I'm not wrong on the designation, he is the former Lieutenant General of Cybersecurity in India.

[00:05:57] And his statement, which really stood out for me, was that architectural framework of AIIMS network solutions was designed primarily by doctors and not by IT professionals.

[00:06:12] Or at least with their inputs must be.

[00:06:15] So that is one of my key observations here.

[00:06:19] That whenever you design your architectural framework around your network solutions, we have to be mindful that it's a multidisciplinary team that is coming together and forming it, which will have IT experts.

[00:06:34] It will have subject matter experts.

[00:06:37] It will have cyber experts and so on.

[00:06:39] And it can't just be one department's job.

[00:06:43] It has to be a multidisciplinary effort.

[00:06:45] I want to move on to the next one, which is very interesting because it's a Microsoft CrowdStrike episode that happened in this year itself.

[00:06:53] As someone who uses Windows on a daily basis, I am also aware that I have to keep on updating my laptop and the updates come out of nowhere and I have no choice.

[00:07:01] It's just update, update, update, update, update.

[00:07:04] Sometimes updates.

[00:07:05] Sometimes updates.

[00:07:06] Most of the times the updates go right, but I have faced enough situation where I need to call in tech support that my computer is gone.

[00:07:12] It's hung.

[00:07:13] It's this and that.

[00:07:13] And then in some cases I've also had to reset, swipe my laptop all over again.

[00:07:17] So it's something that it's at least it's happened with me.

[00:07:20] I don't know what you get it.

[00:07:22] What happens with everyone?

[00:07:23] Yeah, but this was different.

[00:07:25] I mean, this was one specific software CrowdStrike, which had its upgrade update.

[00:07:31] Sorry.

[00:07:32] And when that update went through, there was some line of coding somewhere in that that completely froze Windows for a lot of important places for a lot of important people.

[00:07:42] At least I wasn't affected.

[00:07:43] It only affected those people who use CrowdStrike software on their machines.

[00:07:47] What happened?

[00:07:49] Yeah.

[00:07:49] In fact, even I wasn't affected, but one of my colleagues, I guess she got affected because she kept writing to our IT team that my system is not working and he kept responding.

[00:08:01] Everybody else's system is working.

[00:08:03] So, you know, you restart your system.

[00:08:05] Initially, that was their response.

[00:08:07] The one solution that always works for everything is restart.

[00:08:09] Reboot, right?

[00:08:10] So that started.

[00:08:12] But eventually he like within hours, he understood the development and he guided her.

[00:08:17] That you have to hold on.

[00:08:19] So, yeah, common people like you and I also got impacted in some manner is what I'm trying to say.

[00:08:24] But on a larger scale, what happened is industries across the globe got literally paralyzed for some time.

[00:08:34] Right?

[00:08:35] Whether it was banking, whether it was airline, whether shipping or, you know, telecom.

[00:08:41] There's so many industries that in a manner of speaking came to a standstill when the strike happened.

[00:08:48] Yeah.

[00:08:48] And to give the viewers a sense of the impact, I remember the visuals.

[00:08:52] I remember the photos at that point of time.

[00:08:54] I think it was Delhi airport where the schedules were being manually written on a whiteboard.

[00:08:59] I mean, I don't think I've seen that in the longest time.

[00:09:01] Correct.

[00:09:01] That's the impact that a strike of this nature has on the systems.

[00:09:06] LEDs can't flash right information.

[00:09:08] The people at the counter don't know what's happening.

[00:09:10] So what do they do?

[00:09:10] They have to write it manually on the whiteboard.

[00:09:13] And that's talking about the customer facing software.

[00:09:17] I don't know what happens in the airline or in the ATCs, etc.

[00:09:20] And imagine, Anupam, the impact on the global economic processes also.

[00:09:25] What you're talking about is, again, us, right?

[00:09:29] Common people, which of course got impacted.

[00:09:32] But now when you spoke about people traveling from one place to the other,

[00:09:37] imagine the cargo movement globally.

[00:09:40] That got impacted, right?

[00:09:42] Interbank transfers globally.

[00:09:46] That got impacted.

[00:09:48] So huge amount of monetary disruption or economic disruption also happened.

[00:09:55] And that, of course, establishes Microsoft's significance in the overall global economic activities as well.

[00:10:04] And the responsibility that the company carries and all its partners carry.

[00:10:11] That's very, very noteworthy.

[00:10:14] And here CrowdStrike was one such partner, which didn't do well.

[00:10:19] So it's very interesting that this came on Microsoft, right?

[00:10:22] I mean, obviously, if you're someone who's using a MacBook, you weren't affected.

[00:10:25] But the problem was from CrowdStrike that affected Windows.

[00:10:29] And Windows has reputation, like reputation and reputation and reputation being the largest OS on the planet.

[00:10:35] And because of something that's not even in their control.

[00:10:38] It's a software that's loaded on their computer.

[00:10:40] What are the events after that that transpired?

[00:10:42] Because this is one of the largest companies in the world.

[00:10:46] Social media is tracking them.

[00:10:48] Everybody is doing this outrage.

[00:10:50] BSODs, a word I hadn't heard honestly for the longest time.

[00:10:53] Anybody who's dealt with a laptop knows what a BSOD is.

[00:10:57] It's a blue screen of death.

[00:10:59] Not something you want to have and especially if you're on a deadline.

[00:11:03] Those were everywhere.

[00:11:04] Screenshots were being shared.

[00:11:05] Everything.

[00:11:05] There was so much of it happening.

[00:11:07] What happened after that?

[00:11:08] So, two important points.

[00:11:10] Number one, what was the role of CrowdStrike and what was it?

[00:11:14] So, first and foremost, it was a cyber security service provider.

[00:11:20] And according to CrowdStrike, one of its software, one of the files that got corrupted while doing the software update, that went wrong.

[00:11:33] However, from this point, Anupam, what is very important to note is the role of CrowdStrike.

[00:11:40] It is the cyber security or vendor which provides similar solutions to Microsoft.

[00:11:48] And there was one file that went wrong as per the statement from CrowdStrike.

[00:11:53] I think that created this huge chaos across the world.

[00:11:58] Two important points that need to be noticed.

[00:12:02] When the CEO was giving away statements in terms of what happened, obviously media across the world would have gotten in touch with them for a statement that what went wrong.

[00:12:13] While giving away the statement, the CEO choked on screen.

[00:12:20] So, people started saying, and imagine this is a big lesson to be learned for CEOs particularly or people who give media statements or media interviews.

[00:12:31] That when you are giving away media statements, your body language plays a very important role in addition to your message.

[00:12:40] Right?

[00:12:40] So, when he choked, some school of thought started empathizing with him that, oh, he was so emotionally charged.

[00:12:49] Authentic.

[00:12:49] Yeah, very authentic.

[00:12:50] On the other hand, some people started saying that because he was not truthful, that he was trying to buy time and, you know, this was his way of thinking of the right answer.

[00:13:02] So, very, very important lesson here that we have to be mindful of not just what are we saying, but how are we saying.

[00:13:10] And second important point, again, this is my personal observation, that he kept harping upon the fact that it was not a cyber attack.

[00:13:20] It was a software upgrade at their end that went wrong.

[00:13:23] Why?

[00:13:24] Because they themselves are a cyber security company and if they have a cyber attack, then, you know, their existence itself is questionable.

[00:13:31] In question, yeah.

[00:13:32] Right?

[00:13:33] So, you see the amount of insistence that, so you and I will not ever get to know what exactly happened, right?

[00:13:40] But the lesson or the observation here is the kind of messaging that you give away to the outside world.

[00:13:47] You have to be very particular that your own existence should not come under question.

[00:13:54] Now, that's not a recommendation I am making to anybody, but that's the kind of thought that went ahead in his head while creating the messages.

[00:14:04] And paying attention to these finer nuances is very critical.

[00:14:09] That's the key message.

[00:14:10] My key message is, guys, please do your upgrades on time on your laptop.

[00:14:15] I have faced situations like that.

[00:14:16] I've got like a deadline in some 48 hours or the next two days and I'm just, I've not done my work as soon as I should.

[00:14:24] And then end mock-up, at the last moment, Windows has an update, shutdown, restart, boom, we're gone.

[00:14:29] I don't know honestly what to do with that.

[00:14:31] But AIIMS, Microsoft and CrowdStrike, key takeaways from both of them.

[00:14:36] Let's wrap up this episode with some key pointers for our audience.

[00:14:39] So first and the most basic key point is that cyber attacks are here to stay.

[00:14:45] We are in a world which is full of technology.

[00:14:48] You never know what kind of tech attack can happen to you from wherever.

[00:14:54] So paying attention to your technological security, including primarily including cyber security is a must.

[00:15:02] The second important observation, like I outlined earlier as well, that when you're creating your network solutions or IT solutions, it cannot be left to one expert.

[00:15:15] Sometimes, especially in the organizations we have observed, that one department starts claiming, you know, ownership on that project.

[00:15:24] And sometimes that could be the subject matter expert or sometimes it could be the IT team or some possibly the project management team or some such a particular team.

[00:15:35] Remember that network solution or network architecture design is a multidisciplinary effort.

[00:15:44] And all the teams must come together and work around it.

[00:15:50] And the third thing, like you have always been talking about, that we need to pay attention on not just upgrading our own systems, but overall organizational systems.

[00:16:01] Because your system comes under vulnerability only because it's outdated, right?

[00:16:08] So attacks on say AIIMS, again, we don't know how updated their systems were.

[00:16:15] Again, some reports that I was reading which said that the systems were outdated, right?

[00:16:20] So it's very important that organizations pay attention to this.

[00:16:26] In the scheme of things, you know, when you look at return firm, a lot of times these small, small points become deprioritized because you have bigger business decisions to take care of and follow through.

[00:16:39] But then when they go wrong, it really has very huge repercussions.

[00:16:45] So we cannot take things lightly.

[00:16:48] So if I were to just very quickly tell you one, two, three, what are the three important things to remember?

[00:16:54] Number one, make cyber risk as one of the most important aspects of the risk committee in all the boards.

[00:17:02] Number two, when doing architectural designs around your IT systems and solutions, please ensure that it's a multidisciplinary team that is getting formed and that is seeing it through for creation of such platforms or such systems.

[00:17:20] And lastly, don't let your system be vulnerable.

[00:17:25] Carry out upgrades timely because outdated systems are really vulnerable to attacks and also carry out audits around it.

[00:17:34] So these are the three important things to remember.

[00:17:36] I just miss the days when all we were told was don't open shady files that are attached to your email.

[00:17:41] I had done it once.

[00:17:43] It had some very nice name to it.

[00:17:45] I said, come on, this is what is happening?

[00:17:46] And I opened it and boom.

[00:17:48] I had sent mails to some hundred people with some random content.

[00:17:51] And of course, I was called into the cabin and what happened there?

[00:17:54] What happened there?

[00:17:55] I'm glad that that happened 20 years ago and I don't have to face the consequences.

[00:17:59] But Mitu, talking about consequences, can you just also add in a point about responses?

[00:18:04] Like what the three points that you said were fantastic for maybe a CEO, for organizations to figure out the architecture and their cyber networks and their technology and the frameworks and all that.

[00:18:14] But once this has happened, how should they respond to the public?

[00:18:18] What are the kind of statements they should put out?

[00:18:20] Should they take ownership?

[00:18:22] What should they do?

[00:18:22] And I'm asking this question to you because we spoke about how the CEO of CrowdStrike choked up.

[00:18:28] What was your view on that?

[00:18:29] Which camp were you in?

[00:18:31] And therefore, from that, are there any learnings on how leaders should come out and respond to this upfront?

[00:18:38] To me, it appeared inauthentic.

[00:18:40] Largely because body language or nonverbal communication, as research and experts say, form 93% of your overall message conveyed.

[00:18:54] So, you know, that part needs to be very, very well focused.

[00:19:00] And being at that role, one has to be very ready and aware of your messages.

[00:19:07] You cannot let your emotions take over your thought process.

[00:19:13] But yes, to err is human.

[00:19:15] And possibly he would have genuinely heard also.

[00:19:18] And we have to give him that benefit of doubt.

[00:19:22] Coming back to what are the key learnings or from the communication lens?

[00:19:28] If the episode has happened, what should organization do?

[00:19:33] Number one, whether episode happens or not happens, please know that cyber attack or IT-led threats are a reality.

[00:19:43] So, please develop your advanced crisis communication plan around it.

[00:19:50] So, like I had mentioned in one of the earlier episodes also, that some of the clients whom we help, we actually identify multiple crisis scenarios in advance.

[00:20:01] And then we create situations that if so and so situation happens, how would you respond to it?

[00:20:08] To a great extent, we also create a template for holding statement.

[00:20:14] So, if a statement has to go out, very quickly it can go out because you have the basic template in place.

[00:20:19] All you have to do is fill in the blank.

[00:20:21] So, you know, having a system like that ready is very critical.

[00:20:27] And that's one of my most favorite.

[00:20:30] And the first response, whenever anyone asks me what should be a crisis response be, not just cyber, but any kind of crisis.

[00:20:41] First thing you should do is advance planning helps you a lot.

[00:20:45] So, do that.

[00:20:47] Secondly, evaluate whether you should issue a statement or you should not.

[00:20:53] Maybe an initial acknowledgement kind of a statement could serve you good.

[00:20:59] Then dwelling very deep into it has to be a call of judgment.

[00:21:05] Sometimes silence is also necessary.

[00:21:08] And again, as I keep repeating that sometimes being silent is a great crisis communication strategy as well.

[00:21:15] So, but again, that's not a recommendation.

[00:21:19] It has to be decided based on a situation.

[00:21:22] So, if your situation demands that you should be silent, be that.

[00:21:27] If it needs to engage into conversations, do that.

[00:21:31] So, that's the second thing.

[00:21:33] That issue your holding statement timely and then be judgmental about how often should you be communicating.

[00:21:40] And last one, especially with respect to crisis like cyber, these are regulatory, there are regulatory implications also.

[00:21:49] And particularly if your organization belongs to a regulated space, then all the more reason.

[00:21:56] So, be very, very engaged.

[00:22:00] Sorry, pay attention and engaging with the regulators or the right authorities.

[00:22:05] Instead of getting entangled into issuing statements after statements for, you know, just because social media people are questioning you and sending you messages, tagging you.

[00:22:17] Don't get pressurized by that.

[00:22:19] You know, instead, get aligned to the regulator, engage with the authorities and try to solve the problem.

[00:22:28] Because otherwise, your attention will be divided and the crisis will only blow up.

[00:22:33] And that's it for today's episode of Reputation Matters.

[00:22:35] Our guest, as always, Mitu Samar, CEO, Eminence Strategy Consulting.

[00:22:39] Mitu, thank you so much for doing this for our audience.

[00:22:40] Pleasure.

[00:22:41] Thank you.