A few years ago, I was in charge of the operations of a power trading firm in Prague reporting to the Board of Directors. I discovered just how stressful a job can truly be and I learned a lot about the realities of commodity trading and businesses in general. In commodities, we talk a lot about risk management. We think about price impacts, we think about timing, credit, legalities in contracts and so much more. In my experience, two risks kept me on my toes more than any other – IT and People.
In the past, I have written about people risk and, after a weekend filled with talk of worms, ransomware, and a global hacking attack, I am going to focus on IT risk. Actually, not IT but security.
Imagine if all of your trade data was now encrypted and held to ransom?
I’m sure that you have a disaster recovery plan and adequate backup and recovery plans in place, right? But have you ever actually tested these procedures? Will they actually work and have you back up and running in the time needed? Are you sure that your data and processes are secure?
These thoughts kept me awake at night. In part because while I have been in and around IT all my life, I understood that I did not and could not ever understand the systems, hardware, and configurations to the level needed to be able to say to myself or my Board that everything was secure. I had to rely on someone else who did – or did they? I had to have confidence in the people hired to do their jobs and with so much at stake, I frankly found that difficult.
I’m hoping that most trading firms are quite secure. That they update their software on time and have audits and checks of their security and disaster recovery procedures. I am betting that some do not. I am guessing that a small number may have experienced WannaCry themselves – perhaps paying the ransom?
Unfortunately, I am not an expert or analyst in the field of IT security so I cannot offer much usable advice. I can say this, however: it is worth having someone on your IT staff focused on security, backup and disaster recovery. It is worth spending money periodically to have outside experts audit your approach and to then rectify any less than positive findings immediately. It is also worth testing disaster recovery scenarios to ensure that they work and work in a timely manner.
To me, this side of IT is a bit like a book by JK Rowling – full of magic, incantations, and strange beasts.
In the end, I found this was my only solace. Taking such an approach helped me relax a bit about vulnerabilities and security of resources. I’m glad though, I am back being an analyst where I have much less to worry about! Oh, and I switched to Apple across the board.