The AA won’t send a tow truck unless you are a member. I learned this as my car was parked on the side of the road with brakes that no longer worked. On that same phone call I learned that you can join the AA on the phone and then they will send a tow truck. Problem solved. The next two weeks were a real hassle. Between familiarising myself with public transport (in the middle of winter) and an exorbitant mechanic’s bill (the parts had to come from Germany of course) I was ruing the fact I hadn’t taken a more proactive approach to vehicle maintenance!
In the last article I wrote I discussed my first foray into owning a “luxury” European car and some of the correlations between that and cyber-security. As hard as it is for me to fathom, it turns out that having a cyber-security breach can be even more costly and inconvenient than dealing with the ultimate driving machine spending two weeks at the mechanic’s.
What would be the impact on your business if you lost all access to your systems and data for a week? That’s not a rhetorical question. Stop and think about it. No emails. No customer information. No list of creditors or debtors. Nothing. Not going to happen to you? I admire your optimism; however, as a colleague of mine once said, hope is not a strategy.
In one of the most fascinating articles I have read on the topic, Wired magazine writes a detailed, blow-by-blow account of Maersk, the Danish shipping line, and the impact of a malware attack on their business. Approximately 80,000 employees, no systems, no data, nothing.
“Soon, hundreds of 18-wheelers were backed up in a line that stretched for miles outside the terminal. One employee at another company’s nearby terminal at the same New Jersey port watched the trucks collect, bumper to bumper, farther than he could see.”
Two weeks after the attack, and at tremendous expense, Maersk was in a position to start issuing staff with new or rebuilt devices and allowing them to connect to the network. Ultimately the firm restored systems and has continued trading. All told, it was estimated NotPetya cost Maersk between US$250 million and US$300 million; however, it is likely the figure was much higher.
Closer to home, over the last few months, we have seen several examples of organisations that have fallen victim to ransomware. Toll Holdings, the Australasian freight and logistics company, earlier this year had its systems thrown into disarray after being hit by ransomware. Several weeks later, after a prolonged restoration of services, the company was hit once again – by an unrelated ransomware attack.
Several months later, the same ransomware that impacted Toll also took down Fisher & Paykel Appliances and Australasian brewer, Lion. In both cases it was confirmed that data had also been leaked onto the dark web as part of that attack. Front page news.
Looking at US data, the figures are equally grim. The cost of the average data breach is approximately US$3.86 million, according to a new report sponsored by IBM. That’s the average amount companies spent to recover from hacks, including the costs of forensic investigations, legal fees, regulatory fines, and lost business. That doesn’t take into account the reputational damage from a customer and supplier perspective.
The IBM report was conducted before Covid-19 and doesn’t take into account the increased risks associated with a post-Covid world. There is no question the tempo of attacks is going up and IT teams are uniquely stretched by the multiple challenges as a consequence of the pandemic. Large chunks of the workforce are now operating remotely, based on VPN, significantly increasing potential attack vectors.
Are you safe? Have you done your scheduled servicing? Has it been completed by a qualified expert? Or by someone who watches a few YouTube clips and gives it a go in the weekend? In the next few weeks, I’ll write an article about the number one thing your organisation can do to lift its security posture. In the interim, cross your fingers and touch wood. Or feel free to get in touch.
Best of luck!