Costly damage from cyber attacks can be devastating to companies that see revenue streams interrupted, stock prices dive and reputations smeared. Often, companies also face costly lawsuits and fines from regulators. The lessons the attacks reveal, however, can provide a silver lining in an otherwise very dark cloud.
Cyber risk is one of the downsides of the ongoing trend towards digitalization, and cyber attacks have become almost commonplace. But despite the widespread publicity around the attacks and the ensuing damage they cause, many companies, especially smaller ones, remain dangerously unprepared.
Companies in practically every sector of business are moving quickly towards digitalization through e-commerce, mobile payments, “big data” and analytics, the adoption of machine learning and other avenues. The more companies become dependent on information systems to control their production, distribution and other processes, the more exposed they become to cyber risk.
A few high-profile examples show how the damage from cyber attacks can bring some companies perilously close to disaster. In 2017, Maersk’s IT infrastructure was almost completely destroyed and several months of work were needed to bring operations back up and running. Two years later, Norsk Hydro’s systems were rendered dysfunctional, halting the company’s revenue stream for weeks.
Capital One reported a breach in 2019 that caused the bank’s stock to drop nearly 6% in after-hours trading and lose 13.89% over two weeks, Harvard Business Review reports. A hack at Equifax in 2017 caused its stock to fall from $142.72 to $92.98 in a week, with market share dropping significantly in the wake of the breach.
These incidents are among many others that illustrate the sometimes dire consequences of successful cyber attacks. Not only is business lost, but companies must also regain the trust of customers that may question their ability to protect sensitive information. That work is not done quickly and, in some cases, could take years.
Surviving a cyber attack means knowing first what not to do. It makes no sense to hide the details of a successful breach or make excuses that minimize the organization’s responsibility. Own up to the incident and begin the work to minimize the damage and recover.
The best reaction to a cyber crisis is through direct and honest communication that acknowledges accountability, is clear that the company and others are at risk and ensures customers and the public that the weakness that allowed the breach are being strengthened. Communications that clearly state that the company is working with the proper authorities is a critical early step in mitigating the crisis.
As John F. Kennedy was known to point out, the Chinese used two brush strokes to write the word “crisis” – one stands for danger and the other for opportunity. In President Kennedy’s case, he avoided a catastrophe in the 1962 Cuban Missile Crisis through quick, clear and direct communications with the Soviet Union. In the same way, organizations hit by a cyber crisis should not ignore the opportunity to improve the situation through well-thought-out communications and putting the right measures in place to prevent such attacks from materializing again and again.
Shoring up weak spots A cyber incident will reveal weaknesses where systems can be vulnerable. It is important to “walk the talk” that ensured the public that systems are strengthened. That means technical and organizational upgrades have to be put in place to protect data, employees and customers’ data and the resilience of the organization’s business processes, as well as to rebuild trust and help restore the company’s image and brand that may have been tarnished by an attack.
“Cyber attacks can take a heavy toll on your company’s revenue streams and reputation,” says Philipp Hurni, Cyber Risk Engineering Global Practice Leader, Commercial Insurance, Zurich Insurance Group. “When a cyber attack hits, take the opportunity to demonstrate true leadership - take accountability, apply lessons learned and shore up defenses to prevent similar attacks in the future. Nobody is safe from cyber attacks – but not learning from mistakes means failing.”
There are examples of companies that have found the silver lining in cyber events that have hit themselves or companies in similar industries and have implemented stronger, more sustainable cyber risk management practices. As cyber risk engineers, we have taken notice of work by companies to protect themselves better, in, for example, the following areas:
- IT networks through segregation. Before the WannaCry and NotPetya viruses appeared in 2017, many companies had flat network structures, with workstation computers connecting with any server, database or control system in the organization. Now, companies routinely put in place network segments and microsegments, restricting communication flows to legitimate business use cases and limiting opportunities for malware infections to spread. This generally means higher IT management costs but provides a big payoff if network defenses fail and attack software sneaks past a firewall.
- Remote access. Data breaches, ransomware and other forms of cyber attacks often enter corporate systems through pathways such as remote desktop protocols or virtual private networks and others that are accessible over the Internet and protected only by usernames and passwords. Many companies have closed such doorways by only permitting access through multi-factor authentication and through constant scanning of their network footprint for vulnerabilities that may have been overlooked and could allow remote access.
- Privileged administrator accounts. The misuse of such accounts is another common denominator in cyber breaches. Once cyber criminals are past the perimeter, they often attempt to escalate privileges and obtain system-level access that will allow them to steal data or infect resources with ransomware. It’s not uncommon for these tactics to work because privileged accounts are often not properly managed and protected. Companies are reacting to this vulnerability, however, with solutions that better control who has privileged access and processes for monitoring and reviewing those privileges.
- Data backup and recovery: Criminals planting ransomware benefit when their targets have inadequate or non-existent backup and disaster recovery procedures. Ransomware has reached epidemic proportions and many companies have realized the value of having data backed up and strong disaster recovery processes in place should their systems be locked by cyber thieves.
Cyber attacks can be a disaster for organizations that are ill-prepared to deal with it. But there are lessons to be taken from those who have survived a crisis and lived to tell about it. And when it comes to dealing with such critically important issues as protecting systems from criminals who can create havoc very quickly, there’s no reason why any company shouldn’t seize on the silver linings that could help them avoid potential disaster.