Being resilient to cyber-attacks and cyber failures is one of the four major goals of a Cyber Risk Management Program.
The other three are:
- Achieving your customers’ expectations (covered last week)
- Being compliant with relevant laws and regulations
- Becoming an unprofitable target by practicing great cyber hygiene
We’ll cover the last two goals in later posts.
Without enough resilience, a cyber-attack or failure could result in damage severe enough that a company could be greatly hurt or even go out of business.
Let’s review a few high-profile cases to get a feel for what’s at risk.
On February 5, 2016, staff at Hollywood Presbyterian Medical Center discovered they were in the middle of an attack. Many computer systems had been encrypted by malicious code and held for ransom.
The attack forced the hospital to return to pen and paper for its record-keeping for more than a week. And they lost $19 million in revenue.
The recovery began only after the hospital paid a $17,000 ransom.
Major Unexpected Expenses
In 2012, malware partially wiped or totally destroyed the hard drives of 35,000 Saudi Aramco computers.
Like at Hollywood Presbyterian, employees used pens, typewriters, and fax machines to run the massive company that handles 10% of the global oil supply.
It took the rapid purchase of 50,000 new hard drives and five months of hard work, but Saudi Aramco eventually came back online.
In another case involving Sony Pictures, on November 24, 2014, a hacker group, which identified itself by the name “Guardians of Peace,” leaked a large amount of Sony’s confidential data.
The data included:
- Personally identifiable information about employees and their families;
- Emails between employees;
- Information about executive salaries;
- Copies of yet-unreleased Sony films;
- Lots of other sensitive information.
It took over six weeks to achieve the initial recovery, and total costs may top $100 million.
Shortly after the data breach, the CEO resigned, which can be another major consequence of large cyber failures.
In 2013, over 40 million credit and debit card accounts were stolen in the Target data breach.
Shortly thereafter, a new CIO and then a new CEO joined the company.
Recovery costs hit $162 million as of Feb. 2015.
In April 2016, a German newspaper announced that 12.7 million confidential documents from the Columbian law firm Mossack Fonseca had been leaked to them by an anonymous source.
The “Panama Papers” show how the firm’s clients hid billions of dollars to avoid paying taxes.
Vice.com called Mossack Fonseca “The Law Firm That Works with Oligarchs, Money Launderers, and Dictators.”
The Natanz uranium enrichment plant in Iran was attacked by a malicious piece of code called Stuxnet.
Publicly revealed in 2010, Stuxnet sabotaged uranium gas enrichment centrifuges by silently manipulating valves to damage the devices as well as the enrichment process. It also sent fake data to the system monitors showing all was well.
Many credit this cyber-attack with helping to bring the Iranians to the nuclear arms control negotiating table.
Finally, let’s consider the insidious nature of integrity attacks. Think about the power of Stuxnet and imagine the potential damage a data integrity attack could do to a hospital.
By relying on inaccurate medical records, a doctor might prescribe the wrong drug, or administer a dose that’s too large or too small.
Without accurate monitors on medical equipment, a patient could get an overdose of radiation.
What about an integrity attack against the stock market, a major bank, or our electrical grid?
How Can I Be Cyber Resilient?
It goes back to the need to practice reasonable cybersecurity: doing what’s appropriate for
- An entity of similar size and sophistication
- Given the type, amount, and methods of data collected
In order to break it down into smaller bites, we recommend using the NIST Cybersecurity Framework to organize and measure yourself:
Cyber Risk Opportunities helps middle market companies become resilient to cyber-attacks and cyber failures by prioritizing and reducing your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.
Get in touch today to learn more and take advantage of a free 30-minute Q&A session with one of our cyber risk experts. Call 253-332-7867, or email us at firstname.lastname@example.org.