IT Security: What can be the real cost of a cyber attack today?
Cyber attacks are undoubtedly one of the most burning issues in computing today. Many of them make the news well outside the IT world, while others are never even reported. There are many reasons for this, starting with the fact that crime is moving from traditional sectors, that is, from physical attacks, to digital ones, with levels of sophistication that keep growing, as the latest ransomware cases have shown; and "ransom" is the key word here. Above all stands the notorious WannaCry, which on May 12th spread across the world, propagating along corporate networks, locking dozens or hundreds of PCs within the same organization and, in a very short time, encrypting data and files on the servers reachable from the infected PCs. Experts have explained that WannaCry hit so hard because it combined "traditional" malware with sophisticated attack tools, built or bought by organizations with vast resources at their disposal, as is the case with organized cybercrime or some sovereign states. But many elements allowed WannaCry to change forever how the business world perceives the impact of cyber security. The story, reported on newspaper front pages and on television, is well known: not only corporations but also banks and even the UK healthcare system suffered outages which, in the most serious cases, left them more or less completely unable to operate for more than a day.
Direct and indirect costs
The point is precisely this: the new types of computer attack are starting to cost more in indirect impact than in direct damage. Direct damage is immediately understandable, since it concerns the actual loss of data, with all the risks that loss carries, namely the possibility of having to compensate customers. Indirect damage deserves closer analysis, as it may not be perceived immediately. Alongside the obvious items, such as the cost of downtime, which also depends on how effective the disaster recovery system is, the impact on business opportunities should also be counted as a loss: how many opportunities are merely postponed, and how many are lost forever? In today's market it is not hard to imagine that the latter far exceed the former, since a consumer can quickly decide to switch to another supplier.
And the reputation?
There is, however, an even more significant consideration: the reputation of the company. Dealing with this is not simple, since reputation is not acquired overnight but built up over time, yet a single moment or a single misstep can easily damage or destroy it. Above all, restoring it is a far more complex path than restoring a backup. This is no minor aspect: customers, business partners or vendors may want to reconsider how they collaborate with companies that have been hit by malware, especially if they share IT resources with them.
Lessons to be learned
As was widely reported, WannaCry was not difficult to avoid: it was enough to update the operating system with a patch that Microsoft had distributed almost two months before the date of the attack. So here is the first lesson of this striking episode: do not skimp on updates; check for them frequently and apply them as soon as they are available. Devices must always be up to date (and therefore more secure), but proper policies are needed as well, such as USB access control, increasingly common in the era of BYOD and Shadow IT, and constant updating of firewalls and Wi-Fi access links.
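The lesson above (patch promptly, enforce USB control) is easier to act on when it is turned into a routine check. The following is an added example, not code from the original article: a small patch-compliance report over a constructed host inventory. The update identifier is a placeholder, and the release date, check date, 30-day patching window and host names are all assumed values chosen to mirror the "almost two months before the attack" timeline described in the text.

```python
"""Patch-compliance check over a constructed host inventory.

Added example, not code from the original article: given the release date of a
required update and each host's list of installed updates, report which hosts
are still missing it, how many days they have been exposed, and whether the
USB-control policy mentioned in the article is in place.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Hypothetical update identifier (placeholder, not a real KB number).
REQUIRED_UPDATE = "KB-EXAMPLE-0001"
# Assumed release date and check date, constructed so that the gap is
# "almost two months", as in the article's timeline.
RELEASE_DATE = date(2017, 3, 14)
CHECK_DATE = date(2017, 5, 12)
SLA_DAYS = 30  # assumed patching window: install within 30 days of release


@dataclass
class Host:
    name: str
    installed_updates: set[str]
    usb_storage_blocked: bool  # policy item mentioned in the article


def exposure_days(release: date, today: date) -> int:
    """Days an unpatched host has been exposed since the fix was available."""
    return (today - release).days


def patch_compliance(hosts, required=REQUIRED_UPDATE, release=RELEASE_DATE,
                     today=CHECK_DATE, sla_days=SLA_DAYS):
    """Return {host name: [findings]} for hosts that violate the patching SLA
    or the USB-control policy. Fully compliant hosts are omitted."""
    findings = {}
    for h in hosts:
        problems = []
        if required not in h.installed_updates:
            days = exposure_days(release, today)
            status = "OVERDUE" if days > sla_days else "pending"
            problems.append(f"missing {required}: {status}, exposed {days} days")
        if not h.usb_storage_blocked:
            problems.append("USB mass storage not blocked by policy")
        if problems:
            findings[h.name] = problems
    return findings


# Constructed inventory; names and update lists are made up for the example.
INVENTORY = [
    Host("ws-finance-01", {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"}, True),
    Host("ws-sales-07", {"KB-EXAMPLE-0002"}, True),
    Host("srv-file-02", set(), False),
]

if __name__ == "__main__":
    for name, problems in patch_compliance(INVENTORY).items():
        for p in problems:
            print(f"{name}: {p}")
```

Run as-is it reports the two non-compliant hosts; in practice the inventory would come from an endpoint-management export, and the report is the kind of evidence a team needs to show that the "check frequently, apply promptly" lesson is actually being followed.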