Awareness, always and always awareness. The very reason for the existence of this journal. Awareness is HUMAN before being TECHNICAL.

The whole board of a company or of an institution must have a minimum level of awareness to be able to work in good understanding with CISOs, CIOs and CSOs, so that they in turn can ensure that the minimal technical and human needs of those specialists are met and investments are there to allow them to sharpen daily the whole system’s defenses to face the best possible threat scenario. After all, if a major accident happens, the CSO may be fired as a “scapegoat measure”, but with the results we will look at hereafter, the board and nobody else will have to answer for the losses.

With the insider threat (by ignorance) bigger than ever, a safe ecosystem can only be built with the active participation of all the employees, none excluded. Everybody should have the chance to be provided a minimal awareness capacity in order to bring an effective contribution to his/her workplace. After all, if a major accident happens, the system will require expense cuts, generally resulting, as a first measure, in the firing of many employees…

In an issue dedicated to so many non-financial businesses going 4.0, from armies to big industries and, last but not least, whole State governance systems, we finally have real data about the real costs of an indirect global attack: notPetya aka Goldeneye. The data is now giving us insight to sift through all the mainstream media “more or less sci-fi” headlines with their statements on attributions, State wars, quick conclusions etc., to gather real information on the consequences of this global malware on some top companies, reflected in their half-year financial reports (H1).

While we are waiting for the impacts on H1 benefits, we already see some astonishing Q2 results: Mondelez, US multinational leader in the food sector: 3% revenue loss; Reckitt, UK multinational leader in pharma: 2% revenue loss; Maersk, the Danish shipping world leader: 300 million USD forecasted as being just the first direct consequences of the attack.

The best-known example after a full H1 publication by the company itself [1] is probably the French multinational Saint-Gobain, one of the global leaders of construction and high-performance materials: three days spent… working with paper pages and pencils [2], 220 million EUR loss, meaning in detail a loss of 1.1% of the revenues and… of 4.4% of the operating profit. And here we speak about a company which performed a record H1, “attack included”, a +6.8% operating profit rise. In our opinion, the company remains prudent when it forecasts a total yearly cost of the attack of 250 million EUR, acknowledging some 30 million EUR consequences will still be paid in Q3. External analysts estimate a minimum cost of 330 million of the attack on the 2017 turnover [3].

Those companies for whom results are coming through are giants; they have the financial resources that could resist one or two notPetya per year. But even for them the problem remains: what about their trust rate? As a specialist in investments said: “The day of reckoning has come for shareholders”.

For all smaller companies, further attacks could lead to severe consequences and even failure. And all that for what? Always and always, the traditional board member’s mentality:

  1. My company is not interesting for hackers, maybe only its databases and its financial transaction systems, but I secured them.
  2. I do not understand cybersecurity issues and I do not have my CISO near to me on the board.
  3. The CSO’s department will handle all problems with the specialized companies we pay for that.

As a result, no awareness bottom to top, no culture of cybersecurity, and – again – not a single moment of fear of being under constant attack, meaning no consciousness that the whole company, from the night cleaner to the top executive, should be involved in securing the common workplace digital ecosystem.

We, Westerners, are particularly weak and uninformed, contrary to some countries – Israel and India could be quoted here – where not a few companies with an industrial profile have for some time employed a mix of black hats/white hats/red hats teams, built around young passionate professionals who proactively and hourly follow what’s going on, gathering intelligence in closed groups, on the deep web, with their own networks. They are the key to test all the company’s systems and to forecast attacks with all the existing vectors and vulnerabilities, already known by hackers, but still not used.

And besides awareness, may our companies’ leaders understand that actively participating in their country and global mechanisms of vulnerability disclosure is not against their interests; on the contrary, it can benefit them. What will be against their interests, we will see in a few months or, at best, years, when “not-Petyas” will happen weekly as a logical consequence of “connecting everything” with an already extremely fragile human ecosystem and to an already multi-patched technical ecosystem…

Laurent Chrzanovski | Professor at the Doctoral and Postdoctoral School of Social Sciences at the University of Sibiu (Romania)
