Awareness, always and always awareness. The very reason for the existence of this journal. Awareness is HUMAN before being TECHNICAL.
The whole board of a company or of an institution must have a minimum level of awareness to be able to work in concert with its CISOs, CIOs and CSOs, so that the board in turn can ensure that the minimal technical and human needs of those specialists are met and that the investments are there to allow them to sharpen the whole system’s defenses daily against the most plausible threat scenario. After all, if a major incident happens, the CSO may be fired as a “scapegoat measure”, but with the results we will look at hereafter, it is the board and nobody else that will have to answer for the losses.
With the insider threat (through ignorance) bigger than ever, a safe ecosystem can only be built with the active participation of all the employees, none excluded. Everybody should have the chance to be given a minimal awareness capacity in order to bring an effective contribution to his/her workplace. After all, if a major incident happens, the company will require expense cuts, generally resulting, as a first measure, in the firing of many employees…
In an issue dedicated to so many non-financial businesses going 4.0, from armies to big industries and, last but not least, whole State governance systems, we finally have real data about the real costs of an indirect global attack: “notPetya”, aka “Goldeneye”. The data now lets us sift through all the mainstream media “more or less sci-fi” headlines, with their statements on attribution, State wars, quick conclusions etc., to gather real information on the consequences of this global malware for some top companies, as reflected in their half-year financial reports (H1).
While we are waiting for the impact on H1 profits, we already see some astonishing Q2 results: Mondelez, US multinational leader in the food sector: 3% revenue loss; Reckitt, UK multinational leader in pharma: 2% revenue loss; Maersk, the Danish shipping world leader: 300 million USD forecast as being just the first direct consequences of the attack.
The best-known example after a full H1 publication by the company itself [1] is probably the French multinational Saint-Gobain, one of the global leaders in construction and high-performance materials: three days spent… working with paper pages and pencils [2], a 220 million EUR loss, meaning in detail a loss of 1.1% of revenues and… of 4.4% of operating profit. And here we speak about a company which posted a record H1, “attack included”, with a +6.8% rise in operating profit. In our opinion, the company remains prudent when it forecasts a total yearly cost of the attack of 250 million EUR, acknowledging that some 30 million EUR of consequences will still be paid in Q3. External analysts estimate a minimum cost of 330 million for the attack on the 2017 turnover [3].
Those companies whose results are coming through are giants; they have the financial resources to withstand one or two “notPetyas” per year. But even for them the problem remains: what about their trust rating? As an investment specialist said: “The day of reckoning has come for shareholders”.
For all smaller companies, further attacks could lead to severe consequences and even failure. And all that for what? Always and always, the traditional board member’s mentality:
- My company is of no interest to hackers, except perhaps its databases and its financial transaction systems, but I have secured those.
- I do not understand cybersecurity issues and I do not have my CISO next to me on the board.
- The CSO’s department will handle all problems with the specialized companies we pay for that.
As a result, no awareness from bottom to top, no culture of cybersecurity, and – again – not a single moment of fear of being under constant attack, meaning no consciousness that the whole company, from the night cleaner to the top executive, should be involved in securing the common workplace digital ecosystem.
We Westerners are particularly weak and uninformed, contrary to some countries – Israel and India could be quoted here – where not a few companies with an industrial profile have for some time employed a mix of black hat/white hat/red hat teams, built around young, passionate professionals who proactively follow, hour by hour, what is going on, gathering intelligence in closed groups, on the deep web, through their own networks. They are the key to testing all the company’s systems and to forecasting attacks using all the existing vectors and vulnerabilities already known to hackers but not yet used.
And besides awareness, may our companies’ leaders understand that actively participating in their country’s and in global vulnerability disclosure mechanisms is not against their interests; on the contrary, it can benefit them. What will be against their interests, we will see in a few months or, at best, years, when “not-Petyas” happen weekly as the logical consequence of “connecting everything” to an already extremely fragile human ecosystem and to an already multi-patched technical ecosystem…