June 27, 2017
In the Spanish offices of Mondelez, the multinational confectionery company whose brands include Oreo, Chips Ahoy and TUC, the IT network has crashed. Although nobody is quite sure what is happening, many people suspect that it’s a small glitch that will be cleared up shortly.
A few minutes later, the company’s world HQ sends out an alert that makes the situation quite clear: the offices are being attacked by a group of cybercriminals who have got onto the IT systems and are stealing information and data. Thus began NotPetya, the cyberattack that would go on to affect hundreds of companies all around the world, including the law firm DLA Piper, the US pharmaceutical company MSD, and the National Bank of Ukraine.
A 100 million dollar crisis
Once the catastrophe had been and gone and its effects had been mitigated, the time came to take stock of the damage done, try to get back to normal, and take a look at the potential losses. And for Mondelez, the bill would be rather steep. The official estimate of the company’s losses is somewhere in the region of $100 million. Although the company was displeased about this (and quite rightly so), there was a silver lining: Zurich, its insurer, would bear the costs.
However, the company now has another battle to fight: Zurich claims that it has no obligation to cover the damages. The food giant has thus decided to settle the matter in court, filing a lawsuit over Zurich’s refusal to pay. Mondelez states that the policy it holds includes “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code.” Zurich, on the other hand, maintains that the policy doesn’t cover any “hostile or warlike act”.
The cost of a cyberattack
The dispute between the two companies is the first lawsuit related to NotPetya to be made public, but it is unlikely to be the last. Any type of cyberattack can cost a company millions, regardless of its sector or even its size.
But how much exactly do attacks of this type cost the organizations affected by them? The consulting firm Deloitte prepared a report on the financial repercussions of WannaCry (the predecessor of NotPetya) on the economy; their conservative estimate put the damages at around $100 million. This figure may seem relatively low, but that is because it only includes damages that can be directly and unequivocally attributed to the attack.
And some people believe that the damages caused by NotPetya are even higher: Property Claim Services (PCS) calculates that this cyberattack could have cost the affected companies upwards of $3 billion worldwide, if we take into account both direct and indirect damage.
Regardless of what the estimates may show or what the real figure may be, one thing is quite clear: an attack of this kind doesn’t just endanger a company’s cybersecurity; it can have serious repercussions on its reputation, as well as its finances. And if the insurance company decides that it isn’t their responsibility to cover the costs, the problem will take even longer to resolve.
How to avoid these cyberattacks
We’ve seen here a clear example of the kind of consequences that these cyberattacks can have. But even more important than knowing about their effects is knowing how to prevent them. It is therefore vital that companies that want to keep their corporate cybersecurity out of harm’s way follow a set of guidelines.
1.- Cyber-resilience. Not only is cybercrime indefatigable, it is on the up. And what’s more, it is constantly refining and redefining how it attacks. This is why companies must be in a state of permanent cyber-resilience, keeping up with the latest trends that cybercriminals incorporate into their endless litany of crimes. Only by adopting this attitude can they predict what kind of attacks they could have to face.
2.- Employee awareness. We say it time and again: most of the time, employees are the weakest link in a company, and the best (and largest) point of entry for cybercriminals, since their daily activities can leave gaping holes that allow this kind of incident to slip in. For this reason, companies must train their employees in how to stay safe when browsing the Internet or downloading attachments that land in their inboxes. On top of this, if they have even the slightest suspicion that something isn’t right, they must let someone in the IT security department know in order to get rid of any kind of threat ASAP.
3.- Audit of processes. Reacting to an attack is never going to be the best option. Companies need to have a proactive attitude to avoid unpleasant surprises after the fact. This is where Panda Adaptive Defense comes in. It is able to automatically monitor all processes that are running on an IT system in real time. This means that it can work preventively, detecting possible threats even before they happen.
4.- Action protocol. When it hasn’t been possible to avoid a cyberattack, companies must have an action protocol to isolate infected computers and keep the attack from spreading to the other devices.
5.- Cybersecurity as a strategy. The case of Mondelez and Zurich makes one thing very clear: IT attacks mustn’t be the sole concern of heads of cybersecurity. They are something that should concern the whole company, which must include these aspects in its global strategy.
Not only does a cyberattack place a company under intense public scrutiny, possibly damaging its reputation, but it can also have devastating effects on its accounts. And there’s only one way to stop this: prevention.