The 3 Costs of a Malware Attack
September 15 2017
Cyber criminals succeed only by staying ahead of the security precautions taken by the businesses they attack and, as some highly publicised examples throughout 2017 have shown, this can be accomplished with little effort.
As cyber-crime continues to grow as a viable industry for serious career criminals, many organisations seem to be failing to avoid the media humiliation of succumbing to attack or leaving themselves open to attack.
As the past year has shown, this is now a problem affecting world-leading, blue-chip businesses, which are also succumbing to attack or leaving gaping holes open in their security.
The cost of these attacks can be assessed in three different respects:
Firstly, the financial loot of the attacks, which is often difficult to assess publicly (often because large organisations are cautious about revealing the extent of the damage, in an attempt to save face after an attack has become publicly known). This cost is often minimal, as most organisations are unlikely to pay ransoms to cyber criminals using ransomware or phishing attacks.
Cost of Repair
Secondly, the cost of repair. It is often after a large-scale cyber-attack (not before) that businesses take a long, hard look at their security protocols and at how to minimise the risk of another attack occurring. This usually involves hiring external IT security to audit their systems for areas of improvement, as well as investing in standard but efficient areas of IT defence.
Cost of Tainted Reputation
Thirdly, the cost of public relations, lost faith and stained status can prove far more costly to any business. This is especially true for organisations which work in the technology sector or which manage sensitive data for large clients.
Take, for example, the Deloitte malware attack, which took place sometime between October and November 2016. A hacker was able to infiltrate the firm’s email server by using an admin account, gaining access to certain areas of the firm and some of Deloitte’s corresponding emails.
Deloitte allegedly became aware of the attack in March of 2017, and information regarding the attack became public not long afterwards.
Initially, Deloitte confirmed that information on at least six clients had been compromised. Since that initial statement there have been conflicting reports claiming that more than 350 clients had had their information open to attack. However, this type of attack can be difficult to track, meaning it’s possible that neither Deloitte nor their critics know definitively what information was viewed or stolen.
While the amount of damage done by the attack was disputed by different sources and difficult to ascertain, it’s easy to see how the lingering PR damage can have a far wider effect.
This information was published by the Guardian on Tuesday 10th of October 2017.
A second example of a corporate firm with blue-chip clients embarrassed by its lack of security was Accenture. Chris Vickery, an external IT security expert and Director of the security firm UpGuard, discovered alleged security flaws in Accenture’s cloud structure. Mr. Vickery privately alerted Accenture to the flaws, allowing them to fix the issue behind closed doors and avoid any negative publicity.
However, the information was later made public after Accenture downplayed the security flaws, resulting in inconsistent messages from Accenture on the extent of the lack of security and the danger to clients.
Once again, it would appear that no real damage was done, but the implications of the negative publicity could be the highest cost to Deloitte.
Both the Accenture and Deloitte examples show that reputation can often be the largest casualty of malware, even when nothing is stolen or the attack is unsuccessful.