After more than two decades, malware attacks have started to hit the corporate bottom line and to show significant losses in quarterly earnings reports. The shipping company Maersk, which was hit by ransomware WannaCry in May,reported a third quarter loss in 2017 of about $200- $300 million. A few weeks later the pharmaceutical company Merck was hit by NotPetya and reported a quarterly loss of around $200 million while FedEd’s subsidiary TNT reported $300 million in losses from the same outbreak. As a result, last spring’s viral ransomware attacks are causing organizations today to take another look at their current security and therefore may offer a silver lining.
“[Its] because of the high profile nature of these incidents and the exploits, business people –organizational leadership — are taking a keener interest in what’s happening in cybersecurity,” said Amit Yoran, Chairman and Chief Executive Officer of Tenable. “Maybe you have a sexy story around APT and nation-state actors. These events are all forcing a professionalization in our industry — they’re driving a professionalization in our industry — that we haven’t seen before.”
Yoran said the 2017 ransomware attacks didn’t have to be so bad.
“The combination [of WannaCry and Petya] is a face palm moment,” Yoran said. “It’s all so prototypical of our industry. This is very basic stuff. It’s been around for a while. People have known about this for a while.” He added, “This is not like some super-elite hacker. Not some nation state, a sophisticated thing coming down. It’s the basic blocking and tackling that people just still don’t get, they still aren’t getting basic hygiene. People still aren’t going bounds checking. They’re still writing buffer overflows.”
As damaging as the attacks where for some, they may have had a positive effect for others. Yoran said Boards of Directors “today would be negligent to ignore cyber risk to the extent that they rely on technology which pretty much every enterprise does.”
Yoran has observed some organizations now going the extra distance with a security vendor, asking the vendor how the organization can better manage their own security program. These organizations want metrics. And want to know what can be done without putting the entire organization on the line.
“Cyber risk and technology risk are a core components of business risk today,” Yoran said. “Hey, if we’re accepting this business risk, then we want to mature our practices around cyber and that’s a trend that has started to evolve our industry a lot faster than it has been in the past.”
What will reduce the risks to organizations? It depends
“I’d say if somebody’s focused and you have a funded advisory who is focused on intent with any modicum of skill they are going to get into your environment,” Yoran said. “At that point how do you raise the bar? How do you make it more difficult for them? And how do you decrease your time to detection?”
So, given all that, is cybersecurity better today?
“Broadly, things are better — maybe too broadly,” Yoran added with a chuckle. “The risk today is probably higher than it’s ever been as organizations rely more on technology than they have before, as core processes and technologies get more and more complex, more and more interconnected. Complexity is the enemy of security.”
That and perhaps the threats today are more persistent?
“The threat actors are as or more aggressive than they’ve ever been,” Yoran said. “I think from that perspective things are probably worse off than we’ve seen in years past. I’d say for first time, though, there’s a light at the end of the tunnel. We can see a path to improvement, which is really driven by outside influence.”
Yoran said the vast majority of the high-profile breaches that occur actually rely on a fairly simple subset of exploits which are occurring out in the wild. And as more organizations exercise better hygiene – bring more professionalism to their cybersecurity programs — that will raise the overall protection against these threats, whether it is targeted or if somebody stumbles upon you as an exposed entity.