The Rising Cost of Inaction

This week, we’ve learned of another large ransomware attack on a private company. The unfortunate victim of the latest attack was Norsk Hydro, one of the largest producers of aluminium in the world, and the attack was so significant that they reportedly had to call in national security experts to assist them with it.

Media reports state that the culprit in this instance was a ransomware strain known as LockerGoga, which infected the company’s systems and had a significant impact on operations. However, rather than pay the ransom, Norsk Hydro took the bold step of refusing. Instead, the company called in experts from Microsoft and other third-party companies to “get business critical systems back in normal operations”.

In an update on March 26th, the company said:

“A week after Hydro became subject to a cyber attack, most operations are running at normal capacity. In the most affected business area, Extruded Solutions, production is now at 70-80%, except for the Building Systems business unit, where operations remain almost at a standstill.”

While the full financial impact is unknown at this stage, Norsk Hydro states,

“It is premature to give any precise or detailed overview of the financial impact at this point. Based on a high-level evaluation, the preliminary estimated financial impact for the first full week following the cyber attack is around NOK 300-350 million (£26-40m, $35-41m), the majority stemming from lost margins and volumes in the Extruded Solutions business area.”

The incident once again highlights the threat posed by ransomware attacks, and is the second high-profile attack this month. The first, against the UK’s Police Federation of England and Wales (PFEW), was spotted on March 9th. Information Security magazine reported that, although “…the full extent of the damage remains undisclosed, the FAQs section of the announcement noted that ‘a number of databases and systems were affected. Back up data has been deleted and has been encrypted and became inaccessible. Email services were disabled and files were inaccessible.’”

It’s believed that the attack was not targeted, but part of the typical spillover from a ransomware attack: the same domino effect which hit Maersk and others so badly in 2017.

The costs of these incidents continue to rise and, although insurance is available, there is a risk that affected companies might not get the payout they hope for. This week has seen news reports suggesting that the legal firm DLA Piper plans to launch an action against the insurance firm Hiscox over claims made following the NotPetya attack in 2017. The case is reportedly in arbitration at present, and is not related to the policy exclusions, such as ‘act of war’, which have been mentioned in the media.

This has been cited as a possible reason for other insurers to avoid paying out after an attack, and Information Security magazine claims that it “is the reason that insurance giant Zurich is said to be refusing to pay out a multimillion dollar claim from confectionery giant Mondelez. The Cadbury owner is said to be suing the insurer for over $100m to cover permanent damage to 1700 of its servers and 24,000 laptops as well as unfulfilled orders and other operational disruption.”

As the costs of mitigation rise, so too do the risks for insurers, and these cases will be watched widely by companies and insurers concerned about possible loss. Insurers are naturally a bit unhappy when faced with the scale of such payouts, as are the companies having to make the claims.

The real issue remains one of detection and mitigation. As malware remains one of the key, persistent threats for all companies, it’s time companies took more steps to prevent infection. While backdoor malware infection remains the domain of the IT department, the more common, everyday threats are faced by staff. In this regard, training and awareness are of paramount importance. You might have one of the most secure platforms on the planet, but if Bob in HR decides to click on that ‘internal mail’ attachment, or needs a document from his personal USB drive which also happens to be infected, you’re not looking at the best scenario.

With better staff training and risk awareness, companies can at least know that they’ve taken steps to reduce the human factor in the equation, allowing their security software and CISO to get on with the task of maintaining and protecting their systems.

Doing nothing is not an option and could cost you a small fortune.