If you run a company — Plan for being taken out !!!

Bo Ilsoe
Feb 6, 2019

If you are a skier, you know it can be dangerous, at times even deadly. Running a company can be as dangerous ! The more time I spend with entrepreneurs, investors and customers around cybersecurity, the more worried I get.

Now — imagine that you run 15 % of world trade through your company. You have 88,000 employees, you have offices in 130 countries around the world, you have more than 60,000 endpoints (PCs, laptops, tablets) deployed globally, plus servers, mobile phones, switches, and routers — the works ! ONE day it all stops working !

THIS ONE day arrived at Maersk, a Danish logistics conglomerate, on the 27th of June, 2017. Almost NO computers worked. Queues of trucks formed outside ports, container ships the size of football fields stopped in the middle of the ocean, people had their contact databases wiped, and nobody knew why.

Maersk had been attacked by a vicious “weaponized” malware called NotPetya. NotPetya DESTROYED everything in its wake AND fast. So you are the leadership team. A legal and PR disaster is in the making, and you still do not know how to tackle it, how deeply it has infected your operations, how long it will last, who else was attacked, etc., etc., etc.

The official cost estimate of this attack on Maersk was quoted as being in excess of $300M. Unofficially, much larger numbers have been floated.

I heard the account of these events unfolding when I attended a briefing by the former CISO of Maersk, Mr. Andy Jones, who was running the operations center of the Maersk infrastructure out of Maidenhead in the UK at the time of the attack. Some of the learnings from this attack, he said, were :

- Plan for it ! Plan for being taken out.

- It moves very quickly to being a legal and PR problem.

- Know the movers and shakers in the industry.

- Assume you haven’t thought of everything.

- Rehearse extreme scenarios.

Here is an account of the attack : https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

Now, for the last 18 months, I have been spending considerable time in and around cybersecurity investing with NGP.

The reason I wanted to bring this up is that the more time I spend with entrepreneurs, investors and customers around cybersecurity, the more worried I get. Here is the catch : When security in your systems works … NOTHING happens !!! It is like your home alarm : you only install one once you have had a burglary.

I don’t know the state of your cybersecurity protection. All I know is, chances are that you are infected in some way or other. It may not be something that brings down your business. But it could still create a lot of nasty problems.

Unfortunately it takes, on average, about 100 days — that is THREE MONTHS — in Western Europe for companies to DETECT that they have been compromised. Think about it.

How much did you invest in your cyber defences this year ? Oh, your services are running in the cloud ? Yes, the threat surface is even more complex and vulnerable there, as systems are so distributed. Using SSL does not mean that a service is secure.

I met an unnamed cyber expert who works closely with/for (a bit hazy) the government of a large EU nation. He said that they knew that criminals already were investing heavily in hacking AI/ML algorithms. He quoted a figure in excess of $1B invested for one organised crime syndicate alone. I have no way of verifying this information, but it certainly sounded scary. There are a lot of very sophisticated, very motivated attackers out there. It is not only nation states that can bring a lot of resources to the table.

I don’t want to be the scaremonger here. BUT how much resource and time do you spend in the management team discussing your cyber defences and vulnerabilities ? How many times have you been attacked or compromised ? Do you have APIs or integrations with other partners ? What do you know of their systems ? Are you in the process of acquiring another company ? What do you know about their cyber defences ? A friend of mine was in charge of acquiring the consumer business of Yahoo on behalf of AOL (Verizon) in 2017. Guess what ? The release of news about the breach of 500M (that is 500,000,000 !!!) Yahoo accounts did not speed up the acquisition — as you can imagine, it was almost aborted at the time. Who knows what concessions the buyer extracted from Yahoo shareholders at that time.

What I learned over the last 18 months is that this — cybersecurity — is a CEO and board problem. It is far too important NOT to be.

Now, some good news — as there are many attackers, there are also many folks working on making our world safer.

Let’s be vigilant. Plan for the worst !

Written by Bo Ilsoe

Partner at NGP Capital. Raised in Europe. Shaped around the globe. Sharing my learnings through Notes to CEO's.