The WannaCry ransomware in May crippled hospitals, railways and government in more than 150 countries: the biggest cyberattack on the books, affecting hundreds of thousands of computers. Few paid up, but with systems down for days or weeks, bottom lines certainly suffered regardless.
A month later, the Petya worm exploited the same Microsoft Windows vulnerability – both despite the fact that Microsoft had patched the bug in March.
And just weeks after that, a similar attack (dubbed “NotPetya” after initial reports misidentified it) took most of the Ukraine offline and spread to more than 60 countries, again interfering with hospitals and infrastructure and therefore putting much more than ransom dollars at risk.
These blockbuster attacks, however, are just the tip of the cybercrime iceberg. Two-thirds of German hospitals have suffered cyberattacks, hospital directors and chief executives admitted in a recent Roland Berger study. The U.S. Department of Energy is even now helping power companies defend against a campaign that targeted at least a dozen players in the nuclear, power and critical infrastructure sectors.
From SMBs to large corporations, it seems no one is immune to these increasingly sneaky attacks; most have even come to view an attempted hack as inevitable. And yet, very few are ready. Ukrainian Prime imnister Volodymyr Groysman believes no country is prepared to defend against these types of attacks.
But, that’s not entirely true. Some businesses and governments are readier than others.
Ready: Mauritius, Rwanda and Kenya
The International Telecommunications Union (ITU) gave these three African countries the highest marks in the region in its Global Cybersecurity Index based on their legislative frameworks, technical capacity to respond to incidents and cooperation with other countries.
“Kenya, ranked third in the region, provides a good example of co-operation through its National Kenya Computer Incident Response Team Coordination Centre (National KECIRT/CC),” said ITU.
Among 144 countries surveyed, Kenya ranked 45th. Singapore topped the list, followed by the U.S.
Not Ready: SMBs
One-third of small- and medium-sized businesses believe a cyberattack is inevitable, and one-quarter would even call it “likely.” Yet three-quarters have set aside no budget for recovery in the event they get hit. Only 14 percent had a detailed and tested plan in place, according to a PolicyBee survey.
“Large corporates will all have a ‘what-if’ plan in place that has been stress-tested via a crisis simulation or role play exercise,” said Sarah Adams, cyber insurance expert, who commissioned the study for PolicyBee. “They will know exactly what to do in the event of a cyber-attack. However, small businesses seem to be chancing their luck and, despite expecting to be hacked, aren’t preparing.”
If anything, said Adams, SMBs need a plan even more than big corporations, because it doesn’t take long for an incident to hurt individuals’ day-to-day livelihood.
Ready: U.S. Homeland Security
Reuters reported last week that the U.S. Department of Homeland Security and the FBI had issued an alert to industrial firms regarding a hacking campaign that targeted nuclear, power and critical infrastructure sectors. Shortly thereafter, the departments issued a joint statement assuring the public that there was “no indication of a threat to public safety.”
At least one nuclear plant was among the intended targets, said the Department of Energy, which is helping to mitigate the impact. Fortunately, the attack was identified before it could affect electricity generation or the power grid. DOE has distributed technical details about the attack and suggestions for mitigation among industry players.
Despite reports that it was hit, the Wolf Creek Nuclear Operating Corp. said the plant was continuing to operate safely.
“There has been absolutely no operational impact to Wolf Creek. The reason that is true is because the operational computer systems are completely separate from the corporate network,” company spokeswoman Jenny Hageman told Reuters via email.
Still, with enough time, it wouldn’t be impossible for hackers to make their way from digital business networks into operational systems, said nuclear expert David Lochbaum.
“Perhaps the biggest vulnerability nuclear plants face from hackers would be their getting information on plant designs and work schedules with which to conduct a physical attack,” Lochbaum said.
Not Ready: Ukraine
Hindsight is 20/20, and it’s pretty clear by now that Ukraine was not ready for the scale of cyberattack that struck it on June 27. More than 2,000 attacks hit in 64 countries, yet none suffered quite as much as Ukraine, where the attacks crippled healthcare and shipping systems for days.
But Ukraine isn’t the only one still recovering from the NotPetya attack. Maersk, the world’s largest shipping company (which is based in Ukraine), had to redirect ships when the attack left ports unable to process normal docking and unloading procedures. Nuance, a major voice and language tool provider, just got its sites and doctor dictation service eScription back online last Sunday.
Some of the world’s biggest companies are calculating revenue hits as high as nine figures. Reckitt Benckiser, the maker of Nurofen OTC migraine pain relief products, Dettol cleaning products and Durex condoms, is one of them. The attack disrupted both production and distribution in multiple countries, costing the company around £100 million ($129,366,500) in revenue, Nurofen estimated.
Even if Reckitt recoups the losses in Q3, as it expects to do, it will still slash net revenue projections for the year from 3 percent to 2 percent. And it’s one of the luckier ones.
Comparitech.com reported that companies that experience a data breach feel the repercussions in stock prices for years to follow. Companies that fell victim to cyberattacks underperformed Nasdaq by 7.3 percent in the first year and by a whopping 41.6 percent over three years.
“A data breach can harm both public sentiment and a company’s competitive edge in the market depending on the type of breach,” said Paul Bischoff, a researcher and privacy advocate for Comparitech. “In this study, we wanted to quantify that “sentiment” and assess the impact on investors through Wall Street’s reaction to a data breach.”
Charlie Huggins, fund manager at Hargreaves Lansdown, agreed.
“Cybercrime is fast becoming the No. 1 risk for companies, which is absorbing greater resources and management time,” Huggins said. “But the reputational cost of getting this wrong can be significant, so it’s vital businesses commit the appropriate resources to reassure investors.”
OK, so what does that look like? From large companies down to individual users, there are a few tips that can help everyone stay safe in this risky environment. CNET starts with the basics: Don’t slack on social media security, be careful with emails, don’t brush off passwords, and keep your Windows OS updated – the company releases patches whenever vulnerabilities are discovered.