[BreachExchange] Why Security Firms Do Not Share The Cost Of Bad Reputation After A Cyberattack?

Destry Winant destry at riskbasedsecurity.com
Mon Dec 3 10:36:56 EST 2018


https://www.forbes.com/sites/yiannismouratidis/2018/12/01/why-security-firms-do-not-share-the-cost-of-bad-reputation-after-a-cyberattack/#76e68fbbbf33

The Marriott hotel chain is the most recent 'big name' that fell prey to a
cyber attack, after the discovery that personal data of their clients
had been breached. It was such a big story that it made the headlines of
many major media companies. However, a closer reading reveals an issue
which is kept behind the lights of publicity. The more I read the several
articles that, a few hours after the announcement, reached the top of
the search engine charts, the more I realized that none of them
mentions the company that was responsible for the cybersecurity of the
Marriott hotel chain; instead, it stayed rather on the sidelines of
the huge disaster that hit its client.

This is not the first time that something like this happens; less than
a year ago the NotPetya malware hit a lot of companies hard, among
them the shipping giant Maersk. Wired Magazine published a very
analytical article about all the details of the attack, titled 'The
untold story of NotPetya, the most devastating cyber attack in
history', but in that deep examination there was not a single
reference to the company or companies legally bound to protect Maersk
against cybercrime. The attack forced the company to reinstall 4,000
servers and 45,000 PCs, while according to gross estimations the total
cost of the attack exceeded $300 million. Even if some Service Level
Agreement may refund the victim, Maersk has risked its reputation
although it was not the only party responsible for what happened.

It is highly unlikely that these companies, and many more who have
suffered huge losses due to cyber attacks, had not installed even a simple
anti-virus protection on their systems. Even in that remote
possibility, the company that developed the anti-virus should have
shared part of the cost, material or not, regardless of the
insufficiency of the mechanisms or people involved. However, this is not
what happens in reality. Speaking recently with some security firms
and consulting companies, it seems that their general approach is to
disclaim responsibility and blame the user for not following
instructions. They do admit, though, that there is no such thing as
100% security and that, from this perspective, there is always a possibility
that even the most explicit instructions may leave a blind security
gap.

So, the whole security story looks as if it were a play where at the
beginning both customer and security firm share the publicity lights
when they sign a contract, but soon the lights turn off, the disaster
strikes and it turns into a one-act play.

