At least in the computer field. Remember the NotPetya malware? Unlike the ransomware that hit Colonial Pipeline earlier this week, it wasn’t reversible, making it a tool of vandalism – I shan’t dignify it was the ‘ware’ suffix, which might make it seem sexy or something. It’s just a vandal’s tool.
This interview with Adam Banks, the Chief Technology & Information Officer of Maersk, the big shipping concern that was one of the victims of NotPetya, is revealing:
“All end-user devices, including 49,000 laptops and print capability, were destroyed,” he says. “All of our 1,200 applications were inaccessible and approximately 1,000 were destroyed. Data was preserved on back-ups but the applications themselves couldn’t be restored from those as they would immediately have been re-infected. Around 3,500 of our 6,200 servers were destroyed — and again they couldn’t be reinstalled.”
The cyber-attack also hit communications. All fixed line phones were inoperable due to the network damage and, because they’d been synchronized with Outlook, all contacts had been wiped from mobiles — severely hampering any kind of coordinated response.
Maersk was hardly the only company experiencing an IT meltdown at the hands of NotPetya: food and beverage manufacturer Mondelez, pharmaceutical giant Merck, advertising agency WPP, health and hygiene products maker Reckitt Benckiser, French construction company Saint-Gobain and FedEx’s European subsidiary TNT Express were among thousands of multinationals impacted. [Global Intelligence for Digital Leaders]
Staggering by sheer numbers.
It seems to me that the measure of your vulnerability correlates to how closely you approach 1 in the monoculture metric – that is, if all your company uses is Microsoft, you’re going to be a 1. Doubt it?
Banks is candid about the breadth of the impact: “There was 100% destruction of anything based on Microsoft that was attached to the network.”
And it appears the closer your company is to a 1, the more likely blackmailers and vandals can inflict serious damage on your company.
This raises the question, no doubt already under discussion or even answered among IT security professionals: do we limit our efforts to trying to stop the initial infection, or do we accept that occasionally it will happen and structure the systems to resist and hinder the spread of such software once it’s become present in a company’s networks? And how much does that add to our costs?