In June of 2017, Nuance Communications became one of the many victims of NotPetya, a swift but barbarous attack that swept across continents. Though similar to ransomware, the malicious code was intended not just to encrypt data but essentially to destroy it. In some instances, that extended to the hardware that hosted the data itself. The attack on Nuance Communications brought down 14,800 servers, of which 7,600 had to be replaced as they were beyond repair. It affected 26,000 workstations, of which 9,000 had to be scrapped. When the company contacted its global hardware vendor about purchasing replacements, the vendor did not have that many units in inventory, so they had to be manufactured. IT personnel worked on a 24/7 basis for six weeks restoring everything before anyone was able to take off a single day. Replacement and recovery costs approached $60 million and the attack itself cost the company over $100 million. (To learn more about recent attacks, see The Health Care IT Security Challenge.)
Nuance was not the only one to sustain such destruction. Maersk, the largest container shipping company in the world, was forced to replace 4,000 servers and 45,000 workstations. In addition, 2,500 applications had to be reinstalled. Said Maersk CEO, Jim Hagemann, “We had to reinstall an entire new infrastructure.” In another case, Princeton Community Hospital in West Virginia also faced the daunting task of replacing its entire network as quickly as possible.
The numbers alone are truly staggering, but the speed with which the attack took place is mind-numbing. In the case of Nuance Communications, the time between infiltration and destruction was fourteen minutes. Now consider the fact that the malware attack could have been easily defended against by installing a simple patch for the SMB vulnerability, which Microsoft had released months prior to the attack. Many victimized companies were still running Windows XP on their network, which was particularly prone to the attack.
The Cost of Not Doing It Right
Mark Siegel, a research scientist at the MIT Sloan School of Management, states that there is an inverse ROI of not investing adequately in cybersecurity or critical IT infrastructure. Not only does research show this, but both global malware attacks last year also clearly illustrated the relationship between investment and network disruption. Those companies that invest properly save money in the long term. Those that do not “just learn what it costs not to do it right.”
Too often, IT is viewed as a cost center that only subtracts from the bottom line. Executives look at cost reductions as a way to improve margins, thus improving profitability. The problem is, of course, that a cybersecurity incident involves costs at multiple levels.
- First, there is the cost of the disruption to operations. In the case of Nuance Communications, their cloud-based transcription service was down for several weeks. In the age of digital transformation, in which companies are rushing to digitize as many services as possible, a network disruption disrupts revenue streams as well.
- There is the cost of recovery. Businesses that lack the necessary talent or people may have to bring in outside help. Hardware may have to be replaced, requiring immediate CAPEX.
- A data breach can result in the loss of high-value proprietary data, which could reduce a company’s competitive advantage in its industry.
- The personal records of customers and employees can be compromised, opening up a company to possible regulatory fines as well as litigation costs and awarded compensation.
- Finally, there is a cost to the company’s reputation and loss of confidence of its customers and consumers.
Now consider the fact that according to the U.S. National Cyber Security Alliance, 60 percent of small companies that sustain a cyberattack are out of business within six months. Skimping on IT can translate into the elimination of your entire business. Couple this with the fact that 87 percent of organizations were hit with a cybersecurity attack in 2016. Suddenly, the math starts adding up in favor of investment.
While it is true that an investment in cybersecurity does not equate to a direct increase in revenues, it does provide substantial savings and can ensure the preservation of capital and assets during a cyberattack. C-level executives must realize that there is a substantial opportunity cost to not investing properly in IT. This may in fact require a new approach to calculating ROI and financial benefits concerning cybersecurity and infrastructure investments. This approach should include a business impact analysis of a cyber-incident and a risk assessment. The company should clearly define what its acceptable level of risk is. What’s more, it is important that the top leadership of the company be aware of the advantages of cyber investment as well, so that the appreciation of proper investment is embedded within the DNA of the company.
The Cost of Legacy
Last year, a major Fortune 20 corporation began a $34 million enterprise migration that would occupy a highly specialized staff over an eighteen-month period. The company was depending on 26 essential applications that helped process $21 billion of financial transactions a year. These applications still resided on a 25-year-old mission-critical IBM mainframe that was absorbing $6 million a year just in support costs. One of the applications was supported by a part-time retired SME who was in her 70s. Imagine the vulnerability of this company when you consider all of the “what-ifs” that could have resulted in devastating consequences. The migration involved transferring all of the applications to the AWS public cloud.
Legacy costs can prove substantial for organizations today. From infrastructure to licensing, ongoing legacy system maintenance comes at a high price. These costs tend to increase rapidly over time as technology changes and the system becomes more vulnerable with age. Finding compatible hardware, as well as finding talent with the specialized skill sets required, can prove highly challenging. Furthermore, companies that fail to adapt to new enterprise architectures such as hybrid IT and cloud computing can find themselves antiquated versus their more nimble and agile competitors. IT must now function at the speed of business in order to allow businesses to take advantage of narrow windows of opportunity and respond to industry disruptors. This was nearly impossible with the IT infrastructure of even ten years ago. (Are you running old equipment in your business? Then check out Is It Time to Refresh Your Office Technology?)
In a digitally connected world that is driven by the consumerization of IT, where the internet has become as ubiquitous as electricity itself, and that is vulnerable to something as simple as a malware-embedded email attachment, companies cannot skimp on IT investment. IT budgeting is a moving target that must be flexible, adaptable and, most of all, sufficient. For companies today, IT is not a cost center, but a center of opportunity.