Friday, December 14, 2018

Point of View Matters

Just a quick thought this morning as I'm reading the news on the attack against Italian oil services firm Saipem across Twitter and other news outlets. It struck me fairly quickly that much of what my security industry peers read is very one-sided, and perspective matters.

Allow me to illustrate.

This article, from Reuters, shows up on most of the business wires:
https://www.reuters.com/article/us-saipem-cyber/saipem-revenues-will-not-be-impacted-by-cyber-attack-idUSKBN1OC1D4
It's short and gets to the point quickly.

  • the attack on the firm will have no impact on the group's revenues
  • a cyber attack crippled over 300 computers and servers in the Middle East
Short. To the point. Leads with the big story first (no revenue impact).

This article was retweeted a bunch on the Twitter hacker and information security feeds: https://www.cyberscoop.com/shamoon-saipem-palo-alto-networks/
It paints a different story.
  • uses words like "notorious", and highlights an outage
  • it focuses on the negative impact (technologically) of the attack
  • likens it to the Saudi Aramco attack, and "one of the most destructive cyberattacks in history"

Saipem's own website has this to say: http://www.saipem.com/sites/SAIPEM_en_IT/con-side-dx/Press%20releases/2018/Cyber%20attack%20update.page and it is much more frank and simple in its explanation.

Now, let's get perspective.

Corporate leadership likely reads the short version, on Reuters, which basically says "No financial impact, some computers got broken, move on." On the security side, we see a different, more in-depth (obviously) story develop. Now when you go to your CEO or CFO and say, "We need to do more to protect ourselves so we're not the next Saipem," your CFO/CEO will likely look back at you and ask why. There was no revenue impact; the risk seems to have been appropriately handled.

Think about this, as you look at security risks to your organization.
