Want to know the ugly (like, SUPER ugly) truth about how badly a dirty piece of malware could cripple your law firm? Check out the recently released spreadsheet shared by Michael Sampson. Michael calculated the impact of NotPetya on DLA Piper, including direct costs of the IT staff, and the numbers are startling. Even scarier, the numbers don’t include the lost productivity of partners and lawyers, who were without email for four days.
In a nutshell, Michael thinks the law firm lost $2.25 million just on IT labor alone.
“For the direct costs of recovery, assuming a fully-burdened cost per hour of labour at $150, I get $2.25 million. This does not include lost productivity for partners and lawyers who were unable to work, or who had to find workarounds during the post-attack weeks. There is no doubt that this cost of lost productivity was many, many times the cost of the IT team.”
And that is just the cost of the IT labor! Can you imagine the losses from attorneys spread around the globe who couldn’t work for four straight days?
I won’t share Michael’s spreadsheet here because I think you should go visit it yourself and give him your traffic. Suffice it to say, DLA Piper suffered significant damage to its bottom line thanks to lost productivity and, presumably, lost client confidence.
Wait, What Happened?
In case you’re not aware of the DLA Piper story, or of NotPetya, let me back up a bit…
In June of 2017, a nasty piece of ransomware took the globe by storm. It was a file-scrambling software that targeted Microsoft Windows PCs. Unlike other ransomware outbreaks, which are usually launched in order to make money for cybercriminals who “ransom” the keys to unlock the scrambled content, this particularly frustrating malware seems to exist just to spread “merry mayhem.”
The “mayhem” crippled DLA Piper, as Michael Sampson notes:
- every data centre and Windows-based server was impacted
- due to having a flat network structure, NotPetya was able to spread very quickly
- the firm had no email for 4 days
- the IT team put in 15,000 hours of paid overtime in the first three weeks in order to recover
- the first two weeks after the attack were spent trying to find salvageable equipment, but eventually the decision was made to just start afresh
- the IT team re-created the entire infrastructure in the third week. Good backups made this possible.
So, How Did NotPetya Spread So Quickly?
Here is what The Register recently reported (underlines mine):
Crucially, NotPetya seeks to gain administrator access on a machine and then leverages that power to commandeer other computers on the network: it takes advantage of the fact that far too many organizations employ flat networks in which an administrator on one end point can control other machines, or sniff domain admin credentials present in memory, until total control over the Windows network is achieved.
One way to gain admin access is to use the NSA exploits. Another way is to trick a user logged in as an admin or domain admin into running a booby-trapped email attachment that installs and runs the malware with high privileges. Another way is to feed a malicious software update to an application suite running as admin or domain admin, which starts running the malware on the corporate network again with high privileges. It is understood NotPetya got into corporate networks as an admin via a hijacked software update for a Ukrainian tax software tool, and via phishing emails.
Annnnd Here We Are Again…
While I understand that it is very important for your technological networks to be built and run in a way that prevents widespread failure, such as what DLA Piper learned about its system of global networks, it is also critical to train your employees to recognize phishing emails. Malware may be tapping at the back doors of your many networks and you’re using high-tech Jiu Jitsu to block them. But these malicious programs are also kicking down the front door to your network by offering your employees carrots on sticks that they can’t seem to resist.
Phishing is targeted at the basic human instinct of curiosity. Whether it’s an email that appears to be from the CEO offering us a raise, or a coupon from the nearby pizza chain, your employees need to recognize when something looks “phishy.”
The only way to protect that front door is through ongoing security awareness trainings. Note that word: “ongoing.” We all know that if you need to change a habit, you need to get your messaging in front of people on a regular basis. Additionally, since criminals are constantly changing their tactics, you need a security awareness training program that constantly monitors the dark underbelly of cybercrime and creates trainings to protect your firm.
I highly recommend KnowBe4 and I believe in their work so resolutely that I have partnered with them to offer their training content. Heck, just read their blogto see how passionate they are about protecting you from cybercrime.
I’ve written many blogs about the successes that law firms see from their KnowBe4 security awareness training. If you’d like a free demonstration, please contact me today. Consider it the first step toward protecting your front door.