Why Do Security Firms Not Share the Cost of Bad Reputation After a Cyberattack? by Yiannis Mouratidis

02/12/2018 09:34

The Marriott hotel chain is the most recent 'big name' to fall prey to a cyber attack, after the discovery that personal data of its clients had been breached. It was such a big story that it made the headlines at many major media companies. However, a closer reading reveals an issue which is kept out of the spotlight. The more I read the articles that reached the top of the search engine rankings a few hours after the announcement, the more I realized that none of them mentions the company responsible for the cybersecurity of the Marriott hotel chain; instead, it stayed on the sidelines of the huge disaster that hit its client.


This is not the first time that something like this has happened; less than a year ago the NotPetya malware hit many companies hard, among them the shipping giant Maersk. Wired magazine published a very detailed article about the attack, titled 'The untold story of NotPetya, the most devastating cyberattack in history', but in that deep examination there was not a single reference to the company or companies legally bound to protect Maersk against cybercrime. The attack forced the company to reinstall 4,000 servers and 45,000 PCs, while according to rough estimates the total cost of the attack exceeded $300 million. Even if some Service Level Agreement may refund the victim, Maersk has risked its reputation although it was not the only party responsible for what happened.


It is highly unlikely that these companies, and many more that have suffered huge losses due to cyber attacks, had not installed even simple anti-virus protection on their systems. Even in that remote case, the company that developed the anti-virus should have shared part of the cost, material or not, regardless of the insufficiency of the mechanisms or people involved. However, this is not what happens in reality. Speaking recently with some security firms and consulting companies, it seems that their general approach is to disclaim responsibility and blame the user for not following instructions, even though they admit that there is no such thing as 100% security and that, from this perspective, there is always a possibility that even the most explicit instructions leave a blind spot in security.


So, the whole security story looks like a play in which, at the beginning, both customer and security firm share the publicity spotlight when they sign a contract, but soon the lights go out, disaster strikes and it turns into a one-actor play.
