All News

<< Next Post - Previous Post >>

Can a pen and paper really save you from a Cyber Incident?


We all know the adage:
It is not a question of "IF" you will be hacked, but "WHEN".

This is true for all companies in all industries.

The ultimate answer to this problem is, to quote a famous French film:
"What is important is not the fall, but the landing." (*)

However, when speaking to upper management about cyber risks and the cost to implement remediation or prevention security controls, the answer we often get is a "Don't worry, we will be fine. We can just operate manually with pen and paper until we fix everything again”.

It might be true for (very few) companies, but the reality is unfortunately often much more complicated than that.

A recent example is a cyber-attack that occurred in the Indian Ocean region this week:
Leal Réunion, a car dealership on the Réunion island, got attacked by a hacker group.
This attack is impacting their ability to use their IT systems and some sensitive financial information has also been stolen along with a demand for ransom.

The immediate operational fall out, after only a few days, for that company is quite severe:
2.5 million euros turnover loss and 70% of their work force put in partial unemployment.

This is not surprising because many industrißes, like the automotive industry, where the core business does not appear to be IT Related believe they can operate without IT.
After all, they sell cars. Not IT equipment.
They have a few showrooms where a customer needs to be physically there to get their goods, they are not banks where the money/good is accessed virtually.
As such, hackers should not care about them, and they can just go back to the "good old days of paper ledgers”.

The reality is unfortunately quite different.
Hackers, in their infinite generosity, care about everyone and everyone is a potential target.
Furthermore, all companies nowadays are in fact heavily reliant on IT systems.

Not appreciating these facts is a dangerous risk posture to have.

It is a stark reminder of the importance to continuously re-evaluate your cyber risks exposure, impact, and procedures.

  • Could your business sustain a similar successful attack, where IT systems are down, and sensitive data is being leaked?
  • Could you really operate "manually" with a pen and paper, and for how long?
  • Could you adequately respond to a cyber incident, do you have the relevant procedures in place and understood/practiced?

    If Leal Reunion thought they could, they are now finding out the hard way they actually couldn't.

    Your IT/Security teams should ask themselves those questions and continuously re-evaluate their risk exposure whilst assessing if their remediation controls are adequate.
    Having Incident response procedures documented is important, practicing those procedures is more important.

    Below is a link for further information on this attack (in French):
    Francetvinfo news website article

    Feel free to contact us if you have any concerns or questions related to your incident response readiness.

    (*) A more accurate and full translation of the quote would actually be:

    "It's the story of a man who falls from a 50-story building.
    The guy, as he falls, repeats to himself constantly to reassure himself:
    'So far, so good. So far, so good. So far, so good.'
    But the important thing is not the fall, it's the landing."

    This quote is from a movie called "La Haine”.
    In cyber-Security there are, of course, a few more nuances:
  • How you fall: do you have any security controls in place? are they configured correctly? etc
  • and from which height you fall: Do you have any backups? any security logs? etc
    But we could argue it is all part on how you can land... if you are well prepared then it should make little difference, how and from where you fall.

  • << Next Post - Previous Post >>