He runs the crisis management division at software company EcoOnline
Ferrari may be best known for its slick supercars, but the Italian manufacturer recently made the headlines when it was hit with a ransom demand from cyber-criminals.
The luxury sportscar brand said its Italian subsidiary had been “contacted by a threat actor with a ransom demand related to certain client contact details.” Typically, ransom cases involve criminals threatening to leak stolen data online unless they are paid. In this case, it’s believed a hacker gained access to some of Ferrari’s IT systems, including some client names, addresses and phone numbers.
The car giant added, “Upon receipt of the ransom demand, we immediately started an investigation in collaboration with a leading global third-party cybersecurity firm. In addition, we informed the relevant authorities and are confident they will investigate to the full extent of the law.”
The price of Ferrari’s ransom demand isn’t known, but such demands can run into millions. Just recently, Royal Mail was reported to have dismissed an eye-watering £67m ultimatum. And in a stance that will meet the approval of cyber experts, Ferrari is rightly adamant it won’t cave in.
“The recommended practice is to not pay a ransom, because it fuels criminal activity,” says IT expert Andrew James. “Even if a business does pay, there’s no guarantee hackers will do what they have promised in return.”
Instead of capitulating, Ferrari has informed customers that their data may have been exposed. “We believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident,” said the statement.
“We have worked with third-party experts to further reinforce our systems and are confident in their resilience. We can also confirm the breach has had no impact on the operational functions of our company.”
While Ferrari has no doubt chosen the right course of action, the case is a salutary reminder that the threat of cyber-attack is very real.
“All companies have risk, whether they prepare for them or not,” says Morten Kopke, who leads the crisis management team at software specialist EcoOnline. “Ultimately, regardless of sector and speciality, it’s a make-or-break difference in shareholder value for those that handle crisis well.”
With this in mind, here are Morten’s best-practice tips for managing cyber-security risk, whatever the size of your business.
It’s easy for businesses to adopt an ‘if it ain’t broke, don’t fix it’ attitude when it comes to crisis strategy, assuming it’s a problem they’ll never have to face. However, this is a near-sighted and hazardous approach.
Recent global events have taught us that no one is immune to cyber-security attacks, and it’s much easier to recover from a breach if there’s a pre-emptive defence strategy in place. Having a plan also boosts customer confidence: a proven track record of how your business will manage potential crises informs everything from external reputation to insurance premiums.
It’s essential to have a crisis team that is briefed and ready to deal with any events as they arise, so that operational disruption can be kept to a minimum. It’s crucial to share the load so that responsibility does not fall on only one person, which risks a system meltdown if that person is unavailable.
Incorporating your crisis strategy into a centralised, cloud-based dashboard can help businesses to streamline data collection and information management. This means data can be synchronised across your customer base, keeping your records updated with the latest information. Moreover, it enables plans to be updated seamlessly and staff crisis training to be kept up to date. Having access to this rich data can help businesses to demonstrate compliance, with transparency being key for customer relations as well as any auditing processes.