As summer was taking hold at the end of June, so too did one of the great modern threats in the digital age, with a global cyber attack bringing some of the world’s largest organisations to their knees.
The Petya malware attack held Fedex, the Ukrainian government departments, its central bank and airports to ransom as well. Caught up within the global fall out was the world’s largest advertising agency network, WPP, which was affected for around 10 days and cost the company up to £15m before insurance, its chief executive Sir Martin Sorrell has revealed for the first time.
Speaking to The Drum at the end of a busy two days in Cologne while attending Dmexco, Sir Martin spoke about the hack openly for the first time, revealing the impact and praising many of his staff and clients who helped see the company through the period of the attack.
“You can never be comfortable because you can never be 100% certain. It’s a bit like consumer brand safety, you can’t be certain that you aren’t going to have a problem on Google or Facebook but it means that you reduce the possibility of something going wrong,” he responds calmly when The Drum begins to ask just how he has begun to protect it from future attacks and adds that companies must ready themselves for these “inevitable” events.
“It lasted intensely for about a week. We had heavy internal communications that we handled reasonably well and we learned that it was important to not try and do everything. It didn’t affect the whole company. The timing for the attack was interesting for various reasons [taking place at around midday in the UK] and gave us a bit more flexibility. You don’t always get that advantage but we moved pretty quickly to contain what we could contain. There were parts of the company that were severely hit, but it took us seven to 10 days to work our way through it. But we set the priorities whereas at the beginning we were trying to do everything. You can’t do everything – you have to find out where your biggest problems are and sort through them line-by-line and have a regular communication with your key people from all the constituencies, not just the operational constituencies. It can be legal, client, PR, the usual people you bring in on a crisis situation. Over-communicating is better than under communication because if there is a vacuum, people see ghosts that don’t really exist. To some extent we’ve still got issues. Also it acts as a catalyst. If you were doing things and doing them too slowly you catalyse.”
He continued: “The amazing thing, with phishing for example, you carpet bomb people by saying ‘don’t do this’ and ‘don’t do that’ but some of these attacks are becoming increasingly sophisticated in their methodology. It’s amazing what people do when they look at something that obviously looks as though it is a scam and it’s accepted still – it’s incredible,” he laments before admitting that other attempts have recently taken place – including one he describes as “absolutely extraordinary” that took place over the phone.
“If you saw it in a film you wouldn’t believe it. It’s amazing how brazen and how calculating they can be. You are dealing with very sophisticated and ballsy people with strategic intent.”
He also reveals that the company has held a post-attack summit with around 50 chief executives to discuss what transpired.
“Tactically you have to be very sure that you have gone through the fire drill,” he warns after describing such attacks as “an existential crisis” and surprisingly admits that “in a way, we were lucky” as the company’s systems are not fully integrated meaning that it did not spread across the whole of WPP.
Going forward, Sorrell is aware that the threat continues to be present for all companies and that it is only likely to get more and more sophisticated over the years, which is why the company is now also investing an incremental £10m-£15m a year on preventative measures – a cost he describes as “not enormous” with the infrastructure that is already in place within the network.
Sorrell also took the opportunity to commend the company overall, and was clearly impressed by the commitment that many showed to overcoming the attack.
“We’d outsource systems to our partners, chiefly IBM who did a good job in helping us deal with all of the issues. It was wearing for our people and literally was 24/7. The other thing that was interesting was the ingenuity of people even going back to pen and paper while dealing with it – they were very resourceful. We had a couple of cases where we were in the midst of logistics and literally the pitch day disappeared. People in high pressure situations responded magnificently. It’s amazing, and I know this is a bad analogy, when you look at what happened with the Hurricanes, it’s amazing what people can do in highly distressing or pressurized situations. People would work 24/7 day-after-day and after a week of it they really began to suffer. But from seven to 10 days we were still sorting through it. The clients were good and you will never know for sure as some clients might not say anything or you might have missed out on an opportunity without knowing that you missed out, but by-and-large we had a lot of client interest and a lot of client involvement.”
Finally, when asked how the experience of the attack ranked in crisis he’s faced while leading WPP for the last three decades, he responds with the surprisingly casual; “I’ve had worse weeks.”
In which case, the mind boggles as to what weeks those might have been.