A cyberattack vs. CompuCom will cost the MSP between $5 million and $8 million in lost revenue, and up to $20 million in cleanup costs. ODP, parent of CompuCom and Office Depot, disclosed the cyberattack costs on Friday night, March 26. Cyber insurance may cover a portion of the cyberattack costs, ODP added.
CompuCom initially disclosed the malware attack in early March 2021. The attack involved DarkSide ransomware, multiple sources told BleepingComputer. However, CompuCom has not publicly confirmed that assertion. The malware attack arrived at an extremely sensitive time, considering ODP is seeking to sell CompuCom.
CompuCom Cyberattack: Lost Revenue and Cleanup Cost Estimates
Fast forward to present day. CompuCom says the cyberattack has triggered the following costs and financial losses, according to an ODP statement:
Lost Revenue: Between $5.0 million and $8.0 million in lost revenue “as a result of the incident (primarily because of CompuCom’s need to temporarily suspend certain services to certain customers).
Cyberattack Cleanup costs: “The Company expects to incur expenses of up to $20 million, of which the Company assumes approximately $10 million will be accrued through the first quarter of 2021. These expense estimates are primarily related to CompuCom’s efforts to restore service delivery to impacted customers and to address certain other matters resulting from the incident. The Company carries insurance, including cyber insurance, which it believes to be commensurate with its size and the nature of its operations and expects that a portion of these costs may be covered by insurance.”
Service Restoration: “CompuCom was able to substantially restore delivery capabilities as of March 17, 2021. The Company expects that CompuCom will have service delivery restored to substantially all of its customers by the end of March 2021. As a part of the restoration efforts, CompuCom has taken actions to efficiently and securely restore service delivery to its customers while hardening its systems with enhanced security measures and advanced anti-malware agents.”
ODP disclosed the cyberattack cost estimates on Friday night, March 26 — after U.S. markets closed and after most U.S. east coast IT media organizations had gone home for the weekend.
CompuCom parent ODP is currently in a quiet period ahead of its Q1 2021 financial results. The first quarter earnings call is scheduled to occur on or about May 5, 2021, ODP added.
CompuCom Up for Sale
The attack comes at a particularly bad moment for CompuCom — considering the MSP is up for sale. Indeed, Office Depot parent ODP Corp. is exploring strategic options for CompuCom, including a potential sale of the MSP business, ODP CFO Anthony Scaglione indicated in February 2021.
To safeguard against such attacks, ChannelE2E recommends the following MSP steps:
1. Embrace Multi-Factor Authentication: Activate two-factor/multi-factor authentication (2FA/MFA) on all systems — including MSP software platforms, administrator systems and end-user systems where ever possible. Longer-term: Check in with all of your vendors to understand the current state of their 2FA / MFA strategies, upcoming enhancements and multi-vendor relationships.
2. Configure BDR and Security System Alerts: Check in with security and business continuity platform suppliers. Learn how to properly configure BDR and security systems so that administrators receive alerts whenever system settings are changed or adjusted. Longer-term: Potentially explore third-party 2FA/MFA platforms that can assist this effort. Strive to ensure that BDR and security setting updates/changes require an approved MSP administrator who has 2FA/MFA access.
3. Embrace an MSP Documentation Platform to document your data protection and cybersecurity processes, disaster recovery plans, etc.
4. Stay Informed: Sign up immediately for U.S. Department of Homeland Security Alerts, which are issued by the Cybersecurity and Infrastructure Security Agency. Some of the alerts specifically mention MSPs, CSPs, telcos and other types of service providers.
7. Integrate Wisely: Connect the dots between your cybersecurity and data protection vendors. Understand how their offerings can be integrated and aligned to (A) prevent attacks, (B) mitigate attacks and (C) recover data if an attack circumvents your cyber defenses.
8. Partner With MSSPs: All MSPs need to get more serious about managed security services. But it’s unwise to suggest that all MSPs will transform into full-blown MSSPs. As an MSP, decide which pieces of the risk mitigation puzzle you can truly manage, then partner up with a true MSSP to fill your gaps. (Related: Top 250 MSSPs, from MSSP Alert.)
9. Refocus Your Travels: As face-to-face conferences get canceled amid the coronavirus pandemic, explore virtual alternatives to continue your cyber education.
10. Additional Suggestions: If you are aware of such attacks and have best practices for risk mitigation and recovery, email me: Joe@AfterNines.com.