More than 24 hours after news broke that a ransomware attack had effectively disabled the world’s largest advertising company, WPP has yet to fully recover.
Several hours ago, the company issued a statement acknowledging that the incident is ongoing.
According to multiple WPP employees who spoke to Adweek, staff at various offices left work early yesterday due to an inability to access their networks. And while Macs were unaffected, all who use the Windows operating system continued to experience server issues today.
Sorrell reassures staff as rivals debate next steps
“Many of you will have experienced significant disruption to your work. However, contrary to some press reports, WPP and its companies are still very much open for business,” read last night’s internal memo attributed to chairman Martin Sorrell. “We are a group packed full of highly creative, ingenious and dedicated people. I urge you all to put those qualities to use in making sure that what our clients experience in the hours and days ahead is as close to business as usual as we can possibly manage.”
Meanwhile, observers around the industry speculated about the implications of what appeared to be a chance encounter between WPP and a group of still-unknown hackers seeking to indiscriminately cripple businesses in the interest of short-term monetary gains.
Spokespeople for WPP’s chief competitors Omnicom, Publicis Groupe and IPG declined to comment on the news. But privately, many wondered whether the security systems that these huge networks currently have in place could have prevented such an incident—and how they should proceed in addressing a long-simmering threat that became very real this week.
“Over the last 24 hours, my inbox has been blowing up with messages from recruiters,” said Tom Pageler, chief risk officer and chief information security officer at Neustar, a company that specializes in risk management and related services. He added that one “very large” company had reached out regarding what it called an “urgent position” managing data security.
“The industry realizes that they’re really not where they need to be,” he said. “When you see recruiting efforts pick up, you know it’s really bad.”
An industry caught unprepared
Experts have now determined that the attack was a variation on May’s WannaCry, which also targeted Windows systems and demanded payment in bitcoin form. Despite a series of “patches” developed by Microsoft in March, both that attack and the one that hit this week did significant damage to a number of businesses and government organizations.
“Enterprises are clearly not prioritizing patches effectively,” said Forrester senior analyst Josh Zelonis in summing up his key takeaway. “While some organizations may have situations where they are unable to patch, that excuse doesn’t scale when you get a worm causing damage on this level.”
“WPP got hit because they’re so large and they have a presence in Ukraine,” said Pageler, who formerly led cyber security and fraud initiatives at JPMorgan Chase. “Ransomware is definitely here to stay,” he added, citing a dramatic growth in such attacks over the past two years.
“There’s no way to anticipate what the next attack is going to be. Marketing and security are going to have to converge in some meaningful way, because these things affect customer experiences,” said Neustar chief marketing and communications officer Steven Wolfe Pereira.
Time for marketers to step up
Agencies are not unaware of this fact. In recent years, many of the largest networks have built internal security teams equipped to deploy their own patches and hired third-party firms to test their systems by sending fake scam emails in an attempt to better gauge internal readiness. But Pageler said such wide-scale defensive measures can prove difficult within organizations as large and widespread as WPP, and other holding company sources agree that there is simply no way to know whether their own systems could have prevented what happened this week. One particularly frightening aspect of the WannaCry virus model is that it can affect fully patched systems once it gains access to the larger network.
Pageler said that, when hit by such an attack, organizations like WPP must first ensure the safety of their most important assets.
“At this time, we have no indication that either employee or client data has been compromised,” Sorrell wrote in his memo. “As you would expect, our companies and teams are in contact with clients on an ongoing basis.”
The next step usually involves reviewing both in-house and third-party security teams.
“If you’re a holding company, you’re not going to get the biggest and best [talent] because it’s not needed,” said Pageler. “They’re probably doing the minimum versus other, more heavily regulated industries like financial services that deal with critical data.”
The Neustar executive predicted that WPP will soon announce the hiring of “a heavy hitter” in the data security sphere and that comparable organizations will eventually turn to outsourcing this sort of work due to a paucity of legitimate security experts. He also argued that the general trend of hiring a chief information officer who oversees the security team is unproductive, stating that the competing goals of “making things work and fast” and ensuring a larger system’s security will inevitably conflict with one another.
“The CMO has been living in a bubble,” said Wolfe Pereira, who thinks marketing chiefs must better “understand how a data breach will affect the brand” when such incidents often lead to millions in lost revenue and years of recovery efforts.
A greater share of related responsibilities should fall to the chief marketing officer, Wolfe Pereira argued, because he or she doubles as the voice of the consumer. “IT is going to change every single business,” he added. “It’s a whole new world.”