Cost of cybercrime – Analysis of Maersk’s case

Published on 05 September 2017

It is very rare that we hear exact numbers from companies who were victims of a cyberattack. Although Ponemon Institute publishes a research report annually on this topic that gives an insight from a global perspective, the data is aggregated so it doesn’t provide details of individual cases. That is why the quarterly report of A.P. Moller – Maersk is an extraordinary read for security professionals. Just to recap, A.P. Moller – Maersk was one of the major high-profile victims of the NotPetya malware at the end of June 2017. According to a report the time,

in the two days since the Maersk Group was hit by the Petya ransomware attack, operations at many of its sites across the globe have returned to manual.

As the company’s press release states:

in the last week of the quarter we were hit by a cyber-attack, which mainly impacted Maersk Line, APM Terminals and Damco. Business volumes were negatively affected for a couple of weeks in July and as a consequence, our Q3 results will be impacted. We expect the cyber-attack will impact results negatively by USD 200-300m.”

That is approximately 1% of the global yearly revenue of the Danish shipping behemoth.


Average cost of cybercrime

As it turns out from the Ponemon research, US organizations have the highest average cost of cybercrime ($17.36 million), and Australia has the lowest ($4.30 million). In the Maersk case, the numbers are 10 times higher. Since Maersk is number 558 on Forbes Global 2000 list, we can be sure that there are many more companies who had, have or will suffer the same amount or even higher losses due to cybercriminals, not to mention the thousands of smaller companies who may have  suffered losses in line with the Ponemon average. Therefore, we can conclude that cyberattacks are even more costly than stated in the report.


Avoid losses

There are various solutions to avoid these losses. First of all, cybersecurity should be a priority for all companies. There aren’t verticals or companies whose daily operations that do not rely on IT, but there are verticals and companies who don’t care with IT security as they are unregulated or they simply follow the “nothing has happened yet” principle. We have to warn them that a whole industry’s operations can be upended by cyberattacks like the shipping industry experience in the summer of 2017. Besides the Maersk case, HMS Queen Elizabeth is running outdated Windows XP and theoretically exposed to exploits, and based on a BBC report some crucial nautical communication systems, such as Ecdis and VSat also have vulnerabilities. Moreover, when two modern, highly equipped US Navy ships collide with other vessels in the span of three months (4 cases in total this year), a cyberattack is one of the first things that occurs to experts. We don’t know who will be the next victim, but don’t be surprised if a new industry joins the list of compromised victims.


Key factors to reduce the cost of cybercrime

Amongst others, Ponemon highlights some key factors from the technical perspective of successful companies that are also essential to reduce the cost of cybercrime (excerpt):

  • Faster detection and recovery. To reduce the time to determine the root cause of the attack and control the costs associated with a lengthy time to detect and contain the attack, these organizations are increasing their investment in technologies to help facilitate the detection process.
  • Reducing third-party risk. These organizations are able to reduce the risk of taking on a significant new supplier or partner by conducting thorough audits and assessments of the third party’s data protection practices.
  • Addressing insider threats. A possible negative consequence of reorganization or acquisition of a new company can be disgruntled or negligent employees. These organizations ensure processes and technologies are in place to manage end user access to sensitive information. Further, there are training and awareness programs in place to address risks to sensitive data caused by changes in organizational structure and new communication channels.
  • Optimizing SIEM. These companies deploy advanced security information and event management (SIEM) with features such as the ability to monitor and correlate events in real-time to detect critical threats and detect unknown threats through user behavior analytics.


In Maersk’s case, NotPetya was the main source of financial loss. Our friends at Scademy have published an extensive list how NotPetya could have been eliminated. One of their pieces of advice is to “restrict the local administration access to privileged users; avoid giving each of your users’ local admin access to all machines unless necessary to protect against the PsExec vector”.



We at Balabit are working on products that can successfully reduce the financial losses due to cyber incidents and truly support those the efforts mentioned above, especially the privileged user problem. Balabit Privileged Access Management (PAM) is primarily designed for the support of rapid incident investigation to reduce the detection and recovery time. Here you can find how to accelerate your incident response with privileged access management. Balabit Privileged Session Management is an efficient module of our PAM solution to reduce third-party risks. Here you can find some tips for managing third party system administrators. Together with Balabit Privileged Account Analytics module which is specialized for analyzing privileged user behavior, it also gives a good option to combat with insider threats as it is described in our essential guide to privileged user monitoring. Moreover, Balabit Log Management product line can help you to build an efficient log management infrastructure as you can read in our log management essentials report.

by Csaba Krasznay

Csaba Krasznay is Balabit's Security Evangelist. He is responsible for the vision and strategy of Balabit's Privileged Access Management solutions. He was elected to the “Most Influential IT Security Expert of the Year 2011”.

share this article
Mitigate against privileged account risks
Get in touch

Recent Resources

The top IT Security trends to watch out for in 2018

With 2017 now done and dusted, it’s time to think ...

The key takeaways from 2017’s biggest breaches

Like many years before it, 2017 has seen a large ...

Why is IT Security winning battles, but losing the war…?

When a child goes near something hot, a parent will ...

“The [Balabit] solution’s strongest points are the privileged session management, recording and search, and applying policy filters to apps and commands typed by administrators on monitored sessions.”

– The Forrester Wave, Privileged Identity Management, Q3 2016, by Andras Cser