Analysis of the al-Shamoon Virus Attack

It is upon this background that the al-Shamoon virus attack should be analyzed to asses the managerial finance repercussions of shutting down a company that going by 2011 figures produced 9.1 million bpd and refined 4.02 million bpd in its facilities around the world. Clearly, Aramco plays a very crucial role in not only stabilizing global oil prices but also safeguarding global energy security which is why a virus attack on the company is more than just a security issue.

Cyber assaul

Indeed, cyber assault has become one of the key managerial concerns in the energy sector (King, 2012) where major corporations have fallen target to hackers with various energy sector companies including Qatar’s Rasgas and ExxonMobil’s joint venture as well as Maersk being targeted in the past few months.

As of 2012, the global demand for oil stood at 86 million bpd and with Aramco’s average production for the first three quarters of the year standing at 9. 7 million bpd, half a million more than last year, Aramco accounts for about 11.

3% of global energy needs (Leyden, 2012).

Get quality help now

RhizMan

Verified writer

Proficient in: Attack

4.9 (247)

“ Rhizman is absolutely amazing at what he does . I highly recommend him if you need an assignment done ”

+84 relevant experts are online

Hire writer

The choice of August 15 was a calculated move because the hackers new that the company’s employees would not be at work and therefore unleashing the virus on such a day would inflict the most damage. According to Aramco’s press release following the attack, more than 75% of its corporate PCs were affected by the virus. The virus wiped out data ranging from e-mails to spreadsheets, to documents and other types of files from around 30,000 computers.

The president and CEO of the company later asserted that the hackers primary intention was to shut down the entire company’s operations including oil and gas production but that this objective had failed and production activities were continuing normally (Perlroth, 2012).

As a measure to curb the spread of the virus, the company shut down its entire internal corporate network, and brought in security experts to try and contain its spread as well as analyze its code in order to ensure that the company took the necessary measures to prevent the occurrence of a similar attack in future.

One of the effects of this attack is that employees can no longer remotely access the internal network as well as their corporate network email as they used to due to constant disruptions and fear that allowing remote access makes the company more vulnerable to similar attacks (Perlroth, 2012). The managerial finance repercussion of this is that the cost of operation rises since teleworking is not as efficient as it was prior to the attack and this means that employees productivity reduces directly impacting on Aramco’s bottom-line.

The losses of the organizations

Ultimately, the organization losses a lot of man hours as a result of this attack. In addition, Aramco had to substantial results not only through contracting international security experts in the wake of the attack but also in replacing the affected computers to fully purge the internal corporate network off the al-Shamoon virus. While a company of Aramco’s stature would most likely downplay the effects of an external threat of this magnitude as the company evidently did, the effects are more widespread than the company would admit (Leyden, 2012).

Given the role of Aramco in ensuring price stability in the global oil market, the primary role of the company in this regard is to reassure the market that all is well and that there is nothing to worry about in as far as oil productivity and availability in the market is concerned (Leyden, 2012). Any hint that a company that produces more than 11% of the world’s petroleum needs could be incapacitated would send shockwaves throughout the global oil market and inevitably result in an escalation of oil prices.

Safeguarding and increase security

That seems to be the underlying market concern and the reason why after the al-Shamoon virus attack, the company would continue to spend colossal amounts of money in safeguarding its installations - an issue that is ultimately managerial more than it is security. In an interesting PR stunt, Aramco’s management limited the damage caused to the system to the cost of replacing the hard disks of the 30,000 PCs affected by the virus and the time it took the IT department to complete the work of replacing the disks (Perlroth, 2012).

According to Ashford (2012) however, the destruction caused by the virus is more than Aramco is willing to admit. For starters, even though the company admitted that 30,000 computers were damaged and that the data in those computers could not be recovered, this lost data has not been quantified and the company only limited the cost to replacing the hard disks. Clearly, what is of value is not the hard disks themselves but rather what they contain and until that lost data is quantified and a cost attached to it, the actual cost arising from the attack will remain a mystery.

In addition to this, the attack affects more companies than just Aramco in terms of increased security spending to avert similar attacks (Kennedy, 2012). The scale of the company and the success with which the virus destroyed data has caused other companies in the industry to rethink their own security. Interestingly, in an effort to further downplay the attack, Aramco’s management asserted that indeed the August 15, 2012 attack was not the first time the company’s computer system was being attacked and further stated that “it would not be the last time either”.

Notably, it took Aramco more than a week - precisely 10 days to replace the hard disks on the computers that were affected by the virus and put the internal system back up, a factor that from a management perspective raises further questions about the actual cost of the sabotage (Ashford, 2012). Considering that 30,000 workstations were affected during the attack, then from a conservative estimate, it would mean the affected employees lost a minimum of a week in lost man hours and therefore the time lost by the company employees is not just what was spent on the restoration exercise by the IT department as Aramco would like people to believe.

The losses arising from this incidence clearly goes further than the IT department. Assuming that the company’s oil production activities were not affected in any way and that, in the company’s vice president’s words “not a single drop of oil was lost”, the issue of reduced productivity in as far as human resources are concerned still arises meaning that there were still more losses than the company admits (Mahdi, 2012).