At the Gartner Security & Risk Management Summit 2019 in London, Andy Powell, CISO at Maersk, outlined the key lessons learned from the NotPetya malware attack the company, along with many others, suffered in 2017.
“Maersk was not alone [in being hit by NotPetya] and anybody that thinks that Maersk was the single biggest example, is wrong. There were a lot of companies bigger than Maersk suffering even worse, but they were not as transparent as Maersk,” Powell said.
Therefore, the first key lesson learned from NotPetya is that “transparency is everything,” Powell explained. “Our clients at Maersk loved us for the fact that we told them, from day one, what was going on, and we included them throughout in what we were doing.”
Another lesson learned was that “the world has changed,” Powell continued. “From a company perspective, NotPetya told us that, unless you are a government organization or a very, very highly invested-in bank, you are not going to stop a state-sponsored weapon [such as NotPetya] if it is targeted at you. We were the collateral victim of a state-sponsored attack and look what it did, so if you are trying to build a company to stop 100% of state-sponsored weapons, forget it. If you adopt a strategy around that, you will fail.”
What organizations must do is adopt a two-part strategy. “First and foremost, you need a balance of proactive and reactive [capabilities]. You need to retain the ability to manage an incident because you will assume that it will occur.” In an era when state-sponsored weapons are going to be used in many cyber-attacks, organizations need to strike that balance between reactive and proactive capabilities.
Powell said that organizations also need to learn and understand “the way in which our businesses are changing. The attack surface is massively changing. The old fortified front door, ‘let’s stop them there’ approach, must go. We are all digitizing and creating one-to-one relationships with our customers, which we need to protect.”
There’s also the fact that companies like Maersk rely heavily on operational technology (OT) which, if disrupted, can cost organizations millions of dollars, Powell added. So it’s about “how we protect OT – not just conventional enterprise IT – as a network that can be compromised.”
Finally, lessons must be learned about crisis management, he said. “There is no such thing as a divide between technology and business in any company anymore, particularly when it comes to cyber. You have got to operate as one.”