Danish shipping company Maersk says the NotPetya cyber attack will cost between $200 million and $300 million in a combination of lost business while its systems were locked and ships were grounded, the cost of short-term work-arounds, and new investments to rebuild systems. A Maersk official said the company responded as best it could, but “there’s no benchmark for this.”
No company wants to deal with an attack head-on like Maersk or the thousands of others hit by NotPetya. No company wants to be stymied when crucial suppliers get hit or infect their systems. Like every company, Secure Halo undertakes security controls and processes to maintain the best cybersecurity posture possible for our own enterprise. We asked security experts from our team for a top take-away from NotPetya and the Maersk loss disclosure.
Importance of patching. Timely patch management, backed by mitigations for what cannot yet be patched, is the most effective way to reduce security exposure. Even when a known exploit has no patch or fix available, exposure can be reduced by restricting how the affected system can be reached, for example by limiting network access to it, closing unneeded ports and disabling services that are not required. Too often, systems are deployed with minimal security so that they are easy to reach for business purposes. Unfortunately, easy access applies to everyone, including the hacker or bad actor.
According to Greg Midgett, Senior Implementation Engineer, IT Operations, “the best rule is to only allow access to those who absolutely require it and only when that need exists. A proper defensive posture may cause some inconvenience, but will often deter attackers that are thwarted initially by better practices. As demonstrated by many malware/ransomware incidents, specific companies or individuals are not necessarily direct targets. Instead a ‘shotgun approach’ employed by these actors yields the greatest take.”
Understand your digital ecosystem. According to Nick Streaker, Vice President, Technical Solutions, “If critical business functions are being outsourced, they become a single point of failure in determining your effectiveness. This makes applying a security process and security fundamentals to areas that are beyond your control, but not beyond your influence, essential to empowering your organization.”
Third-party cyber risks should be considered upfront when contemplating shifting the operational control of a critical element of the business, since doing so means you relinquish some of your own preventative and detective control. Whatever your own security posture, you assume the risk of every organization connected to your digital ecosystem, so measures should be taken to influence these relationships.
What you can influence:
- organizational processes for vendor management
- assessment of risk involved with outsourcing services
- the security language written into third-party agreements and contracts
Read the full white paper on “Understanding and Managing Cyber Risk: A Three-Part Framework.”
Prepare for Business Continuity. Proactive cybersecurity means being ready for any eventuality. Our Enterprise Security Assessment Program Manager Brendan Fitzpatrick has found that surprisingly, companies often forget important considerations that make it easier to get back to business in the event of an attack.
“We’ve seen several self-inflicted information security wounds, for example, failing to test disaster recovery and business continuity plans. We’ve seen some larger organizations store all disaster recovery plans and procedures on the organization’s network shares. When a disaster occurred, they lost access to those plans because they didn’t have a complete set of offline copies.
Less obvious problems: many organizations forget that procedures like Change Management are an essential part of information security. If you do not track and control all changes to your environment, then it becomes likely that additions or changes will undermine your security. An example: a firewall port is opened for a special project or purpose but not documented or approved in the change management system. The project ends, and the organization forgets to close the port.”
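The forgotten firewall port described above is a drift problem: the live firewall state no longer matches what change management approved. The check below is an added example, not code from Secure Halo or from the original post. It parses a constructed `iptables-save` dump, compares every port-opening ACCEPT rule against a constructed change register (the ticket IDs and dates are hypothetical), and flags rules that have no approved change record or whose temporary approval has expired while the port stayed open.

```python
import re
from datetime import date

# Constructed sample of `iptables-save` output standing in for the live
# firewall state on a host. Not taken from the original page.
FIREWALL_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT
"""

# Constructed change-management register with hypothetical ticket IDs.
# A temporary project opening carries the date its approval expires;
# a permanent opening has expires=None. Port 3389 was never recorded.
CHANGE_REGISTER = [
    {"id": "CHG-1001", "proto": "tcp", "port": 22,
     "status": "approved", "expires": None},
    {"id": "CHG-1002", "proto": "tcp", "port": 443,
     "status": "approved", "expires": None},
    {"id": "CHG-1050", "proto": "tcp", "port": 8443,
     "status": "approved", "expires": date(2017, 6, 30)},
]

# Date of the audit run, chosen so that CHG-1050 has already expired.
AUDIT_DATE = date(2017, 8, 16)


def parse_accept_rules(rules_text):
    """Return (chain, proto, port) for every ACCEPT rule that opens a port.

    Rules without --dport (such as the ESTABLISHED,RELATED rule) are not
    port openings and are skipped.
    """
    opened = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith("-A ") or not line.endswith("-j ACCEPT"):
            continue
        chain = line.split()[1]
        proto = re.search(r"-p (\w+)", line)
        port = re.search(r"--dport (\d+)", line)
        if proto and port:
            opened.append((chain, proto.group(1), int(port.group(1))))
    return opened


def audit_firewall(rules_text, register, today):
    """Compare open ports against the change register.

    Returns a list of (chain, proto, port, finding) tuples, one per rule
    that either has no approved change record or whose approval expired
    before `today` while the port is still open.
    """
    approved = {(c["proto"], c["port"]): c
                for c in register if c["status"] == "approved"}
    findings = []
    for chain, proto, port in parse_accept_rules(rules_text):
        change = approved.get((proto, port))
        if change is None:
            findings.append((chain, proto, port, "no approved change record"))
        elif change["expires"] is not None and change["expires"] < today:
            findings.append((chain, proto, port,
                             f"{change['id']} expired {change['expires']}; "
                             "port still open"))
    return findings


def run_audit():
    """Run the audit over the constructed sample and return its findings."""
    return audit_firewall(FIREWALL_RULES, CHANGE_REGISTER, AUDIT_DATE)


if __name__ == "__main__":
    for chain, proto, port, finding in run_audit():
        print(f"{chain} {proto}/{port}: {finding}")
```

Run against a real host, the input would be the output of `iptables-save` and the register an export from the change-management system; the useful property is that the check is cheap enough to schedule daily, so a port opened for a project is flagged the day its approval lapses rather than being rediscovered during the next incident.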