Speaking at the Gartner Security & Risk Management Summit 2019 in London, Maersk CISO Andy Powell outlined the key lessons learned from the NotPetya malware attack that hit the company in 2017.
“Maersk was not alone [in being hit by NotPetya] and anybody that thinks that Maersk was the single biggest example, is wrong. There were a lot of companies bigger than Maersk suffering even worse, but they were not as transparent as Maersk,” Powell said, as quoted by infosecurity-magazine.
The first key lesson learned from NotPetya, Powell explained, is that “transparency is everything.” “Our clients at Maersk loved us for the fact that we told them, from day one, what was going on, and we included them throughout in what we were doing.”
Another lesson learned was that “the world has changed,” Powell continued. “From a company perspective, NotPetya told us that, unless you are a government organization or a very, very highly invested-in bank, you are not going to stop a state-sponsored weapon [such as NotPetya] if it is targeted at you. We were the collateral victim of a state-sponsored attack and look what it did, so if you are trying to build a company to stop 100% of state-sponsored weapons, forget it. If you adopt a strategy around that, you will fail.”
According to Powell, organizations must adopt a two-part strategy. “First and foremost, you need a balance of proactive and reactive [capabilities]. You need to retain the ability to manage an incident, because you will assume that it will occur.”
Powell added that companies like Maersk that rely heavily on operational technology should “protect OT – not just conventional enterprise IT – as a network that can be compromised.”