In the wake of the serious DP World Australia cyber attack an EY cyber security leader has warned that too many organisations worldwide remain lax in the face of the growing threat of potentially devastating supply chain hacks.
DP World is Australia’s largest port operator, and the company was forced to shut down its Sydney, Melbourne, Brisbane, and Fremantle port operations after discovering hackers had breached its systems.
The company is still in the process of resuming full operations following the attack. One regional exporter was left with 300 containers stuck in a single port.
Jeremy Pizzala is Asia-Pacific Cybersecurity Consulting Leader at EY. He warns that too many vendors are cybersecurity laggards, who are vulnerable to malware, ransomware or denial of service attacks. These can then work their way up or down the supply chain to larger organisations.
The laggards, explains Pizzala, tend to be organisations that rely on so-called operational technology (OT) – such as Internet of Things (IoT) devices – and as a result do not see cybersecurity as a high priority.
Operations tech ‘can be cybersecurity weakness’ – EY
He says: “Supply chain attacks have risen dramatically in recent years, in tandem with the rapid adoption of open-source software, digitisation, interconnectivity across the business ecosystem and the integration of OT with IT in today’s digital ecosystem.
“Attackers can inject malware into widely used IT service management platforms. Supply chain attacks are serious. They compromise sensitive information, alter data and disrupt operations. This results not only in financial losses but also reputational damage, broken trust, missed deadlines, and dissatisfied customers.”
A recent EY survey of global cybersecurity leaders found that the most heavily digitised organisations are those that are most aware of the risks posed by potentially malign software embedded in their critical business operations.
Pizzala says that these organisations are most secure because they are more likely to adopt advanced cybersecurity approaches such as DevSecOps.
DevSecOps stands for ‘development, security and operations’, and is the practice of integrating security testing at every stage of the software development process.
It includes collaborative tools and processes for developers, security specialists and operation teams to build software that is both efficient and secure.
On the general subject of cyber protection, Pizzala says it is unrealistic for businesses to conduct meaningful security checks on the hundreds of thousands of software vendors in existence, “let alone carrying out security checks on the open-source software community operating freely on the web”.
Instead, Pizzala urges organisations to:
- Adopt machine learning-based tech that identifies unusual behaviours, and so indicate the presence of attackers inside a network
- Take a zero-trust based approach that denies systems access to anyone who doesn’t require access as an essential part of their job
- Store powerful ‘super user’ credentials in digital vaults, because attackers seek these out in order to escalate attacks
- Immediately apply security patches released by software producers discovering a vulnerability.
BizClik is a global provider of B2B digital media platforms that cover executive communities for CEOs, CFOs, CMOs, and leaders in sustainability, procurement, supply chain, technology & AI, cyber and FinTech. It also covers industries such as manufacturing, energy and EV. BizClik is based in Norwich, London, Dubai & New York. It offers content creation, advertising and sponsorship solutions, webinars & events.