Maersk, the global shipping company and one impacted by June’s NotPetya malware, revealed last week the cyberattack could end up costing the company as much as 300 million dollars. While that may not be enough to sink a company with revenue in the billions, it is still a very painful loss: money that could have been spent in a much more productive fashion.
Another less publicised but very painful attack on the logistics industry was suffered by road haulage firm TNT, which is still struggling to clear its backlog and recover from the NotPetya attack in June. Without access to vital computer systems, visibility of truck and parcel locations was lost, parcels backed up in warehouses and consignments went missing. While the full impact of the attack will be unclear for some time, owner FedEx has stated the fall-out from NotPetya will have a “material” effect on the company.
Seemingly, digital transformation is a Hobson's choice for traditional large industries: those who fail to adopt the latest computer and data systems are potentially consigned to the scrap heap of history while those who adopt too fast leave themselves open to crippling cyberattacks. Logistics firms, rail companies, power, and shipping: nobody is out of the cross hairs of the attackers.
These attacks are typically financially motivated, with criminals attempting to extort money by holding important data to ransom. But there are other reasons for these attacks too – from mischief, to disruption, to sabotage. When data is the lifeblood of a business, having someone work their way inside and accessing it can be costly. Businesses, particularly those key to critical national infrastructure and trade, must take a robust and hard-line approach to their digital defences as a primary part of their digital transformation activities.
In a company press release issued on 16 August, Maersk wrote the system shutdowns caused by NotPetya “resulted in significant business impact especially within the container business”. While Maersk’s computer systems were left paralyzed for a period of time, CEO Soeren Skou has publically stated there was "no data breach or data loss."
Fortunately, Maersk had systems in place that prevented NotPetya from making a much more severe impact. Having gone through this experience, there’s a good chance the company will further strengthen its defences. Its industry cohorts would be wise to do the same.
What does this mean, exactly? It means knowing where the important data is, why it’s important, and who should be allowed to see it and when. Having identified what data is important, protections must be put in place that take account of the market they’re in, the data’s real value, and the profiles of anyone who might want to disrupt them.