EY cyber leader warns of IoT supply chain risks
In the wake of the serious DP World Australia cyber attack an EY cybersecurity leader has warned that too many organisations worldwide remain lax in the face of the growing threat of potentially devastating supply chain hacks.
DP World is Australia’s largest port operator, and the company was forced to shut down its Sydney, Melbourne, Brisbane, and Fremantle port operations after discovering hackers had breached its systems.
The company is still in the process of resuming full operations following the attack. One regional exporter was left with 300 containers stuck in a single port.
Jeremy Pizzala is Asia-Pacific Cybersecurity Consulting Leader at EY. He warns that too many vendors are cybersecurity laggards, who are vulnerable to malware, ransomware or denial of service attacks. These can then work their way up or down the supply chain to larger organisations.
The laggards, explains Pizzala, tend to be organisations that rely on so-called operational technology (OT) – such as Internet of Things (IoT) devices – and as a result do not see cybersecurity as a high priority.
Operations tech 'can be cybersecurity weakness' - EY
He says: “Supply chain attacks have risen dramatically in recent years, in tandem with the rapid adoption of open-source software, digitisation, interconnectivity across the business ecosystem and the integration of OT with IT in today's digital ecosystem.
“Attackers can inject malware into widely used IT service management platforms. Supply chain attacks are serious. They compromise sensitive information, alter data and disrupt operations. This results not only in financial losses but also reputational damage, broken trust, missed deadlines, and dissatisfied customers.”
A recent EY survey of global cybersecurity leaders found that the most heavily digitised organisations are those that are most aware of the risks posed by potentially malign software embedded in their critical business operations.
Pizzala says that these organisations are most secure because they are more likely to adopt advanced cybersecurity approaches such as DevSecOps.
DevSecOps stands for ‘development, security and operations’, and is the practice of integrating security testing at every stage of the software development process.
It includes collaborative tools and processes for developers, security specialists and operation teams to build software that is both efficient and secure.
On the general subject of cyber protection, Pizzala says it is unrealistic for businesses to conduct meaningful security checks on the hundreds of thousands of software vendors in existence, “let alone carrying out security checks on the open-source software community operating freely on the web”.
Instead, Pizzala urges organisations to:
- Adopt machine learning-based tech that identifies unusual behaviours, and so indicate the presence of attackers inside a network
- Take a zero-trust based approach that denies systems access to anyone who doesn’t require access as an essential part of their job
- Store powerful ‘super user’ credentials in digital vaults, because attackers seek these out in order to escalate attacks
- Immediately apply security patches released by software producers discovering a vulnerability.
******
For more insights into the world of Technology - check out the latest edition of Technology Magazine and be sure to follow us on LinkedIn & Twitter.
Other magazines that may be of interest - AI Magazine | Cyber Magazine | Data Centre Magazine
Please also check out our upcoming event - Sustainability LIVE Net Zero on 6 and 7 March 2024.
******
BizClik is a global provider of B2B digital media platforms that covers executive communities for CEOs, CFOs, CMOs, sustainability leaders, procurement & supply chain leaders, technology & AI leaders, finTech leaders as well as covering industries such as manufacturing, mining, energy, EV, construction, healthcare and food.
Based in London, Dubai, and New York, Bizclik offers services such as content creation, advertising & sponsorship solutions, webinars & events.