A Recent History of Cyberattacks: Lessons from Stuxnet and NotPetya

The new decade got off to a promising cybersecurity start, according to the Wall Street Journal. The publication reports that most information technology (IT) leaders expect their companies to increase cybersecurity spending in 2021 — some by “double-digit percentage points.”

The previous decade, alas, was a bit of a nightmare from a cybersecurity perspective. Yet, there are valuable lessons to be gleaned by information security, data privacy and third party risk management (TPRM) professionals from some of the biggest, baddest breaches of the 2010s. CNBC’s Kate Fazzini recently detailed the past decade’s most meaningful cybersecurity breaches.

Fazzini identifies each event and when it occurred, and highlights what happened and why the breach was disruptive. There are several valuable lessons embedded in her rundown:

  • Lesson #1: Third party risk management is crucial to cybersecurity: The 2013 Target breach exposed more than 100 million customer credit cards and related personal information. The incident was caused by the spread of malware from one of Target’s HVAC providers to the giant retailer’s systems. “The fact that a mundane third-party service provider opened Target to criminal hackers,” Fazzini reports, “sparked far greater focus on third-party vendors.”
  • Lesson #2: Cyberattacks also target operations technology: 2017’s NotPetya attacks, Fazzini notes, inflicted “significant damage not just to desktop computers, but to the systems that run large industrial equipment and logistics operations.” Since then, the steady convergence of information technology (IT) and operations technology (OT) has increased OT risks within companies and among their vendors. This marks a growing challenge, as my colleague, Santa Fe Group Vice President of Research Mike Jordan, has pointed out: “The three biggest challenges related to managing OT risks are, one, the people who understand cybersecurity often do not understand OT systems; two, the people who understand OT systems typically don’t understand cybersecurity; and three, the people who are assessing and auditing OT systems sometimes do not have a sufficient understanding of either.”
  • Lesson #3: There is a growing need for cyber insurance: The NotPetya ransomware virus halted operations at several massive, global companies. Some of those enterprises did not have cyber insurance policies at the time of the attacks. Others had policies, but saw their claims denied by insurers. Both situations “sparked a reckoning for the nascent industry of cyber insurance,” Fazzini writes.
  • Lesson #4: Consumers care about data privacy: The 2017 Equifax breach “will go down in history as one of the messiest and most likely to spark vitriolic outrage in consumers,” according to the article. Although the consumer credit rating agency later reached a $575 million settlement with consumers whose data was swiped in the breach, that vitriol has had far-reaching impacts. It certainly helped focus more regulators and legislators on the need for new data privacy laws, such as the rules that took effect in California at the onset of our new decade.

Learning from these and other painful cyberattack lessons may help enhance cybersecurity budgets, expertise and defenses throughout the roaring ‘20s.