Cyberattack to change relationship between software vendors, customers


As more companies digitise and increasingly rely on third-party software to run nearly all aspects of their operations, cyber threats throughout the software supply chain will continue to grow, Moody’s says. — AFP photo

KUALA LUMPUR: Taking the recent Sunburst cyberattack in the US as an example, Moody’s Investors Service has warned that cyberattacks will significantly change the relationship between software vendors and customers in terms of cybersecurity behaviour.

“As more companies digitise and increasingly rely on third-party software to run nearly all aspects of their operations, cyber threats throughout the software supply chain will continue to grow,” it said.

The rating agency said the equipment-heavy oil and gas (O&G), electric utility and water utility sectors in the US were facing more cyberattacks as they digitised critical operations.

It said the digitisation of operations and remote connectivity had increased opportunities for hackers targeting critical infrastructure, increasing the need for the sectors mentioned above to step up their cybersecurity measures to keep pace with the increasing sophistication of the attacks.

“If new remote work arrangements become permanent, cybersecurity teams will also need to consider protection for employees connected from their self-managed wireless networks,” it said in its latest report released on Wednesday.

According to the report, cyber risk to industrial sectors had grown dramatically, led by ransomware attacks that affect industrial processes, intrusions enabling information gathering and process information theft.

“Critical infrastructure companies are attractive ransomware targets because the risks associated with operational disruptions can induce payouts,” it said, adding that supply chain risk remained a critical area of concern.

In terms of cyber regulations, Moody’s noted that sector, revenue model and company size could all influence cyber practices.

“For example, because most water and wastewater utility systems are smaller than investor-owned and publicly traded companies, they have limited financial resources.

“This means that the decision to allocate capital for cybersecurity investments has to compete with other, unrelated, local policy goals,” it said.

According to Moody’s, generation and transmission-owning electric utilities were the only companies across the critical infrastructure space that were subject to mandatory cybersecurity regulation and had stronger governance practices.

“By contrast, water and wastewater treatment facilities and O&G companies face more limited cybersecurity regulatory oversight, and are not subject to any penalties for failing to meet certain cyber standards,” it said. — Bernama