As global supply chains become increasingly digital, companies are exposed to risks from umpteen indirect sources. A system is only as strong as its weakest link, and hackers will hunt meticulously to uncover a vulnerable component.
This exploitation comes at a high price. According to IBM's Cost of a Data Breach Report, the average total cost of a breach is $5.52 million for enterprises of more than 25,000 employees and $2.64 million for organizations with fewer than 500 employees. Ransomware adds a further cost, and many companies pay the ransom demanded. In May and June 2021, Colonial Pipeline Co. and JBS SA paid attackers $4.4 million and $11 million respectively to recover encrypted data after massive cyberattacks.
Other impacts include disrupted customer service, undermined trust, and loss of competitive edge.
Cybercriminals are evading barriers and identifying weaknesses to exploit supply chains more effectively than ever before. In the case of Colonial Pipeline, the attackers logged in with a compromised password on a legacy virtual private network (VPN) account that required only a single factor of authentication and was not protected by multifactor authentication (MFA).
Attacks not only cripple companies but also hurt customers. Eighty percent of breaches involve personally identifiable information (PII). Attackers combine leaked PII and passwords to take over an individual's other accounts across the web. Additionally, any break in a supply chain, whether at your business or at a third- or fourth-party vendor, disrupts the production of goods and services while also driving up prices.
In the CrowdStrike Security Report — a survey of more than 1,000 participants — two-thirds of senior IT decision-makers and cybersecurity professionals revealed that their organizations had experienced a software supply chain attack. The same number confessed that their company is not adequately prepared to defend against a future breach. Businesses must be proactive and focus on building cyber resiliency to prevent exploitation.
The National Institute of Standards and Technology (NIST), part of the United States Department of Commerce, publishes a Cybersecurity Framework that organizes the safeguarding of IT assets into five functions: Identify, Protect, Detect, Respond and Recover. The following steps follow that structure.
Locate potential threat vectors — routes that malicious attacks may take to get past your defenses and infect your network — by conducting internal risk and vulnerability assessments. Consider hiring a company to perform an advanced assessment.
Take the necessary actions to protect your organization and prevent threat events:
- Exposure reduction. In addition to the basic protection provided by firewalls and antivirus software, it is vital to establish privileged access procedures. Follow the principle of least privilege: each employee, account and system gets only the access required to do its job, and access to sensitive data is granted only to those who need it and is removed when that need ends.
Tools like behavioral analytics, endpoint detection and response (EDR), artificial intelligence (AI) and threat intelligence can strengthen defenses. Companies should adopt secure coding practices and refer to the Open Web Application Security Project (OWASP) Top Ten Web Application Security Risks.
- Employee commitment and training. Employees are the last line of defense in cybersecurity and one of the most common threat vectors. It is critical to engage every employee; the executive suite is not exempt. Establish a culture of healthy suspicion among employees. This approach may seem overly paranoid, but the stakes can be high.
Institute awareness training and internal phishing campaigns to expose employees to the newest spam and social engineering techniques. Any employee who falls for a phishing campaign should immediately be required to undergo training. Instill a strong password culture in which employees use a unique, strong password for every account, ideally kept in a password manager, and enforce multifactor authentication on remote access and other sensitive systems. Ensure that employees understand that once a password is exposed in one breach, it is relatively simple for attackers to try it against every other account associated with the same email address.
There are countless helpful (and free) cybersecurity resources available to supplement employee learning and keep employees updated on the latest industry trends such as the virtual training modules provided by the U.S. Department of Homeland Security.
- Insurance. Make sure you have adequate insurance in the event of an attack. Some insurance providers include ransomware protections. Inquire about what things are not covered in a cyberattack.
- Physical security. Protect personnel, hardware, software, networks and data from physical trespassing and actions. Consider solutions like surveillance cameras, security guards, security systems, barriers, locks, access keycards, fire alarms, sprinklers and other systems designed to protect employees and property.
Beware of piggybacking. Holding the door open for someone walking into the office with their hands full may seem polite, but it poses a security threat. Make sure everyone who enters company premises is authorized personnel.
- Selective business relationships. Cyberattacks through supplier networks are becoming increasingly common. According to the 2020 Cyber Resilient Organization Study by the Ponemon Institute, 56% of organizations report that they have experienced a cybersecurity breach caused by a third-party supplier. In determining an acceptable level of risk, be selective when choosing contractors or partners to work with your company.
- Incident reporting. Instill a good culture and education for reporting incidents. IT professionals are more capable of reducing potential damage if they know about it sooner.
It has been said that a network without monitoring is like a home without smoke detectors. Continuous monitoring for security events should cover physical environments, networks, service providers and user activity, including authentication logs, where credential attacks first become visible. Vulnerability scans are a great tool and should be performed regularly on internet-facing systems and on any system containing sensitive information.
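The two points above, that a password exposed in one breach gets tried against many other accounts and that user-activity monitoring should catch it, come together in authentication-log analysis. The following is an added example written for this article, not code from the author or from NIST; the log format, the source addresses and every event in it are constructed for illustration, and the thresholds (five accounts in ten minutes) are assumptions to be tuned for a real environment. It flags a source address that fails against many different accounts in a short window (password spraying, the typical shape of a credential-reuse attack) and then flags any login from that source that succeeded without a second factor, which is exactly the single-factor VPN weakness described earlier.

```python
"""Detect password spraying and single-factor logins in authentication logs.

Added example, not from the original article. The log format below is a
constructed, simplified one (timestamp, event, user, source IP, MFA flag,
result); real VPN or SSO logs differ, so parse_line() is the part to adapt.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries a password against many accounts
# (spraying), then succeeds on an account whose profile does not enforce MFA.
# A second, unrelated source shows a normal MFA-protected login and one typo.
SAMPLE_LOG = """\
2021-07-12T03:10:01Z auth user=alice src=203.0.113.7 mfa=no result=fail
2021-07-12T03:10:04Z auth user=bob src=203.0.113.7 mfa=no result=fail
2021-07-12T03:10:09Z auth user=carol src=203.0.113.7 mfa=no result=fail
2021-07-12T03:10:15Z auth user=dave src=203.0.113.7 mfa=no result=fail
2021-07-12T03:10:21Z auth user=erin src=203.0.113.7 mfa=no result=fail
2021-07-12T03:10:33Z auth user=frank src=203.0.113.7 mfa=no result=success
2021-07-12T08:02:10Z auth user=alice src=198.51.100.20 mfa=yes result=success
2021-07-12T08:05:44Z auth user=alice src=198.51.100.20 mfa=yes result=fail
"""


def parse_line(line):
    """Turn one 'ts event key=value ...' line into a dict with a datetime ts."""
    ts, _event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_spraying(records, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: [users]} for sources that failed against at least
    min_users distinct accounts inside any sliding window of length `window`."""
    failures_by_src = defaultdict(list)
    for r in records:
        if r["result"] == "fail":
            failures_by_src[r["src"]].append(r)

    hits = {}
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(fails)):
            # Advance the window start until it fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {r["user"] for r in fails[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def find_single_factor_success(records, spraying):
    """(user, src) pairs where a flagged spraying source logged in without MFA.
    These are the accounts to lock and the profiles to move behind MFA."""
    return [
        (r["user"], r["src"])
        for r in records
        if r["result"] == "success" and r["mfa"] == "no" and r["src"] in spraying
    ]


def analyze(text):
    recs = parse_log(text)
    spraying = find_spraying(recs)
    return {
        "spraying": spraying,
        "single_factor_success": find_single_factor_success(recs, spraying),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The sliding window matters: a spraying tool that paces one attempt per account every few seconds never trips a per-account lockout, so the detection has to pivot on the source address and count distinct users rather than failures per user. The second check turns the alert into an action list, because a success without MFA from a source already seen spraying is the case the Colonial Pipeline account illustrates.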
Response and Recovery
A correlation is evident between response time and the cost of an attack: industries that take the longest to detect, react, respond and remediate incur the highest costs. A fast response limits the impact of an incident, but it cannot eliminate the possibility of one, which is why prevention remains the priority.
A disaster recovery plan is critical to restoring data access and IT infrastructure after a disaster. Recovery depends on the scope of the damage.
Chart out a response plan and a remediation roadmap for all potential incident scenarios in the form of a business continuity plan. Include tactics that will keep the business operational during a disaster. Determine vendor criticality and a course of action if key vendors are attacked. Enlist backup suppliers and backups for your backups in case you need to shift to another provider to accommodate customers.
As part of an effective disaster recovery plan, it is recommended to simulate a cybersecurity breach at minimum once a year. Through these drills, relevant personnel understand their role and the procedures to be followed.
Cybersecurity will be a prominent obstacle for businesses of all sizes as supply chains become more complex. Identify weak links in the supply chain to ensure vulnerabilities are minimized and to prevent threat events. Building cyber resiliency will prepare your company for a worst-case scenario that would otherwise be more expensive and damaging.
Marc Lewis is head of information security at Visible Supply Chain Management.