Today's world runs on complex networks of intelligent technologies that enable quick innovation and the efficient movement of goods. But with increasing interconnectedness, companies need to fortify their cybersecurity plans. And given the highly diffuse nature of modern supply chains, the risk of falling victim to a security breach has never been higher.
In 2017, the personal data of over 70 million customers was exposed in a breach of Target's network in which the hacker went after one of Target's vendors, an HVAC company that had lax security measures in place. The breach demonstrated the risk posed not only directly to companies, but also indirectly via openings among third-parties. According to a survey conducted by the Ponemon Institute, 56 percent of organizations have had a breach that was caused by one of their vendors.
Cybercrime can spell disaster for a business, damaging both employee and customer relationships—and most importantly, brand reputation. With regard to supply chain, an attack can compromise the efficiency of delivery routes, client confidentiality, and product quality. Across industries, the biggest challenge for cybersecurity involves determining the nature of the threat, and how to go about investing in the right types of controls to patch vulnerabilities.
As with anything else, prevention is always the smartest option. There are many simple practices you can incorporate to lower your organization’s chances of being affected by a supply chain attack.
1. Assume Attack is Inevitable
Oftentimes, companies treat cybersecurity like just another box to be ticked on a list of regulatory standards. This passive approach needs to be replaced by continuous, active effort to determine risk areas and develop contingency plans. Be proactive and base your cyber strategy on the assumption that your business will eventually be the target of an attack, and have a recovery plan in place in order to minimize the impact.
Cyberthreats come in the form of both hardware and software, phishing emails and other scams, and are constantly evolving and upgrading. As a result, stagnant defenses translate to vulnerable ones. By conducting timely and regular risk management assessments, you can prevent a breach from becoming a casualty.
2. Organize People Around Processes (You're Only as Strong as Your Weakest Link)
Human error is a common pitfall when it comes to cybersecurity—swift reaction to a breach is only possible if all of your employees are on the same page.
You can think of this next step as a matter of reorganizing the system you have in place rather than adding arduous new steps to your cybersecurity routine. Consolidate the rules protecting your data in a handbook that is accessible to all employees—this ensures that everyone is informed and that SOPs are clear so that if an emergency occurs, the response is quick and damages are limited. Ideally, there are two main documents: one that is company-wide and another that is department-specific. This way, all of your bases are covered and the specific needs of each department are met. And of course, everyone should be informed of any changes to the documents.
3. Control Information Privilege
While making company data accessible can help eliminate obstructive information gaps, it should be done in a conscientious way. The more people that have access to a database, the more difficult it becomes to pinpoint who is accountable for what. A good solution to this challenge is to conduct an audit to determine the current state of affairs, and then limit data access by only giving employees of a certain rank or team access to crucial information, revoking that access once it’s no longer relevant to work-related tasks. In other words, not all information has to have the same level of protection.
This concept is particularly important with respect to third-party vendors, which hackers are now targeting more frequently due to their tendency to have less stringent security policies in place. When selecting a vendor, you should factor in the rigor of their own cybersecurity framework, coordinate due diligence, and align on how and with whom they, in turn, are sharing information. One way to approach this is by implementing a "one-way feed," in which vendors provide data and benefit from the mutual insight, stopping short of an information free-for-all.
4. Invest In Updated Software (Because Antivirus Can't Save You)
Updating software might seem like a no-brainer, but not all businesses have someone on their payroll who is explicitly responsible for making sure updates actually happen. Hackers usually find it much easier to get into systems with older versions of software, so cybersecurity common sense says to stay one step ahead of the enemy by remaining up to date.
While it might be tedious, it’s important to assign someone to ensure that your software is in good shape, given that antivirus software provides a very limited means of protection. In fact, a 2015 study found that experts are far more likely to prioritize installing software updates, while non-experts were more likely to prioritize antivirus in their online safety practices.
5. Be Smart About Passwords
There’s a reason multi-factor verification is growing more widespread: the more layers of security, the better. Using a number of unique passwords and security checks (biometrics, pin/pattern codes, etc.) creates more barriers to hackers. The three types of information that Multi-Factor Authentication typically makes use of are: something you can memorize (e.g. a password or pin), something that you own and can be accountable for (a device that’s traceable and/or which has an ID), and something you are (e.g. fingerprint scans, etc.). In addition, using a password manager simplifies the process of keeping track of all this information.
Cyberthreats aren’t going away any time soon. Like the biological viruses they so often resemble, they will become faster, smarter, and more rampant, necessitating an iterative approach that evolves accordingly. These best practices can help keep your data secure and your supply chain resilient. As with most things, an ounce of prevention is worth a pound of cure.
Cyberattacks are occuring at an increasing frequency in the supply chain space. The following examples demonstrate just how severe the damage can be across verticals.
Logistics Industry: The 2017 NotPetya Attack
One of the biggest cybersecurity stories of 2017 was the "NotPetya" attack, which targeted a number of large companies and has since been dubbed the "costliest cyberattack in history." Among the victims was shipping giant A.P. Moller-Maersk, which was faced with the shutdown of operations at 76 port terminals across four countries around the world. The attack caused delays and disruptions that lasted weeks and led to a loss of over $200 million for the logistics conglomerate.
Automotive Industry: The 2015 Chrysler Recall
In the automotive industry, one of the most widely talked about cybersecurity incidents was the 2015 Chrysler hack which resulted in the recall of 1.4 million cars. Luckily for Chrysler, that weakness in their cyberdefense (which allowed the hackers to take over dashboard functions, steering, transmissions, and brakes) was discovered by two of their security researchers during a routine check and was quickly fixed. Had this been discovered by hackers or cyberterrorists, the consequences may have been far more disastrous—vehicle theft, multiple accidents, and the leakage of location information.
For the pharmaceutical industry, their greatest asset — and thus their greatest vulnerability—is information. Chemical formulas, corporate plans, and trial results make up just some of the sensitive data that pharma companies have to guard carefully. In June 2017, pharmaceutical giant Merck had its files held ransom in part of a global cyberattack that crippled its manufacturing operations and ultimately cost the company $300 million in lost sales and costs. Other companies affected by the attack were Dutch delivery company TNT and French materials manufacturer Saint-Gobain. Nayana, a South Korean web-hosting firm, paid a record $1 million in ransom to get its files back, demonstrating just how pricey a cybersecurity breach can be.