High-profile companies are increasingly being devastated by cyber-attacks that cause financial losses and that damage their brand reputation. Organisations are struggling to protect the confidentiality, availability and integrity of data. Information security has become more complex due to innovations involving big data storage, predictive analytics, and the use of cloud-based solutions. Electronic tools such as e-sourcing and automated procure-to-pay systems complicate matters further. Over and above all of this, there is the people problem. There are many weak links in the supply chain including importers, foreign manufacturers, agents, transport companies and third-party logistics service providers. Hackers, whose main objective seems to hold organisations to ransom, can infiltrate any of these layers.
The key risks
Cyber-attacks do not always come through the front door. Businesses depend on trusted relationships with their third-party suppliers and service providers. Many of these are vital suppliers of components and maintenance; others are providers of professional services such as marketing, accounting and I.T. Many cyber-attacks come through these backdoors.
Third Party Suppliers
Your company may have a cyber-security risk strategy but what about your key suppliers that can access your systems? Smaller companies contracted to larger companies are often targeted because they are more vulnerable. A niche company supplying vital goods or services may have a access to important information and only have a very immature approach to data security.
The next problem is your suppliers’ suppliers, also called tier 2 suppliers. You may have addressed security weaknesses in your own proprietary software but the problem may lie with your solutions providers. Poor information security practices by lower-tier suppliers can sink companies. .It is estimated that over a third of corporate IT breaches are via third-party suppliers.
Cyber-attacks can lead to intellectual property breaches, sub-standard or interrupted operations, sensitive data custody breaches, and decreases in service level to final customers.
Software solutions providers
Cyber attacks can be delivered through counterfeit hardware or software that is embedded with malware. Supply chain functions are often outsourced in an attempt to reduce infrastructure costs – these are the ones that require extra diligence. Website builders and data aggregators are a risk as well as “watering holes”, where the attacker guesses or observes which websites are vulnerable and infects one or more of them with malware.
Lack of awareness among employees
Education and training are recommended for both own employees and those of key suppliers. Bring your own device (BYOD) facilities in the supply chain can cause major security issues especially with mobile devices. The level of malware protection and detection performed on these devices is usually inadequate. Job roles re-opening up in cybersecurity, there are not enough trained people available yet. “Phishing” has become commonplace, this includes attempts to acquire usernames, passwords and credit card details via email for fraudulent purposes.
“Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem.”
National Institute of Standards and Technology (NIST)
Mitigating the risks
As well as financial losses and brand damage, cyber-attacks, can lead to intellectual property breaches, sensitive data custody breaches, and decreases in service level to final customers. Improving the quality of the relationships amongst all members of the supply chain is important for improving cybersecurity. Here are a few ways of staying safe:
- create a cyber-crisis team to be first responders. Re-arrange resources and develop contingency plans thereafter
- train people to follow security procedures and educate them about the risks
- improve processes e.g. due diligence for new suppliers must assess cyber risk
- upgrade internal technology. Tight guidelines for supplier access are a strong defence
The phrase cyber-resilience in supply chains has been coined to explain what is still to be achieved in the process of mitigating risks. Companies must invest in supply chain capabilities to withstand and identify potential cyber-attacks.
Many cyber attacks remain unreported. There have been some visible many recent examples of cyber breaches.
Ransomware Halted Maersk’s Supply Chain
NotPetya malware hit global businesses in approximately 59 countries in late June 2017, an attack which prevented one of the largest container shippers, Maersk Line, from taking new orders. The attack came at a vulnerable time which the company was upgrading its automated order entry system. Maersk was forced to halt operations in some of the 76 ports in those 59 countries. Inaction by senior management is compounded by the increasing complexity of global supply chains. Many businesses will not even realise the level of access that their supply chain has. Key suppliers should be on their risk dashboards.