Dealing with cyber breaches in the supply chain
June 2017 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
June 2017 Issue
Given that many multinational corporations have a presence in both developed and emerging markets, it is imperative that they have a robust and well maintained supply chain management structure in place.
Though supply chains can be hugely beneficial to organisations, they are also a potential liability. All modern supply chains face almost constant risks; from environmental disasters to terrorism, and from global financial crises to political risk, supply chains must be robust and flexible enough to be able to cope with the challenges they face every day. A single broken link in the chain can create a bottleneck which slows or halts production, and have a domino effect on the company’s operations.
Yet, despite the risks, technological developments have made supply chains more efficient and cost effective. By integrating new technology, companies can improve communication and coordination across thousands of miles and multiple languages. However, managing global supply chains is challenging in its own right, and the added complexity of integrating technology can create myriad risks and potential paths to compromise. Arguably, the reliance of many multinationals on their supply chain is a fillip for cyber criminals, who see the massive financial incentive of breaching a company’s defences. As such, the physical and cyber security elements of supply chains need due care and attention. Failure to address this could be catastrophic.
One of the most important aspects of supply chain management is a cyber breach containment plan. Many companies’ cyber provisions are often found wanting; a situation exacerbated by the increasing intensity and frequency of cyber attacks. According to a recent Bitglass report, cyber attacks affected 87 percent of organisations in 2016, costing firms billions in fines and lost revenue. Cyber criminals are resourceful, resilient and widespread, capable of causing considerable damage.
Breached businesses may incur financial penalties and legal costs, as well as reputational damage, a loss of consumer confidence and a possible fall in stock price as their customers also feel the impact of the breach.
Organisations are putting their faith in outsourcing key backroom functions, often to emerging markets, in search of operational efficiency. Some are outsourcing complex information and communication technology services to help secure their networks and systems in an increasingly threatening cyber landscape. As more companies outsource their software development, acquire open source software products and extensively share their digital information with suppliers, they expose themselves to malicious forces. As a result, supply chains are frequently under attack, becoming infected with malware and facing advanced persistent threats and cyber terrorism.
Companies must do more to assess the risks they face and protect their assets. This process should include expanding security procedures to include vendors, partners and even customers. Most companies only consider the safety of their own networks, software and digital assets. Protecting these assets must be a priority, but third parties should also be assessed. Further, data protection methods must be extended as far as possible, taking in staff, processes and technology solutions. A company’s cyber security provisions, much like its supply chain, are only as strong as the weakest link. Effective and coordinated provisions are essential.
Emergence of threats
Supply chains present malicious actors with myriad possible attack vectors. For many breached organisations, the attack that penetrated their defences is often not aimed directly at them, where their resistance is likely to be strongest, but through a back door in their supply chain. While cyber attacks can come from different angles and may have varying motivations, there are huge financial rewards for stealing data. Be it credit card information, medical records or company intellectual property, data is a key driver of cyber crime. With more companies developing and relying on computer systems, and with the Internet of Things becoming a reality, offering much greater levels of interconnectivity, cyber criminals will continue to innovate and develop new attack vectors.
For example, the breach of US retailer Target, which allegedly resulted in the loss of up to 110 million records and cost the company millions of dollars in settlements, originated with a third-party supplier in the company’s supply chain. Fazio Mechanical Services, a supplier of heating, ventilation and air conditioning services, was breached, reportedly allowing the malicious party to gain access to Target’s network and, ultimately, its data.
Supply chains are more reliant than ever on new digital technologies, and more data is shared between organisations electronically every year. According to a November 2016 Cisco report, cloud data traffic is likely to increase 3.7 fold by 2020, up from 3.9 zettabytes (ZB) per year in 2015 to 14.1 ZB per year by 2020. While the migration of data to the cloud offers advantages to big businesses, it also represents a huge challenge for IT and security professionals.
New technologies, such as machine-to-machine connectivity, remotely guided vehicles and digitally linked smart products, make supply chains easier and cheaper, but they also create new security risks. New technologies often require access to a company’s internal workings, as well as its order lists, customer contracts and other valuable data. To protect their data, companies must thoroughly vet their employees and third parties, restricting access to essential data where applicable.
Third-party suppliers are a cyber security blind spot for many organisations, particularly as supply chains become more dynamic, growing in size and complexity. Disgruntled or rogue employees in third-party organisations may access data, compromise the supply chain and cause untold damage.
While malicious employees can be a grave security risk, innocent employees can also, unwittingly, jeopardise supply chains. Staff members may be unaware of potential risks, or unsure of how to defend against them. According to a joint study by Experian Data Breach Resolution and the Ponemon Institute, 55 percent of companies surveyed have experienced a security incident due to a malicious or negligent employee. Further, 60 percent of companies surveyed believe their employees are not knowledgeable or have no knowledge of the company’s security risks. Worryingly, just 35 percent of respondents reported that their senior management believe that employees should be knowledgeable about how data security risks affect their organisation. Acts of negligence or simple human error are highly likely to be the root cause of a cyber breach.
So what can companies do to deal with breaches, and hopefully reduce their vulnerability to attack?
Auditing potential vulnerabilities, though on the surface a daunting task, will provide companies with a valuable insight into their cyber preparedness. Considering potential weaknesses is clearly beneficial.
This auditing process should be extended throughout the organisation. To withstand cyber breaches, companies must know the intricacies of their own networks. Companies should know what data they hold, where it is stored and who has access to it. Backups of data should be made and access restricted.
Introducing supply chain risk management processes throughout the corporate structure is a vital step. This process must form part of a ‘big picture’ approach to cyber security. It starts at the top; the C-suite and the board of directors have to establish their approach to cyber risk management. Cyber security is no longer a concern for the IT department alone; entire organisations must take ownership of the issue and strive for greater collaboration. This includes supply chain partners.
Access to systems and data should be granted on a case-by-case basis, depending on a party’s function within the supply chain. These access privileges should be regularly reviewed. No employee or contractor should be granted access to data or systems beyond what is necessary.
Data encryption is another valuable tool. It should be adopted on an end-to-end basis, adding another layer to data protection provisions. Data encryption processes should complement overall IT security management. Organisations should also consider services that provide supplier risk ratings or rankings.
Password and account management policies should be rigorous. Firewalls, network access controls and intrusion detection systems should be in place.
Companies must also consider keeping some suppliers and other third parties at arm’s length. Forbidding some partners from integrating their systems into the supply chain can be vital for reducing threat vectors. In order to operate such a policy, however, companies must be fully aware of the size of their supply chain. Audits of vendors and suppliers should also establish which third parties those vendors themselves deal with. The only way by which companies will be able to shore up their cyber defences is by knowing exactly who resides within their supply chain.
In recent years, the cyber liability insurance market has matured, offering companies a variety of viable products. Though insurance is obviously not a deterrent to attackers, and will not protect a supply chain, it should still form part of a company’s cyber management plan. Cyber insurance can help a company to recover financially when breached; the right policy will cover costs associated with responding to a breach, including investigation, notification and legal costs.
If companies are to fully benefit from a cyber policy, however, they need to understand their insurance needs before they apply. Data auditing will help the company get its house in order.
Security is the responsibility of all of the constituent parts of the supply chain. All elements within the chain need to come together and implement effective security measures. If vendors, sub-contractors and other third parties are unable to meet the necessary security standards, they are a liability that should be removed.
Companies need to ensure that third parties’ security policies and procedures are codified, validated and certified. They must clearly define the standards and practices to which they expect their vendors to adhere. Questions around the allocation of liability in the event of a breach must be factored into contracts, along with breach notification requirements.
Realistically, companies are never going to completely remove cyber security threats from their supply chain. Cyber criminals are resourceful and persistent. However, companies must take the right steps to mitigate this threat wherever possible. The C-suite and the board of directors must know their company’s operations, their supply chain and its vulnerabilities. Ultimately, the challenge of dealing with cyber threats in the supply chain involves managing people and processes. Malicious actors are bold and sophisticated. Though it has delivered cost savings to many organisations, the digital revolution is jeopardising the modern supply chain. As such, it is imperative that companies match the growing ambition and ingenuity of cyber criminals with appropriate resolve. Failure to properly consider key factors will leave organisations, irrespective of their industry and size, open to attack.
© Financier Worldwide