
Cyber Security In Supply Chain

06 May

Blog Credit: Trupti Thakur

Image Courtesy: Google

Supply chain security is the part of supply chain management that focuses on the risk management of external suppliers, vendors, logistics and transportation. Its goal is to identify, analyze and mitigate the risks inherent in working with other organizations as part of a supply chain.

Cybersecurity is near the top of most CIOs’ list of priorities. Supply chains often comprise thousands of vendors, many of which might be vulnerable. Hackers often target such vendors as a means of insinuating their way downstream or upstream into a multinational company, which is their ultimate target – the so-called backdoor attack.

The consequences of such an attack can be severe, operationally, financially and reputationally.

Only this summer the largest password collection in history was leaked on a popular hacker forum, allegedly containing 82 billion passwords. It’s a worrying snapshot of the threats that lurk out there.

Top 10 supply chain cyber threats:

  1. Cloud security
  2. Social media
  3. PDFs
  4. Databases
  5. Accidental sharing
  6. SMS
  7. IoT devices
  8. Poor housekeeping
  9. Phishing
  10. Ransomware

  1. Cloud security

Most organisations have concerns about cloud security. Misconfiguration, unauthorized access, insecure interfaces and the hijacking of accounts are all potential points of entry for hackers. With more companies digitally transforming and leveraging online collaboration tools, the migration to cloud computing has also accelerated. The cloud will continue to shape the way businesses operate, as well as expose a slew of security challenges and threats.

  2. Social media

Social media is all-pervasive, and continues to be a medium of choice for launching cyberattacks. Data breaches have demonstrated weaknesses in social networks for hackers to slip through, and poor security housekeeping on the part of users means hackers don’t even have to break through the site’s defences.

Phishing schemes (credible-looking emails and texts that invite the user to share personal data) and spoof accounts are just two of many ways to trick users into giving up their credentials, and are a constant threat. Worryingly for commerce, attackers are transitioning from targeting individuals to targeting businesses via social media.

  3. PDFs

PDF files are an enticing means of phishing as they are cross-platform and allow attackers to engage with users, making their schemes appear more believable than a text-based email with a plain link. Unlike many email scams, PDF hacks often don’t ask you to open a link to give information.

Scammers know people are more likely to open a PDF than an email, especially if they think it is a bank statement. Security company Palo Alto Networks says last year there was a 1,160% increase in malicious PDFs, and that this is set to rise.

  4. Databases

Database security is becoming a big security challenge for businesses in 2021. According to American IT provider Straight Edge Technology, some hackers use social engineering attacks to steal login credentials, while others use malware to gain access. One of the significant issues with database exposure is the fuel it provides for hacks based on social engineering.

  5. Accidental sharing

Human error is something all hackers rely on, and for good reason: we’re all fallible. Accidental sharing of personal or business data can happen via email, unsecured forms or social media messaging. It is a particular threat to companies where large numbers of employees have access to primary databases, and occurs when information is shared or leaked accidentally.

  6. SMS

While phishing often occurs via email and web browsing, so-called ‘smishing’ is through SMS text messages on one’s phone. The attacker sends an SMS text message with a link that, once clicked, begins the attack. Cyber criminals are turning to such attacks because many email programmes – Google Mail and Microsoft Outlook for example – are smart enough to detect phishing emails.

  7. IoT devices

The Internet of Things (IoT) market is touted to grow to US$1.1tn by 2026, and the widespread use of IoT devices opens up serious cybersecurity threats, especially in supply chain, where IoT tech is commonplace. According to Symantec, IoT devices experience an average 5,200 attacks a month, and with IoT tech expanding almost exponentially, the attack surface for cybercriminals to target is huge.

  8. Poor housekeeping

For all the sophistication of cybersecurity solutions, one of the biggest problems remains people’s complacency and laziness around basic cybersecurity housekeeping. We all know someone who uses the same passwords for everything, or who doesn’t bother changing default passwords from 0000 or 1111 to something secure. This was how the UK’s newspaper phone hacking scandal was made possible, and it remains a rich source of joy for cyber criminals worldwide.

  9. Phishing

Phishing is when attackers attempt to trick users (typically via email or text messages) into clicking a link that downloads a piece of malware, or that directs them to a dodgy website. Phishing attacks account for more than 80% of reported security incidents, according to CSO Online, accounting for one in every 4,200 emails last year, and are set to increase further this year. According to Symantec, one in 13 web requests leads to a malware attack, and an estimated $17,700 is lost every minute due to phishing attacks.

  10. Ransomware

Ransomware attacks are of huge concern to businesses with large supply chains. Ransomware attacks are more common in developed countries with high levels of Internet usage. Accordingly, the US ranks highest, with 18.2% of all ransomware attacks (Symantec). The average ransomware payment in 2021 was $111,605.

An infamous example of such an attack was the Kaseya ransomware attack in July 2021.

Kaseya is an international software provider with headquarters in Miami and Dublin. It provides IT solutions to 40,000 organisations, as well as technology to managed service providers, which then serve other organisations. This is what made Kaseya such an inviting target for the hackers.

The attack was eventually linked to the notorious Russian hacking group REvil, who exploited a vulnerability in Kaseya’s remote computer management tool.


Preventive Measures To Be Taken For Cyber Security In Supply Chain

For cybersecurity, prevention is always better than cure. Enlisting a focused cybersecurity service provider that can undertake a robust cyber maturity assessment helps. By planning for every contingency and seeking out future vulnerabilities, companies can inoculate themselves against would-be cyberattacks and viruses.

  1. Budget assessment

More companies are upping the ante on cybersecurity spending in technology supply contracts, due to the costs that can result from a breach. There must be healthy conversations between CISOs and CFOs about budgets if cybersecurity requirements and preventative measures are to be properly supported. By allocating resources up front, companies can save millions by preventing cyberattacks.

  2. Compliance

Companies must ensure their technology supply agreements include appropriate security compliance provisions that delineate the cybersecurity requirements with which their technology partners need to comply.

  3. Collaboration

It’s important for technology procurement professionals to support CIOs in responding to the challenges presented by cyber threats. One of the most important things is a robust sourcing strategy that embeds diligence around supplier screening as part of the onboarding process. Contractual provisions must also be part of agreements so that subsequent and ongoing monitoring of supply chain risk takes place.

  4. Partnerships

The cybersecurity supplier and solution landscape is crowded, and companies must select partners who reduce the risk of cyberattack on their unique technology footprint. This requires an exhaustive cybersecurity audit, to identify gaps and vulnerabilities.

  5. Managing risk

Businesses need to know where they are on the risk spectrum. It’s important to understand the varying requirements around robust cybersecurity risk management and governance. How businesses govern, identify, detect and respond to risk is crucial to managing cybersecurity needs.

  6. Stay current

The pace of change in technology is unrelenting. Technology-sourcing professionals need to stay up-to-date on their tech knowledge if they are to properly advise CIOs and CFOs on the best cybersecurity investments.


Blog By: Trupti Thakur