How to protect your organisation’s data with supply chain cybersecurity
There’s a lot to be excited about when it comes to supply chain technologies. There are robots running fully automated warehouses; chatbots enabling orders and returns; facial recognition technology predicting orders at fast-food chains; driverless vehicles and drones optimising transportation and delivery; and smart labels and blockchain technology helping consumers better understand their products and where they come from.
But with supply chain innovations come supply chain security vulnerabilities. Increasing complexity means more access points for potential cyberattacks – and cybercriminals are finding them. According to Symantec’s 2018 Internet Security Threat Report, there was a 200% increase in attackers injecting malware implants into the supply chain to infiltrate unsuspecting organisations in 2017. One prime example was the Petya/NotPetya malware, which wreaked havoc worldwide, including bringing the Cadbury factory in Tasmania to a grinding halt.
Not only are supply chain cyberattacks far more likely, but new data protection regulations mean there are greater consequences for lax cybersecurity. The Australian Government, for example, has recently brought the Notifiable Data Breaches (NDB) scheme into effect, obliging organisations to notify individuals whose personal information is involved in a serious data breach. The European Union’s General Data Protection Regulation (GDPR), which comes into effect on 25 May, also imposes hefty fines for non-compliance: up to A$30 million, or 4% of global annual turnover, whichever is higher. (Ouch!)
In light of this, supply chain cybersecurity is a larger priority than ever before. So is your supply chain safe from cyberattacks? In today’s post, we look at the three biggest risks to your supply chain, and how you can mitigate those risks with supply chain cybersecurity best practices.
3 biggest risks to supply chain cybersecurity
1. Third-party vendors
As organisations ramp up their cybersecurity efforts, cybercriminals are increasingly having to look for ways to exploit secondary or even tertiary access to primary targets. Because of this, many experts agree that the biggest supply chain vulnerability is that of third-party vendors and suppliers. This view is supported in the government’s Australian Cyber Security Centre (ACSC) Threat Report 2017, which stated that sophisticated cyber activity against such third parties had increased.
According to the report, organisations can be targeted via outsourced vendors by:
- Exploiting a direct connection that a vendor has with customer data and networks
- Modifying the vendor’s software or other products with malicious content, which is then installed on customer networks
- Gaining access to credentials to allow seemingly legitimate access to the target network
- Engineering sophisticated spear-phishing emails to deliver malware and thus compromise a target network
Even highly secure government departments aren’t immune to such ‘backdoor’ attacks, as the Australian Department of Defence discovered when the hacking of a sub-contractor exposed data about Australia’s Joint Strike Fighter programme. The access was gained via a 12-month-old vulnerability in the sub-contractor’s IT Helpdesk Portal, showing how even the smallest oversight can have severe consequences.
As a supply chain grows, so too does its number of users. As a result, the risk of plain old human error increases. As the National Institute of Standards and Technology (NIST) wrote in conference materials on the subject of “Best Practices in Cyber Supply Chain Risk Management”:
Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem. Breaches tend to be less about a technology failure and more about human error. IT security systems won’t secure critical information and intellectual property unless employees throughout the supply chain use secure cybersecurity practices.
Social engineering, or the act of psychologically manipulating someone into performing an action or divulging confidential information, is particularly rampant. According to the Norton SMB Cyber Security Survey 2017, 54% of SMBs who had experienced a cyberattack had fallen victim to an email or phishing scam.
Whether it’s by using unsecured BYOD devices or public Wi-Fi networks, or inadvertently clicking links in phishing emails, your employees could potentially be exposing your organisation’s data to the risk of cyberattacks – without even realising.
3. Malicious actors
While vendors and employees may be the weakest links in your supply chain’s cybersecurity defences, it’s important not to become complacent about your own internal cybersecurity defences. Cybercriminals are constantly on the lookout for weaknesses, whether it’s a software vulnerability that has yet to be fixed by a security patch, or an IoT device that still has a default password.
Organisations, therefore, need to ensure their own internal IT security solutions remain stringent and up-to-date.
Supply chain cybersecurity best practices
When it comes to supply chain cybersecurity, it is not so much a matter of if there will be a cyberattack, but when.
When you start from the principle that a breach is inevitable, your cybersecurity solution becomes not just about preventing a breach, but also about how to prevent a malicious actor from exploiting information they have accessed, and how to recover from the breach.
Here are some supply chain cybersecurity best practices to help you protect your organisation’s data:
- Protect what matters: It is impossible to identify every single security weakness in the entire supply chain, so it’s important to focus your efforts where they’re most needed. Identify your most sensitive data, and assess the measures and strategies that are in place to protect it.
- Know who has access to your data: Maintain an inventory of all third-party vendors and employees with access to sensitive information, as well as their degree of access.
- Control access to your data: Often, vendors and employees have access to sensitive information that they don’t actually need to perform their service or their role. Limiting data access can go a long way towards mitigating the consequences of a breach.
- Verify vendors’ security practices and procedures: Carefully assess a vendor’s commitment to security during the vetting process, and make strong cybersecurity practices a prerequisite in all vendor agreements.
- Educate employees on cybersecurity best practices: Be sure employees get regular training on cybersecurity best practices, such as how to recognise a phishing email or how to use social media responsibly.
- Have a highly detailed cyberattack response plan: As mentioned, no system is 100% secure. It’s vital, therefore, to have a highly detailed cyber incident response plan for when the inevitable breach occurs.
As supply chain technology evolves in leaps and bounds, organisations have to balance the rewards of such innovations with the risks they introduce into our systems, and ensure supply chain cybersecurity remains a top priority.