How to Protect Your Supply Chain from Cyberattacks
Supply chains have been stretched to their limits by COVID-19 lockdowns, border closures, and sudden shifts in consumer demand. Now, they’re facing a growing threat from hackers. According to the FBI, cyberattacks have surged by 400% during the pandemic. One of the top targets: supply chains. In 2019, there were around 300 major hacks on supply chains, and 2020 is almost certain to exceed that. In a single week this fall, cybercriminals took out shipping giant CMA CGM’s e-commerce systems and hit the International Maritime Organisation with an attack that affected crucial databases.
The fastest-growing threat is ransomware, which encrypts a company’s data until a ransom is paid to the hackers to decode it. In the third quarter of 2020, companies paid an average of $233,817 in ransoms, a 31% increase from the previous quarter, according to security firm Coveware.
Supply chains are uniquely vulnerable to cyberattacks because each link in the chain is a potential entry point for hackers. Corporations like Walmart can have 100,000 suppliers, and interact with each to manage orders, delivery schedules, invoices and payments. When a single click on a malicious email link can open the door to a cyberattack, policing such a complex system is an enormous challenge. So, what can be done? Here’s how to keep your supply chain safe and secure.
Assume the Worst
Your organization or suppliers will inevitably be the target of a cyberattack, so plan accordingly. If your company doesn’t have a comprehensive strategy for mitigating threats and dealing with any breaches, creating one must be a priority. The threat from hackers is ubiquitous, so your strategy must encompass not only your organization but also the suppliers and vendors you deal with. It should run the gamut from the technologies used for endpoint protection, to standards for accessing and handling data, to plans for recovering in the event of a successful attack. The National Institute of Standards and Technology has created standards for supply chain cybersecurity that are an excellent starting point.
Find Out Where Your Risks Are
You can’t defend against risks you don’t know about. Conduct a comprehensive audit of each third-party vendor in your supply chain. It’s not enough to look into their software and hardware; you also need to know about their information security protocols, their processes for patching and updating their systems, how they control physical access to their facilities and digital access to their systems, and what background checks they perform on their employees. Group vendors by their risk level, and prioritize working with the riskiest to secure systems and train staff. Particularly vulnerable equipment may have to be air-gapped from other systems. This is frequently the case for manufacturers that have expensive or difficult-to-replace machinery still operating on outdated systems such as Windows XP.
Embed Cybersecurity Throughout Your Business
The complexity of supply chains creates an enormous attack surface for hackers. The risks are increasing with greater use of IoT technologies throughout the system. Even WiFi routers, connected thermostats or smart lighting systems in warehouses could present a risk. IT departments lead the charge on ensuring networks are up to date with antivirus and malware detection software, and on staying current with system patches. But that work can be undone by a careless worker who invites hackers in by falling for a phishing attack. Supply chains are prime targets for phishing scams, which often involve phony invoices that contain viruses or fake wire transfer requests that appear to come from a trusted source. Embedding a culture of cybersecurity awareness throughout your supply chain and regularly training all staff to be alert to the threat is essential to keeping systems secure.
Ransomware and other cyberattacks represent real and growing threats to companies throughout the supply chain. Attacks are inevitable, but by putting the correct technologies and procedures in place, companies can mitigate their risks and reduce their chances of costly downtime from a successful hack.
Ara Aslanian is co-founder and CEO of Inverselogic, an IT services company, and reevert, a hybrid data backup and storage solution. He is a member of the advisory board at LA CyberLab and on the leadership council of Secure the Village, both of which monitor emerging online threats and provide education on countering them.