Context Information Security: Is your supply chain a security risk?
Although your business will already have put in place measures to increase protection from growing cyber security risks, the next step is to think about your supply chain and whether the organisations that support you pose an acceptable risk or a weak link. Much as you would be reticent to do business with an organisation with a bad financial credit rating, cyber supply chain risks should be seen in a similar light, and it is important that you understand the threat to your business.
There are two main ways in which the poor cyber security of your supply chain can have a direct impact on your organisation:
If one of your suppliers is unable to provide you with the goods or services you rely on to operate your business because they have fallen foul of a cyber-attack, this could damage your output and reputation, particularly where just-in-time logistics or critical services are involved. This is a risk you would want to avoid, or at the very least minimise, by choosing a supplier who has insulated themselves against cyber-attacks.
Your supply chain may be used as a backdoor to gain access to your network. You may ask why your supply chain should be any different from any other business, but the key difference here is that cyber criminals are the confidence tricksters of the 21st century and will look to exploit the trusted relationships you have with your supply chain.
Attackers can exploit this trust in different ways. Firstly, some of your suppliers may have access to your Building Management Systems (heating, ventilation, power, lifts), which may be part of or linked to your network. If the supplier’s network is compromised, yours might be too. A notorious example of this occurred in 2014, when the US retail business Target was hacked via its HVAC partner, losing the credit card details of 110mn customers at a cost of $61mn.
Secondly, even if your networks are not directly connected, trust can still be exploited. The attacker can send spoof emails posing as the supplier, with malicious content embedded, to gain a foothold on your network. Because of the trusted relationship you have with this supplier, you are more likely to open any attachments. Cyber criminals can go unnoticed on networks for long periods of time, using numerous approaches, including monitoring traffic and patterns to establish the types of emails sent to partner organisations. Knowing who emails usually come from and what types of attachment are usual contributes significantly to their success.
Having gained access to the environment, there are various ways in which an attacker can ‘cash in’. It may be client details, such as bank accounts and email addresses, which can all be sold on the dark web. Alternatively, for a potentially bigger and quicker ‘payday’, they can conduct an attack known as Business Email Compromise (BEC). Increasingly prevalent and profitable, BEC works by the attacker monitoring your communications to understand how and when you invoice your clients. The attacker then sends an email from your finance department containing your normal invoice but, critically, with updated banking details for your clients to pay into. The attacker will delete any other invoices sent to the target client and cover their own tracks, usually by deleting what has been sent from your network. As the email comes from your network, your clients may well be duped into paying the invoice, or indeed, you may receive similar emails yourself. Although this attack may seem simplistic, it once again relies on the trusted relationships you have with both your supply chain and your clients. It is hugely successful: the FBI has estimated that $12bn has been defrauded through BEC over the past 5 years.
To protect yourself from and reduce your cyber security supply chain risks, here are some things to consider:
Perform a baselining audit of who has access into your network and remove any unnecessary access, both from your staff and external suppliers, then continue to review regularly through an ongoing audit process
Before taking on new suppliers or re-engaging existing ones, enquire about their cyber security maturity. Whilst there is no industry standard questionnaire for supply chain assurance, the UK Government’s Cyber Essentials+ would be a good place to start, as it shows they are at least thinking about it. Cyber credit rating type services are available and can be helpful here too, but shouldn’t be viewed as the ‘be all and end all’: they can be useful for comparison, but in isolation can be quite unhelpful
Ensure you have robust processes in place in-house that do not allow any amended payments to be made without additional authentication, for example calling to confirm. Never call any number given in an email that asks for a change in payment details – this is likely to be the attacker waiting for your call. Instead, call your known contact on a previously used number
Educate your staff on what to look for and how to spot this type of attack
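The payment-change control in the list above can be made mechanical rather than left to memory. The following is an added example, not code from Context Information Security or from the original article: a small Python check that compares an emailed request to change a supplier's bank details against the vendor record you already hold, flags lookalike sender domains, refuses to treat any callback number supplied in the email as trustworthy, and only accepts the change once finance staff record a confirmation call made to the number already on file. All vendor, email, phone and account values are constructed for the example.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VendorRecord:
    """What you already hold for a supplier: the source of truth."""
    name: str
    email_domain: str
    bank_account: str
    known_phone: str  # taken from a previously used contract or invoice


@dataclass(frozen=True)
class ChangeRequest:
    """An emailed request to pay a supplier into a different account."""
    vendor_name: str
    sender_address: str
    new_bank_account: str
    callback_number_in_email: Optional[str]


@dataclass(frozen=True)
class Callback:
    """Record of the out-of-band confirmation call made by finance staff."""
    number_called: str
    vendor_confirmed: bool


def normalise_phone(number: str) -> str:
    """Strip spacing and punctuation so differently formatted numbers compare equal."""
    return re.sub(r"[^\d+]", "", number)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def assess_change(vendor: VendorRecord, request: ChangeRequest,
                  callback: Optional[Callback]) -> Tuple[str, List[str]]:
    """Return ('accept' | 'hold' | 'reject', notes) for a payment-detail change."""
    notes: List[str] = []
    sender_domain = domain_of(request.sender_address)
    expected_domain = vendor.email_domain.lower()
    if sender_domain != expected_domain:
        # A near-identical domain is the classic sign of a spoofed supplier.
        similarity = SequenceMatcher(None, sender_domain, expected_domain).ratio()
        kind = "lookalike" if similarity >= 0.8 else "unknown"
        notes.append(f"sender domain {sender_domain!r} is a {kind} of {expected_domain!r}")

    if request.new_bank_account == vendor.bank_account:
        return "accept", notes + ["bank details unchanged"]

    if request.callback_number_in_email and (
        normalise_phone(request.callback_number_in_email) != normalise_phone(vendor.known_phone)
    ):
        notes.append("email offers a callback number that is not the number on file; do not use it")

    if callback is None:
        return "hold", notes + ["awaiting confirmation call to the number on file"]
    if normalise_phone(callback.number_called) != normalise_phone(vendor.known_phone):
        return "reject", notes + ["confirmation call used a number not on file; repeat it using the number on file"]
    if not callback.vendor_confirmed:
        return "reject", notes + ["vendor did not confirm the new details"]
    return "accept", notes + ["change confirmed with vendor on the number on file"]


# Constructed sample data (hypothetical supplier, domains, numbers and accounts).
VENDOR = VendorRecord(
    name="Acme Fasteners Ltd",
    email_domain="acme-fasteners.example",
    bank_account="GB00EXMP00000012345678",
    known_phone="+44 20 7946 0000",
)
# Request from a lookalike domain, new account, and a helpful "call us" number.
REQUEST = ChangeRequest(
    vendor_name="Acme Fasteners Ltd",
    sender_address="accounts@acme-fastener.example",
    new_bank_account="GB00EXMP00000099999999",
    callback_number_in_email="+44 20 7946 0999",
)
UNCHANGED_REQUEST = ChangeRequest(
    vendor_name="Acme Fasteners Ltd",
    sender_address="accounts@acme-fasteners.example",
    new_bank_account=VENDOR.bank_account,
    callback_number_in_email=None,
)


if __name__ == "__main__":
    for call in (None,
                 Callback("+44 20 7946 0999", True),   # staff rang the number in the email
                 Callback("+44 207946 0000", True)):   # staff rang the number on file
        decision, notes = assess_change(VENDOR, REQUEST, call)
        print(decision, "|", "; ".join(notes))
```

The decision is deliberately three-valued: a request with changed details is held until a confirmation call exists, and a call made to the attacker-supplied number is rejected outright rather than counted as verification, which is the failure the article warns about.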
Remember, nothing and no one is infallible, and this type of attack will continue for as long as it is profitable and works. It will no doubt evolve over time into something else, so you and your staff need to keep up with what is going on in order to be able to defend against it. Your organisation might not be the overall target, as you may be used as a stepping stone to get to another, more lucrative organisation – ultimately we are all a part of someone’s supply chain.
Pandora and IBM digitise jewellery supply chain
Pandora has overhauled its global supply chain in partnership with IBM amid an ecommerce sales boom for its hand-finished jewellery.
The company found international success offering customisable charm bracelets and other personalised jewellery through its chain of bricks and mortar retail destinations. But in 2020, as the COVID-19 outbreak forced physical stores to close, Pandora strengthened its omnichannel operations and doubled online sales.
A focus on customer experience included deploying IBM’s Sterling Order Management, increasing supply chain resiliency and safeguarding against disruption across the global value chain.
Pandora leverages IBM Sterling Order Management as the backbone of its omnichannel fulfilment, with Salesforce Commerce Cloud powering its ecommerce. Greater automation across its channels has boosted the jeweller’s sustainability credentials, IBM said, streamlining processes for more efficient delivery. It has also given in-store staff and virtual customer service representatives superior end-to-end visibility to better meet consumer needs.
Jim Cruickshank, VP of Digital Development & Retail Technology, Pandora, said the digital transformation journey has brought “digital and store technology closer together and closer to the customer”, highlighting how important the customer journey remains, even during unprecedented disruption.
"Our mission is about creating a personal experience and we've instituted massive platform changes with IBM Sterling and Salesforce to enable new digital-first capabilities that are much more individualised, localised and connected across channels and markets,” he added.
Pandora’s pivot to digital
The pandemic forced the doors closed at most of Pandora’s 2,700 retail locations. To remain competitive, it pivoted to online retail. Virtual queuing for stores and virtual product trials via augmented reality (AR) technology went some way to emulating the in-store experience and retail theatre that is the brand’s hallmark. Meanwhile, digital investments in supply chain efficiency were central to delivering on consumer demand.
“Consumer behaviour has significantly shifted and will continue to evolve with businesses needing to quickly adapt to new preferences and needs,” said Kareem Yusuf, General Manager, AI Applications and Blockchain, IBM. “To address this shift, leading retailers like Pandora rely on innovation to increase their business agility by enabling and scaling sustainable supply chain operations using AI and cloud.”
Yusuf said Pandora’s success was indicative of how to remain competitive by “finding new ways to create differentiated customer experiences that protect their enterprises from disruptions to help mitigate risk and accelerate growth”.