Cyber housekeeping 'stops most back door supply chain hacks'

The supply chain is often the 'back door' for hackers to attack larger companies. Here, cybersecurity execs James Tamblin & Paul Gribbon share security insight.

A recent Accenture study showed that, in the US, 43% of cyberattacks were aimed at small to medium-sized enterprises (SMEs) but that just 14% of such companies are adequately protected. Those are scary numbers, and it’s a similar story on both sides of the Atlantic.

The British government reports that almost a third of UK firms with digital supply chains are vulnerable to cyberattacks, with many lacking even basic protective measures. It, too, says most are SMEs – by far the most numerous type of company.

In a cyber-vulnerable company, supply vendors are too often the entry point for malware, ransomware or denial-of-service (DoS) attacks, which then work their way upstream or downstream to the organisation itself.

And yet, cybersecurity needn’t be complicated; much of it is down to sound housekeeping and well-managed communications.

We spoke to two cybersecurity experts for their advice and insights on the matter. James Tamblin (JT) is Vice Chairman of BlueVoyant, a US company that provides a cloud-based cybersecurity platform.

Paul Gribbon (PG), meanwhile, is Cybersecurity Senior Manager at Reliance ACSN.

Biggest internal cybersecurity threat to supply chains?

JT: Internally, the biggest threats come from suppliers or third parties who have access to an organisation's IT networks. If a supplier’s IT network is breached, then this might have a direct impact on the first party. As the internal networks of organisations become better defended, increasingly, it’s suppliers who become the weak link that allows an attack. 

Biggest external cybersecurity threat to supply chains? 

JT: Externally, the biggest threats come from third-party organisations who perform a critical business process or deliver a key product to the first party. 

In the event that a supplier or third party is subject to a cyberattack that means they are unable to deliver key products or services, this can become a big problem very quickly and may impact business continuity. 

Most important first steps in being cyber-secure?

JT: For any organisation, the most important things to do when tightening cybersecurity include:

  • The relentless use of multi-factor authentication (MFA)
  • Maintaining a robust patching practice
  • Continual cybersecurity awareness training; and 
  • Using software applications that are well-supported from a security perspective. 

Doing these things well will reduce any organisation’s cyber risk significantly.

PG: The first step is for the company to understand the breadth, depth and location of its information assets. You cannot mitigate, protect and control what you don’t know about. 

Organisations should also be prepared to be surprised, or even shocked, at the amount of data that needs to be under control. This is particularly true of the proliferation of cloud services’ data, for which you have accountability and which is often being processed in locations of which you were not aware. 

This also has a compliance and legislative impact, particularly as it relates to personal data. The GDPR implementation date is now four-and-a-half years ago, and any data discovery assessments conducted back then will be severely out of date if this has not been a regular exercise.

Most important cybersecurity measure?

JT: Enabling multi-factor authentication on all internet-facing applications. This one extra step is sometimes enough to convince cybercriminals to move on to other targets.

PG: Dispelling the myth that ‘it will never happen to us’ must be the first step. The most important thing is to take the risk of cybersecurity and cyber-based attacks seriously. This means, first, accepting there is a real risk the organisation could be impacted and, second, making it a priority to ensure there’s no complacency. 

Once this is done, there will be a natural progression of activities to help identify and protect an organisation. No two organisations are the same in terms of their business or operating model, size, culture and risk exposure, so those activities should be tailored to the environment and threat profile.  

Which sectors have the greatest supply chain vulnerability?

JT: There are some sectors that, traditionally, have not invested heavily in building and running state-of-the-art technology. By definition, this makes them more susceptible to being successfully attacked. 

Typically, I see this in companies with tight margins that are spend-conscious and haven’t seen the upfront benefit of significant financial investment in technology. 

Also, some sectors are more heavily targeted – including IT-managed service providers, who are seen as low-hanging fruit by hackers – because a successful breach of a managed service provider (MSP) will result in access to multiple target organisations in a single hit. 

The good news is that MSPs tend to take security very seriously and employ strong cyber defences.

Is geopolitical instability contributing to cyber threats?

JT: Using its intelligence feeds, BlueVoyant continues to monitor the unfolding situation between Russia and Ukraine for any adverse impact on our clients. 

To date, we have not seen a significant increase in attacks from that region against western targets. However, organisations in both Russia and Ukraine have been impacted by malicious hacking from both sides, as they attempt to disrupt or destroy adversaries through cyberattacks. 

For organisations who depend on third parties based in conflict zones such as Ukraine, the impact can be significant. 

Biggest barriers to tightening supply chain cybersecurity? 

JT: The first hurdle to overcome is making key individuals inside an organisation understand why supply chain cyber risk is a problem that needs addressing. 

For too long, chief information security officers, chief technology officers and other senior executives have been focused on building their own cyber defences. Understanding the business risk of a successful cyber attack on a supply chain vendor or other third party is not always apparent to senior executives. 

The second hurdle is to find an effective solution that helps the organisation have a positive impact on supply chain cyber risk. Many organisations find they are overwhelmed with vulnerability information, and don’t have effective means by which to influence third-party supply chain organisations at scale. 

Intelligent investment in external support, and understanding what is possible from a ‘data’ perspective, is a key early step. 

James Tamblin is Vice Chairman of BlueVoyant, a US company that provides a cloud-based cybersecurity platform.
Paul Gribbon is Cybersecurity Senior Manager at Reliance ACSN, a cybersecurity firm.
