Fortra: How to Guard Against Supply Chain Attacks
With more than 25 years' worth of experience in technology and security, Theo Zafirakos provides CISO professional services to clients and regularly speaks on the topic of cybersecurity awareness training and cybersecurity.
In 2022, he joined Fortra following its acquisition of Terranova Security, for which he had already supported hundreds of clients in implementing effective security awareness programmes tailored to their unique realities and objectives.
Prior to this, he served as CISO at transportation and logistics giant, CN, where he was responsible for all aspects of information security strategy and governance.
Here, Theo speaks to Supply Chain Digital about the ways organisations can guard themselves against supply chain attacks.
For those unfamiliar with Fortra, what are the company's main activities?
Fortra provides best-in-class cybersecurity solutions, managed security services and world-class threat intelligence.
Our areas of expertise include vulnerability management, offensive security, email security, data protection, secure collaboration, digital risk protection, secure file transfer and more.
To what extent are supply chain attacks impacting organisations across the globe?
The impact is significant as in almost every case there is a financial loss associated with any breach.
The recent example affecting auto dealers across North America demonstrates how one supplier breached can have an impact of millions of dollars of operations cost for its sector. Dealerships across the US have seen operations hindered for weeks, with losses reaching US$1bn according to various news media.
Another example is a manufacturing organisation we helped overcome repeated ransomware infections that kept getting introduced via its thousands of suppliers. Fortra helped them improve their phishing detection and response capabilities and extended its awareness programme to those suppliers that did not have their own awareness programme in place.
What types of attacks have we seen in recent months?
The most common types of supply chain attacks cover three areas: software, devices, and people. Allow me to elaborate on these three areas...
Software security
As more and more supply chains rely on software, attackers can breach code repositories to which they add malicious code or disrupt operations. Once that happens, misconfigured systems or vulnerabilities are exploited and systems are disrupted, which are used to compromise services and operations. These attacks affect the services provided by the supplier and, in turn, anyone else that depends on those services for their business operations.
Attacks via connected devices
At any point in a supply chain in which there is a connection between devices or networks, one can find the opportunity to exploit a device that connects to the network to plant malware. Devices can include servers, desktops, HVAC systems, power, security, network-connected CCTV systems and so on. When users connect to a network, they generally do so with a wide range of devices, including laptops, phones, tablets, USB keys, etc. which, in turn, may carry malicious payloads that can spread to any other connected devices. All a cybercriminal needs to do is find a way to get that malware onto a device, before these devices proliferate the malware across the network. This can happen in many ways, including phishing emails, malicious links or even physically at the source.
Attacks targeting people
When someone we deal with on a regular basis gets compromised and their email account taken over by a cybercriminal, it's easy to be fooled and follow any instructions they send us because they originate from someone we know. Imitating suppliers or compromising suppliers and using stolen accounts to commit social engineering has become very common in targeted attacks.
What damage can be done as a result of supply chain attacks?
The main lesson is that there are real-world implications of cyber attacks aimed at the supply chain:
- Supply chain cyber attacks can have far-reaching effects, which often have compounded and cascading implications across many business functions and areas.
- Operational disruptions can stall production lines, leading to significant delays in manufacturing and delivery schedules, or affect essential services such as healthcare, utilities and transportation.
- The economic impact cannot be ignored as companies may face direct financial losses from halted operations, lost sales and ransom payments. This could potentially impact market valuation, leading to a decrease in the stock prices of the impacted companies, alongside eroding investor confidence and diminishing customer trust.
- There may also be significant legal costs that companies incur from lawsuits and regulatory fines.
- They also risk sensitive information exposure such as stolen personal, financial and proprietary information, leading to identity theft and corporate espionage.
- Negative publicity can tarnish a company’s image, impacting long-term business relationships.
- Companies may face penalties for failing to comply with data protection regulations such as GDPR, HIPAA or CCPA, which may result in increased scrutiny in the future by regulatory bodies.
- Significant resources are required for incident response, recovery, and restoring normal operations, which may result in costs getting passed down to the consumer.
How important is it for businesses to understand the threats they face?
Understanding the threats they face and the potential damage from supply chain attacks is crucial for organisations when it comes to prioritising and planning:
- Understanding potential threats helps organisations identify and address vulnerabilities in their supply chains. This proactive approach reduces the risk of exploitation.
- Knowledge of potential threats allows organisations to develop strategies to minimise disruptions, ensuring business continuity.
- Many industries have regulatory requirements mandating mitigation strategies for supply chain security. Understanding threats ensures compliance with these regulations.
- Supply chain attacks can result in significant financial losses due to operational downtime, loss of data and incident response. Understanding these risks helps organisations allocate budgets for preventive measures.
- Supply chain attacks can damage an organisation’s reputation, leading to loss of customer trust and loyalty.
- Understanding threats can lead to the implementation of more secure and efficient processes, reducing the likelihood of disruptions and improving overall operational efficiency.
- Knowledge of potential threats and their impacts improves incident response planning, allowing for quicker and more effective responses to supply chain attacks.
What measures can firms take to protect themselves against supply chain attacks?
We need to start with the basic preventative measures including third-party risk management, zero trust architecture, vulnerability management, network segmentation, security awareness training and principles of need-to-know and least-privilege. By doing so, companies can address most regulatory requirements and cyber risks related to supply chain attacks.
- Robust Security Policies: Implement strict access controls, regular security audits, and continuous monitoring to detect and mitigate threats. This must include the acceptable use of AI and the new threats and attack scenarios that may be using AI.
- Employee Training: Conduct regular training sessions to educate employees about the risks and signs of cyber-attacks and social engineering.
- It is also important for cyber security specialists to understand the business operating environment they are trying to protect, and the risks present from their supply chain.
- Vendor Management: Perform thorough vetting and continuous monitoring of third-party vendors and service providers to ensure they adhere to strong security practices.
- Network Security and Zero-Trust Architecture: Employ advanced network security measures, including encryption, intrusion detection systems (IDS), secure communication protocols, MFA and data segmentation, and apply the principles of least privilege.
- Incident Response Planning: Develop and test incident response plans to address any breaches or compromises quickly and effectively within the supply chain.
How crucial is it for companies to develop incident response plans?
It’s crucial for every organisation to prioritise the creation of plans for incident response, disaster recovery and maintaining business operations during emergencies. For those who have them, include cybersecurity scenarios and test them regularly to ensure their effectiveness. We've seen organisations switch to pen and paper for their operations as their inventory system was off-line due to a cyber attack.
We often hear people say in the cybersecurity industry that it's not a matter of if you get breached, but when, as eventually any organisation may appear on the radar of a cybercriminal organisation. Business continuity management, disaster recovery planning and incident response planning will become crucial as they can address almost any event and can be implemented while securing every network ingress point and system. In terms of stakeholder trust and organisation reputation, preparedness to respond to a cyber attack can also have a positive outcome.
Organisations should work closely with supply chain partners to ensure they have robust business continuity management, disaster recovery planning and incident response plans in place, and include them in your own testing. Organisations must share threat intelligence and best practices for cyber resilience within their sectors and their suppliers.
Supply Chain Digital is a BizClik brand.