Comment: Back to basics to throttle supply chain cyber threat
Effective cybersecurity is challenging enough for many organisations, but when you add supply chains into the mix that may include hundreds or even thousands of suppliers, the challenge grows massively.
There have been numerous instances where an organisation has been breached as a result of hackers finding a way in via third parties such as suppliers and contractors. Probably the most infamous example of a breach via a supply chain was when hackers breached US retail giant Target in 2013 by stealing credentials from a third-party heating company who were able to access Target’s networks and monitor its systems. The company fell victim to a spear phishing attack a few months before the main attack, when the hackers installed malware onto the retailer’s point of sale systems, stealing customer credit card details, and sending them to a compromised Target server before finally sending them overseas. The breach resulted in the theft of the credit and debit card details of up to 40 million consumers and has, so far, cost Target over $200 million.
Breaches via a supply chain can occur in many different ways. A supplier could inadvertently introduce malware into a network via a phishing email, or a vendor’s credentials could be stolen, allowing a hacker remote access to an enterprise with which the vendor works. This can then lead to the infiltration of an enterprise’s network via a trusted source.
Are supply chains the weakest link?
Hackers seeking to breach a large organisation will often do their homework and seek to take advantage of the organisation’s supply chain. Various methods such as social engineering will allow them to learn who their target does business with or who its suppliers are. Social media also allows them to learn who the best people are to approach or target with phishing emails.
If they are particularly determined they are likely to go through every part of the supply chain to find any vulnerability and, once they find one, they will then seek to exploit it. Once in, they can then cause trouble right along the chain.
Large organisations’ supply chains are comprised of small or medium sized organisations which, due to their smaller sizes and budgets, are often considered to be the weakest links in the chain, with cybersecurity measures less likely to be as effective as larger ones.
Forward-thinking supply chain operators, however, know that the most effective way of reducing risk is to support their suppliers and partners by providing tools and services that enable them to improve their security, rather than burdening them with endless questionnaires.
Reduce the threats by doing the basics
Organisations at the top end of a supply chain should encourage their suppliers to implement a cyber-aware culture. Adopting government schemes such as Cyber Essentials and educating employees at all levels will help to reduce the threat.
Good cyber hygiene should be encouraged, for example, such as avoiding suspicious-looking websites and never clicking links of which you are uncertain can help avoid many cyber dangers.
Proper awareness training can also help staff recognise the signs that an email might not be legitimate. By educating employees and members of a supply chain on how to spot a suspicious email, it’s possible to cut the likelihood of a successful phishing attack. Most of the time these emails are caught by an email service provider’s spam filters, but hackers are tenacious and are constantly finding ways to try and circumvent them. Many businesses and organisations have fallen victim to such attacks. We all receive spam emails - it’s a part of everyday life, so if in doubt, it is always best to refer a suspicious email to an organisation’s internal security team and not click on any links or attachments.
Ensuring that every organisation in a supply chain has well thought out policies and procedures in place, such as allowing users to access only what they require for their role, or not allowing personal devices or removable media to be plugged in, can help to protect against cyber-attack. Likewise, carrying out an audit of assets will help an organisation to keep track of what is part of its network and - more crucially - what isn’t. Supply chain partners should also be encouraged to keep their anti-virus and other security applications up to date. Finally, it’s important to ensure there is continued awareness of these practices in the same way that fire drills are carried out regularly.
The ‘It’ll never happen to me’ mentality needs to go
The belief that a cyber-attack will “never happen to me” is a surprisingly common reason for businesses not to invest properly in cybersecurity. Small businesses in particular are likely to believe this as they think that they’re too small to be noticed by cyber criminals. In reality, however, SMEs are actually targeted more often due to their appearance as a ‘soft target’ and as a potential way into a larger organisation’s supply chain. For this reason, large organisations should regularly assess the cybersecurity of their supply chain, and ensure that the necessary training, awareness and best practice cyber hygiene is in place to reduce the risk of a breach.
Japan Seeks to Revive Stalled Semiconductor Industry
Post-pandemic, Japan has seen the consequences of relying solely on foreign imports for its semiconductors. Over 64.2% of its chips are usually imported from South Korea and Taiwan, leaving the country dependent on its neighbours. Industries from auto manufacturers to consumer electronics firms wait for chips, to no avail. But now, the Japanese government looks likely to put real funding behind its semiconductor industry, with top officials emphasising their support.
Domestic supply chains have never been more important. Rather than remain tied to international shipping routes during shortages and delays, governments are doing everything in their power to develop local lines of supply. But the question remains: can Japan pull it off?
How Will Japan Pay For It?
Herein lies our first issue. Japan’s debt has rapidly increased over the past few years, and the semiconductor industry will need roughly a trillion yen—US$9bn—in this fiscal year alone. This cost, however, pales in comparison to what Japan could lose if it fails to keep up with Europe and the US. Both nations have launched aggressive funding measures to revive their local semiconductor industries. And if Japan refuses to invest due to its debt, it could slow down progress in fields ranging from artificial intelligence to autonomous driving.
According to Tetsuro Higashi, the former president of Tokyo Electron and Japan’s top government advisor in semiconductor strategy, ‘If we miss this opportunity now, there may not be another one’. Yet one advanced wafer fabrication factory can cost more than US$10bn, and any money poured into the industry will go fast. That’s why Japan, rather than invest trillions and trillions in failing domestic firms, is considering a second option.
What Do They Plan To Do?
Japan now intends to look abroad and convince overseas chip foundries to come to its shores. Its past failures mostly centred on trying to merge domestic firms that were already going through tough times. ‘This sort of made-in-Japan self-reliance approach hasn’t worked out well’, said Kazumi Nishikawa, a director at the Ministry of Economy, Trade, and Industry’s IT division. ‘This time the goal is to offer a strong incentive for an overseas logic foundry to come to Japan’.
As follows, Japan will now reach out to industry partners and leaders in other countries, including the industry heavyweight Taiwan Semiconductor Manufacturing Co. (TSMC), to build Japanese bases. According to the South China Morning Post, the heart of Japan’s mission is a US$337.2mn research and development project in Tsukuba that will involve TSMC and more than 20 Japanese firms. ‘I think we need to cooperate with our overseas counterparts’, said Akira Amari, a senior member of the ruling Liberal Democratic Party. ‘[And] TSMC is the world’s top logic chipmaker’.
Indeed, if that’s Japan’s strategy, the future looks bright. TSMC recently set up a venture near Tokyo to research energy-efficient 3D chips with several Japanese partners. And in the future, the multinational chipmaker may consider expanding its Japanese operations—that is, if government incentives pave the path forward.