In 2021, the number of weekly attacks on corporate networks increased by 50 percent year on year, and there’s no reason to believe that trend will change in 2022 and beyond. It’s a fact that no business can afford to ignore, especially in Europe, which has seen the highest increase in attacks, from 400 per organization per week in 2020 to 670 in 2021, according to data from Check Point Research.
It is fair to say that organizations are not ignoring the increased risk, at least in as much as it involves keeping their own shop in order. Market researchers at Gartner estimate that total spending on information security will come in at about $172 billion in 2022.
But with the increased budget comes more pressure on security professionals to ensure that money is spent wisely.
The problem is that businesses do not operate in a vacuum. They are increasingly interconnected with their supply chains, a fact that brings manifest benefits in terms of transparency and efficiency but that also opens the door to new areas of cybersecurity risk.
PwC ran an eye-opening survey on the topic earlier this year. “You can’t secure what you can’t see,” they say in their opening paragraph. They then go on to demonstrate that here and now, about 60 percent of businesses admit they don’t have full visibility of supply chain cybersecurity risks.
That’s almost two-thirds, and this is on the basis of self-declaration. It would be interesting to see how many of the other 40 percent can really demonstrate their “thorough understanding” of the risks that exist in the supply chain. Perhaps more worrying, however, is that a quarter of respondents have little or no understanding of the risks at all.
Let’s be honest, in the wake of Brexit, the pandemic and most recently the Ever Given taking it in turns to bring global supply chains to a halt, you could be forgiven for thinking that someone is breeding black swans somewhere. There’s a fatalistic vibe of “what next?” in the air, and some truly catastrophic cybersecurity incident feels like it is just waiting to happen.
The fact that such a significant proportion of businesses are doing little or nothing to understand, much less mitigate, the risk is all the more surprising when you consider the potential consequences of a serious cybersecurity breach in the supply chain.
Let’s Look at a Few Examples of High-Profile Businesses That Have Been Hit in This Way:
Think of supply chains and you immediately start going through lists of vendors and logistics partners. But the modern Internet of Things can spin webs that connect your systems with others that might not spring immediately to mind. Target, the US retailer, fell victim to just such a vulnerability in 2014.
Fazio Mechanical Services is a Pennsylvania-based mechanical contractor that specializes in the design, installation and maintenance of supermarket refrigeration and HVAC systems. Part of the company’s role was to monitor temperatures in stores, and to do that, it needed remote access to Target networks.
Remote access for temperature monitoring doesn’t satisfactorily explain how hackers were able to reach sensitive payment systems, but that is exactly what they did. The criminals purloined details of 40 million debit and credit card accounts used to make purchases at Target over a period of just under three weeks in late 2013.
As well as the significant reputational impact, Target parted with more than $18 million in a multi-state settlement, the largest ever payout of its kind.
Personnel files for thousands of US military operatives and even those of Iraqi and Afghan nationals who had worked in cooperation with the US military in their home countries were stored on an unprotected Amazon server, accessible to anyone, for almost a year.
In this case, the cybersecurity risk was not the result of hackers or cybercriminals breaching defences. In fact, TigerSwan, a security firm based in North Carolina, placed the blame on a third-party supplier called TalentPen, whose job it was to process new job applicants.
The interesting thing to arise from this incident was that TigerSwan had ceased to use TalentPen the previous year, but nobody had asked what would happen to the shared data after the business relationship concluded.
One of the most publicized supply chain attacks, and a guaranteed case study for MBA textbooks in the years ahead, concerns an Oklahoma-based software supply and management company called SolarWinds. Among the suite of solutions it provides to its high-profile client base, you’ll find an IT performance monitoring system called Orion.
Now, the very nature and purpose of Orion demands that it has access to IT systems in order to monitor their performance. Hackers inserted malware into the Orion system, and this effectively provided a back door by which they could access third parties that used the software, impersonating users and legitimate accounts as they went.
It provided the hackers with access to tens of thousands of companies’ sensitive data. Not only could they access the systems of the Orion users, but once in, they could then access the systems of their supply chain partners and their customers. The cherry on the cake was the nature of some of those “high profile clients” we mentioned. They included federal government agencies such as the Department of Homeland Security, the National Nuclear Security Administration and the US Department of Treasury. Well-known private companies including Microsoft and Cisco were also affected.
The purpose of the attack remains unclear, although it is surmised that government systems were the primary target and that other victims were merely collateral damage. Presidents Trump and Biden have pointed the finger at Chinese and Russian agencies respectively over the past two years.
Last year, the hunters became the hunted as cybersecurity provider Mimecast had its certificates hacked by, it later claimed, the same hackers who were behind the SolarWinds attack.
The attack was a sophisticated one, but in essence, the compromised security certificate gave hackers access to users’ Microsoft 365 accounts, including emails. Worse, there was the potential that once inside, hackers could then authenticate directly to Microsoft’s own systems and thereby access sensitive client data.
Mimecast was quick to play down the incident, assuring its clients that only a handful had actually been hit, that they had been contacted already and that remedial actions had been implemented. However, Saryu Nayyar, the CEO of security analytics company Gurucul, said, “Civilian organizations will need to up their game if they don’t want to become the next headline,” and commented that “defenses designed to resist a state-level attack should be more than enough to thwart the more common cybercriminal.”
Ms Nayyar’s comments raise a pertinent point. Managing cybersecurity risks in the supply chain is not just about protecting our businesses, our customers and our reputations. It’s all well and good looking upstream in the supply chain, but our actions or inactions can often have a knock-on effect on business partners, too.
One thing that is very clear from the above examples is that from the perspective of clients, regulators and the media, the buck stops with you for a cybersecurity breach, even if it originated in the supply chain. People talk about the Target incident, not the Fazio incident.
Clearly, we need a mechanism both for managing this risk and for demonstrating to stakeholders that we have done so appropriately, and the answer lies in effective supplier assessment processes.
A key part of that assessment is to understand how supply chain partners manage their own supply chains. These are sometimes known as “fourth parties” and, as we saw in the SolarWinds example, this principle can be extrapolated to fifth, sixth and seventh parties. It’s impossible to check to the nth party as part of your own due diligence, so that means working only with suppliers and third parties that have equally rigorous third-party assessment procedures in place.
That sounds like a hardline stance to take, but it seems so only because the size and shape of third-party cybersecurity risk is just beginning to come into focus. Businesses take a similar line with issues such as anti-slavery and even sustainability with barely a second thought, and for similar reasons.
Embedding cybersecurity into your supplier assessment processes is, in many ways, the easy part. Implementing it in terms of updating existing supplier contracts, performing random audits, following up on corrective actions and providing comfort to stakeholders that all this is in place and working as it should is where things can become difficult.
That’s where KodiakHub’s suite of solutions comes to the fore. From supplier onboarding to performance monitoring to contract renewal or, as we saw in the case of TigerSwan, contract termination, cybersecurity needs to be right up there with performance, financial controls and regulatory compliance. KodiakHub’s assessment, evaluation, management and monitoring software helps ensure it is not neglected.
It provides red flags and reminders so you can rise to meet risks before they materialize, and it places the information at your fingertips to demonstrate to stakeholders that you have the controls in place to avoid becoming next week’s cybersecurity media sensation.