Cyber housekeeping 'stops most back door supply chain hacks'

The supply chain is often the 'back door' through which hackers attack larger companies. Here, cybersecurity executives James Tamblin and Paul Gribbon share their insight

A recent Accenture study showed that, in the US, 43% of cyberattacks were aimed at small to medium-sized enterprises (SMEs) but that just 14% of such companies are adequately protected. Those are scary numbers, and it’s a similar story on both sides of the Atlantic.

The British government reports that almost a third of UK firms with digital supply chains are vulnerable to cyberattacks, with many lacking even basic protective measures. It, too, says most are SMEs – by far the most numerous type of company.

In a cyber-vulnerable company, suppliers are too often the entry point for malware, ransomware or denial-of-service (DoS) attacks, which then spread upstream or downstream to the organisation itself.

And yet, cybersecurity needn’t be complicated; much of it is down to sound housekeeping and well-managed communications.

We spoke to two cybersecurity experts for their advice and insights on the matter. James Tamblin (JT) is Vice Chairman of BlueVoyant, a US company that provides a cloud-based cybersecurity platform.

Paul Gribbon (PG), meanwhile, is Cybersecurity Senior Manager at Reliance ACSN.

Biggest internal cybersecurity threat to supply chains?

JT: Internally, the biggest threats come from suppliers or third parties who have access to an organisation's IT networks. If a supplier’s IT network is breached, then this might have a direct impact on the first party. As the internal networks of organisations become better defended, increasingly, it’s suppliers who become the weak link that allows an attack. 

Biggest external cybersecurity threat to supply chains? 

JT: Externally, the biggest threats come from third-party organisations who perform a critical business process or deliver a key product to the first party. 

In the event that a supplier or third party is subject to a cyberattack that means they are unable to deliver key products or services, this can become a big problem very quickly and may impact business continuity. 

Most important first steps in being cyber-secure?

JT: For any organisation, the most important things to do when tightening cybersecurity include:

  • The relentless use of multi-factor authentication (MFA)
  • Maintaining a robust patching practice
  • Continual cybersecurity awareness training; and 
  • Using software applications that are well-supported from a security perspective. 

Doing these things well will reduce any organisation’s cyber risk significantly.

PG: The first step is for the company to understand the breadth, depth and location of its information assets. You cannot mitigate, protect and control what you don’t know about.

Organisations should also be prepared to be surprised, or even shocked, at the amount of data that needs to be under control. This is particularly true of the proliferation of cloud services’ data, for which you have accountability and which is often being processed in locations of which you were not aware.

This also has a compliance and legislative impact, particularly as it relates to personal data. The GDPR implementation date is now four-and-a-half years ago, and any data discovery assessments conducted back then will be severely out of date if this has not been a regular exercise.

Most important cybersecurity measure?

JT: Enabling multi-factor authentication on all internet-facing applications. This one extra-step is sometimes enough to convince cybercriminals to move on to other targets.

PG: Dispelling the myth that ‘it will never happen to us’ must be the first step. The most important thing is to take the risk of cybersecurity and cyber-based attacks seriously. This means, first, accepting there is a real risk the organisation could be impacted and, second, making it a priority to ensure there’s no complacency. 

Once this is done, there will be a natural progression of activities to help identify and protect an organisation. No two organisations are the same in terms of their business or operating model, size, culture and risk exposure, so those activities should be tailored to the environment and threat profile.  

Which sectors have the greatest supply chain vulnerability?

JT: There are some sectors that, traditionally, have not invested heavily in building and running state-of-the-art technology. By definition, this makes them more susceptible to being successfully attacked. 

Typically, I see this in companies with tight margins that are spend-conscious and haven’t seen the upfront benefit of significant financial investment in technology. 

Also, some sectors are more heavily targeted – including IT-managed service providers, who are seen as low-hanging fruit by hackers – because a successful breach of a managed service provider (MSP) will result in access to multiple target organisations in a single hit. 

The good news is that MSPs tend to take security very seriously and employ strong cyber defences.

Is geopolitical instability contributing to cyber threats?

JT: Using its intelligence feeds, BlueVoyant continues to monitor the unfolding situation between Russia and Ukraine for any adverse impact on our clients. 

To date, we have not seen a significant increase in attacks from that region against western targets. However, organisations in both Russia and Ukraine have been impacted by malicious hacking from both sides, as they attempt to disrupt or destroy adversaries through cyberattacks. 

For organisations who depend on third parties based in conflict zones such as Ukraine, the impact can be significant. 

Biggest barriers to tightening supply chain cybersecurity? 

JT: The first hurdle to overcome is making key individuals inside an organisation understand why supply chain cyber risk is a problem that needs addressing. 

For too long, chief information security officers, chief technology officers and other senior executives have been focused on building their own cyber defences. Understanding the business risk of a successful cyber attack on a supply chain vendor or other third party is not always apparent to senior executives. 

The second hurdle is to find an effective solution that helps the organisation have a positive impact on supply chain cyber risk. Many organisations find they are overwhelmed with vulnerability information, and don’t have effective means by which to influence third-party supply chain organisations at scale. 

Intelligent investment in external support, and understanding what is possible from a ‘data’ perspective, is a key early step. 

