Actionable Strategies to Safeguard Your Supply Chain from Cyberattacks

The world’s supply chains are under attack, and the vendors that organizations rely on could be the weakest link when it comes to protecting confidential information from falling into the hands of cybercriminals.

An October 2022 report from BlackBerry Limited highlighted how extensive the threat to supply chains has become. BlackBerry found that 80% of organizations said they “received notification of attack or vulnerability” in their supply chain during the past year. Following the attack, 59% of survey respondents said they encountered “significant operational disruption,” 58% reported data loss and 52% faced reputational damage.

For many enterprises, data breaches occur because of security vulnerabilities at the vendors in their supply chain. In its annual Cost of a Data Breach report, IBM found that 19% of data breaches were caused by attacks that started with a third-party vendor. It took organizations 235 days on average to identify a breach and another 68 days to contain an attack – or 26 more days in total to resolve a problem.

It should not be a shock to anyone that the supply chain is being targeted by an increasing number of adversarial nation-states, terrorist groups and criminal organizations using cutting-edge technology. The digital transformation that has reshaped nearly every sector of the global economy has resulted in organizations partnering with multiple vendors to improve their technology to better serve customers. One consequence of those efforts was an expanded patchwork of interconnected supply chain networks with less-than-optimal cybersecurity protocols and technology.


Our country relies on robust and resilient supply chains — whether they are local, regional, national or global — for just about every product or service we use. That is why it is absolutely mission-critical that each organization takes the necessary steps to ensure its supply chain is safe from attack. Here’s how you do it.

1. Change your cybersecurity mindset.
We will not win the cyberwar with traditional thinking. We must move beyond conventional strategies and tactics in the war in cyberspace.

Organizations often fall into the trap of responding to a cyberattack by revisiting the previous breach and devising stricter policies and procedures and compliance standards. That will not work, because by the time new processes and standards are in place, the criminals will have created new technology and implemented new tactics that break through whatever safeguards have been put in place.

During my time with special ops in the U.S. military, we were encouraged to think outside the box of traditional structures and work alongside others who had a similar perspective and sense of focus. That kind of thinking is the only way our country’s world-class businesses, community organizations and philanthropic agencies can stay two or three steps ahead of our adversaries and win the cybersecurity war.

2. Conduct a thorough cyber risk assessment.
Leaders and business owners need to approach supply chain security by finding the answer to the question, “How can we position our organization for maximum success in our war with cyberterrorists?” They must approach cybersecurity with the same passion and energy that they bring to managing sales and marketing or manufacturing.

The first step in that process is to conduct a comprehensive risk assessment of the weaknesses and threats facing your organization and your vendors. The assessment will provide your enterprise with the intel it needs to design and implement effective guardrails so data and confidential information can be safely stored and shared among authorized users. The assessment should also be ongoing, to take into account any changes vendors make to their network. Fortunately, there are readily available tools from organizations like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) that can help leaders start the process.

3. Review access controls.
One of the biggest challenges in managing supply chain cybersecurity – especially in today’s work-from-home environment – is controlling who has access to your network. Organizations must have clearly defined protocols in place to identify authorized users and what kind of information they can access. Access controls are the foundation upon which a world-class cybersecurity initiative is built and maintained. Just as important: These controls also allow you to monitor and review user activity and can help identify suspicious behavior.

4. Don’t forget to update your cyber insurance.
In today’s world, it is no longer a matter of if your organization will suffer a data breach, but when – and how damaging the cost will be to your business. Cybersecurity Ventures projects that the global cost of cybercrime will reach $8 trillion in 2023 and increase 15% annually for the next two years. And IBM estimates the total cost of each supply chain compromise at $4.46 million – up nearly 13% over the last two years.

One area that leaders and business executives overlook is the importance of having comprehensive insurance coverage to protect their business against potential financial losses from breaches. Policies can be written that address data loss when it can be traced to a third party. After all, it is much less expensive to pay for coverage than to pay for damages related to a breach.

Today’s supply chains are more sophisticated than ever before, yet they are under constant attack from forces that want to destroy our way of life. By rethinking how we protect our business and prepare for attack, we will be better positioned for success now and in the future.

Jeffrey J. Engle is Chairman and President at Conquest Cyber, where he brings a broad spectrum of experience in risk management, national security and business process optimization. He has served as a consultant for the Department of Defense’s premier adversary emulation team and has conducted vulnerability assessments and trainings all over the world. Prior to joining Conquest, Engle served as VP and General Manager of Federal at United Data Technologies, Inc., where he spearheaded the growth and development of the federal business unit, led contracts and the legal department. He is a veteran of the United States Army Special Operations Command, a former senior vice commander, Military Order of the Purple Heart, and current Advisory Council member for Mission United. Engle holds a master’s degree and a graduate certificate in Policy Analysis from Virginia Tech, as well as a Certificate from Harvard in cyber risk management, a Certificate in Cloud Security Knowledge (CCSK), is Certified in Risk and Information Systems Control (CRISC) and is a Certified Information Security Manager (CISM).
