It’s natural to factor in geo-political and economic risks in today’s turbulent climate. There are visible impacts of global crises, but what about virtual threats? It’s easy for security in the virtual sense to take a backseat to the threats we can see in front of us.
Inefficient cybersecurity poses one of the biggest threats to corporate supply chains. We tend to associate cyber-attacks as scams on core technology impacting data security, bank accounts, pensions, or our ability to access certain websites, but technology is a critical component across the supply network.
According to research from Check Point, global attacks increased by 28% in the third quarter of 2022, compared to the same quarter of 2021. Every link in the supply chain that uses technology has a potential vulnerability and cyber-attacks on these are only becoming more prevalent. A supply chain is only as strong as its weakest link, and hackers look for those weak links to exploit.
The SolarWinds attack in 2020 was one of the largest cybersecurity attacks of the century sparking huge supply chain disruption for global organizations. After targeting SolarWinds’ IT monitoring system, ‘Orion’ attackers were able to compromise and steal the data of over 30,000 private and public organizations, the US Government among them.
An infection in a small part of the supply chain can have a major impact on anyone using or connected to it, across multiple businesses, on a global scale. It only takes one malicious code to compromise a sophisticated global IT network. Furthermore, these codes can be untraceable, as was the case with SolarWinds, which went undetected for over a year. Prevention is key.
Phishing attacks remain the biggest risk to companies, especially in the new world of hybrid working. As users access working systems via less secure routes, we have seen a massive increase in the scale and complexity of attacks.
Another recent example is Brandjacking. This tricks users into downloading malicious code by copying a well-known brand and hiding a threat in their product via a pre-planned attack.
All of these point to an established network for attacking companies, be it disrupting for the sake of disruption or to extort money.
Software used in supply chains is developed on building blocks by reusing code or components from various products, including open-source software. The complex nature of the design and constant development of software can lead to vulnerabilities, which in turn can be exploited. In some cases, infections can lay dormant in software for several years, waiting for the right opportunity to attack.
Companies have been aware of the risk of cyberattacks for years and may have shored up their defenses in more obvious areas, such as access to systems or firewalls on their networks. However, the response from attackers has been to develop more sophisticated systems and identify new areas where they can break the chain.
How is this affecting businesses?
Cyberattacks can be crippling for businesses. Unsurprisingly, cyberattacks have serious financial implications. Cybersecurity Ventures estimates that global cybercrime costs will grow by 15% per year between 2020 and 2025, reaching $10.5trillion USD annually by 2025, up from $3 trillion USD in 2015. However, it’s more than just the cost that’s important to consider. Whether it’s a DDOS (Distributed Denial-of-Service) attack that blocks customer access to your website or infects your Warehouse Management System so you can’t process your inventory, all elements of the supply chain need to be protected to be effective.
During lockdown, companies had to pivot to a new way of working. This meant that many companies’ cyber defences were either relaxed or circumvented to allow business to continue as usual. Entire workforces working from home opened areas of vulnerability that had never been seen before.
As phishing is still the most obvious and successful method of attack, regular employee training and carrying out regular internal tests is key to seeing how effective your business is at defending itself.
Where are businesses falling down?
New software tends to go through a rigorous check to ensure its safe, but companies also need review processes in place to check the reliability of these solutions after they’ve been implemented to ensure they continue to meet the safety demands of their IT systems. For example, how often are patches deployed? How often are updates rolled out?
Organizations may avoid upgrading to the latest software version to evade the expense and complexity of new systems, but this leaves hackers with an advantage when looking for areas susceptible to cyberattacks.
Prevention is better than a fix, however, the cost of prevention is deemed by some to be prohibitive and with so many different threats with different solutions, it can be difficult for companies to make the right choices.
What should businesses be doing?
Businesses need to invest properly in their IT department and the latest software to identify threats and protect against them.
Five top tips for protecting your network:
- If you don’t already have one, it’s a good idea to employ a Chief Information Security Officer (CISO) who can be responsible for the business’s cyber strategy and resources required for success.
- Choose the right products. Cyber threats change and evolve constantly, and so do the products designed to defend against them. Don’t enter into long-term agreements, as the product could be out of date in a matter of months.
- Most importantly, choose the right partners – specifically look at Cyber software resellers or partners with a cyber practice and a track record for supporting and protecting their customers.
- Make sure that your suppliers are actioning all of the above in their own supply chains. Carrying out a regular audit of your key material suppliers is essential to ensure they are protecting themselves and, more importantly, you.
- Have a strategy for dealing with Ransomware, and agree at a corporate level how you will react if your system has been compromised. Will you negotiate? Will you pay up? Will you refuse? What are the consequences of agreeing to pay, the potential for a double extortion event, when the attackers have your information, in particular, if it has a GDPR implication.
Companies need to have a plan, ensuring that they are not a soft target for attackers, with proactive defenses in place to enable your whole business is acting as a deterrent to attacks.
The risk posed by cyber-attacks will only increase and businesses should prepare for the worst to ensure the best outcomes for their global supply networks.
Get in touch today, if you would like to learn more about how Proxima can help you.